UNITED GRAND LODGE OF ENGLAND
SUPREME GRAND CHAPTER
DATA PROTECTION ISSUES
ADVICE ON THE NEW DATA PROTECTION LAW (revised)
1
Instructions
1.1
We were asked to advise the United Grand Lodge of England (“UGLE”) how it and other Masonic entities are likely to be affected by the new data protection law. This involves consideration of the European Union’s General Data Protection Regulation (“the GDPR”), and of the Data Protection Bill 2017 now before Parliament (“the Bill”). It is intended that they together will supersede the United Kingdom’s Data Protection Act 1998 as currently in force, based of course upon earlier European legislation.
1.2
This Advice (dated 13 November 2017) has been revised as of 26 January 2018 to correct an error in the original, explained in paragraph 5.1 below, resulting in a general revision and expansion of paragraph 5, together with some other updating.
2
The GDPR
2.1
With effect from 25 May 2018, the earlier European legislation will be superseded by the GDPR, promulgated by the European Parliament and the Council of Ministers on 27 April 2016 (2016/679), in accordance with its final Article 99.
2.2
Because 25 May 2018 will inevitably precede expiry of the UK’s 2 years’ ‘Brexit’ notice under Article 50 of the Lisbon Treaty given on 29 March 2017, on 25 May 2018 the GDPR will become operative in the UK as part of UK law without needing to be re-enacted by way of UK legislation (as well as becoming operative in every other member State of the European Union).
2.3
The GDPR is a lengthy document, but it seems to us that in contradistinction to earlier European legislation on this subject, it is at least in its English language version expressed with comparative clarity and precision.
3
The Bill
3.1
Meanwhile the UK’s Data Protection Bill 2017 is currently before Parliament and under consideration in committee.
3.2
The Bill does not itself seek to incorporate the GDPR, but proceeds on the assumption that the GDPR will automatically become part of UK law on 25 May 2018 (see paragraph 2.2 above), and deals directly with those qualifications, exemptions and supplementary provisions which the GDPR itself permits to the UK. It will remain in force after Brexit assuming enactment of the European Union (Withdrawal) Bill 2017, clause 3, providing that direct EU legislation, so far as operative immediately before exit day, forms part of domestic law on and after exit day. It follows that the UK government proposes to adopt the substance of the GDPR subject to the qualifications, exemptions and supplementary provisions that it itself permits. The principle is thus recognised that every individual has the right to proportionate protection of that individual’s personal data. It is also clearly recognised that future trading between entities established in the UK and entities established within the EU is likely to be severely hampered if the UK entity is not subject to data protection legislation comparable to that applying within the EU.
3.3
We regret that the opportunity was not taken to draft the Bill so as to incorporate the GDPR directly. For example, Article 7 of the GDPR could have been reproduced as the clause which would become section 7(1) of the Data Protection Act 2018, with all of the qualifications and exceptions that apply particularly to the UK comprised in section 7(2) onwards (and perhaps with the lengthy Preamble of the GDPR reproduced as a Schedule). Instead, the Bill has been drafted by cross-references to the GDPR in such a way that the reader needs to have both open at the same time, to the detriment of easy navigation and of understanding.
3.4
We also deplore drafting such as the following excerpt from clause 4 (Definitions) of the Data Protection Bill 2017:
“(1) Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.
(2) In subsection (1), the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR.
(3) Subsection (1) is subject to any provision in Chapter 2 which provides expressly for the term to have a different meaning.”
3.5
Of course, it remains to be seen which precise provisions will eventually be contained in the Data Protection Act 2018 and in the European Union (Withdrawal) Act 2018 when enacted.
4
Concepts and definitions
4.1
Although a number of new concepts and definitions are introduced by the GDPR, our view is that none of them need worry UGLE or other Masonic entities. Particular examples follow.
4.2
The GDPR refers to “natural persons” (while the Bill refers to “identifiable living individuals”), but it is clear that the GDPR will not apply to the personal data of deceased individuals.
4.3
The GDPR introduces the new expression ‘pseudonymisation’ (Article 4(5)), which refers to the device of keeping personal data secret by arranging that it may only be accessed by use of a separately stored electronic key, which for obvious reasons must itself be subject to security (the Bill does not use the expression ‘pseudonymisation’). We see no reason for UGLE to have the Adelphi computerised database adapted to include such a device.
5
Appointment of a data protection officer
5.1
We confess that our original reference to the Bill, clauses 67 to 69, was erroneous. We accept that those clauses would not if enacted apply to UGLE and other Masonic entities, and therefore those clauses do not in themselves require them to appoint a ‘data protection officer’.
5.2
GDPR, Article 37, does however make provision which might be applicable to Masonic entities in requiring, in addition to any ‘data controller’ and ‘data processor’, the appointment of a ‘data protection officer’, on pain of a fine for failing to do so. The tasks of the data protection officer would include general supervision and monitoring of data protection compliance, as well as being a point of contact with the Information Commissioner’s Office: see GDPR, Articles 38 and 39. However, it is only compulsory to appoint a data protection officer where the core activities of the data controller or a data processor consist of:
5.2.1
processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale: Article 37(1)(b); or
5.2.2
processing on a large scale of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, other than with the explicit consent of the Mason concerned: Article 37(1)(c), and Articles 9(1) and 9(2)(a); or in any of the special circumstances itemised in Article 9(2)(b) to 9(4), none of which would seem likely to apply to processing by any Masonic entity.
5.3
It is to be noted that:
5.3.1
GDPR, Article 9(1) forbids in principle and subject to limited exceptions the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, even with the consent of the data subject; and
5.3.2
GDPR, Article 10 forbids the processing of personal data relating to criminal convictions and offences other than under the control of official authority.
5.4
Thus although we agree that it is good practice to appoint a data protection officer whether or not it is compulsory to do so, it seems to us that the main issue for any Masonic entity that wants to know if it is compulsory for it to do so, must be whether its core activities involve any processing referred to above “on a large scale”. This expression is not defined in the GDPR (although the EU’s Working Party on the GDPR has given some examples by way of guidance), with the result that the Information Commissioner’s Office and ultimately a Court may be expected to try to give that expression its natural and ordinary meaning.
5.5
As a working guide, our view on whether the appointment of a data protection officer is compulsory as opposed to being optional, is as follows:
5.5.1
UGLE itself we understand to have over 200,000 members, and to have already decided on the appointment of a data protection officer, a decision we commend;
5.5.2
the situation of a Province or of the Metropolitan Grand Lodge is less clear cut, and it may well be the case that some Provinces or the Metropolitan Grand Lodge undertake relevant processing “on a large scale”, and that some do not. In our view each Province and the Metropolitan Grand Lodge ought to give careful consideration to whether it undertakes relevant processing “on a large scale”, seeking specific advice if it considers it appropriate to do so;
5.5.3
a Lodge we doubt would ordinarily or typically undertake relevant processing “on a large scale”, and in our view should not feel obliged to appoint a data protection officer, unless its particular circumstances indicate the contrary, or the need for specific advice.
5.6
Appointing a data protection officer does not absolve the members of a Masonic entity from liability for any breach of the law which the data protection officer condoned or should have prevented.
6
Other new obligations
6.1
As a general indication of the principal new obligations that we consider are likely to apply to UGLE and other Masonic entities with effect from 25 May 2018 at the latest, and without setting out any detailed or exhaustive list of steps to be taken, we would recommend that UGLE and other Masonic entities should meanwhile plan and implement procedures to comply with four main obligations, described below. In each case, compliance would not seem to us to be exceptionally onerous.
There are four such other main obligations applicable to UGLE or any other Masonic entity.
6.2
First, it will be necessary to make and publish an explicit record of the defined purposes for which personal data are to be processed, retained and shared: GDPR, Article 5.
6.3
Second, it will be necessary to ensure that any Mason may withdraw any consent previously given (for example to be solicited for donations to Masonic charities): GDPR, Article 7(3) provides that: “It shall be as easy to withdraw consent to the processing of personal data as easily as it was given.” In the case of explicit consent previously given by a Mason by signing an application form, we consider that signing a form withdrawing consent counts as withdrawing consent “as easily as it was given”.
6.4
Third, it will be necessary to ensure transparency in informing any Mason how and to what extent the Mason may gain access to personal data relating to him, and may correct errors: GDPR, Articles 13 to 15.
6.5
Fourth, it will also be necessary not only to record any security breach, for example when by accident there has been an impermissible disclosure of personal data, but for such a security breach to be reported by UGLE or the other Masonic entity concerned both to the Information Commissioner’s Office and to the Mason affected: GDPR, Articles 33 and 34.
Henderson Chambers, 2 Harcourt Buildings, Temple EC4Y 9DB
PETER SUSMAN QC
HANNAH CURTAIN
13 November 2017 (revised 26 January 2018)
RE: UNITED GRAND LODGE OF ENGLAND, SUPREME GRAND CHAPTER: DATA PROTECTION ACT ISSUES
ADVICE ON THE NEW DATA PROTECTION LAW (revised)
Geoffrey Dearing, United Grand Lodge of England, Freemason’s Hall, 60 Great Queen Street, London WC2B 5AZ