KEY GUIDES
Data Protection for voluntary organisations
4th edition Paul Ticher

Open, fair and well-managed data protection practice is not just desirable but essential if you want to ensure trust in your charity. Get it wrong and you risk reputational damage as well as financial penalties. This book will enable you to set a shining example of best practice by complying with UK data protection legislation and the General Data Protection Regulation (GDPR) in force since 2018. It will help you:
Understand the key principles and elements of data protection
Recognise your responsibilities as a data controller
Distinguish when you need consent from individuals to hold and use their data (and when you don’t)
Ensure that your organisation’s security measures are appropriate
Appreciate what the rights of data subjects are

Invaluable to data managers or those who handle personal information such as IT, personnel, marketing and fundraising departments, this book is essential reading for anyone in the UK voluntary sector who wants to get beyond tick-box data management. For professional advisers and academics it also offers a valuable summary that draws out key data protection points by examining and interpreting the primary legislation.

‘Written in accessible language and set in a meaningful context, this is the best translation of the hundreds of pages of data protection legislation as it applies to charitable organisations. A prodigious achievement on one of the most important and challenging legal responsibilities for our sector.’ Sian Basker, Co-Chief Executive, Data Orchard

‘There are not many people within the charity sector who are specialists in data protection. Paul uses simple, straightforward language to cover all key aspects of this complex but vitally important subject. Brilliantly practical!’ Peter Dean, Director of Finance, Riding for the Disabled Association

www.dsc.org.uk
What they said about the book . . .
‘Protecting personal data of vulnerable and disadvantaged people and ensuring their rights is the undeniable responsibility of every nonprofit organisation that supports them. If you feel out of your depth and worried that your organisation doesn’t meet the mark, this book is the perfect place to start.’
‘Written in clear language and set in a meaningful context, this is the best translation of the hundreds of pages of data protection legislation as it applies to charitable organisations. A prodigious achievement on one of the most important and challenging legal responsibilities for our sector.’ Sian Basker, Co-Chief Executive, Data Orchard
‘A detailed and methodical approach to data protection. This comprehensive guide is an accessible source of information filled with valid and relevant examples. I found it a particularly great help in getting to grips with specific areas, such as consent and contracts.’ Kirsty Cunningham, Head of Fundraising, St Martin-in-the-Fields Charity
‘There are not many people within the charity sector who are specialists in data protection. Paul uses simple, straightforward language to cover all key aspects of this complex but vitally important subject. Brilliantly practical!’ Peter Dean, Director of Finance, Riding for the Disabled Association
‘I have worked with Paul for many years now and I have always appreciated his ability to share his enthusiasm for this complex subject and how it applies to our sector. Written in a very understandable and user-friendly way, this book is truly accessible.’ Jeni Woods, Quality Manager, Grace Eyre Foundation
Directory of Social Change – Data Protection for Voluntary Organisations 2020
Published by the Directory of Social Change (Registered Charity no. 800517 in England and Wales)
Office: Suite 103, 1 Old Hall Street, Liverpool L3 9HG

Visit www.dsc.org.uk to find out more about our books, subscription funding websites and training events. You can also sign up for e-newsletters so that you’re always the first to hear about what’s new.

The publisher welcomes suggestions and comments that will help to inform and improve future versions of this and all of our titles. Please give us your feedback by emailing publications@dsc.org.uk.

It should be understood that this publication is intended for guidance only and is not a substitute for professional advice. No responsibility for loss occasioned as a result of any person acting or refraining from acting can be accepted by the author or publisher.

First published 2000
Second edition 2002
Third edition 2009
Fourth editions (print and digital) 2021

Copyright © Directory of Social Change 2000, 2002, 2009, 2021

All rights reserved. No part of the printed version of this book may be stored in a retrieval system or reproduced in any form whatever without prior permission in writing from the publisher. This book is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior permission in any form of binding or cover other than that in which it is published, and without a similar condition including this condition being imposed on the subsequent purchaser.

The digital version of this publication may only be stored in a retrieval system for personal use. No part may be edited, amended, extracted or reproduced in any form whatsoever. It may not be distributed or made available to others without prior permission in writing from the publisher.

The publisher and author have made every effort to contact copyright holders. If anyone believes that their copyright material has not been correctly acknowledged, please contact the publisher, who will be pleased to rectify the omission.

The moral right of the author has been asserted in accordance with the Copyrights, Designs and Patents Act 1988.

ISBN 978 1 78482 049 7 (print edition)
ISBN 978 1 78482 050 3 (digital edition)

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Cover and text design by Kate Griffith
Typeset by Marlinzo Services, Frome
Printed and bound in the UK by Page Bros, Norwich
Contents
About the series    vi
About the Directory of Social Change    vii
About the author    viii
Acknowledgements    ix
Foreword by Jon Baines    x
Preface    xi
Who this book is for    xii
Why data protection?    xiv
1 The key elements of the GDPR    1
2 Processing personal data    7
3 Who is the controller?    13
4 Engaging a data processor    19
5 Managing data protection    23
6 Determining your lawful basis for processing personal data    31
7 Special category data    39
8 The six data protection principles    49
9 Data protection principles 1 and 2: lawfulness, fairness and transparency, and purpose limitation    55
10 Data protection principles 3, 4 and 5: data minimisation, accuracy and storage limitation    65
11 Data protection principle 6: integrity and confidentiality    73
12 Transferring personal data abroad    83
13 Data subjects and their rights    87
14 Right of access by data subjects    95
15 Confidentiality    101
16 Working in collaboration with other organisations    107
17 Data protection in service delivery    111
18 Data protection in direct marketing (including fundraising)    119
19 Data protection in HR and volunteer management    131
20 Data protection in IT    141
21 Archiving, research and statistics    147
22 Role and powers of the Information Commissioner’s Office    151
Appendix    159
References and notes    165
Index    171
About the series This series of key guides is designed for people involved with not-for-profit organisations of any size, no matter how you define your organisation – voluntary, community, non-governmental or social enterprise. All the titles offer practical, comprehensive, yet accessible advice to enable readers to get the most out of their roles and responsibilities. There are several other titles available in this series; you can find details about the whole range at www.dsc.org.uk/publication/key-guides. For further information, please contact the Directory of Social Change (see page vii for details).
About the Directory of Social Change At the Directory of Social Change (DSC), we believe that the world is made better by people coming together to serve their communities and each other. For us, an independent voluntary sector is at the heart of that social change and we exist to support charities, voluntary organisations and community groups in the work they do. Our role is to:
provide practical information on a range of topics from fundraising to project management in both our printed publications and e-books;
offer training through public courses, events and in-house services;
research funders and maintain a subscription database, Funds Online, with details on funding from grant-making charities, companies and government sources;
offer bespoke research to voluntary sector organisations in order to evaluate projects, identify new opportunities and help make sense of existing data;
stimulate debate and campaign on key issues that affect the voluntary sector, particularly to champion the concerns of smaller charities.
We are a registered charity ourselves but we self-fund most of our work. We charge for services, but cross-subsidise those which charities particularly need and cannot easily afford. Visit our website www.dsc.org.uk to see how we can help you to help others and have a look at www.fundsonline.org.uk to see how DSC could improve your fundraising. Alternatively, drop us a line at cs@dsc.org.uk.
About the author Paul Ticher’s whole career has been in the voluntary sector, mostly as an independent consultant and trainer working with national and local organisations. After working for some years as a volunteer in Africa and then with the Campaign Against Arms Trade, his focus of interest became information management, including such areas as the use of information technology and the management of information services. This led to a considerable amount of work on the application of the Data Protection Act 1984 to voluntary organisations. He wrote the first edition of this book in 2000 to coincide with the Data Protection Act 1998 coming into force. Since then, Paul has been a leading trainer and writer on data protection throughout the UK, and he has provided bespoke advice to many voluntary organisations, large and small. For many years he has been recognised as one of the sector’s go-to experts on data protection. Paul’s other books, published by the Directory of Social Change, include Minute Taking (with Lee Comer) and earlier editions of Data Protection for voluntary organisations. He also contributed the data protection appendix for The Complete Fundraising Handbook and published numerous articles and research reports into aspects of IT management in the voluntary sector. Readers are invited to contact the author with comments, or to seek further help on the practical application of data protection in their organisation. email: paul@paulticher.com
Acknowledgements This book would not have been possible without the numerous challenging and stimulating discussions with my colleagues in voluntary organisations up and down the country over the last two decades and more. Only when they shared with me the issues they were facing did I really start to understand how data protection works – or should work – in practice, and I would like to thank every one of them for their contribution. I am indebted to other professionals in the data protection field for providing insights, and often a second opinion, when I find myself struggling with an unfamiliar issue. In particular, I have benefitted immensely from contributions to the online JiscMail data protection discussion group. For her thoughtful and assiduous attention to detail I am indebted to Hannah Lyons at the law firm Bates Wells who reviewed the text and provided helpful comments from a legal perspective. I would like to thank successive staff at Bates Wells and especially Lawrence Simanowitz for their support on previous editions of the book and also for work together on other projects. The Directory of Social Change has not just given me the opportunity to get this book into print but also asked me to deliver face-to-face training on data protection for many years, which gave me insights into the issues facing a wide range of voluntary organisations, large and small. Finally, of course, I want to thank my partner Gill Taylor for her personal and professional support. She has frequently been a valuable sounding board as well as posing the occasional challenging data protection question from her work as an HR consultant. Every care has been taken to make sure that information in this book is as accurate and up to date as possible. Any mistakes or omissions are entirely my responsibility.
Foreword Data protection is a fundamental right, and compliance is, therefore, not just a tick-box exercise. On the contrary, fair, accurate and transparent handling of personal data is essential to the functioning of society. As someone who has practised in data protection matters for a number of years, I am continually impressed by the desire of most organisations to comply with the relevant regulations – to do the right thing. But I am also struck by the difficulties they face in finding sound advice (without incurring huge costs). The voluntary sector has been a prime example of this. When many in the sector were receiving criticism, and in some cases regulatory action, for data protection infringements around fundraising, it became clear that what seemed obvious to some practitioners was not widely known by many voluntary organisations. The advent of the General Data Protection Regulation (GDPR) only intensified this imbalance between a desire to comply and the lack of support to do so. As much as one can rely on guidance from the Information Commissioner, it sometimes lacks the detail and nuance that those working in specific sectors seek. And although the introduction of the GDPR led to any number of supposed experts appearing on the scene, that was not an unalloyed positive. Many of these ‘experts’ came from backgrounds ill-suited to the understanding of data protection law. Those of us, like Paul Ticher, who were around long before the GDPR and will remain around long after the hype (but not the impact) has faded away, are still having to help organisations overcome the effects of poor advice. In this context, I am most reassured to see the latest edition of Data Protection for voluntary organisations. I know Paul as someone with a wealth of experience, both as an expert commentator and – crucially – as a practitioner. He knows the subject and he knows the specific challenges those working in voluntary organisations face. I particularly commend the book to those working in the sector but also recommend it more widely – it is a fine guide to data protection in general.
Jon Baines, Chair, National Association of Data Protection and Freedom of Information Officers and Senior Data Protection Specialist, Mishcon de Reya LLP
Preface From what many would regard as rather shaky beginnings in 1984, data protection in the UK has gradually become a valuable and accepted consideration when data about individuals is collected and used. Voluntary organisations have generally been keen to accept the measures required by the legislation, recognising that the needs of the organisation have to be balanced against the interests of the people it engages with. At the same time, growing public awareness of individual rights and firmer expectations of how organisations are supposed to behave mean that organisations cannot afford – more than ever – to get data protection wrong. When the General Data Protection Regulation (GDPR) was agreed in 2016, it heralded an exciting new era in the European Union’s world-beating data protection regime. This regulation benefitted from substantial input from the UK, which had pioneered much of the thinking on the topic in the last few decades of the twentieth century. The referendum decision for the UK to leave the European Union in 2017 raised questions which have not been fully resolved at the time of this book going to press. Although the UK’s data protection legislation will continue with little practical change for most organisations in the short term, there is scope for greater change in the future, especially in the context of the UK’s negotiation of trade deals around the world. It is too soon to speculate how data protection regulations may develop and, as you read the book and apply it in your organisation, you should bear in mind that over time some of the details may well change. However, the GDPR brings the legislation up to date with current technology and practice, and provides a solid common basis for good practice. There is now so much international support for the underlying principles – both as law and as good practice – that it is highly likely that the current regulations will be the benchmark for recommended practice for the foreseeable future.
Who this book is for Data protection is everyone’s business. Whether we like it or not, data about us is captured almost every time we engage with an organisation, as customers, members, citizens or recipients of services, and most of us care about how our data is used and looked after. The legal rules and obligations that apply to commercial organisations and public bodies also apply to voluntary organisations. This book uses the term ‘voluntary organisations’ to include charities, other not-for-profit organisations, clubs, societies and social enterprises. For these organisations, while the rules are the same, how they choose to comply and the issues they most often face can be somewhat different. For example:
Voluntary organisations don’t have the same powers and duties as public bodies but, unlike commercial organisations, they may have active members.
Most will do fundraising.
Their clients and beneficiaries may be particularly vulnerable.
They may have loose collaborative arrangements with other voluntary organisations.
They may have obligations towards their funders.
All these topics, along with the data protection basics, are covered in this book. It goes without saying that voluntary organisations need to hold information about people. Almost everyone within an organisation is likely to handle this personal data in some way and therefore to have some responsibility for looking after it and using it appropriately. It is important to recognise that this includes not just paid staff but also volunteers, who, for example, may obtain information when they visit clients at home or handle Gift Aid declarations in the organisation’s shop. However, it is the organisation itself that carries the main legal responsibility, not any individual. For most people who handle personal data, it is enough to have a general understanding of what data protection involves and then to follow the policies and procedures of the organisation.
For others, data protection may be a significant proportion of their work – those in fundraising or marketing, for example, or those responsible for information security. And for many others, it will come into play as one element among many that affects their decision-making on policies, procedures and issues that arise from day to day. This includes the trustees, who are responsible for ensuring that their organisation complies with its legal obligations and may have to make key decisions about its approach to data protection compliance. This book is especially relevant to you if you fall into any of these categories – in other words, if you are more deeply involved in making decisions about how your organisation discharges its data protection responsibilities. As well as setting out the general principles behind data protection, this book therefore contains chapters that are particularly relevant to managers in the key areas where personal data is used in most voluntary organisations: service delivery (chapter 17), fundraising and marketing (chapter 18), HR (chapter 19) and IT (chapter 20). The legislation discussed in this book is based substantially on the European Union’s General Data Protection Regulation (GDPR), which applied directly in the UK from May 2018. The GDPR has now been adopted as domestic UK legislation, with slight modifications to reflect the UK’s departure from the European Union. So, although the principles and much of the detail may well be relevant elsewhere, this book explicitly covers just the UK.
Why data protection? Data protection is not about protecting data but about protecting people. It does, of course, involve protecting data, but only because of the potential harm we could cause to individuals if we did not handle their personal data properly. Data protection can come over as terribly dry and procedural, but it goes to the heart of individual concerns, with potentially serious impacts on people’s lives. If your GP transfers your records to a computer and the old paper files end up in a skip for anyone to see, that’s a data protection issue. If your bank confuses you with someone else and your credit rating plummets, that’s also a data protection issue. Data protection issues can adversely affect your life chances in many ways: inaccurate detrimental information provided in a job reference might prevent you getting a job; a faulty computer algorithm might deny you a loan that you need (see page 91 for more information). There have even been cases when people have suffered physical harm from a data protection breach, such as when their location was wrongly disclosed to someone who then assaulted or abducted them. Fortunately, such extreme outcomes are rare. Your challenge in a voluntary organisation is to achieve the right balance: taking appropriate steps to prevent rare but potentially serious events, without imposing a regime which is so restrictive that it hampers the effective operation of the organisation. The risks have increased significantly as computers have become ubiquitous, allowing large amounts of data to be stored, manipulated, shared and disclosed. Further opportunities for things to go seriously wrong arise from the growth of the internet, with its support for cloud computing, social media, online shopping and banking, and home automation systems. The spread of small, portable devices such as laptops, smartphones and memory sticks also increases risk. As a result, the legislation has had to be progressively brought up to date. 
The UK’s first data protection legislation was the Data Protection Act 1984, which was followed by a 1998 Act of the same name. The next development occurred when the European Union reached agreement in 2016 on the General Data Protection Regulation,1 which is generally known as the GDPR and which came into force across the European Union (including the UK) in May 2018.
In the UK the GDPR is complemented by the Data Protection Act 2018 (DPA 2018), which also came into force in May 2018, and a number of other pieces of legislation. For more on the legal background, see the appendix. This book generally refers to the GDPR as shorthand for all of the relevant pieces of legislation. However, on occasion, it will draw your attention to specific provisions in the DPA 2018 or other UK legislation. While the main concern of the GDPR is to prevent harm, close behind this comes the concept of ‘fairness’ – above all, being open and honest with people about how you are using data about them, and giving them choices about what you do with the data. For example, in some cases individuals can stop an organisation from using their data, or even require the organisation to erase it (sometimes known, in somewhat of an exaggeration, as ‘the right to be forgotten’). The GDPR also offers genuine – and in some cases new – rights to ‘data subjects’ (the people about whom organisations hold data) and provides a framework for responsible behaviour by those using the data. It places great emphasis on accountability: your organisation must not just do the right thing, it must be able to show how it is doing so. For voluntary organisations, openness and fairness are key to building relationships of trust with the wide range of people who are vital to the effective functioning of the organisation, including clients, beneficiaries, volunteers, donors and paid staff. This trust-building is not just desirable but essential. Good data protection practice can also demonstrate to funders and regulators that your organisation takes its responsibilities seriously. Because of this, voluntary organisations have no reason to fear the GDPR. In many ways it gives legal backing to recognised good practice. Compliance with the GDPR can best be approached by understanding what it is trying to achieve, rather than seeing it as a series of legal hoops to be negotiated. 
You will find that compliance is very often a matter of judgement, not the application of detailed rules. This book makes the assumption that you will be keen to follow best practice wherever possible. Indeed, it is often more onerous to make the effort to find technical loopholes. Grudging compliance is an option, of course, for those wishing to circumvent the spirit of the legislation. As with any law, there are grey areas and special cases that can be exploited to avoid giving people the maximum benefit of the law. Ignoring the legislation is increasingly not an option, however, as the Information Commissioner’s Office (see chapter 22) has been given significantly increased enforcement powers while individuals are coming to expect, and insist on, greater transparency and higher standards of compliance.

Note on legal terminology
EU legislation is structured as a set of ‘recitals’ which set out the intentions and rationale of the legislation, followed by numbered ‘articles’ that make the specific legal provisions. This book occasionally refers to the recitals in the General Data Protection Regulation (GDPR) where it is felt that they give insight into the meaning or purpose of the articles.
UK acts comprise numbered ‘sections’ (referred to as s.1, s.2 and so on in this book) supported by a series of ‘schedules’ that make additional provisions and go into specific matters in greater detail. The Data Protection Act 2018 (DPA 2018) is also divided into ‘parts’ and ‘chapters’; however, you may find this confusing: the sections are numbered consecutively throughout, but the chapter numbering in each part restarts from Chapter 1. On those rare occasions when you might need to refer directly to the Act itself, it is essential to check that you are looking at the correct part of the legislation. (This is especially true in the cases of Parts 2, 3 and 4. Part 2 contains the rules that apply to most organisations (including voluntary ones), while Parts 3 and 4 apply very similar rules to law enforcement and the intelligence services respectively.) See page 161 in the appendix for further detail on the structure of the DPA 2018.
1 The key elements of the GDPR
The most important concepts in the General Data Protection Regulation (GDPR) relate to the two key pillars on which most of your data protection compliance rests: having a sound lawful basis for any processing that takes place and complying with the six data protection principles at all times. Before we look at these in detail, it is important to understand when data protection applies (and when it doesn’t), and whose responsibility it is to ensure compliance. By covering these topics, this chapter therefore provides a guide to the main issues that will be addressed in more detail in the following chapters.
This chapter:
– briefly introduces key terminology and concepts;
– explains the obligation to have a lawful basis for all processing of personal data;
– outlines the six data protection principles;
– briefly lists some of the other key requirements;
– explains the role of the Information Commissioner’s Office (ICO);
– indicates where in this book to find out more on each topic.
When does data protection apply?
Data protection applies whenever an organisation or its representatives ‘process’ ‘personal data’. These are both technical terms that are explained below.
Personal data
The purpose of data protection is to protect people (or ‘data subjects’, as they are technically known). Information about a data subject is called ‘personal data’. The individuals have to be ‘identifiable’ and the GDPR sets out a very broad definition of the factors that could make someone identifiable (see chapter 2). Data protection only applies to information about living people. This is not stated in the GDPR, but it is made explicit in s.3(2) of the UK’s Data Protection Act 2018.
It is also worth noting that data protection applies only to recorded information, not to things that are just in your head because you have heard or seen them. These last two points help to explain why data protection and confidentiality are not the same thing (even though they do often overlap). Confidentiality is a common-law principle that goes back centuries. It is thoroughly embedded in the UK’s legal system, but is based on extensive case law rather than specific legislation. Confidentiality, but not data protection, might apply to information about people after they have died, to things you have witnessed but not recorded, or to information about organisations. (See chapter 15 for further discussion on confidentiality.) Data protection, meanwhile, applies to any personal data, even if it is not confidential – including information that is in the public domain. It’s worth thinking about where your organisation might hold personal data. Some places are obvious: your database or CRM (customer relationship management) system, the user data on your website or social media platform, or your paper files. Others may not immediately come to mind. For example, in many organisations, the largest amount of personal data is probably to be found in emails. Pretty much every time you write or receive an email about one or more people (even without them necessarily being named), you are creating or acquiring personal data about them.
Processing
Data protection applies whenever personal data is ‘processed’. This doesn’t just mean getting a computer to do something with it. The definition in the GDPR effectively includes anything at all that you might do with data while it is under your control – for example, just reading information on screen, storing data in archives and destroying data. (This is discussed further in chapter 2.)
Who is responsible for complying?
Those who have ultimate responsibility for complying with data protection are termed ‘controllers’ in the legislation (often expanded to ‘data controllers’ where needed for clarity). Any organisation is a controller under Article 4(7) of the GDPR if it ‘determines the purposes and means of the processing of personal data’.
Individuals who are in business on their own account can also be controllers.
Joint controllers
The GDPR recognises that collaborative working happens and that two or more organisations may be joint controllers of a set of data or a set of processing activities. In such cases, the organisations involved must decide how they will share the responsibility for data protection and have a clear idea of who will do what in order to ensure full GDPR compliance. Both (or all) organisations involved need to understand what will happen if they don’t do their bit properly. (See chapter 3 for more on controllers and joint controllers.)
Data processors
If you pay another organisation, or an individual engaged in their own business, to carry out processing for you, and if they have to act on your instructions, they are a processor (sometimes referred to as a ‘data processor’ where this helps to avoid confusion). This could cover a vast range of suppliers, including a payroll company, an external trainer, a web developer, a freelance photographer, an archive storage repository and many others. The GDPR sets out a list of things that must be covered in your contract with a processor. If they follow your instructions, you are responsible for any breach they cause. If they don’t, however, they can be directly liable. This makes it very important to check your contract, so that the processor’s responsibilities are clearly set out. (See chapter 4 for more information on processors.)
The six lawful bases for processing personal data
Everything you do with personal data has to have a ‘lawful basis’, chosen from among the six possibilities set out in the GDPR. These are (briefly):
– with consent of the data subject;
– for a contract involving the data subject;
– to meet a legal obligation;
– to protect any person’s vital interests;
– for government and judicial functions;
– in your legitimate interests provided the data subject’s interests are respected.
You have to meet at least one of the lawful bases, but you do not have to use the same basis all the time, even for related bits of data. With employees, for example, your key employment records would be held on the basis of a contract involving the data subject; your disclosure of payments to HMRC would be a legal obligation; some information in your personnel records might be held on the basis of legitimate interests because it is worth having but not essential for the contract (such as emergency contact details); and other information – for genuinely optional matters (such as details required if they choose to opt into an employee benefit scheme) – might only be held with consent. The key thing is to be clear in every case what your lawful basis is. (See also the discussion on transparency in chapter 9, which explains that you not only need to know what your lawful basis is but must also give that information to your data subjects.) It is usually not difficult to identify cases where one of the four bases in the middle of the list applies. There has, however, been much debate over how to decide between consent and legitimate interests (see chapter 6), especially in the case of direct marketing (which is covered in detail in chapter 18).
Special category data
In addition to the requirement to have a lawful basis for all processing of personal data, some personal data is regarded as particularly sensitive and therefore requires special provisions. This is known as ‘special category’ data and is covered in detail in chapter 7.
The six data protection principles
In contrast to the lawful bases discussed above – where you need to comply just with the most appropriate one(s) in each situation – you must adhere to all six of the following principles when dealing with personal data:
– Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner.
– Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
– Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.
– Accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to erase or rectify personal data that is inaccurate without delay.
– Storage limitation: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary.
– Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles are discussed further in chapters 8 to 11.
Responding to specific situations
Chapters 12 to 14 look at situations that are not everyday occurrences but that may well arise from time to time, in particular how you should respond if data subjects choose to exercise certain rights. Chapter 15 examines the relationship between data protection and confidentiality, then chapters 16 to 21 consider how data protection is likely to apply to different areas of work within your organisation.
Guidance and enforcement
The Information Commissioner is a public official, independent of the government, whose role includes promoting compliance with data protection legislation and enforcing it where necessary. See chapter 22 for more details on the ICO’s guidance and enforcement powers.
Additional compliance obligations
There are some remaining matters that you must take account of to ensure full data protection compliance but that do not necessarily have dedicated chapters in this book. These include:
– Breach notification: there is now a mandatory requirement to report serious personal data breaches within 72 hours (see page 28).
– Extended rights: there is now an extended list of data subject rights, including rights to prevent processing or have data erased in certain cases (see chapter 13).
– Demonstrating compliance: there is now a requirement to keep records that can demonstrate the steps the organisation has taken to comply with the GDPR (see chapter 5).
– By design and by default: there is now an assumption that organisations should engage in ‘data protection by design and by default’, so that it is taken fully into account whenever a new activity or process is set up (see page 25).
– Protection of children: there should be greater protection where data is held on or acquired from children (see pages 87 and 113).
– Fees: as a data controller, you must pay an annual fee to the ICO (see chapter 22).
Legislation
Finally, the appendix goes into more detail on how the various pieces of relevant legislation fit together and gives a brief history of data protection in the UK.
2 Processing personal data
Data protection applies whenever an organisation processes personal data. Normally it will be clear whether this is happening and who your data subjects are. However, you need to take into account that, under the GDPR, data subjects can be those whom you know only by online and other identifiers. Also, some records can be complex – for example, if they hold information about more than one person.
This chapter:
– sets out the definitions of ‘personal data’ and ‘processing’;
– examines some issues that might arise where records relate to more than one data subject.
Personal data
Personal data is defined in Article 4(1) of the GDPR as:
any information relating to an identified or identifiable natural person (‘data subject’).
The GDPR introduced new considerations about how people might be identifiable. Essentially, they are identifiable if there is any way of picking that individual out from others and, potentially, treating them differently. You don’t necessarily have to know their name. Article 4(1) continues: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
This ties in with the emphasis in the GDPR on ensuring that data protection covers online activity – in particular, where someone is known by a unique username that bears no relation to their name in the real world. The GDPR also aims to encompass aspects of ‘big data’, where large numbers of people’s personal data are analysed in order to provide insights, predict behaviour or target people according to their individual characteristics.
Equally, a photograph or other specific ‘factor’, as set out in the definition quoted above, may on its own, or in conjunction with other information, amount to personal data. Much of the personal data your organisation holds is likely to be in structured systems, whether electronic or on paper. In these cases you will probably have a pretty clear idea of the identity of the person linked with the data (the data subject), as the records you hold will probably be associated with their name and some contact details, along with other information. The data protection implications are usually obvious and fairly straightforward in such cases. In many organisations, alongside structured records, a considerable amount of personal data will be held in emails. It is therefore particularly worth considering giving training and guidance to your staff, volunteers and trustees about the implications of email for data protection. Anything they put into an email that refers to an identifiable individual must comply with all the data protection principles (see chapters 8 to 11). Your staff and volunteers should also bear in mind that the data subject would have the right to access the email, on request (see chapter 14). Structured records and emails are very unlikely to be the full extent of the personal data your organisation holds, however. The definition of a data subject specifies that they must be identifiable, but this does not necessarily mean that you have to know who they are in the real world. Someone’s email address or online username may be enough to pick them out from other individuals, so the email address itself or the username may well be personal data, along with any associated information you hold, such as messages or images that the person has posted. You may, for security or other reasons, decide to disguise someone’s identity in internal communications – for example, by giving them a reference number, code or pseudonym. 
However, as long as you retain the ability to identify them fully, any information about them – for example, in an email between colleagues or between trustees – remains personal data. What all this means, therefore, is that while many of your key records will clearly be about specific and readily identifiable individuals that you have a relationship with – clients, beneficiaries, donors, other supporters, employees, volunteers or contact people in other organisations, for example – you must also be on the alert for other locations where less obvious or less easily categorised personal data is held.
When are paper files covered by the GDPR?
In some cases the GDPR applies to paper records as well as electronic ones, but only if the paper records are in structured systems. Article 2(1) (in the UK version of the GDPR) states:
This Regulation applies to the automated or structured processing of personal data.
Article 2(5)(a) then states: ‘the automated or structured processing of personal data’ means – (i) the processing of personal data wholly or partly by automated means, and (ii) the processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
GDPR Recital 15 emphasises this criterion relating to the structure of records by stating that: Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
What this means is that material held exclusively on paper is not covered by the GDPR unless it is (or is supposed to be) in a filing system, whereas electronic data is covered regardless of how it is organised. The GDPR’s definition of ‘filing system’ is ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis’ (Article 4(6)).
Processing of personal data
In simple terms, you are processing personal data the whole time it is under your control. Article 4(2) of the GDPR defines processing as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This is pretty comprehensive. It would include, for example, just reading personal data on screen or in a paper file, even if you don’t do anything else with it. It would also include storing archives of personal data; even if you do not consider yourself to be using the stored information in any way, you are still processing it. Since the definition includes ‘erasure or destruction’, this activity also has to comply with the GDPR’s principles – including, for example, the obligation to be ‘fair’. Deleting information might be unfair to an individual if it disadvantaged them in some way. It is also important to remember that if your organisation employs another organisation (or self-employed contractor) to process data on your behalf, your organisation is still responsible for the processing. (See chapter 4 for more on this relationship.)
Records that are about more than one individual
Where a record is about a single individual, the situation is usually clear. However, any record, email, photograph or other document may contain information about more than one individual, and in many cases both or all of the individuals will be data subjects. For example, you may provide services to a family rather than an individual. If your records contain information about more than one member of the family, each is likely to be a data subject in and of themselves, with all the rights this involves (as described in chapters 13 and 14). They also have the right to be treated as individuals. Bear in mind too that there may be confidentiality issues (see chapter 15) about sharing information concerning one family member even with another person in the same family. It is also worth paying attention to information you hold about people who might be called ‘secondary data subjects’ – individuals whose data you capture when your focus is on someone else. For example, in a personnel system, your staff will clearly be the main data subjects. However, you may ask them for details of other people, such as next of kin or emergency contacts, who would also most likely be data subjects. Similarly, an email may be about a specific individual but the list of recipients to whom it has been sent may constitute personal data on each of them. (See page 136 for more information on third parties’ data in an HR context.)
The domestic purposes ‘exemption’
The GDPR does not apply to ‘the processing of personal data by an individual in the course of a purely personal or household activity’ (Article 2(2)(c)). This is often referred to as the ‘domestic purposes exemption’, although it technically puts this activity completely outside the scope of the GDPR, rather than being an exemption. Guidance from the Information Commissioner’s Office explains this as follows:
Personal or household activities – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the GDPR.1
Note that it is the purpose that counts. Even if someone were to use their work computer to compile a list of people to invite to a family wedding, it would be outside the scope of the GDPR and the employer would not be responsible for how the data was used. (The employer might have a view on whether this was acceptable use of work equipment and work time, of course.) Meanwhile someone working from home, using their own equipment, could well be processing personal data for which their employer (as the data controller) is responsible.
3 Who is the controller?
Legal responsibility for compliance with the GDPR lies with the controller (sometimes called ‘data controller’). The controller can be penalised if things go wrong. The controller will almost always be an organisation, not individual staff or volunteers.
This chapter:
– explains the GDPR’s definition of a controller;
– explores the implications for an organisation of being a controller.
The controller
The concept of the controller is fundamental. An organisation (or a partnership or individual in the course of business) that controls the processing of any amount of personal data is a controller, must comply with the GDPR in its entirety, and may have enforcement action taken against it if it is in breach. The definition, in principle, is quite straightforward. The controller is whoever decides why and how personal data is to be processed. Article 4(7) of the GDPR gives this definition:
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
If your organisation is unincorporated (e.g. a charitable trust or unincorporated association), it is not a ‘natural or legal person’. However, for most purposes, it is sensible to act as though an unincorporated organisation is itself the controller, although it is the trustees or management committee who are responsible for compliance. Any enforcement action by the Information Commissioner’s Office (ICO) in the case of an unincorporated organisation would have to be taken against the individuals running it. This has indeed happened (before the GDPR came in, under the Data Protection Act 1998), when the management committee of a volunteer-run health clinic that mistakenly revealed the identities of HIV-positive patients in a group email was fined £250.1 If your organisation is unincorporated, it is important that your management committee or trustees are made aware of the potential – however remote – for legal action against them as individuals in the case of a data protection breach. If you are in any doubt about your situation, you should take qualified legal advice. The situation where two or more organisations are joint controllers is discussed on page 15. You should also note that if you outsource any activities that involve the use of (or access to) personal data, you are dealing with a processor (see chapter 4).
The implications of being a controller
The GDPR’s emphasis on accountability means that it is not enough to comply in practice. You also have to be able to show that your compliance is based on clearly documented policies and procedures and that you have records of key decisions and actions. The starting point for a controller is that you must:
– identify all your data subjects and processing activities;
– ensure that you have a sound lawful basis for all your processing;
– ensure that your processing is consistent with all six data protection principles (see page 4).
In practical terms, you are likely to need to do all or most of the following:
– appoint someone to lead on data protection in your organisation (see chapter 5);
– decide how your board of trustees should maintain oversight of your data protection compliance;
– consider whether data protection risks should be included in your risk register (if you have one);
– regularly review your policies that relate to data protection, to ensure that they reflect your current practice as well as developments within the law and its application;
– carry out and document data protection impact assessments to justify your approach where you undertake any processing that poses particular risks (such as processing of special category data, which also requires you to draw up an appropriate policy document (see chapter 7));
– carry out and document a legitimate interests assessment for any processing where legitimate interests is your lawful basis (see chapter 6);
– produce and keep under regular review privacy notices for your different types of data subject, and make sure that these are presented in the most appropriate ways (see chapter 9);
– provide clear guidance and regular training for any of your staff or volunteers who handle personal data as part of their duties;
– keep records of any requests by data subjects to exercise their rights (access to their personal data, erasure, restriction of processing and so on) and your responses (see chapters 13 and 14);
– ensure that your contracts with any data processors are compliant and appropriate (see chapter 4);
– ensure that your agreements with any joint controllers are appropriate (see the following section and chapter 16);
– pay any fee due to the ICO (see chapter 22).
In addition, you must hold certain basic information on:
– the purposes of your processing;
– the types of data subject and personal data you use;
– recipients you will disclose the data to;
– any overseas transfers;
– retention periods, where possible;
– your security measures, where possible (a general description, not the full detail).
Joint controllers and other collaborative situations
Although in many cases it is clear that a single organisation is in complete charge of how certain personal data is processed, there are many other more complex situations. For example, you may organise services or activities jointly with one or more other organisations. Your organisation may collect information about your clients or beneficiaries not for your own purposes but for monitoring by your funder. Your parent body may provide a platform for you to store data about your activities, so that it can produce national statistics. In all these cases and many more, it is essential to be clear about each organisation’s data protection responsibilities. Article 26(1) of the GDPR states that:
[Joint controllers] shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the [required] information.
See chapter 16 for more on working in collaboration with other organisations.
Joint controllers: examples
Harry and Sally are outreach workers from two drug addiction support charities. They decide to organise a one-off conference. Between them they work out what information to collect on the booking form, which details to include in the participants’ list (which will be included in the conference pack) and so on. They do not set up a separate organisation to run the conference, but they agree that the two organisations are likely to be joint controllers with respect to the data they collect.
Brian is a keen member of his local church. Without consulting anyone, he plans to build up a small database on his home computer of people who are likely to help with the annual Christmas Fair. Just in time, he realises that this could make him a controller. He decides it would be better if the church were the controller, so he asks the church to authorise his activities before he starts the project.
A mediation service uses self-employed sessional mediators. The case notes are recorded by the mediators and kept by them. The service knows which clients are on which mediators’ case list but holds no further details. The service has strict rules on confidentiality but makes no other provisions about what information should be recorded or how it should be kept. This raises the possibility that each individual mediator could be the controller for the information they hold. After consultation, the organisation decides that it would be better to issue clear instructions to the mediators about what to hold and how, including rules on security and confidentiality, to make it clear that the organisation is the controller.
Veronica is in charge of fundraising at a large charity. In addition to mailing its previous donors, it has a contract with a specialist telephone fundraising agency which calls people to ask for money. The contract makes it clear that the fundraising agency is a processor (see chapter 4), with the charity remaining the controller.
However, Veronica has also developed a small ‘Friends of the Centenary Project’ group of volunteers. She gives them the names and details of the 500 top donors and says, in effect, ‘Raise as much money from these people as you can, in whatever way you think best.’ On reflection, she realises that in this case the group of volunteers could well be regarded as a controller in its own right. Therefore, she ensures that the group is given sufficient guidance on how to behave and draws up a simple data-sharing agreement between the group and the main organisation. ..............................................................................................................
When might an individual be a controller?

An individual employee is very unlikely to be the controller of personal data that is used by an organisation in the course of its activities. The controller will – in the vast majority of cases – be the organisation itself, with employees acting on the organisation’s behalf. Agency staff or contract workers who are under the direct control of the organisation will often be in the same position as employees for data protection purposes,
16
M1997
Directory of Social Change – Data Protection for Voluntary Organisations 2020
Marlinzo Services, Frome, Somerset
3B2 8.07t/W (Aug 8 2005)
{jobs}M1997 (DSC - Data Protection)/03 DP Chapter 3.3d
Date: 8/12/20
Time 15:03pm
Page 17 of 18
but there may be situations where they are acting as a processor (see chapter 4), in which case their contract must include the provisions required by the GDPR.

The case may be less clear cut when it comes to volunteers. The logical position would be for volunteers to be treated as acting on behalf of the controller, in exactly the same way as employees. This is partly a reflection of the fact that volunteers cannot be processors, because there isn’t (and must not be) any formal contract between them and the organisation they work for. (A volunteer agreement is legally deemed to be binding ‘in honour only’.) For example, the ICO has taken action against organisations that did not adequately train their volunteers.2

Self-employed people are, of course, controllers in their own right for the personal data that they hold for their own business purposes. However, when they process personal data on behalf of a client organisation, they could well be processors (see chapter 4). Where there is a serious possibility of confusion, you may find it worth establishing the situation very clearly on paper – probably through your contract if you are paying people for their services. Again, qualified legal advice is strongly recommended in such cases.

Another – thankfully rare – case is where an individual goes rogue. In Various Claimants v. WM Morrisons Supermarkets Plc (2017), a senior employee with a grudge posted the payroll and other personal details of nearly 100,000 colleagues online.3 His role entitled him to have access to the data on behalf of his employer, but the judge decided that, once the employee had taken control of the data and published it, he had himself become a controller. (See chapter 11 for suggestions on how to protect data and ensure appropriate access by staff and volunteers.)
It is usually not a good idea to call the person in your organisation who takes the lead on data protection compliance a ‘data controller’ as this could easily lead to confusion about where the ultimate responsibility lies. This is covered in more detail in chapter 5.
4 Engaging a data processor

Whenever you engage a person or other organisation to carry out data processing on your behalf, your organisation remains almost entirely responsible for any breach of the GDPR that occurs unless the processor acts against your instructions. It is therefore essential that your contract with any supplier, where part or all of their task is to process personal data on your behalf, is clear, precise and contains all of the provisions required by the GDPR.

This chapter:
- explains the GDPR’s definition of a processor;
- discusses the provisions that must be in a data processor contract;
- explores issues that may arise when you use cloud services as data processors.
What is a processor?

A processor is a company or organisation, or an individual who is not one of your employees or volunteers, that processes data on your behalf. Article 4(8) of the GDPR states:

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processors could, for example, include:
- payroll companies;
- database companies that host your member, client or beneficiary database;
- computer maintenance companies (if they have direct access to your organisation’s personal data);
- web-hosting companies (if your website collects or holds personal data);
- individuals such as freelance photographers (if they photograph individuals);
- marketing and order fulfilment companies;
- external researchers who obtain personal data as part of research you commission;
- companies undertaking secure destruction of your confidential records.
The contract with a processor

Article 28(3) of the GDPR sets out provisions for the contract between a controller and a processor. The key elements for most voluntary organisations include that the contract must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects;
- the obligations and rights of the controller.

While these are the most important things that must be in the contract, Article 28(3) also states that the contract must stipulate that the processor does the following:

(a) processes the personal data only on documented instructions from the controller . . . ;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all [necessary security-related] measures . . . [see chapter 11];
(d) [gets permission before sub-contracting to another processor, imposes all the same obligations on the sub-processor and remains responsible for the sub-processor’s actions];
(e) . . . assists the controller . . . , insofar as this is possible, [in responding] to requests for exercising the data subject’s rights . . . [see chapter 14];
(f) assists the controller [with other obligations including any data protection impact assessment];
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless [applicable] law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with . . . this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
In addition, Article 28(3) states that ‘the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other . . . data protection provisions’.
Article 28 then goes on to make provision for approved codes of conduct and standard contractual clauses, and for extensive written record-keeping by the processor.

The important point in all this is that the controller – your organisation – remains responsible for what happens to the data and remains liable for any mistakes. If you outsourced your payroll, for example, your employees would still quite rightly complain to you if they didn’t get paid because the processor made a mess of the data and sent the money to the wrong bank accounts. You, not the processor, would have to compensate them if they incurred bank charges as a result. Your most obvious remedy would be to seek to include a provision in your contract with the processor for it to reimburse you. Otherwise you would just have to accept your loss as the penalty for choosing a less-than-perfect supplier of payroll services.

Some commercial organisations offering services that mean they are likely to be processors will have incorporated the necessary provisions into their standard contracts. However, it is the controller’s responsibility to ensure that compliant contractual arrangements are in place. Lawyers also recommend that you should undertake sufficient due diligence regarding the processors you engage (e.g. reviewing their data protection and security policies and accreditations, and in some cases asking them to complete data privacy questionnaires) in order to comply with Article 28(1) of the GDPR.
Cloud providers

Your organisation quite possibly uses cloud providers for a wide variety of services, such as running bulk email lists, organising events or conducting online surveys. In many cases these providers are likely to be processors because the personal data involved is controlled by your organisation, for your purposes. (They might independently be controllers in their own right as well if they also use the information for their own purposes.) In effect, you have a contract with them, because you accept their terms and conditions and pay them money for their services. However, this contract may not meet the GDPR’s requirements for a processor contract. Many of these providers have, in fact, gradually realised the implications of European data protection law, and have taken them into account in rewriting their terms and conditions. What you need to do, in theory at least, is to read each set of terms and conditions carefully and decide whether it is compliant before deciding to use that particular service –
given that you are not likely to be in a position to negotiate a bespoke contract. You could also add the issue to your risk register, perhaps, if you think it necessary.
5 Managing data protection

We have looked at the responsibilities of a controller (broadly set out in chapter 3) and the implications of engaging a processor (covered in chapter 4). Your organisation will almost certainly want to designate someone to have oversight of data protection compliance, even if it’s not a major part of their job. However, because data protection has implications throughout the organisation, day-to-day compliance cannot be left to one person. It involves people in many teams incorporating relevant procedures into their routine work.

This chapter:
- explains the situations when an organisation must appoint a formal data protection officer (DPO);
- discusses options for allocating data protection responsibilities, whether or not there is a formal DPO;
- explains the concept of ‘data protection by design and by default’;
- sets out the importance of ‘accountability’ – being able to show what you are doing to comply with your data protection responsibilities;
- considers how your policies and procedures should incorporate measures to support data protection compliance;
- briefly describes how you should respond to a personal data breach.
The data protection officer

Article 37(1) of the GDPR states that certain organisations – ones that are engaged in more risky processing – must have a DPO. Specifically, public bodies must have a DPO in all cases and other organisations must have a DPO where:

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
(See chapter 7 for more on the provisions that Articles 9 and 10 set out for special categories of data and criminal convictions and offences.) In such circumstances, organisations must also give the DPO the authority to carry out their job and the DPO must be suitably qualified. Article 37(5) states: The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Article 38 makes a number of provisions about involving the DPO in decisions, giving them support and ensuring their independence, while Article 39(1) sets out their role in more detail:

The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller . . . and the employees who carry out processing of their [data protection] obligations . . . ;
(b) to monitor compliance with [data protection legislation and the organisation’s data protection policies], including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance . . . ;
(d) to cooperate with the [Information Commissioner’s Office];
(e) to act as the contact point for the [Information Commissioner’s Office] on issues relating to processing, . . . and to consult, where appropriate, with regard to any other matter.
This is clearly a substantial post requiring a well-trained professional. Few voluntary organisations, however, are likely to meet the criteria for having to appoint a DPO although those working in the field of health, for example, may need one.
Who should be in charge of data protection?

Even if you are not required to appoint a formal DPO, with all the specific duties set out by the GDPR, you should seriously consider giving someone in your organisation a remit to oversee and take charge of your data protection compliance. This person should be at the appropriate level in the organisation and have the necessary authority to ensure all relevant measures are put in place. Their duties could include:
- ensuring that all of the controller obligations set out in chapter 3 are being met in an appropriate way;
- briefing the board of trustees and senior managers on data protection developments, both within the organisation and in general;
- carrying out or arranging induction and training on data protection for staff and volunteers (including trustees);
- liaising with the Information Commissioner’s Office (ICO) as necessary (see chapter 22);
- carrying out or overseeing the organisation’s response to requests by data subjects to exercise their rights (see chapter 14);
- signing off the data protection elements in contracts with any data processors (see chapter 4);
- maintaining records to demonstrate compliance with the GDPR.
Because of the specific nature of the role set out in the GDPR, it is probably unhelpful to give the title of DPO to anyone whose position doesn’t meet the criteria in Article 37. Doing so could lead people to assume that they have all the qualifications, roles and responsibilities set out in Article 38 when, in fact, their position and level of accountability might be less onerous. Similarly, people outside the organisation might be misled by the name and assume they are dealing with a specially trained professional. Designations such as ‘data protection lead’ or ‘data compliance manager’ may be more suitable and less prone to confusion.

As well as there being a data protection lead, managers and team leaders should have responsibility for the detail of data protection compliance within their respective areas. Chapters 17 to 20 look at specific issues that are likely to arise in service delivery, fundraising and marketing, HR and volunteer management, and IT. Those managing these areas will have insight into the implications of the decisions the organisation needs to make in order to comply with data protection requirements. They will also be able to make appropriate judgements, with the assistance of the data protection lead if necessary.
Data protection by design and by default

Data protection has never been something that can be ‘bolted on’ afterwards. It has to be part of the way you work, and your processes and procedures have to be designed to ensure that this happens. The GDPR was the first European data protection legislation to make this an explicit legal requirement: Article 25 devotes three paragraphs to explaining what the GDPR means by ‘data protection by design and by default’. This is why some of the responsibility should lie with operational teams. Everyone who starts a new project or sets up a system or a process must
ensure that they incorporate data protection as a matter of course. Consideration of the data protection implications should be a standard check point before any project or system is signed off.
Accountability

Accountability is described by the ICO as – in effect – a seventh data protection principle. This means that you must not only do the right thing; you must be able to show that you are doing it. You should therefore keep records of key decisions and actions, including:
- discussions and decisions about data protection at the level of the board of trustees;
- policies and procedures that contribute to data protection compliance;
- any legitimate interests assessments or data protection impact assessments that you have carried out (see chapter 6);
- induction and regular training of staff and volunteers;
- your management of and response to the exercise of rights by data subjects (see chapter 14);
- any personal data breaches and your response, whether or not they reach the level of seriousness that requires reporting to the ICO (see page 28).

These records should be kept systematically, so that they can be referred to or produced when required. They should also be reviewed at appropriate regular intervals.
Policies and procedures

Among the documentation you create to demonstrate your compliance, there will inevitably be policies and a range of other materials. Most organisations find they need a stand-alone data protection policy, which could include matters such as:
- a general commitment to good data protection practice;
- allocation of responsibilities to the data protection lead, as outlined above;
- allocation of responsibilities to managers and team leaders for data protection in their area of work, including development of appropriate procedures as well as induction and training of their staff (including volunteers);
- an obligation on all staff (including volunteers) to follow policies and procedures on data protection and to report breaches (see the following section).
Details of your processing activities probably do not need to be repeated in your data protection policy. Your privacy notices (see chapter 10) are likely to be more appropriate places for these activities to be documented.

Alongside your data protection policy will almost certainly be other policies that interact with it, such as ones on confidentiality (see chapter 15) and IT use and security (see chapters 11 and 20). It is important to consider these as an integrated, cohesive package, to avoid any gaps or contradictions.

Most procedures relating to data protection should be embedded into general operating guidance, following the requirement for data protection to be by design and by default, rather than as separate documents. You may, however, feel the need for separate procedures on some matters specific to data protection, such as handling data breaches (see the following section) and data subject access requests (see chapter 14). Since these are rare occurrences, it may be sufficient to describe the procedures in outline, with a commitment to follow current guidance from the ICO should the need arise. However, it is best practice to have written procedures in place, especially in larger organisations.
Breach reporting

Article 4(12) of the GDPR defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. It does not, therefore, cover all data protection breaches, such as sending marketing to someone who has opted out. It is important to recognise that the only legal requirement is to report security breaches (although there may be cases where you decide to report other breaches, particularly ones likely to result in complaints to the ICO). The ICO’s guidance quotes Recital 85 of the GDPR, which states:

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
The ICO’s guidance further states that: a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience . . . Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.1
Reporting breaches to data subjects

Article 34(1) of the GDPR provides that, in addition to considering whether the breach merits a report to the ICO (see below), you must inform affected people if there might be serious consequences for them:

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
In some situations there may be particular urgency in providing information to people affected, for example when there is remedial action they can take, such as changing their passwords. You must, however, be sure that you have investigated thoroughly so that you understand the nature and extent of the breach and can give the affected individuals accurate and helpful information. The ICO can compel you to inform individuals if you have not done so where necessary.
Reporting breaches to the Information Commissioner’s Office

Article 33(1) of the GDPR requires that any personal data breach must be reported to the ICO within 72 hours, ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’. Your agreements with data processors should include a clause requiring them to inform you immediately – or in any event within 24 or 48 hours of them becoming aware of a breach. This is because your organisation, as the controller, remains responsible for making the report to the ICO within the 72 hours. A breach may in some cases also constitute a ‘serious incident’ that must be reported to the Charity Commission. The ICO provides guidance on breach reporting along with resources for making a report.2 See the box at the end of the chapter for information on the key steps you should take in the event of a breach.
Encouraging reporting within your organisation

Meeting these reporting requirements can be a challenge if your staff are reluctant to report breaches for fear of the consequences for them and their career. The longer it takes before a breach is reported internally, the harder it becomes to take remedial action to minimise any harm, quite apart from the need to meet the 72-hour deadline. It may therefore be advisable to make it clear that, while anyone can make a mistake, failing to report a breach immediately is the worst thing a staff member or volunteer can do. People must be in no doubt about their responsibilities or about how to report a breach internally, including for incidents that come to light outside normal working hours. The 72-hour time limit is 72 hours, not 72 working hours. It is worth extending this obligation on staff and volunteers to include reporting of potential breaches and near misses where a breach is narrowly prevented, as these can provide valuable learning opportunities.
Breach checklist

In the event of a breach, your actions should include the following, probably in this order:
- Immediately assess the scale and nature of the breach.
- Ensure that the breach is not still occurring.
- Take any immediate mitigating action that may reduce the impact of the breach.
- Report the breach to the ICO and any potentially affected individuals, if required.
- Take longer-term action to mitigate any effects of the breach.
- Ensure that, after the event, a review takes place to identify lessons you can learn and changes you can make.
6 Determining your lawful basis for processing personal data

Everything your organisation does with personal data must have a recognised lawful basis. In some cases the lawful basis will be fairly obvious; in others you may have to make a decision on which lawful basis is most appropriate.

This chapter:
- discusses issues that might arise in determining which of the six lawful bases of the GDPR is applicable;
- considers in detail how to decide between consent and legitimate interests as the appropriate lawful basis.
The six lawful bases

The full text of the six possible lawful bases specified in the GDPR is set out in Article 6(1) as follows:

Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
When the GDPR was under discussion at the European level, some commentators argued that it was flawed and problematic on the grounds that it would require consent extensively and disproportionately. This is not necessarily the case. Although consent is stated first, the list is not hierarchical; each lawful basis is as valid as any other, and it is a matter of determining which is most appropriate in any particular situation. You may have noted that in each of the lawful bases – apart from consent – the word ‘necessary’ appears. Whenever processing can be justified as necessary, consent is unlikely to be the only appropriate basis. You may, of course, choose to base your processing on consent as a matter of policy, even if another lawful basis is available. Once you have found a clear lawful basis for any particular instance of processing, you do not have to consider any others. Although there are situations where more than one might apply, it is very unlikely that consent would ever be used alongside one of the other lawful bases. As will be explained in chapter 7, consent may also be required where you are processing ‘special category data’ or where you are marketing by phone, email or text message.
The more straightforward lawful bases
For most voluntary organisations, the easiest situations to resolve are likely to be where the lawful basis should be (b) contract or (c) legal obligation. These two will cover much, but not necessarily all, of the processing associated with employment and with any kind of trading (including membership and paid-for events). (See chapters 17 to 20 for more on the use of particular lawful bases in specific areas of your work.) Lawful basis (d) vital interests is designed primarily for emergencies and should not be used routinely. Guidance from the Information Commissioner’s Office (ICO) indicates that ‘vital interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.’1 Note that the ‘interests’ here are those of the data subject(s), not of the controller.
Lawful basis (e) public functions is almost always relevant only to public authorities, although there may be rare cases where voluntary organisations carry out public functions on behalf of a public body. You should seek appropriate advice if this situation appears to apply to your organisation.
Legitimate interests
One of the big dilemmas for many voluntary organisations is establishing whether basis (f) legitimate interests is an appropriate lawful basis, if (b) contract or (c) legal obligation do not apply. The alternative, if legitimate interests cannot be used as the lawful basis, is to ask for consent (or, of course, to choose a different course of action that modifies how the data is used or does not require data processing at all). This dilemma arises particularly often in the case of marketing and fundraising (see chapter 18). The ICO’s useful guidance on legitimate interests was not produced quite soon enough to entirely quash the spread of misinformation about consent. However, it does make clear that there is nothing inherently wrong with considering legitimate interests as a lawful basis. The ICO’s guidance states:
Legitimate interests is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing. . . . Legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified.2
In many cases – but not necessarily all – voluntary organisations are likely to find that processing of personal data where it is an essential part of carrying out their core purpose(s) is not difficult to justify under the legitimate interests lawful basis. Examples might include: records of members’ contact details and membership fees; client case records; records of bookings for an event. However, the following subsections explore some additional aspects to bear in mind. Don’t forget, too, that consent might be required because you are processing special category data (see chapter 7) or carrying out direct marketing by phone, email or text message.
Legitimate interests assessments
The definition of legitimate interests contains three elements. All must be satisfied in order for this to be the basis of processing:
You must be able to show what your interest is, and that it is legitimate.
You must be able to show why the processing is necessary in pursuing the interest.
You must carry out a balancing test, to confirm that the data subject(s) do not have any rights or interests that should outweigh yours.
The process of checking that you meet all three requirements is known as a legitimate interests assessment (LIA). Your assessment should involve the following steps:
Describe what you intend to do.
Set out and analyse the risks that your processing might engender.
Consider any mitigating measures that you could take to reduce the risks, including informing data subjects and either asking for consent or giving them some control over what you do.
Indicate whether, on balance, continuing with the proposed processing would comply with GDPR.
When considering potential risks to data subjects, bear in mind the guidance from the ICO:
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.3
When you have carried out your assessment, you should document it carefully, so that it is clear that you have given it serious consideration and that your conclusions can be justified. You may find it helpful to use the template provided on the ICO’s website.4
Opt-outs
As an additional safeguard, you may want to consider offering data subjects an opt-out. (In some cases, you must do this – for example, in order to comply with the Code of Fundraising Practice when sending direct marketing.5) It will not always be possible to provide an opt-out, if your legitimate interests mean that there is absolutely no choice. However, in other cases the decision you make as a result of your LIA might hinge on whether your interests outweigh the data subjects’ interests. An opt-out gives them the opportunity to indicate that they do not think your interests outweigh theirs. Note that data subjects have a right to object to their data being processed if your lawful basis is legitimate interests, unless you have a compelling reason to continue with the data processing. See chapter 13 for more information.
Reasonable expectations
If you conclude that you can base your processing on legitimate interests, you should also note the ICO’s reference, in one of the passages quoted above, to what a data subject might ‘reasonably expect’. Reasonable expectations is a concept used several times in the GDPR recitals. Put yourself in the position of a typical data subject and consider whether you are proposing to act in a way that they would recognise as reasonable. You may be able to add further clarification in your communications with them in order to set out what they should expect.
Consent
The GDPR requires consent to be genuine. Article 4(11) defines consent as:
any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
This definition is significantly stricter than that in the Data Protection Act 1998, because of the addition of the term ‘unambiguous’ and the emphasis on ‘a statement or . . . clear affirmative action’. This is reinforced by Recital 32, which states that: Silence, pre-ticked boxes or inactivity should . . . not constitute consent.
In order to support this, Article 7 includes additional requirements which must also be given very careful consideration:
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (Article 7(1))
[A] request for consent must be presented in a manner which is clearly distinguishable from . . . other matters, in an intelligible and easily accessible form, using clear and plain language. (Article 7(2))
The data subject shall have the right to withdraw his or her consent at any time. (Article 7(3))
When assessing whether consent is freely given, utmost account shall be taken of whether . . . a contract . . . is made conditional on [consent to processing] that is not necessary for the performance of that contract. (Article 7(4))
These provisions are quoted here extensively, because they have clearly been very carefully drafted and every word is important. In addition to making consent ‘clearly distinguishable’ from other matters, the GDPR expects consent itself to be ‘granular’ (this term does not appear in the GDPR itself but is used extensively in the ICO’s guidance; see also Recitals 32 and 43 of the GDPR). This means that you cannot bundle different things together and ask for consent for all of them at once. The outcome is that, in seeking consent, you must do the following:
Offer the data subject a genuine choice, not tied into them accepting something else. While you would presumably prefer them, in many cases at least, to give consent, you must be happy to live with the consequences if they say no, either at the outset or if they change their mind later on.
Offer the data subject a clear choice to opt in, separating out different issues as much as possible and explaining properly what they are letting themselves in for.
Keep a record of who gave consent, when, how and exactly what for.
It is very rarely appropriate to seek consent for holding data (and probably unfair to say something like ‘by completing this application you consent to us holding the data for [whatever purpose]’). Once you have had some involvement with people, you are likely to have a legitimate interest in keeping a record of that involvement (except in very simple cases, such as when someone wants to be removed from a mailing list). However, seeking consent to use data in particular ways, and especially to share or disclose data, may well be appropriate.
It is also important to distinguish between consent to receive a service or intervention, and consent relating to the data generated by that activity. Take, for example, a home visiting service. You might ask your clients or beneficiaries whether they would like someone to visit them once a week. If they consent, they will receive visits. If they then change their mind, the visits will stop. However, your records will still show that they were visited a number of times, and you may very well conclude that retaining this information is on the lawful basis of your legitimate interests (for example, accounting for the time spent by volunteers or reporting on their activity). You may also need to keep records in case any questions arise in the future about the service you delivered.
Confusion between consent and other lawful bases
Consent from data subjects has, quite rightly, received prominent attention in the context of the GDPR. This has, however, led to a widespread belief that consent is somehow ‘better’ than any of the other lawful bases, or even that consent is always required. It is worth clarifying that this is not the case. You must ensure in particular that staff and volunteers whose role involves obtaining personal data from clients, beneficiaries, members, customers or other individuals understand your organisation’s decisions on when to seek consent, and precisely what for. This will also enable them to be clear about whether data subjects have the right to prevent the further use of their data by withdrawing their consent or whether their right to prevent the use of their data is more limited. The chart below may help to illustrate the relationship between consent and legitimate interests.

Choosing between consent and legitimate interests
Legitimate interests route:
Carry out a legitimate interests assessment (the three-stage test).
If the outcome is OK: consider whether to offer an opt-out, and set expectations through a clear privacy notice.
If the outcome is not OK: move to the consent route.
Consent route:
Ask properly for an unambiguous opt-in.
Keep records to ‘demonstrate’ that you have consent.
7 Special category data
The question of consent is of prime importance if you wish to process special category data. However, there are provisions for using special category data without consent, particularly where it would be to the significant benefit of the data subject. This chapter:
examines the risks involved with processing special category data;
looks at what constitutes valid consent;
considers the situations where it is possible to process special category data without consent.
Consider the risks
You can never assume that any particular data is risk free. For example, for most people, disclosure of their residential address does not pose significant risks. However, there is always the possibility, however remote, that someone could be at grave risk from a person who wishes them harm, in which case the disclosure of their address could be disastrous. Some types of personal data, however, are much more likely to pose a risk if they are misused or fall into the wrong hands, and therefore can be processed only with additional safeguards. Special category data is a slightly expanded version of what used to be called ‘sensitive personal data’ under the Data Protection Act 1998 (DPA 1998). The new terminology is probably better, as it avoids possible confusion with data that doesn’t fall within the criteria but about which a data subject might feel sensitive. The GDPR lists the following details about data subjects as special categories:
racial or ethnic origin;
political opinions;
religious or philosophical beliefs;
trade-union membership;
genetic data;
biometric data for the purpose of uniquely identifying a natural person;
data concerning health;
data concerning a natural person’s sex life or sexual orientation.
Note that a person’s criminal record (offences, alleged offences, court appearances, etc.) is not special category data (the GDPR deals with criminal conviction and offence data separately, in Article 10), although it was in the list of ‘sensitive data’ in the DPA 1998. However, under the Data Protection Act 2018 (DPA 2018), the UK has made provision for criminal record data to receive the same additional protection as special category data, and the provisions discussed below for processing special category data without consent apply equally to criminal record data. All references to special category data in this chapter should therefore be taken to include criminal record data.
It is central to the work of many voluntary organisations that they will wish to process special category data about their beneficiaries or clients. The GDPR makes it possible to process special categories of data where it is appropriate, but you should always first consider whether you really need to use special category data, given the potential risks that it introduces. Article 9 of the GDPR starts by stating bluntly that the processing of special category data is prohibited, but then goes on to set out a number of situations in which the prohibition is lifted. This makes for what can be a complex situation. You must review the conditions that allow the processing of special category data carefully to ensure that they apply to your situation. It is also necessary to remember that in every case you must also meet one of the six regular lawful bases described in chapter 6, in addition to meeting the conditions for processing special category data.
Consent
The first situation where processing special category data is allowed is where the data subject has given their explicit consent. The difference between ordinary consent and explicit consent is, as the Information Commissioner’s Office (ICO) guidance acknowledges, not very clear.1 However, the guidance suggests that in order to be explicit, the consent should be confirmed by a statement which the data subject has to acknowledge (for example, by ticking a box or signing). Such a statement could be something like:
☐ I consent to the use of [this data] for [this purpose].
The guidance suggests that you cannot assume consent, even from an action that appears to imply consent. For example, if you are collecting monitoring data (and if you cannot do this anonymously), it is not sufficient to say at the start of the form that completion is optional, nor merely to include a ‘Prefer not to say’ option for each question (although this is certainly worth doing). You must offer a clear invitation to give consent. This means that if someone completed a paper version of a form but did not give consent, your only course of action would be to destroy the response immediately. If you were using an electronic means of submission, you would need to set it up so that the form could not be submitted at all unless the person ticked the box to give their consent, and to explain that submitting the form is not required. Clearly, obtaining explicit consent would also satisfy the normal consent lawful basis.
Processing special category data without consent
The situations where special categories of data may be processed without consent are set out in Article 9(2) of the GDPR, as follows:
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law [with caveats];
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim [in the course of its legitimate activities with appropriate safeguards] and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest [expanded on below];
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services [with caveats];
(i) processing is necessary for reasons of public interest in the area of public health [with examples and caveats];
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes [with caveats].
As can be seen, even without the caveats these provisions are complex. Most of the caveats refer to the processing being carried out under appropriate law, and a large proportion of the DPA 2018 is taken up with the UK government’s implementation of the details. For more on (b) employment and (h) occupational health see chapter 19. Condition (e) manifestly made public needs little comment. However, note that this must be by the data subject. If someone is ‘outed’ on social media in relation to any special category data, that information must not be reused, even though it may now be in the public domain. Condition (f) legal claims appears self-explanatory, while condition (i) public health is less likely to be relevant to most voluntary organisations. These are therefore not discussed further.
Vital interests – condition (c)
This is a much stricter definition than the standard vital interests lawful basis in Article 6(1)(d), because it can only apply if the data subject is incapable of giving consent. The standard vital interests condition might be met if it were in some way inappropriate to seek consent, even if the data subject were capable of giving it. Note also that different parts of the same record may rest on different bases: for example, you might obtain someone’s address (which is not special category data) on the basis of your legitimate interests but rely on consent for collecting their health data (which is special category data). If your processing meets the special category condition, it is likely that the standard lawful basis of vital interests will also be met.
Not-for-profit bodies – condition (d)
This condition is restricted to political parties, trade unions, and philosophical or religious bodies. It does not extend to other not-for-profit bodies. This is a narrower definition than the similar provision in the DPA 1998.
Substantial public interest – condition (g)
As permitted by the GDPR, the DPA 2018 sets out (in Schedule 1, Part 2) the situations where it may be in the ‘substantial public interest’ for processing of special category data to take place without consent. The full list is given here, although many of these are not relevant, or unlikely to be relevant, to voluntary organisations. Those that are most likely to be relevant are starred and discussed further in the subsections below:
Statutory etc and government purposes
Administration of justice and parliamentary purposes
Equality of opportunity or treatment*
Racial and ethnic diversity at senior levels of organisations*
Preventing or detecting unlawful acts*
Protecting the public against dishonesty etc
Regulatory requirements relating to unlawful acts and dishonesty etc
Journalism etc in connection with unlawful acts and dishonesty etc
Preventing fraud
Suspicion of terrorist financing or money laundering
Support for individuals with a particular disability or medical condition*
Counselling etc*
Safeguarding of children and of individuals at risk*
Safeguarding of economic well-being of certain individuals*
Insurance
Occupational pensions
Political parties
Elected representatives responding to requests
Disclosure to elected representatives
Informing elected representatives about prisoners
Publication of legal judgments
Anti-doping in sport
Standards of behaviour in sport
You should note that in each of the substantial public interest cases, the DPA 2018 specifies that the condition may only be relied on if the controller has an ‘appropriate policy document’ in place (Schedule 1, paras 5 and 38–41). This document must justify your use of special category data and, in particular, make sure that you don’t keep it for longer than is absolutely necessary. Your policy document must set out how you are going to comply with the GDPR’s principles (see chapters 8 to 11) while using the special category data. It must also explain your policy on how long you will keep the data.
You must retain the policy document until six months after you have stopped processing the data, keep it up to date and provide a copy to the ICO on demand. You must also keep a record describing:
which condition you are relying on;
which of the Article 6 lawful bases your processing relies on;
whether you retain and erase the personal data in accordance with your policies on retention and erasure (and, if not, why you do not follow those policies).
Equality of opportunity or treatment
As set out in Schedule 1, paragraph 8(1) of the DPA 2018, you are allowed to process special category data for the purpose of monitoring the ‘existence or absence’ of equal opportunities and treatment. However, this does not include making any decisions about individuals or taking action in respect of individuals based on the special category data. You are therefore allowed to collect and analyse data for monitoring purposes, but not to use that data in order to select individuals for a programme aimed at overcoming their disadvantage. Schedule 1, paragraph 8(4) further specifies that you must not do anything to cause ‘substantial damage or substantial distress’ to any individual. You must also stop using a person’s data for monitoring purposes within a reasonable time frame if they tell you to in writing.
Racial and ethnic diversity at senior levels of organisations
This provision (in Schedule 1, paras 9(1)(b), (c) and (d) and para. 9(2)(b) of the DPA 2018) allows you to use personal data revealing racial or ethnic origin as ‘part of a process of identifying suitable individuals to hold senior positions’ if it is necessary for the purposes of ‘promoting or maintaining diversity’ and can ‘reasonably be carried out’ without consent, as long as you are not ‘aware of the data subject withholding consent’. (Withholding consent must be active; failing to respond to a request for consent does not count.) Again, you must not do anything to cause ‘substantial damage or substantial distress’ to any individual. In relation to voluntary organisations, ‘senior positions’ would include trustees or directors and senior managers, whether in a particular organisation, a type of organisation or organisations generally. If you intend to use this provision, you may wish to consult the full detail in the DPA 2018 (Schedule 1, para. 9).
Preventing or detecting unlawful acts
This provision is satisfied if the processing is necessary for the purposes of the prevention or detection of an unlawful act; must be carried out without the consent of the data subject so as not to prejudice those purposes; and is necessary for reasons of substantial public interest. (‘Prejudice’ is used in the legislation to mean ‘interfere with’.) If the processing consists of the disclosure of personal data to a competent authority (such as the police) or is carried out in preparation for such disclosure, you do not have to have a policy document in place. In many situations you would be able to ‘prevent or detect unlawful acts’ without using special category data, and it is hard to envisage situations where many of the special categories could be relevant. One that might be applicable is biometric data. For example, this could be used (without consent) to determine that a particular person had used fingerprint recognition to access a certain location at a specified time, or to bar someone from accessing sensitive material or systems that could allow them to take unlawful action. If the ‘unlawful act’ involves fraud, terrorism or money laundering, you may also wish to check Schedule 1, paragraphs 14 and 15 of the DPA 2018.
Support for individuals with a particular disability or medical condition
This provision is available only to not-for-profit bodies that provide support for people with a particular disability or medical condition and when the processing is necessary to raise awareness of the condition, provide support directly or enable individuals to support each other. You must be able to show that it is reasonable not to have consent, and you must not be aware that the data subjects have withheld consent (as for the racial and ethnic diversity provision). This provision does not apply to all special category data – just to racial or ethnic origin, genetic data, biometric data, data concerning health, and data concerning an individual’s sex life or sexual orientation. The individuals whose data you are processing must be (or have been) a member of your organisation because they have or have had the condition, or face a significant risk of developing it, or be a family member or carer of such an individual. This provision is more likely to apply to small mutual support organisations than to large service delivery ones, whose service users or supporters are less likely to meet the narrow criterion of being members.
Counselling etc
To satisfy this provision, the processing of special category data must be necessary for the purposes of confidential counselling, advice or support or another similar service provided confidentially. It may only be carried out without the consent of the data subject for one of the following reasons:
In the circumstances, consent to the processing cannot be given by the data subject;
In the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing; or
The processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service.
For example, one or more of these provisions would appear to cover a situation where the personal data concerned is not that of the person being counselled but of a person they may want to discuss in the course of the counselling.
Safeguarding of children and of individuals at risk
This provision (outlined in Schedule 1, para. 18 of the DPA 2018) applies where an individual is either aged under 18 or aged over 18 and at risk. ‘At risk’ means that you have ‘reasonable cause to suspect’ that the over-18 individual:
(a) has needs for care and support,
(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
The processing must be necessary for the purposes of ‘protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of an individual’. You must also have a good reason for not seeking consent (in exactly the same way as in the case of counselling above).
Safeguarding of economic well-being of certain individuals
Schedule 1, paragraph 19 of the DPA 2018 states that this provision applies to anyone aged over 18 who is ‘less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability’. You may process data about their health (but not other special categories) if it is necessary to protect their economic well-being and if you have a good reason for not obtaining consent (that is, if you can satisfy one of the same three reasons set out under ‘Counselling etc’ above).
Archiving, research and statistics – condition (j)
The entry in Schedule 1 of the DPA 2018 relating to the use of special category data for archiving, research and statistics specifies that the processing must be ‘necessary’ and ‘in the public interest’, and that it must comply with Article 89(1) of the GDPR. This article essentially states that research should be based on data that is anonymous wherever possible, and using no more personal data than necessary. It draws attention to the concepts of data minimisation and pseudonymisation. Section 19 of the DPA 2018 adds that you must not carry out research that is ‘likely to cause substantial damage or substantial distress to a data subject’ or take ‘measures or decisions with respect to a particular data subject’ except in the case of approved medical research.
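The data minimisation and pseudonymisation that Article 89(1) calls for can be put into practice in the extract that leaves your operational system. The following is an added example written for this guide, not code from the book or from any organisation it mentions. It assumes a small set of constructed service-user records (fictitious people), strips the direct identifiers, replaces the e-mail address with a keyed hash (HMAC-SHA256) so that the same person is counted once across extracts, and checks the extract before release. The key used to create the pseudonyms is the safeguard: it is held by the controller, separately from the extract, so the researcher cannot reverse or recreate the pseonyms.

```python
import hashlib
import hmac

# Constructed sample service-user records (fictitious people). The
# operational system holds direct identifiers; the research extract must not.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "postcode": "BA11 1AA",
     "condition": "asthma", "year_joined": 2018},
    {"name": "B. Example", "email": "b@example.org", "postcode": "BA11 2BB",
     "condition": "diabetes", "year_joined": 2019},
    # The same person appearing again (e.g. in a later extract); the
    # pseudonym must be stable so they are not double-counted.
    {"name": "A. Example", "email": "A@Example.org", "postcode": "BA11 1AA",
     "condition": "asthma", "year_joined": 2018},
    {"name": "C. Example", "email": "c@example.org", "postcode": "BA11 3CC",
     "condition": "asthma", "year_joined": 2020},
]

# Fields that identify a person directly and must be stripped (data minimisation).
DIRECT_IDENTIFIERS = ("name", "email", "postcode")
# The only fields the statistical question actually needs.
RESEARCH_FIELDS = ("condition", "year_joined")


def pseudonym(email: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier.

    The key stays with the controller, held apart from the research
    extract, so someone holding only the extract cannot reverse the
    pseudonym or rebuild it by hashing guessed e-mail addresses.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Produce the research extract: a stable pseudonym plus the minimised fields."""
    extract = []
    for rec in records:
        item = {"pid": pseudonym(rec["email"], key)}
        for field in RESEARCH_FIELDS:
            item[field] = rec[field]
        extract.append(item)
    return extract


def leaks_identifiers(records) -> bool:
    """Release check: True if any direct identifier is still present."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


def people_per_condition(extract):
    """Count distinct people (not rows) per condition, using the pseudonym."""
    people = {}
    for rec in extract:
        people.setdefault(rec["condition"], set()).add(rec["pid"])
    return {condition: len(ids) for condition, ids in people.items()}


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-this-separate"  # placeholder key
    extract = pseudonymise(SAMPLE_RECORDS, demo_key)
    assert not leaks_identifiers(extract)
    print(people_per_condition(extract))
```

Because the pseudonym is keyed, changing the key produces an unrelated set of pseudonyms; if the key is ever lost the extract can no longer be linked back, which is the intended property when the data is only needed for statistics.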
8 The six data protection principles
Once you have established your lawful basis (see chapter 6) for processing data (including one of the additional conditions for processing special category data if necessary; see chapter 7), everything that you do from that point on must comply at all times with the six data protection principles. These are the core of the GDPR, and following the principles should become instinctive for you and your colleagues whenever personal data is being processed.
This chapter:
• sets out the six data protection principles;
• examines the implications of the principles for your day-to-day work.
If you were familiar with the previous Data Protection Act 1998 (DPA 1998), you may remember that there were eight data protection principles. The change in the GDPR is presentational rather than fundamental. There is a small difference in the wording of the third principle, while the sixth (respect for data subject rights) and eighth (limitations on transfers abroad) principles in the DPA 1998 are omitted from the GDPR’s principles but there are very similar provisions elsewhere in the GDPR.
What do the principles say?
The text of the six principles is set out in Article 5(1) of the GDPR. Although each stands alone, they can be subdivided into groups for the purposes of this discussion.
First two principles: lawfulness, fairness and transparency, and purpose limitation
The first two principles state that personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
This means that before you start processing data, you must know what purpose or purposes you are going to use it for, and then restrict its use accordingly. These purposes must be lawful (which includes having a lawful basis) and you have to be fair to people. Fairness isn’t defined in the GDPR, but you can use its generally understood meaning – put yourself in the position of the data subjects and decide whether you would regard the processing as fair.
The biggest change under the GDPR is the much greater emphasis on genuine transparency. The list of information that must now be available to data subjects is lengthy (see page 58) and the GDPR is very particular about what must be included. The list must be followed even if it means telling people things you might prefer not to disclose – such as if you are sharing data with other organisations or using it for additional purposes (i.e. ones that are not an intrinsic part of the main reason for you obtaining the data).
In most cases it is unrealistic to provide all of this information in full every time data is obtained, so a ‘layered’ approach is required. A full privacy notice should be available on request or to download, and probably provided to people as part of a welcome pack or similar. Meanwhile, shorter notices should give key information and options at each point of data capture.
Although this may seem like a tedious exercise, it is well worth putting the effort into compiling and making good use of both the full privacy notice and the shorter statements. Doing so will help you to avoid the obvious difficulties that can arise if people find out that you are doing things with their data that they have not been told about and are not happy with.
Chapter 9 explores these first two principles in more detail.
Third, fourth and fifth principles: data minimisation, accuracy and storage limitation
These principles state that personal data must be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed . . . (‘storage limitation’).
These principles concern data quality. Although the GDPR encapsulates the third principle as ‘data minimisation’, that is a bit misleading. The principle is about holding the appropriate data for your purpose – certainly not too much and not for too long, but also not too little. Accuracy needs little comment. It goes without saying that the data you hold should be fit for purpose, and your existing processes for ensuring data quality are unlikely to need much change. However, the importance of data quality must not be overlooked. If you make the wrong decision or take the wrong action because you are relying on inaccurate or out-of-date information about an individual, the consequences – for them and for your organisation – could be extremely serious. One of the new transparency requirements is that you must now provide information about how long you will hold the data you obtain. It is therefore usually worth compiling a full data retention schedule, setting out how long different classes of data are held and why each retention period has been set. You are allowed to keep information for archiving, scientific or research purposes, subject to certain safeguards, even when you have finished using it for its original purpose. Chapter 10 explores these three principles further.
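A data retention schedule of the kind described above is easier to apply consistently when it is written down in a form that can be checked against your records. The following is an added example for this guide, not code from the book or from any organisation it mentions. It assumes a constructed schedule (the classes of data, the periods and the reasons are illustrative placeholders, not recommended periods) and a few constructed records, and it does three things: works out each record’s deadline from its last activity date, reports whether the record should be kept, reviewed, or erased or anonymised, and renders the schedule as the lines you would state in a privacy notice. A class with no fixed period stands in for data kept for archiving or statistics under safeguards.

```python
from datetime import date

# Constructed retention schedule. The classes, periods and reasons are
# illustrative placeholders for an organisation's own schedule.
RETENTION_SCHEDULE = {
    "donation_record": {"years": 6, "reason": "kept with the financial records (constructed example period)"},
    "event_attendee": {"years": 1, "reason": "no ongoing relationship once the event has passed"},
    "mailing_list": {"years": 2, "reason": "treated as lapsed after two years without engagement"},
    # No fixed period: kept for archiving/statistics subject to safeguards.
    "research_archive": {"years": None, "reason": "archiving and statistical purposes, with safeguards"},
}

# Constructed records; 'last_activity' is the date the retention clock starts from.
SAMPLE_RECORDS = [
    {"id": "r1", "class": "donation_record", "last_activity": date(2014, 6, 1)},
    {"id": "r2", "class": "event_attendee", "last_activity": date(2020, 3, 1)},
    {"id": "r3", "class": "mailing_list", "last_activity": date(2020, 11, 20)},
    {"id": "r4", "class": "research_archive", "last_activity": date(2015, 1, 1)},
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2021, 1, 15)


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record, schedule=RETENTION_SCHEDULE):
    """Date from which the record must be erased or anonymised (None = no fixed limit)."""
    years = schedule[record["class"]]["years"]
    if years is None:
        return None
    return add_years(record["last_activity"], years)


def review_records(records, today: date, schedule=RETENTION_SCHEDULE, warn_days: int = 90):
    """Decide an action for each record against the schedule.

    Actions: 'keep', 'review' (deadline within warn_days), 'erase or anonymise'
    (deadline reached), or 'retain (archive)' for classes with no fixed period.
    """
    results = []
    for rec in records:
        deadline = retention_deadline(rec, schedule)
        if deadline is None:
            action = "retain (archive)"
        elif today >= deadline:
            action = "erase or anonymise"
        elif (deadline - today).days <= warn_days:
            action = "review"
        else:
            action = "keep"
        results.append({"id": rec["id"], "class": rec["class"],
                        "deadline": deadline, "action": action})
    return results


def schedule_for_privacy_notice(schedule=RETENTION_SCHEDULE):
    """One line per class stating the retention period and its reason."""
    lines = []
    for cls, rule in schedule.items():
        if rule["years"] is None:
            period = "no fixed period"
        else:
            period = f"{rule['years']} year(s) from last activity"
        lines.append(f"{cls}: {period} ({rule['reason']})")
    return lines


if __name__ == "__main__":
    for row in review_records(SAMPLE_RECORDS, today=REVIEW_DATE):
        print(row)
    print("\n".join(schedule_for_privacy_notice()))
```

Running the review on a schedule rather than ad hoc gives you a record that the storage limitation principle is being applied, and the ‘review’ state gives staff time to check whether a record is still needed before the deadline passes.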
Sixth principle: integrity and confidentiality
This principle states that personal data must be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Security is obviously a major concern of data protection, but it is important not to see it as merely a technical problem that can be left to the IT department or your facilities manager. A high proportion of security breaches involve human error, so robust procedures and good staff training are equally as important as technological security, if not more so.
If your existing security is fit for purpose, there is probably little that you will need to change. However, it may be worth taking the opportunity to review your security nonetheless. Data is always more vulnerable when it is ‘in transit’, whether it is being transmitted by email, uploaded to the cloud, being carried around on a portable device or taken out of your office in paper form. Data ‘at rest’ is more likely to be in a secure environment. Policies, procedures and training are all important parts of your security measures.
Most data protection breaches are the result of security flaws, and it is worth remembering that the maximum penalty for a breach has risen from £500,000 (under the DPA 1998) to £17 million or up to 4% of global turnover (under the GDPR). In the case of British Airways in 2019, this meant that the Information Commissioner was able to indicate their intention to impose a penalty of over £180 million.1 (This was, however, challenged by British Airways and subsequently reduced to £20 million.2)
Chapter 11 looks at the sixth principle in more detail.
Embedding the data protection principles
You need to put some thought into how your organisation is going to ensure that it fully complies with the data protection principles. Measures to promote compliance can, of course, be built into documents such as data collection or consent forms, and into policies and procedures for handling personal data. However, compliance also depends on you ensuring that the individual staff and volunteers who are processing the data understand what is expected. For example, in order to fully comply with the second principle (purpose limitation), everyone has to be aware of the purpose(s) for which the data was originally obtained in order not to stray from those purposes. Equally, the fourth principle (accuracy) should be at the back of everyone’s mind whenever they contribute entries to a record about an individual or write an email that concerns that individual.
This cannot be left to chance. You should regularly provide your staff with reminders and training that focus on these aspects of data protection. If you become aware of standards slipping or mistakes being made, you should raise these with both the individuals concerned and the team. You should carefully monitor complaints or feedback from data subjects to determine whether anything systematic needs to be addressed, and you should look out for patterns that could suggest that something could be going wrong – for example, an increase in the rate of people unsubscribing from a mailing list.
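The unsubscribe-rate pattern mentioned above is easy to miss if you only look at raw counts. The following is an added example for this guide, not code from the book or from any organisation it mentions. It assumes constructed monthly mailing figures (e-mails sent and unsubscribe requests for one list, with a deliberate jump in the last month) and flags any month whose unsubscribe rate sits well above the organisation’s own baseline, calculated from the earlier months. A flagged month is a prompt to check what changed: a new use of the data, a new message, or a privacy notice that no longer matches what people expected.

```python
from statistics import mean, pstdev

# Constructed monthly figures for one mailing list: (month, e-mails sent,
# unsubscribe requests). The final month contains a deliberate jump.
MONTHLY_FIGURES = [
    ("2020-01", 4000, 12), ("2020-02", 4100, 11), ("2020-03", 3900, 13),
    ("2020-04", 4200, 14), ("2020-05", 4000, 12), ("2020-06", 4300, 15),
    ("2020-07", 4100, 13), ("2020-08", 4250, 40),
]


def unsubscribe_rate(sent: int, unsubscribed: int) -> float:
    """Fraction of recipients who unsubscribed in the month (0.0 if nothing was sent)."""
    return unsubscribed / sent if sent else 0.0


def flag_unusual_months(rows, min_history: int = 3, sigma: float = 3.0):
    """Flag months whose unsubscribe rate is well above the list's own baseline.

    The baseline is the mean and spread (population standard deviation) of
    the rates in all earlier months; a month is flagged when its rate exceeds
    mean + sigma * spread. At least min_history earlier months are required
    before any month can be flagged. Returns (month, rate, threshold) tuples
    for the flagged months only.
    """
    flagged = []
    history = []
    for month, sent, unsubscribed in rows:
        rate = unsubscribe_rate(sent, unsubscribed)
        if len(history) >= min_history:
            baseline, spread = mean(history), pstdev(history)
            threshold = baseline + sigma * spread
            if rate > threshold:
                flagged.append((month, rate, threshold))
        history.append(rate)
    return flagged


def monthly_report(rows):
    """Rate per month with a marker on the flagged ones, for a simple review sheet."""
    flagged_months = {month for month, _, _ in flag_unusual_months(rows)}
    return [
        (month, round(unsubscribe_rate(sent, unsubscribed), 4), month in flagged_months)
        for month, sent, unsubscribed in rows
    ]


if __name__ == "__main__":
    for month, rate, is_flagged in monthly_report(MONTHLY_FIGURES):
        print(month, rate, "CHECK" if is_flagged else "")
```

The same shape of check works for complaints, access requests or opt-outs per month; the point is to compare each month with your own history rather than with an arbitrary fixed figure.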
9 Data protection principles 1 and 2: lawfulness, fairness and transparency, and purpose limitation
The first two data protection principles (covering lawfulness, fairness and transparency, and purpose limitation) apply right from the moment you plan to process personal data and, once you have set things in motion, you must stick by your decisions. One of the main implications of the first principle is that you must provide your data subjects with privacy notices, so this topic is given special attention in this chapter.
This chapter:
• explores the first two data protection principles;
• discusses privacy notices in detail;
• considers the concepts of ‘purpose’ and ‘compatible processing’.
Lawfulness, fairness and transparency
The first principle, as we saw in chapter 8, states that personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
The mention of lawfulness is a reminder of your obligation to have a sound lawful basis for your processing, but it probably needs no further comment beyond that. Fairness is enshrined in the GDPR as being fundamental to data protection compliance. You might believe that you are sticking to the absolute letter of the GDPR, but, if the outcome is in any way unfair to data subjects, you will be in breach of the first principle nonetheless. Having said that, few if any voluntary organisations would wish to be unfair to their data subjects.
Your central concern relating to the first principle is likely to be transparency. The GDPR insists that data subjects should know what is being done with their data, and it is essential that they have sufficient information beforehand so that they are able to make an informed judgement about whether or not to provide that data. The information that you must give to data subjects is set out below. The full set of information is extensive, and it is unlikely that you would want to provide this at every point at which you obtain data. It usually makes sense for the critical items to be provided in a short statement or statements given at the time of data collection. Alongside these you must also have a full privacy notice going into more detail about the data you collect, what you do with it and the rights of your data subjects. This should be made available to anyone who wants to know more, but it also demonstrates that your organisation has a thought-through approach to its processing and to its relationship with data subjects. The Information Commissioner’s Office (ICO) calls this a ‘layered approach’ and provides guidance on how to achieve it.1 In an online context, this can also be achieved by including pop-up information boxes, just-in-time notices (which appear when someone starts to provide their information) and similar measures.
Statements provided at the time of data collection
Whenever you ask people to provide you with personal data, they should be given appropriate key information about what you intend to do with it. You should especially provide information on matters that might affect their decision on whether to provide the data or not, or to exercise a choice over uses to which you might put it. There is an art to writing statements that provide sufficient relevant information succinctly and in a way that data subjects might be expected to understand even when they read it quickly. The danger is that in making things too user friendly, you might end up being vague and giving an incomplete picture. The more your statements vary across your organisation or from time to time, the more scope there is for confusion about what you may or may not do with any particular person’s data. It is worth taking the time to develop standard wording for use across your organisation in the majority of routine situations. These statements should, ideally, be tested with people who have not been involved in writing them, to ensure that they give the right message.
Wherever possible, data subjects whose data is to be used in the same way should all be given the same statement(s). That way there will be less opportunity for uncertainty about how the data of any particular individual may be used. The statements should be on the face of the document or form that people are completing, not something that they have to click through to or ask for specially. When the data is being collected verbally, face to face or on the phone, a statement as similar as possible to the written version should be read out. If you obtain data from third parties, you need to think about how you can provide the data subjects with the information to which they are entitled (see the following section, on what must be in a privacy notice). You should give them at least the basic information at the earliest opportunity, and it is often a good idea to provide a copy of your full privacy notice at an appropriate point soon afterwards.
A comprehensive privacy notice
Your comprehensive privacy notice can serve a number of purposes:
• It can be consulted by anyone who wants more detailed information than they get via shorter statements at the time of data collection.
• You can provide it directly to people whose data you have obtained from elsewhere.
• You can provide it to people with whom you expect to have greater involvement over the longer term.
• It can act as a reference point for staff who are not clear about whether their intended use of data is consistent with what people have been told.
• As part of discharging your accountability obligations (see page 26), it can serve to show the ICO and other organisations that you have properly thought through your uses of personal data.
All but the smallest organisations are likely to have a range of different data subjects – clients or beneficiaries, supporters, donors, members, employees, volunteers, event attendees, email list subscribers and so on. Although you will follow the same GDPR requirements for each of these categories, the details will be different in each case. In order to make your full privacy notice more manageable, you should think about breaking it up into sections that apply to different types of data subject. For an example, see the privacy notice of the ICO itself.2 It contains a section of core information and then a series of sections that apply depending on the data subject’s relationship with the ICO.
You can also provide your comprehensive privacy notice to data subjects in entirely separate publications. For example, information relevant to employees might be in the staff handbook, while a new donor might get the version that relates to them as a donor. You should also note that there are some differences in what you have to tell people, depending on whether you get information from the data subjects themselves or from some other source. You may be able to combine all the information into a single privacy notice, or you may find that it is simpler to have one for each situation.
What you must tell people when you obtain data directly from them
Much of the time you will obtain personal data from the data subjects themselves. In this case the transparency requirements are set out in Article 13 of the GDPR, in two separate lists. The first list (slightly summarised) is:
• the identity and contact details of the controller (and data protection officer if there is one);
• the purposes and lawful basis of the processing;
• the legitimate interests of the controller or third party (if legitimate interests is the lawful basis);
• any recipient(s) of the data;
• details of any overseas transfers (see chapter 12).
The second list is introduced with the explanation that it is ‘necessary to ensure fair and transparent processing’, but there is no indication of whether this means that you must provide it because it is necessary, or that you need only provide it to the extent that it is necessary. The safest course of action is to assume that this information must also be provided in all situations:
• the storage period or criteria for deletion of the data;
• the data subject’s rights of access to the data and to rectification or erasure, restriction of processing and data portability (see chapter 13);
• the data subject’s right to withdraw consent at any time, if consent is the lawful basis, ‘without affecting the lawfulness of processing based on consent before its withdrawal’;
• the data subject’s right to lodge a complaint to a supervisory authority (the ICO in the case of the UK);
• whether the provision of the personal data is contractually or statutorily required, whether the data subject is obliged to provide the data, and possible consequences of failure to provide it (this should probably be in your short privacy notice at the point of data collection as well as in your full notice, since it could affect whether or not the data subject provides the data in the first place);
• details of any automated processing or profiling that will be carried out (see chapter 18) and ‘meaningful’ information (in simple and clear terms that your data subjects can understand) about the logic involved as well as the significance and envisaged consequences for the data subject.
If you subsequently want to use data for a purpose other than the one for which it was originally obtained, you must tell the data subjects before starting. Don’t forget that you might also need to gain consent again if your original lawful basis doesn’t extend to the new purpose(s).
What you must tell people when you obtain data from a different source
Article 14 of the GDPR makes provision for when personal data is obtained from a source other than the data subject. There are minor differences between this article and Article 13, but the majority of the content is the same. Again there are two parts to the list. The first (slightly summarised) is:
• the identity and contact details of the controller (and data protection officer if there is one);
• what categories of personal data you have obtained;
• the purposes and lawful basis of the processing;
• any recipient(s) of the data;
• details of any overseas transfers (see chapter 12).
The second part of the list in Article 14 (again required because it is ‘necessary to ensure fair and transparent processing’) includes:
• the storage period or criteria for deletion of the data;
• the legitimate interests of the controller or third party (if legitimate interests is the lawful basis);
• the data subject’s rights of access to the data and to rectification or erasure, restriction of processing and data portability (see chapter 13);
• the data subject’s right to withdraw consent at any time, if consent is the lawful basis, ‘without affecting the lawfulness of processing based on consent before its withdrawal’;
• the data subject’s right to lodge a complaint to a supervisory authority (the ICO in the case of the UK);
• the source of the personal data and, if applicable, whether it came from publicly accessible sources;
• details of any automated processing or profiling that will be carried out (see chapter 18) and ‘meaningful’ information (in simple and clear terms that your data subjects can understand) about the logic involved as well as the significance and envisaged consequences for the data subject.
Other rules about transparency in the case of personal data obtained from third parties are:
• The data subject must be given the information within a ‘reasonable period’, but no more than a month from when you first obtained the data.
• If the data is to be used for communicating with the data subject, the information must be provided with the first communication (if this is before the one-month deadline) or at the point where the data is to be disclosed to a third party.
• You don’t have to provide the information if the data subject already has it. This could perhaps be because the source of the data told the data subjects before disclosing the personal data to you – but the onus would be on you to check that they had really done this. You may want to include this requirement in any contract with the source of the data.
• You don’t have to provide the information if it would involve ‘disproportionate effort’, in particular if it is being processed for archiving, research or statistical purposes.
• You don’t have to provide the information if the personal data is being obtained or disclosed because that is required by law, or if the personal data must remain confidential.
Providing the information
Having prepared your detailed full privacy notice or notices, you then have to decide how to provide the information to your data subjects. Where your point of contact is online, it is common to provide a link on your website or in emails. However, this should not be an afterthought, tucked away in small print at the bottom of a page. Wherever you ask for personal data or outline activities that might involve you in processing personal data, you should clearly draw people’s attention to your privacy notice. You should also check, of course, that the notice on your website is up to date and actually addresses the relevant areas of processing. (Your website notice may also include cookie information, although this is probably better provided in a separate document.)
When you are collecting data face to face, you can, of course, offer data subjects a copy of your privacy notice on paper or provide them with the web address for the online version. Similarly, if you are communicating by post, you can include a copy of your privacy notice in a welcome pack, for example, and make it available on request. One obvious danger in all this is information overload. Most people are in contact with a wide variety of organisations and, realistically, are not going to spend time reading the full privacy notice of every one. They may only decide to refer to it if they are concerned about something that seems to be out of order. To discharge your obligation of fairness (part of the first data protection principle), you should therefore work hard to give data subjects just enough key information at appropriate points in your engagement with them, without them needing to refer to your comprehensive privacy notice. The ICO provides suggestions on how you might do this.3
Giving notice of changes to your privacy notice
From time to time, you may want to make changes to how you use personal data that you have already obtained. The new activity may be clearly compatible with your existing purposes (see the next section, on purpose limitation). However, if the extension of your use of the data amounts to a new purpose, you must not engage in it without updating your privacy notice and thinking about how to inform your data subjects of the changes. It is not enough to put the onus on them to check your privacy notice for updates.
If the changes are minor and have little impact on the data subjects, you may decide to include the details as part of a regular communication – a newsletter or renewal notice, for example – as long as this is being sent reasonably soon. You might also highlight the change on your website, for example on the main page or in a banner. If, however, the changes are more substantial, you must inform the affected data subjects before you start using the data in the new way. You must also, of course, ensure that you have a lawful basis for this new activity and, if the lawful basis is to be consent, you must not use the data in this way unless and until you have received consent.
It is worth reminding your staff to inform you if they find that your existing privacy notice does not reflect the ways they want to use the personal data you hold – or, more urgently, if they realise that they are already using the data in ways that are not covered by your privacy notice.
Purpose limitation
The second data protection principle states that personal data must be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
On the face of it, this is straightforward. You have a purpose for which you collect personal data, and then you use the data for that purpose only. In many cases the situation will, indeed, be straightforward. However, a question could well arise: how should we interpret the word ‘compatible’ in working out how broad a purpose can be? The principle itself already gives one specific example of processing that is likely to be compatible – the further use of data for archiving, research or statistics. In other situations, Article 6(4) of the GDPR states that you must take into account, among other things:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data [or] personal data related to criminal convictions and offences are processed;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
A useful rule of thumb might be to put yourself in the position of the data subject. At what point would they consider that you had strayed from one broad purpose into two or more separate purposes? In the case of most data subjects, there is likely to be a core purpose that clearly and reasonably encompasses a number of different activities. You can help to set their expectations by how you define your purpose initially. If you have members, for example, you will probably outline your membership ‘package’ – for example, a regular magazine, free or reduced-rate entry to locations that you manage, information about events that they could participate in, and so on. That would probably feel to most people like one purpose, even though membership brings a range of different benefits. You would therefore be within your original purpose if you processed your members’ data in order to do things like send them their magazine, bank their membership subscription (or chase them for non-payment), select members in a particular area to send them information about a local event (provided they have opted in to marketing or not opted out, as appropriate), or send them a membership renewal reminder. In contrast, it would be very unlikely for it to be compatible with the original purpose for you to send them commercial marketing about holidays overseas that are aimed at people who share your members’ interests, or to provide their details to an external organisation that wants to recruit people for a research project in your field (but that is not associated with your organisation). You can extend a purpose to cover new processing, as long as you are confident that your data subjects would see the new purpose as compatible with the old. However, you should consider providing them with additional information and also review your lawful basis. The ICO’s guidance points out that:
If your new purpose is compatible, your processing will be lawful and you don’t need a new lawful basis for the further processing. However, you should remember that if you originally collected the data on the basis of consent, you usually need to get fresh consent to ensure your new processing is fair and lawful. You also need to make sure that you update your privacy information to ensure that your processing is still transparent.4
Even if you believe that your new purpose is compatible, you may want to take into account the data subjects’ ‘reasonable expectations’ in deciding how to proceed. If they might be surprised, you should pre-empt that by letting them know in advance what new processing you are intending to do.
10 Data protection principles 3, 4 and 5: data minimisation, accuracy and storage limitation
The third (data minimisation), fourth (accuracy) and fifth (storage limitation) data protection principles must be complied with as soon as you start to collect personal data. How you ask for data can make a difference to the quality of data you obtain, and you must adhere to the third and fourth principles every time you create or add to a record. Part of this responsibility falls on individual staff members whenever they create or update a record (or compose an email, for example). You must also have a clear idea of how long you will retain data. This chapter:
explores the third, fourth and fifth principles of data protection;
considers the responsibility of individuals for data quality;
discusses the need for a clear and workable retention schedule that sets out how long you will normally keep different categories of data.
What do the principles say?
As discussed in chapter 8, Article 5(1) of the GDPR states that personal data must be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary . . . (‘storage limitation’).
These principles are considered here in a single chapter because they are all closely related to the content of your records, whether these are structured in a database, spreadsheet or similar system; as physical paper records; or in unstructured electronic documents and files, such as emails, social media records, recordings of online meetings or word-processed documents. Most organisations are likely to have a combination of these record types.
Data quality
Taken together, the third and fourth principles (data minimisation and accuracy) mean that your data must be:
Adequate: you must have sufficient data to support any decisions or actions you are taking in respect of the data subject. If you don’t have enough, you may end up guessing – with a clear risk of guessing wrongly and ending up making the wrong decision or taking the wrong action. For example, if you are working with children, you need to know which adults are entitled to act on their behalf.
Relevant: you must be able to show that the information you are holding relates to the purpose for which you are holding it. (Note that the requirement is for it to be ‘relevant’; in this respect, the legislation does not impose the stricter test of it being ‘necessary’.)
Limited to what is necessary: you must not record more information than you need. If you can make your decision or take your action confidently with a smaller amount of information, you must not collect additional information, even if you could argue that it does relate to your purpose(s).
Accurate: the phrasing of the principle allows no leeway – your data must be accurate. Note, however, that the principle clearly recognises that perfect accuracy the whole time is not achievable and that sometimes the facts will change without you knowing.
Kept up to date (where necessary): how much you need to do will depend on the purpose for which you are holding the data. Note that, while you must take ‘every reasonable step’ to correct or erase inaccurate data without delay, this is ‘having regard to the purposes for which [it] is processed’. Clearly the address in your accounting system of someone who paid you money last month doesn’t need to be updated urgently if they move (unless they make another payment), but the address of a member or magazine subscriber does have to be changed as soon as you are told.
Data quality is not just an optional ‘nice to have’ and you don’t get a gold star for complying. There are situations where you could cause genuine harm if your data quality is not up to scratch, such as the following:
Inaccurate financial information could lead to you paying someone the wrong amount or failing to pay them at all. The mistake can almost always be put right eventually, but meanwhile the person is out of pocket and may be put to considerable inconvenience – especially if they were relying on your payment to settle their bills.
Inaccurate or insufficient information about a person’s qualifications and career history could lead to them not getting a job they were suitable for – or getting a job they were not suitable for.
Inaccurate or insufficient information about a person’s medical condition, allergy or disability could lead to you putting them in a risky, even life-threatening, situation.
You should identify situations where poor-quality data would pose a particular risk. Ensure that in those situations you pay special attention to checking your information as far as possible before relying on it. One of the main issues with data quality is that, whereas decisions on your lawful basis and purposes are taken by (or at least on behalf of) the organisation as a whole, the accuracy and relevance of the personal data you hold in your records are largely dependent on the performance of the individuals who enter the data. While the vast majority of your staff will undoubtedly understand their professional responsibilities and do their best, as part of your GDPR accountability you should be able to demonstrate what you have done to ensure that this is the case. This means providing clear guidance and training to begin with, and then monitoring the quality of the data your staff or volunteers record, carrying out refresher training, giving briefings in team meetings and providing comments in appraisals if standards show any sign of slipping.
This support must be given to volunteers as well if they have any responsibility for data entry. This is especially important when staff have a lot of discretion about what to record and how to record it – for example, in free-text areas of a database, in paper file notes or, in particular, in emails. Emails are perhaps the trickiest area of all, as their use is ubiquitous and routine in most organisations and they are completely unstructured. Anyone – including a trustee or a member of an interview panel – who composes an email on behalf of their organisation where that email contains any personal data must pay attention to the need for it to be of appropriate quality to meet the test of being adequate, relevant, not excessive, accurate and up to date. You should therefore provide clear guidance about emails, particularly those written in haste or ones that deal with individuals’ personal situations – especially when there is a contentious issue under consideration. It is worth reminding people that data subjects have the right to see their personal data and that writers should be confident that they could fully justify what they have written and how they have written it, whether what they have written is fact or opinion. (The statement ‘I think this is true’ could be accurate, even if I’m wrong.)
In many voluntary organisations, information about the same person is held in many different places – perhaps in a membership database, in a fundraising database, in a spreadsheet holding the details of people who are interested in a particular project, and as emails in the email system. This, of course, poses difficulties when the person’s details change. They may inform one part of the organisation and assume, quite reasonably, that they have therefore told the organisation as a whole. Your challenge is to ensure that everyone else who holds information about that person finds out about the change. A single central database system can reduce this problem, but there will still be cases where it makes sense to work with smaller data sets. Spreadsheets are commonly used for this purpose, despite their disadvantages; these disadvantages include the ease of deleting or corrupting data without realising what has happened, and usually a lack of controls to ensure consistency of data entry. Spreadsheet users should be encouraged to refresh their data from the central record at appropriate intervals or, better still, to delete the spreadsheet once the immediate purpose is complete and recreate it next time if necessary.
Subsidiary data sets may also exist online, for example in an externally provided bulk email system or an event-booking system. Many such services provide facilities for synchronising data with in-house systems; in other cases, you should consider how this might be done manually. As well as ensuring that you update your records properly when you are informed of a change, you should consider enabling subjects whose data you regularly use to keep their own records up to date, either online or by contacting them at appropriate intervals and asking them to check that you still have the correct data. Giving them the opportunity to update their own details doesn’t shift the responsibility entirely onto them (since you retain the responsibility for holding accurate data), but it should make your job much easier.
There may also be obvious opportunities to check your data, such as when you invite people to renew their membership or, for staff, at their annual appraisal.
Retention
In chapter 9 we saw that your full privacy notice must contain information about how long you will keep personal data and what your criteria are for deletion. You should also consider whether you should mention your retention period in the shorter statements you provide at the point where you collect personal data, especially if it is significantly longer or shorter than people might expect. This means that you should compile a retention policy and schedule setting out the different types of personal data you hold (and other non-personal material if you wish, for completeness), the length of time you will hold it, and the rationale behind your choice of retention period. In some cases, retention will be based on legal considerations; in others, the reasoning may be more practical or policy based. Once it has been put in place, responsibility for implementing it must, of course, be allocated and monitored. The retention schedule, or a summary of the key entries, may be appended to your full privacy notice. It is usually possible to set up a reliable system to manage the retention period for structured records – for example, by running a report on a database to list all individuals who have not been in contact for more than a certain number of years, and then deleting their records automatically after the list has been checked. Similarly, with paper files it is possible to add a destruction date as you close the file. Retention periods for unstructured records – and here again emails are one of the main headaches – are more of a problem. An ideal system would be for any email destined for retention to be identified and attached to a structured record, so that the remaining emails could safely be deleted after a set period. In the absence of such a system, individuals should still be encouraged to delete non-essential emails regularly.
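One way to put the retention schedule described above into practice for structured records, as an added illustration in Python that is not code from the book or from any product it mentions. The categories, retention periods, ‘today’ date and records are constructed sample values; the split between producing a report and then deleting only approved records reflects the point that automatic deletion follows a human check of the list. The `hold` field is a hypothetical marker for records kept outside the routine schedule (such as the legacy pledges discussed later in this chapter), and the routine never deletes those.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (illustrative values, not the book's):
# record category -> years to keep after the last contact with the person.
RETENTION_YEARS = {
    "member": 2,
    "donor": 6,
    "enquirer": 1,
}

# Constructed "today" so the report below is reproducible.
TODAY = date(2020, 12, 8)


@dataclass
class Record:
    record_id: int
    category: str
    last_contact: date
    hold: str = ""  # hypothetical: documented reason the record sits outside the schedule


def years_before(day: date, years: int) -> date:
    """The same calendar date `years` earlier (29 Feb falls back to 28 Feb)."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def retention_report(records, today=TODAY):
    """List records past their retention period for review.

    Returns (due, held): ids due for deletion once a person has checked them,
    and ids that are past the period but carry a hold (reviewed separately)."""
    due, held = [], []
    for rec in records:
        cutoff = years_before(today, RETENTION_YEARS[rec.category])
        if rec.last_contact < cutoff:
            (held if rec.hold else due).append(rec.record_id)
    return due, held


def apply_deletions(records, approved_ids):
    """Delete only records a reviewer has approved after checking the report.
    A record with a hold is never deleted by this routine, even if listed."""
    approved = set(approved_ids)
    return [r for r in records if r.record_id not in approved or r.hold]


def sample_records():
    """Constructed sample data, not real individuals."""
    return [
        Record(1, "member", date(2017, 3, 1)),
        Record(2, "member", date(2019, 6, 15)),
        Record(3, "donor", date(2013, 1, 10)),
        Record(4, "donor", date(2012, 1, 1), hold="legacy pledge"),
        Record(5, "enquirer", date(2019, 11, 30)),
    ]


if __name__ == "__main__":
    due, held = retention_report(sample_records())
    print("due for review:", due, "held back:", held)
    # After a person has checked the list, pass the approved ids in:
    remaining = apply_deletions(sample_records(), due)
    print("remaining:", [r.record_id for r in remaining])
```

The report is deliberately separate from the deletion step: the schedule decides what is listed, a person decides what is approved, and a hold keeps a record out of both the automatic path and any accidental approval.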
Article 5(1)(e) of the GDPR makes special provision for records to be retained indefinitely for archiving, research and statistical purposes (see chapter 21). You may also want to consider retaining records in anonymised form if the data is likely to remain useful even if the individuals are not identifiable. Alternatively, you may want to ‘pseudonymise’ them so that they can be accessed without the individuals being identified, but linked back to a known individual should the occasion arise.
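As an added example of the pseudonymisation just described (not code from the book), the following Python replaces the identifying fields of each record with a keyed hash and keeps the link back to the individual in a separate lookup table. The field names, key handling and sample records are constructed assumptions. The design point is that the pseudonymised records can be used on their own, while linking a token back to a person is possible only for whoever holds the separately stored key and lookup table.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, not real individuals.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org", "gift_total": 120},
    {"name": "B. Sample", "email": "b.sample@example.org", "gift_total": 45},
    {"name": "A. Example", "email": "a.example@example.org", "gift_total": 30},
]

# Assumed: these are the fields that identify the person.
IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """A fresh secret key; hold it separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def make_token(key: bytes, record: dict) -> str:
    """Keyed hash (HMAC-SHA256) of the identifying fields.

    The same person always gets the same token, so records can still be
    linked to each other; without the key, a token cannot be recomputed from
    a guessed name, so the token on its own does not identify anyone."""
    ident = "\x1f".join(record[f] for f in IDENTIFIERS)
    return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised records, lookup table).

    The lookup table maps each token back to the identifying fields and must
    be stored separately under access controls; the pseudonymised records
    can be analysed or archived without it."""
    output, lookup = [], {}
    for rec in records:
        token = make_token(key, rec)
        lookup[token] = {f: rec[f] for f in IDENTIFIERS}
        output.append({"subject": token,
                       **{k: v for k, v in rec.items() if k not in IDENTIFIERS}})
    return output, lookup


def reidentify(token, lookup):
    """Link a pseudonymised record back to the individual, which only works
    for whoever has been given access to the separately held lookup table."""
    return lookup.get(token)


if __name__ == "__main__":
    key = new_key()
    records, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print(records)
    print(reidentify(records[1]["subject"], lookup))
```

If the occasion to re-identify someone never arises, the lookup table and key can be destroyed, at which point the tokens are no longer linkable to anyone and the remaining data is closer to the anonymised form mentioned above.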
How long should you keep photographs?
You may have photographs of your organisation’s activities, and these can be of interest long after they were taken. However, if they contain images of recognisable individuals, they are very likely to be personal data. One approach would be as follows:
Initially, designate the photograph as ‘current’ for a relatively short time. Depending on your lawful basis for holding it and any consent given by the data subject, it could be used during this period, for example online, in publicity or in funding applications.
Then either delete the photograph or ‘retire’ it (ideally after linking it with information to identify the subject(s) of the photograph) and stop reproducing it, to avoid any possibility of an inappropriately out-of-date photograph being used routinely.
After a period of retirement – typically of several years at least – make the photograph available for use again, but identify it as an ‘archive photograph’ each time it is used.
Retention of legacy data
When it comes to legacies, charities may also wish to indefinitely keep legacy data relating to supporters who are still alive. For example, if a person may pledge a legacy at a later date or otherwise informs your organisation that they are thinking about leaving a gift in their will, you may want to retain this information (and other data about the person) for their lifetime in order to administer your legacy fundraising programme or for stewardship purposes. Where you do retain such data about living individuals for long periods, it should be archived or put out of everyday use with restrictions on who can access it. Alternatively, it could be pseudonymised.
Retention after people have died
People are no longer data subjects after they have died – mainly because they are no longer in a position to be compensated for any harm caused by mishandling their data. However, that is no excuse for failing to respond properly when you are informed that one of your data subjects has died. From both a practical and a humanitarian point of view, you will obviously wish to avoid harming or upsetting the family or other people, even when they are technically not your data subjects.
It may be appropriate to retain the records for some time – for example, if the person was a client, beneficiary or staff member, or if a supporter has left a legacy. In the case of the latter, your organisation may need to retain the details of that supporter to enable it to administer the legacy and/or defend any claims brought in connection with the legacy – showing that the supporter had a clear intention to leave the legacy or a close relationship with the charity may help in defending a claim. However, you must ensure that the record is marked so that it cannot be used inappropriately. This is particularly important with lists of people you are likely to contact regularly, such as members, supporters and customers who might have bought products or services from you. It is very poor practice to risk upsetting their relatives by continuing to email, mail or – even worse – phone after you have been informed that they have died.
11 Data protection principle 6: integrity and confidentiality
The sixth data protection principle (integrity and confidentiality) concerns security, which is clearly one of the most important data protection issues. Unauthorised access to information is a big risk, and the harm that can result from information getting into the wrong hands is considerable. Compliance with the sixth principle requires not just written policies and precautions implemented centrally across your organisation, but also staff who fully understand how to maintain high levels of security in their day-to-day work. This chapter:
explores the sixth principle of data protection;
gives examples of security breaches that have led to financial penalties;
considers possible security measures;
explores the issue of authorised and unauthorised access.
What does security entail?
Security is about making sure that the personal data you hold is available when needed by you (or anyone else who is authorised to use it, such as a data processor), and to no one else. As we saw in chapter 8, Article 5(1) of the GDPR states that personal data must be:
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The key concepts here are ‘integrity’ – protection against accidental loss, destruction or damage, so that the data is there when you need it – and ‘confidentiality’ – measures to prevent unauthorised or unlawful processing. No security can ever be perfect. The GDPR recognises this in requiring your security measures to be ‘appropriate’. It also requires you to consider both ‘technical’ and ‘organisational’ measures. You can install a lock on your front door (technical), but then you must make sure that everyone in your household locks the door when they leave and remembers to take a key with them (organisational). The requirements for data minimisation and appropriate retention periods (see chapter 10) are also worth bearing in mind. If you hold only the data that you really need, there is less data to protect.
Penalties
Breaches of data protection can result in enforcement action by the Information Commissioner’s Office (ICO) (see chapter 22). It seems clear that the Information Commissioner regards security as a priority, as this is one of two areas where a significant proportion of breaches on which the ICO has taken action have attracted financial penalties, often of six-figure sums.1 The other area is blatant contravention of the marketing restrictions in the GDPR or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (see chapter 18). There is a story behind each breach – each one has unique situations and different reasons, often relating to human error – but together these examples (most of which occurred in the last few years of the Data Protection Act 1998 (DPA 1998), before the GDPR was introduced in 2018) give a picture of what can go wrong:
The British Pregnancy Advisory Service website was hacked – something made easy because the default administrator password had not been changed – and five years’ worth of highly personal messages from almost 10,000 clients to the organisation’s helpline were stolen (penalty: £200,000). (See further background on this case on page 116.)
Intruders were able to access personal data (including some payment card and bank account details) of 417,000 supporters of the British and Foreign Bible Society due to a weakness in the organisation’s network (penalty: £100,000).
A charity social worker left four sets of highly confidential adoption reports outside a house when the intended recipients were not in to receive them (penalty: £70,000).
An Aberdeen-based social worker, working from home, inadvertently allowed her computer to upload confidential documents to an unprotected cloud site (penalty: £100,000).
When mailing out an e-newsletter, a volunteer-run London HIV support group disclosed recipients’ email addresses, some of which identified the individuals (penalty: £250).
Gloucestershire Police sent a bulk email (using ‘To’ instead of ‘BCC’) that identified victims of non-recent child abuse (penalty: £80,000).
Worcestershire County Council emailed highly sensitive data about a large number of vulnerable people to 23 unintended recipients (penalty: £80,000).
Ealing and Hounslow councils were jointly responsible when an unencrypted laptop containing 1,700 clients’ details was stolen from an employee’s house (penalties: £70,000 and £80,000).
A Heathrow Airport employee lost a USB memory stick that was not encrypted or password protected, exposing ten individuals’ details (including names, dates of birth and passport numbers) and the details of up to 50 aviation security personnel (penalty: £120,000).
Bayswater Medical Centre left highly sensitive medical information unsecured in an empty building for more than 18 months (penalty: £35,000).
Some of these breaches were the result of intentional intrusion, made more possible by lax security. Many, as is often the case, followed from a quite simple human error – losing something, carelessly putting important information in the wrong place or not realising that a risk had been created. In each of these latter cases, the penalty was imposed not because the breach happened but because the organisation could reasonably have done more to prevent it. Stiff penalties were especially likely where a similar incident had happened before but the organisation had failed to learn from it and improve its practices. While the volume of data compromised obviously played a part in some of these penalties, a breach affecting a very small number of data subjects is equally serious if the consequences for the individuals could be significant.
Key security measures
Security could easily merit a book of its own, and there are many resources available on all of its aspects.2 However, it is worth bearing in mind a few key points.
Protect ‘data in transit’
Security experts agree that ‘data in transit’ – when it is moving, electronically or physically, from one place to another – is more vulnerable than ‘data at rest’ – where it is more likely to be protected by robust security measures. Your first priority should therefore be to consider the different ways in which data may move around.
An obvious one is when data is physically being carried on portable devices, including laptops, phones and media such as USB sticks. These are often vulnerable to being stolen for their intrinsic value, or lost. In order to prevent their data then falling into the wrong hands, you must consider access controls (passwords, biometrics or other measures to prevent someone making use of the device) and encryption (so that if someone does break into the device, they are less likely to be able to access the data in readable form). Possibly an even more common way for data to be in transit is by email or some other form of electronic transfer, such as text message or posting on social media. A significant risk with email is the possibility of selecting the wrong recipient(s) or copying in unintended recipients by mistake. Several measures may be appropriate, such as:
routinely using a mailing programme or database facility to send individual emails to each recipient of bulk emails and newsletters, instead of sending one email to many people at once (given that remembering to use ‘BCC’ is a known weak point);
training users – who could be anyone who sends emails on your behalf – to select email addresses from a reliable source (such as a database or address book) rather than starting to type them in and accepting the first (possibly wrong) address that comes up;
training users to check that there is no unintended personal data in the email trail when they respond to or forward an incoming message;
sending confidential material as a password-protected attachment and providing the recipient with the password by a different channel (such as text, phone or verbally);
using an encrypted email system (if your volume of confidential emails justifies this);
transferring confidential material by uploading it to a secure web location, rather than sending it via email.
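The first measure in the list (one message per recipient rather than one message to many), together with a pre-send check for the ‘To’ instead of ‘BCC’ mistake that appears twice among the penalties above, as an added Python example that is not from the book. The recipient addresses are constructed, the function names are hypothetical, and nothing here actually sends mail: `safe_to_send` is the gate you would put in front of whatever does, so that a message listing many addresses in ‘To’ or ‘Cc’ is stopped before it leaves.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed recipient list; example.org addresses are not real people.
RECIPIENTS = [
    "a.example@example.org",
    "b.sample@example.org",
    "c.test@example.org",
]


def build_individual_messages(sender, recipients, subject, body):
    """One message per recipient, so nobody receives anyone else's address."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def disclosed_addresses(msg):
    """Addresses every recipient of this message will see (To and Cc; Bcc is
    stripped in transit, so it is not counted)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def safe_to_send(msg, limit=1):
    """Pre-send check: refuse a message that would disclose more than `limit`
    recipient addresses to each other."""
    return len(disclosed_addresses(msg)) <= limit


def bulk_message(sender, recipients, subject, body, use_bcc):
    """The one-to-many message the text warns about (use_bcc=False), beside
    its BCC variant, so the check can be shown catching one and passing the other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Bcc" if use_bcc else "To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    for m in build_individual_messages("news@example.org", RECIPIENTS, "Newsletter", "Hello"):
        print(m["To"], "ok" if safe_to_send(m) else "BLOCKED")
    risky = bulk_message("news@example.org", RECIPIENTS, "Newsletter", "Hello", use_bcc=False)
    print("one-to-many in To:", "ok" if safe_to_send(risky) else "BLOCKED")
```

Building a separate message per recipient removes the BCC decision altogether, which is why the text prefers it to relying on people remembering BCC; the check is a second line of defence for mail composed by hand.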
None of the suggestions above are perfect, of course, but it is important to think about how significant risks can be reduced, rather than ignoring the problem. Paper documents containing personal data are yet another key risk area. Highly confidential material might warrant a system for checking it out and in again when it is taken from a secure environment. For less confidential personal data, training the people who handle it might be enough, as well as getting your staff and volunteers (and trustees) accustomed to handing in confidential materials after meetings rather than retaining them.
76
M1997
Directory of Social Change – Data Protection for Voluntary Organisations 2020
Marlinzo Services, Frome, Somerset
3B2 8.07t/W (Aug 8 2005)
IT-related security measures
This is not the place to discuss in detail the measures that you should already be using to protect your network and your website from intrusion and to back up your data routinely. However, it is important to remember that it is your organisation’s responsibility, as the controller (see chapter 3), to ensure that these are in place, even if you rely on external companies for the actual provision. You should select competent providers and give them clear instructions on what you expect them to do.
Equipment
Whenever your staff, volunteers or trustees use their own equipment to create, store or transmit personal data for which your organisation is the controller, ultimate responsibility lies with the organisation. This can be a tricky issue in a charity that has small local volunteer-run branches or supporter groups which form part of the main organisation but operate with a degree of autonomy. Unless you ban the use of personal equipment entirely (and issue equipment to those who genuinely need it), you should have a ‘bring your own device’ (BYOD) policy setting out the behaviour that you consider appropriate and the precautions that people should take.
Working from home
Other considerations arise when staff, volunteers or trustees work from home. You may want them to use their home equipment just to access your central system, in order to avoid the risks involved in having personal data held less securely at home and being transported between home and work. You may be concerned as to whether other members of their household make use of the same equipment, and whether there is a sufficient barrier to protect your organisation’s data. You may also want to restrict the printing of confidential material at home, to avoid the obvious risk of it being inappropriately disclosed. All these matters, along with other considerations such as working hours and health and safety, will no doubt be dealt with in your working-from-home policy. If the Covid-19 pandemic led to a significant increase in home-working in your organisation, it is worth including the data protection implications when you review your experience and decide how much home-working will take place in future.
Cloud applications
Cloud applications are another potential risk area. You should decide whether your staff, volunteers and trustees are permitted to use their own cloud accounts to handle personal data on your behalf – to run a small survey, for example, or to transmit documents. There are risks in allowing them to make their own judgement on whether the services they would like to use are sufficiently secure and – where the provider of cloud services would be acting as a processor – whether the terms and conditions meet the GDPR’s requirements. An additional potential risk would be that, in the event of the account holder being unavailable, your organisation might lose access to key personal data. You might, therefore, want a policy that requires all cloud services – or at least those used for processing personal data – to be set up and managed on a corporate basis. The cloud also has implications if you rely on it to hold your data. The GDPR requirement for integrity implies that data should be available when you need it. If you are over-reliant on cloud providers accessed over the internet, there is a risk that your data will become inaccessible in the case of physical interruption to your internet connection or a technical or commercial failure of your provider. You must take these risks into account when adopting any particular strategy for making use of the undoubted benefits of the cloud.
Online meetings
The increasing use of online meetings for business purposes brings its own data protection challenges, particularly if you record the meetings. It is unlikely to be fair to make a recording of a meeting without the consent of all participants – and in many situations this would also apply to individual meeting participants making their own recording. Records of attendance and of written communications between participants during a meeting are also likely to be retained by the service provider and to be available to the meeting host. These will generally contain personal data about the meeting participants, but they may also contain personal data of anyone else who was mentioned (and possibly confidential information about your organisation). Security, and control over future access and use of such data (both by your organisation and by the platform provider), should therefore be considered.
Physical security
If your building is open to the public, if you share premises with other organisations or if some of your teams work on particularly confidential personal data, you should take precautions against personal data being seen by unauthorised people. Such precautions would include things like access controls to the building, a clear-desk policy to avoid people leaving confidential material where it could be inadvertently seen, locked filing cabinets for confidential paperwork and automatic screen shutdown when people are away from their desks. You should also remember that your responsibility for personal data does not end until it has been securely destroyed once it is no longer required. Arrangements for shredding papers and for disposing of electronic equipment that holds personal data must be robust. It is worth reviewing whether practice has become lax – for example, if people are leaving bags full of material that is waiting to be shredded unsecured in common areas of the building.
Checks and monitoring
Although we would like to be able to trust everyone, experience shows that this can be unwise. Data protection breaches are regularly reported that are the result of deliberate misbehaviour by people who have privileged access to information (see page 17 for an example and page 154 for further information). You should carry out proportionate pre-employment checks (for example, via the Disclosure and Barring Service) on individuals who are likely to have access to large amounts of personal data or to highly sensitive data. As far as possible, you should implement controls in these situations, such as you might for financial transactions. Potential controls include supervision or a requirement for confirmation from a second person. Such measures can prevent an individual being in a position where they are able to take unwelcome or hostile action. You may also want to consider proportionate monitoring of staff who are not obviously in high-risk positions but who could do serious damage to your organisation or its data subjects. For example, you could implement automated systems to flag up an unusual amount of access to personal data that a staff member would not normally need to work on. Finally, of course, you must not forget to make appropriate checks on external contractors who are acting on your behalf as processors (see chapter 4).
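The automated flagging of unusual access suggested above, as an added illustration that is not from the book or from any product it mentions: a Python script that reads an access log and raises an alert when a staff member opens many records outside their assigned caseload in one day, or far more records than their own usual daily total. The log format, user names, record ids and caseloads are all assumptions constructed for the example.

```python
"""Flag unusual access to personal data in a case-management system.

Added example, not from the book: log format, user names, record ids and
caseloads are all constructed.  Each log line is "<ISO timestamp> <user>
<record-id>", one per record opened; a caseload is the set of records a user
normally needs.  Two signals are raised:
  OFF_CASELOAD  more records outside the caseload in one day than a small
                allowance (occasional cover for a colleague is tolerated);
  VOLUME_SPIKE  a daily total several times the user's own median daily total.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample log: bob is normal for three days, then one evening opens
# a run of records outside his caseload; carol opens one of alice's records.
SAMPLE_LOG = """\
2020-10-05T09:12:03 alice R1001
2020-10-06T10:02:55 alice R1002
2020-10-07T09:30:41 alice R1003
2020-10-05T09:05:12 bob R2001
2020-10-05T16:45:33 bob R2002
2020-10-06T09:15:08 bob R2001
2020-10-06T13:02:27 bob R2002
2020-10-07T10:11:54 bob R2001
2020-10-07T15:48:02 bob R2002
2020-10-08T20:31:10 bob R2001
2020-10-08T20:32:44 bob R1001
2020-10-08T20:33:19 bob R1002
2020-10-08T20:34:05 bob R1003
2020-10-08T20:35:51 bob R3001
2020-10-08T20:36:40 bob R3002
2020-10-08T20:38:09 bob R4001
2020-10-05T10:00:00 carol R3001
2020-10-06T11:30:00 carol R1001
2020-10-07T09:45:00 carol R3002
"""

# Constructed caseloads: the records each user normally needs to work on.
CASELOADS = {
    "alice": {"R1001", "R1002", "R1003"},
    "bob": {"R2001", "R2002"},
    "carol": {"R3001", "R3002", "R3003"},
}


@dataclass(frozen=True)
class Alert:
    user: str
    day: str
    kind: str
    detail: str


def parse_log(text):
    """Return (day, user, record) triples; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        timestamp, user, record = line.split()
        events.append((timestamp[:10], user, record))  # keep the date only
    return events


def flag_unusual_access(log_text, caseloads, off_caseload_allowance=2,
                        spike_factor=3.0, min_baseline_days=2):
    """Return alerts, ordered by user then day, for the two signals above."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> day -> records
    for day, user, record in parse_log(log_text):
        per_day[user][day].add(record)

    alerts = []
    for user in sorted(per_day):
        caseload = caseloads.get(user, set())
        totals = {day: len(recs) for day, recs in per_day[user].items()}
        for day in sorted(totals):
            off = sorted(r for r in per_day[user][day] if r not in caseload)
            if len(off) > off_caseload_allowance:
                alerts.append(Alert(user, day, "OFF_CASELOAD",
                                    f"{len(off)} records outside caseload: "
                                    + ", ".join(off)))
            # Baseline is the user's own median daily total over their other
            # days; with too few other days there is no reliable baseline.
            others = [n for d, n in totals.items() if d != day]
            if len(others) >= min_baseline_days:
                baseline = median(others)
                if totals[day] > spike_factor * baseline:
                    alerts.append(Alert(user, day, "VOLUME_SPIKE",
                                        f"{totals[day]} records in a day; "
                                        f"usual total is {baseline:g}"))
    return alerts


if __name__ == "__main__":
    for alert in flag_unusual_access(SAMPLE_LOG, CASELOADS):
        print(f"{alert.day} {alert.user:6} {alert.kind:13} {alert.detail}")
```

The allowance and spike factor are arbitrary starting points to be tuned against your own organisation’s normal pattern of work; an alert is a prompt for a human to look, not a finding in itself.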
Security standards
The longstanding international standard for Information Security Management (ISO 27001) has now been supplemented by ISO 27701, the international standard for Privacy Information Management Systems.3 These international standards are detailed and complex. Most voluntary organisations’ processing of personal data is relatively low risk, in which case application of the standards to your own operations may well be a step too far. However, you should expect many of your suppliers of IT services, especially the larger ones, to be ISO compliant, and this should be a factor in your selection process. Cyber Essentials is a UK-government-backed scheme which is much simpler than ISO 27001. It aims to guide organisations through five technical controls to:
secure an internet connection;
secure devices and software;
control access to data and services;
protect the system from viruses and other malware;
keep devices and software up to date.
There are two levels: a basic Cyber Essentials certification, which is largely self-assessed, and Cyber Essentials Plus, which is externally verified.4 If your organisation takes card payments, you will also be aware of the need to comply with (and keep up to date with the latest version of) the Payment Card Industry Data Security Standard.5
Authorised and unauthorised access
From the fact that you have to prevent unauthorised access, it follows that you have to be clear about what kinds of access are authorised. This should cover the following points:
Internal access: who on your staff (including volunteers) is allowed access to the information, and for what purpose(s)? This is often best set out in your confidentiality policy (see chapter 15).
External access: who outside your organisation is allowed access, and under what circumstances? For example, what methods of disclosing information do you consider secure? And, if the external person is in a category of people who are occasionally allowed access but not in regular contact with your organisation (a client’s social worker, for example), do they have to prove their identity, and if so how?
Far more security breaches come about through inadvertent, mischievous or deliberate misuse of data by people who are entitled to have it, rather than by external intrusion. This could mean people looking at files that they know (or should know) they are not allowed to see, or leaving information around where other people can easily read it. Equally, you should think about how you might prevent staff and volunteers from giving out information over the telephone to the wrong people, or giving out information over the telephone that should not be given out in this way at all. It is not enough to assume that your staff, volunteers, trustees and external contractors will automatically understand what is meant by confidentiality and security. Your regular receptionist may be quite clear that staff members’ home numbers are not given out, but this week’s temp may not. This is why security and confidentiality should be standard parts of the induction for anyone new to your organisation, and should be regular parts of staff briefings to keep them in the forefront of everyone’s mind. Once you are clear what access is authorised, anyone making deliberate unauthorised access – for whatever reason – could be committing a criminal offence. The Data Protection Act 2018 (DPA 2018) states in s.170 that:
(1) It is an offence for a person knowingly or recklessly—
(a) to obtain or disclose personal data without the consent of the controller,
(b) to procure the disclosure of personal data to another person without the consent of the controller, or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. . . .
(4) It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.
It is also a criminal offence, under s.171 of the DPA 2018, to knowingly or recklessly ‘re-identify’, without the consent of the controller, personal data that has been ‘de-identified’. One of the first cases involving de-identification came in April 2020, when the ICO decided to prosecute someone who had received a confidential document by mistake and managed to undo the redactions and then make use of the information for his own purposes.6 A legal defence against these offences can be made on the grounds that the person had the ‘reasonable belief’ that the action was permissible, and in some other circumstances, such as preventing or detecting crime. This is another argument for being clear about what people are authorised to do with personal data. There have been numerous prosecutions for offences under the DPA 1998 that are similar to those in s.170 and s.171 of the DPA 2018 (described above). These have ranged from blatant attempts to con information out of people to situations where the perpetrator probably thought their actions were innocuous, including staff who have looked up people they know on medical or police databases. Numerous individuals have received a fine and a criminal record for such activities. While your staff and volunteers are, presumably, unlikely to access information deliberately without authorisation, you may find it worth pointing out the legal position to them and warning them that this is not a trivial matter. They could end up with a criminal record. It is not unknown, for example, for a disgruntled volunteer to walk off with an organisation’s membership list and try to set up a rival organisation, or for a staff member to break into the confidential personnel filing cabinet to find out what the organisation’s lawyers advised in a disciplinary case.
Database copyright
In addition to data protection restrictions on access, you should be aware that databases benefit from copyright protection (whether these contain information about individual people or not).7 A case in 2008 found against two ex-employees who took details from a firm’s customer database on their departure. The question of whether the information was confidential was immaterial; merely taking the information was a breach of copyright. While the criminal offence of unauthorised access is in some ways more serious, breach of copyright is a civil matter, which means that an organisation could take action for an injunction and/or damages directly, without having to involve the police in a prosecution. Another aspect of database copyright is that copyright usually resides with the creator of the material in question. If you outsource work and your contract with the data processor is not correctly drafted, then the data processor may end up owning the rights to any information they collect. Any contract with a data processor should therefore include an assignment of the intellectual property in any database (or any other ‘creative’ work) that the data processor produces, develops or uses on your behalf.
12 Transferring personal data abroad
Having taken the trouble to protect the personal data you hold in the UK, you are obliged to ensure that it stays protected if it is transferred abroad. Although relatively few voluntary organisations transfer information directly to other organisations abroad, if you use cloud services there is the possibility that your supplier’s computers may be based far away from the UK. This chapter:
describes the restrictions that apply to transferring personal data abroad;
considers the options available for international data transfers.
Transfers that are not restricted
Although the GDPR is a European Union (EU) regulation, it applies to the whole of the European Economic Area (EEA) (the EU plus Iceland, Liechtenstein and Norway). Transfers of personal data within the EEA can be made without any restrictions (other than compliance with the normal data protection rules, of course). In addition, the European Commission, on the basis of recommendations from the European Data Protection Board (which oversees data protection for the EU), can decide that certain other jurisdictions have sufficiently similar (or ‘adequate’) data protection provisions for transfers to these countries to also be unrestricted. As of October 2020, these countries and territories were Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The European Commission has made partial findings of adequacy about Canada, Japan and the USA:
In Canada, transfers can only be made in respect of – broadly – commercial data.
In Japan, transfers can only be made in respect of private sector organisations.
The position with the USA is complex (see page 86).
These decisions were all made before the GDPR came into force but have been renewed, at least for the time being. In its preparations for the UK to leave the EU, the UK government adopted (under s.74 of the Data Protection Act 2018) the EU decisions on adequacy, and has also indicated that transfers from the UK to the EEA will remain unrestricted. However, there is no certainty that the UK’s position will continue to mirror the EU’s decisions indefinitely.
Transfers where additional measures are required
If you want to make a transfer of data to a country that is outside the EEA and not covered by an adequacy decision, Article 46(2) of the GDPR lays down several options.
Standard contractual clauses and binding corporate rules
The first option is a legal agreement between the sending organisation and the receiving organisation which obliges the receiver to maintain the protection given by the GDPR. The GDPR sets out criteria for these contractual arrangements, and models based on them are generally known as ‘standard contractual clauses’. For up-to-date information on these, and a set of model contractual clauses, see the Information Commissioner’s Office (ICO) website.1 When the transfer is between different parts of the same organisation, instead of a contract you can use equivalent ‘binding corporate rules’ (also subject to the GDPR’s criteria set out in Article 46(2)).
Other options
If a legal option is not available, transfers can be made according to Article 49 of the GDPR under one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
If you can’t satisfy any of the provisions above, Article 49 goes on to say that you can still make a transfer but only if it:
is not repetitive;
concerns only a limited number of data subjects; [and]
is necessary [in the controller’s] compelling legitimate interests, which are not overridden by the interests, rights and freedoms of the data subject.
Additionally, you must have carried out an assessment to ensure that you have suitable safeguards in place (the assessment and safeguards must be documented) and you must also inform the supervisory authority (the ICO) and the data subject about the transfer.
What to consider when you are transferring data outside the UK
What this boils down to is that before you transfer any data outside the UK (including storing it on a cloud service unless you have a guarantee that its servers are all in the UK), you should consider:
Is the destination within the EEA?
If not, is the destination in the current list of jurisdictions with an adequacy decision?
If not, do you have a legal agreement with the recipient, using the standard contractual clauses, that guarantees all the safeguards required by the GDPR, or could one be put in place?
If not, do you have the fully informed consent of the data subject(s)?
If not, is the transfer necessary because of a contract between your organisation and the data subject and do such transfers only happen occasionally?
If not, is the transfer necessary because of a contract between your organisation and the data subject which benefits another individual, and do such transfers only happen occasionally?
If not, are you in one of the special situations set out in points (d) to (g) above?
If not, is this a one-off transfer that you have documented and for which you have conducted a risk assessment?
As soon as you get to a ‘yes’ in the list above, the transfer can go ahead, subject to any necessary safeguards. Otherwise, you can’t do it.
The USA
The USA has no general data protection law, but many online services are provided by US companies, often from within the USA, so any restriction on transfers of personal data would be commercially disadvantageous. In order to address this state of affairs, under the EU’s pre-GDPR data protection regime, after prolonged and at times acrimonious negotiation, the European Commission agreed a Safe Harbour scheme that purported to provide an adequate level of protection in the USA. This, however, was challenged at the European Court of Justice and struck down. Subsequently, it was quickly replaced by a modified scheme known as Privacy Shield. Few commentators were satisfied that Privacy Shield provided a level of protection and redress that is equivalent to the GDPR, but the quantity of personal data transferred between the EU and the USA meant that some arrangement had to be made and this appeared to be the best on offer. However, in a decision in July 2020, the EU Court of Justice concluded that Privacy Shield was not, in fact, an appropriate method for protecting personal data transfers to the USA and could no longer be relied on. The main reason is that it does not prevent the US government from accessing the personal data once it is in the USA. The judgment went further and found that standard contractual clauses do not provide a satisfactory alternative, because they can only bind the signatories and, again, do not prevent the US government from accessing the personal data. The situation was not fully resolved at the time of writing and you should consult the latest available information.
13 Data subjects and their rights
In Articles 15 to 22, the GDPR significantly enhances the rights of data subjects to control how their data is used and what happens to it. It is important to be aware of these rights – and any restrictions on when they apply – and to respond promptly and appropriately when a data subject seeks to exercise their rights. This chapter covers some particular issues that arise when data subjects are children, and then describes data subjects’ rights to:
stop receiving direct marketing;
access the personal data you hold about them;
rectify personal data that is incorrect or incomplete;
‘be forgotten’ in some situations;
restrict processing of their personal data in some situations;
transfer their personal data from one provider to another in some situations;
object to you processing their personal data;
prevent you from carrying out completely automated decision-making;
complain that you have not complied with the GDPR;
receive compensation for any harm resulting from non-compliance.
The chapter ends by considering the situation where a third party makes a request on behalf of a data subject, and then discussing potential exemptions.
Data on children
Children can, of course, be data subjects. The GDPR does not treat them particularly differently from adults, but it does expect you to take appropriate precautions. In particular:
When you are considering ‘legitimate interests’ as your lawful basis (see chapter 6), you have to be particularly careful not to override the interests of children (Article 6(1)(f)).
When you are providing information to children about how you will process their data, you have to ensure that they will genuinely be able to understand it (Article 12(1)). The Information Commissioner’s Office (ICO) has now completed an Age Appropriate Design Code, which came into force in September 2020.1
When you are offering ‘information society services’ – essentially online services – you are required to have demonstrable parental consent if the child is below a particular age (Article 8). The GDPR provides for the cut-off age to be 16, but national governments are permitted to reduce this, and the Data Protection Act 2018 (DPA 2018) (s.9(a)) sets the age in the UK at 13.
In addition, Article 8(4) of the UK version of the GDPR excludes online ‘preventive or counselling services’ from the need for parental consent at any age. This would apply, for example, to online services such as those offered by Childline.
Direct marketing
Every data subject has the right not to receive direct marketing if that is their choice. See chapter 18 for full details.
Right of access by data subjects
Every data subject has the right to know what information you hold about them. Access to their own personal data is an important right which data subjects are becoming increasingly well aware of. There is also detailed guidance from the ICO on the subject.2 Chapter 14 discusses the right of access in more detail. The other rights discussed below, many of them introduced for the first time by the GDPR, may take some time before they become as well known as the right of access.
Making changes to data or processing
Rectification
Provisions in Article 16 of the GDPR state that if the data subject becomes aware that you are holding incorrect information about them, they have the right for it to be corrected, and if your information is incomplete, they can also submit additional information to be added.
Erasure (‘right to be forgotten’)
If a data subject asks you to delete their information, then, in the following situations, Article 17 states that you must do so without undue delay:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent [if that is the basis on which the processing is taking place], and where there is no other legal ground for the processing;
(c) the data subject objects to the processing [see ‘Objection to processing’ below] and there are no overriding legitimate grounds for the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation . . . ;
(f) the personal data have been collected in relation to the offer of [online services to a child].
In addition, if you have made the information public, you must try to get it erased in other locations as well, within the bounds of practicality and cost. There are exceptions to the ‘right to be forgotten’ for reasons relating to freedom of expression, public health, archiving, research and statistics, and legal claims (for example, so that you would not have to undermine your case against a data subject by deleting your evidence). There may also be circumstances where a controller has no choice but to retain data, for example to mark a record for suppression in order to ensure that no direct marketing is sent to that individual in the future. Essentially, if you cannot give a good reason for holding certain data, you must delete it on request (and probably should have done so before the request anyway). If you think there is a good reason for holding it, you should ask the data subject which of the above situations they believe applies and consider their point of view. If you cannot reach a mutual agreement, you may need to take legal advice.
89
M1997
Directory of Social Change – Data Protection for Voluntary Organisations 2020
Marlinzo Services, Frome, Somerset
3B2 8.07t/W (Aug 8 2005)
{jobs}M1997 (DSC - Data Protection)/13 DP Chapter 13.3d
Date: 8/12/20
Time 15:05pm
Restriction of processing in some situations
Article 18 of the GDPR states that you must restrict processing – stop using the data – if:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but [the data is] required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing [see ‘Objection to processing’ below] pending the verification whether the legitimate grounds of the controller override those of the data subject.
Informing recipients
If you have complied with a request to rectify or erase data or restrict processing, Article 19 of the GDPR states that you must inform anyone to whom you have disclosed the data, unless this ‘proves impossible or involves disproportionate effort’. You must also tell the data subject which recipients you have disclosed the data to if they ask. Some recipients will be easy to inform – for example, your data processors, linked organisations (such as your trading company) or organisations with which you collaborate. Guidance from the ICO addresses the situation where information has been made public online, but states only that ‘reasonable’ steps must be taken to inform other controllers who could erase links to the data or copies of it, taking account of ‘available technology and the cost of implementation’.3
Portability
This right applies when processing is based on consent or a contract between you and the data subject and the processing is taking place ‘by automated means’. Data subjects are entitled to receive from you a copy of any personal data they have provided to you, in a ‘structured, commonly used and machine-readable format’, so that they can provide the data to a different controller.4 Alternatively, you can provide it directly to the other controller (presumably a different service provider). The ICO gives three examples of suitable formats: CSV (Comma Separated Values), which is often used by spreadsheets; XML (Extensible Markup Language), which is used by many web applications; and JSON (JavaScript Object Notation), which is also a web-based format.
It is hard to see many situations where this right would be relevant to voluntary organisations, since the data this applies to is very limited and in most cases will only affect online services. The right only applies where both of the following are true:
- the data has been provided to you by the data subject (this excludes any additional information that you have added to their record); and
- the data is being processed automatically.
Objection to processing
If a data subject objects to any processing of their data that you are carrying out on the lawful basis of legitimate interests (or public functions if your organisation is a public body), you must stop processing it unless you can demonstrate ‘compelling legitimate grounds’ (Article 21(1)) for carrying on against their wishes. A fairly obvious example where you could refuse to stop processing data might be where you have put in a Gift Aid claim in respect of a donation but the data subject subsequently objects to you processing their data. In this case, you would have to retain the Gift Aid declaration and a record of the donation even if, for example, you agreed to anonymise the donation itself in your financial records.
Automated decision-making
Data subjects have the right not to have decisions made about them solely by automated processing if this has a significant effect on them, unless the decision is necessary in connection with a contract between the data subject and the controller or the data subject has provided their explicit consent. ‘Automated’ implies that the processing takes place without any human intervention, such as when job applications are initially assessed by computer and may be rejected before they have been considered by a human being.
Even in situations where processing is based on consent or contract, the controller must make provision for the data subject ‘to obtain human intervention . . . , to express his or her point of view and to contest the decision’ (Article 22(3) of the GDPR). Section 14 of the DPA 2018 makes provision, as permitted by the GDPR, for safeguards in cases where the lawful basis is not consent or contract. For example, the controller must inform the data subject that the decision has been made automatically. They must also reconsider the decision, or make a new decision that is not based solely on automated processing, if the data subject asks them to do so (within a month of the request).
Complaints and compensation
If a data subject is not happy because they believe that the controller has not complied with data protection legislation, they can complain to the ICO (see chapter 22 for more on this). If a data subject has been harmed by a breach of data protection legislation, they can take the controller to court for compensation, although awards have been quite low.
Requests on behalf of data subjects
In normal circumstances you would expect a data subject to make requests under any of the above rights on their own behalf. However, they may want someone else to help them or to make the request for them. This is acceptable, but you will always need to confirm – in whatever way you feel appropriate – that the request is genuinely being made on the data subject’s behalf. For more on situations where people can act on behalf of others (for example, when they are service users), see page 113.
Exemptions
Under certain circumstances you do not have to comply with a request by a data subject to exercise one of their rights, such as to access their data. These exemptions are complex, and you should refer to the ICO’s guidance if you believe one of them might apply or if you feel uncomfortable about doing what the data subject has asked for and would welcome the option of applying an exemption.5
In brief, the categories of data that may qualify for an exemption, and that are potentially most likely to apply to voluntary organisations, include:
- data required to be disclosed by law or in connection with legal proceedings, if complying would prevent you from disclosing the data (for example, if a data subject asked for their data to be erased but you needed it to support a legal case);
- data that is subject to legal professional privilege;
- data that would result in self-incrimination, if disclosure would expose you to proceedings for the offence;
- data whose disclosure is prohibited or restricted by a law covering human fertilisation and embryology, adoption, special educational needs, parental orders or children’s hearings;
- data disclosed to the authorities for immigration purposes, in limited circumstances;
- research and statistics (but not activities such as market research);
- archived data in the public interest;
- health, social work or education data (in some circumstances);
- management forecasts;
- negotiations;
- confidential references (both those given and those received).
In addition, there are exemptions (sometimes very limited) in relation to a wide range of government, parliamentary, public and regulatory functions, as well as journalism, academia, art and literature. If you are in a situation where you think one of these exemptions might apply, you should consult the ICO’s guidance referenced above.6
14 Right of access by data subjects
The data subject’s right to see the information you hold on them is a significant safeguard against information being used wrongly or held inaccurately. It is important to get subject access right, because people who make a request are often already at odds with the controller, and any mistakes will only make a bad situation worse.
This chapter:
- explains the right of subject access;
- sets out criteria for determining a valid request;
- describes what you must include in your response and what you can exclude;
- discusses your time limit for responding and the need to keep a record of your response.
What does the right entail?
The right of subject access existed in very similar terms under the Data Protection Act 1998. The main difference under the GDPR is that the controller is no longer permitted to charge a fee, and the time limit for a response is reduced to one month. Article 15 of the GDPR states:
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling . . . and [in some cases], meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards . . . relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
You will probably have recognised that the list of items in paragraph 1 is essentially the same as the list of items that you have to provide in your full privacy notice (see chapter 9), while paragraph 2 applies only in limited circumstances. The key element of Article 15 is paragraph 3, which gives the data subject the right to receive a copy of the data. Remember that processing includes storage, so a copy must be provided even of data that is not being actively used.
The request
A data subject access request (DSAR – or sometimes abbreviated to SAR) may be made in any way. Any request from a data subject for access to their records must be accepted, including one made verbally. You may find it helpful to ask if the request can be refined or limited in some way, and it may be appropriate to ask the data subject for assistance in locating the information – perhaps by telling you what their relationship is to your organisation (for example, client, donor or member).
Some organisations choose to have a form for data subjects to complete, but this is optional and you cannot require someone to complete a form. If you decide to have one, it should:
- ask for the information that you might require in order to identify the data subject reliably;
- ask whether the data subject wishes to restrict the type of information they wish to see or to receive information relating only to a specific time period;
- ask for information that might help you to locate the personal data;
- ask for evidence of authorisation if the person making the request is not the data subject;
- if relevant, ask the data subject whether they would like the information sent on paper or electronically (normally you would be expected to respond electronically if that is how they submitted the DSAR).
Ideally, such a form should be available on your website in a format that allows the request to be submitted electronically.
Although you will probably assign a person with responsibility for responding to DSARs (in order to speed up your responses and make sure they are handled correctly), a request might arrive on anyone’s desk or inbox, anywhere within your organisation. It is important, therefore, that all staff know how to recognise an incoming DSAR, and know that their response should be to acknowledge it and pass it on without delay to the designated person. You should consider providing training and briefings on this topic at regular intervals.
There are limited circumstances in which you can refuse to respond to a request that is ‘manifestly unfounded’ or ‘excessive’. The Information Commissioner’s Office (ICO) guidance on the GDPR gives some suggestions as to how this could be assessed.1
Responding to the request
Your first task is to ensure that you can unambiguously identify the requester. You do not want to send the personal data of the wrong person or mix up two or more people’s records. If you are not able to match the requester to a known person in your records, such as a staff member or client, you may wish to ask for evidence of identification. However, you should be proportionate and not make this an unnecessary obstacle. For example, if you have a supporter’s email address and the DSAR comes from that address, you may not need any further confirmation.
Next you need to find all the personal data you hold about the requester. Some locations will be obvious and easy to search – in a database, for example – but other relevant information may be scattered across many different email accounts, small data sets (such as spreadsheets or email lists) or paper records. You also need to provide the information listed on pages 95–6 in the quotes from Articles 15(1)(a–h) and 15(2).
At this point it is important to recognise that data subjects are entitled to a copy of the personal data that you hold, but not necessarily in the format or document in which it is held. This means, for example, that if you hold the requester’s name and address in a number of different places, you just need to give them one copy of it. It may be easier to print out a copy of their database record, but it is equally permissible to create a new document to contain the personal data that has to be provided. Equally, if there are a number of copies of an email about the requester, perhaps as part of a long trail, you only need to give them the information once.
If an ex-member of staff submits a DSAR, you may well find that there are hundreds of emails that they have signed on behalf of your organisation, none of which, or only a very small proportion of which, contain any personal data about your ex-employee other than their name, job title and email address. In order to reassure the requester that you have looked properly for the information you hold, your response might include something along the lines of ‘We also hold 273 emails that you signed on our behalf, between [this date] and [that date], containing no personal data relating to you other than your name, email address and job title.’
You must provide the personal data that you hold at the time when the data subject makes their request to access it, except that you are allowed to make routine changes. For example, say that you sell publications and a customer asks for a copy of their record. If, shortly after they make the request, you receive a payment from them, you are allowed to update their record. You can even delete the information altogether if you would have done so anyway. For example, you might take people’s details in order to send them a brochure, then delete the information once the brochure has been sent. Someone might make an access request only to find that by the time you responded, you legitimately no longer held any information about them.
What you certainly must not do is tamper with the information to remove parts you would rather the data subject didn’t see, or do anything to it that you wouldn’t have done in the normal course of events. This is an offence under s.173 of the Data Protection Act 2018. The ICO’s guidance is very clear on this point.2
What information can you exclude?
The next step is to examine the information you have assembled to ascertain whether there is any personal data in it about someone other than the requester who can be identified. You may have to redact this in order to comply with Article 15(4) (quoted on page 96). Redaction could mean making a paper copy and blanking out the bits that have to be removed (then possibly photocopying it again in case the text can be read through from the back). It could also involve creating an electronic copy, blanking bits out (or removing them) and saving the resulting document in a format that will not allow the changes to be undone.
You don’t necessarily have to remove all the information about third parties. You can leave it in if:
- the third party has consented to the disclosure; or
- it is reasonable to comply with the request without the third party’s consent.
Your decision on whether to redact or not should take into account:
- any duty of confidentiality you owe to the third party (see chapter 15);
- anything you have done to try to get their consent;
- whether they are able to give consent;
- whether they have refused consent;
- harm that may be caused to the data subject by not disclosing the information, set against the harm that may be done to the third party by disclosing it.
If the requester already has the information about the third party (for example, where the third party was acting in some professional capacity) or if the inclusion of the information would pose little or no risk to the third party, you may well decide that the information should be provided and that there is no need to seek the consent of the third party. The ICO’s guidance states that:
For the avoidance of doubt, you cannot refuse to provide access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.3
In a few cases there may be some reason why you feel it is not appropriate just to send the data subject a copy of their data, either because of practical difficulties over the format in which it is held or because there might be immediate questions or concerns which would be better handled face to face. Although the right is technically to obtain a copy of the data, you may wish in these cases to invite the data subject to view it first.
The time limit for responding
The GDPR specifies that you must respond to a DSAR within one month of receiving the request, or within one month of receiving verification of the requester’s identity if you need it. This has caused some confusion, since months vary in length. The ICO’s guidance explains that the time limit takes no account of working days.4 In most cases you must provide the response on the equivalent date in the following month, or earlier if the month is shorter and there is no equivalent date. The examples given are:
- DSAR received on 3 September: response required by 3 October.
- DSAR received on 31 March: response required by 30 April.
Record-keeping
As with almost everything else to do with GDPR compliance, you should keep a log of DSARs you receive and how and when you responded. This will also stand you in good stead if you need evidence to reject a request from someone who has already made a request recently, on the grounds that it is excessive.
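The one-month rule above and the DSAR log described under ‘Record-keeping’ are easy to get wrong by hand, so here is an added example (written for this edition of the page, not code from the book, the ICO or any DSC project) that computes the response deadline exactly as the ICO examples describe it and keeps a minimal log that can flag overdue responses and earlier requests from the same requester. The 180-day lookback window, the requester references and the dates in the sample log are constructed assumptions for illustration; nothing here is a legal threshold.

```python
"""Added example: DSAR response deadline and a minimal request log.

Deadline rule as quoted from ICO guidance: the equivalent date in the
following month, or the last day of that month if it has no such date;
working days are not taken into account.  Everything about the log
(identifiers, dates, lookback window) is constructed for illustration.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def dsar_deadline(received: date) -> date:
    """Date by which a DSAR received (or identity-verified) on `received` is due."""
    year, month = received.year, received.month + 1
    if month > 12:                      # December rolls over into January
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    # 31 March -> there is no 31 April, so the deadline is 30 April.
    return date(year, month, min(received.day, last_day))


def deadline_iso(received_iso: str) -> str:
    """Convenience wrapper on ISO strings: '2020-03-31' -> '2020-04-30'."""
    return dsar_deadline(date.fromisoformat(received_iso)).isoformat()


def days_left(received: date, today: date) -> int:
    """Days remaining until the deadline; negative once it has passed."""
    return (dsar_deadline(received) - today).days


@dataclass
class DsarRecord:
    requester_ref: str                     # internal reference, never the personal data itself
    received: date
    identity_verified: date | None = None  # the clock starts here if ID evidence was needed
    responded: date | None = None

    @property
    def deadline(self) -> date:
        return dsar_deadline(self.identity_verified or self.received)


@dataclass
class DsarLog:
    """In-memory log; a real one would be persisted and access-controlled."""
    records: list[DsarRecord] = field(default_factory=list)

    def add(self, record: DsarRecord) -> DsarRecord:
        self.records.append(record)
        return record

    def overdue(self, today: date) -> list[DsarRecord]:
        """Requests with no recorded response whose deadline has passed."""
        return [r for r in self.records if r.responded is None and r.deadline < today]

    def earlier_requests(self, requester_ref: str, received: date,
                         lookback_days: int = 180) -> list[DsarRecord]:
        """Earlier requests from the same requester inside an assumed lookback window.

        This supports the evidence needed to argue a repeat request is
        'excessive'; the 180-day default is illustrative, not a legal figure.
        """
        cutoff = received - timedelta(days=lookback_days)
        return [r for r in self.records
                if r.requester_ref == requester_ref and cutoff <= r.received < received]


def sample_log_summary() -> dict:
    """Build a constructed sample log and return what the checks report."""
    log = DsarLog()
    log.add(DsarRecord("supporter-0001", date(2020, 3, 31)))
    second = log.add(DsarRecord("supporter-0001", date(2020, 6, 1)))
    client = log.add(DsarRecord("client-0042", date(2020, 9, 3),
                                identity_verified=date(2020, 9, 10)))
    return {
        "second_request_deadline": second.deadline.isoformat(),      # 2020-07-01
        "client_deadline": client.deadline.isoformat(),              # 2020-10-10 (from ID verification)
        "earlier_from_supporter": len(log.earlier_requests("supporter-0001", date(2020, 6, 1))),  # 1
        "overdue_on_2020_07_15": len(log.overdue(date(2020, 7, 15))),  # 2
    }


if __name__ == "__main__":
    # The two ICO examples from the text, plus a leap-year edge case.
    print(deadline_iso("2020-09-03"))   # 2020-10-03
    print(deadline_iso("2020-03-31"))   # 2020-04-30
    print(deadline_iso("2020-01-31"))   # 2020-02-29
    print(sample_log_summary())
```

Two design points worth noting: the log stores only an internal reference and dates, so the log itself does not become another copy of the personal data, and the deadline is computed from the identity-verification date where one was needed, matching the text’s statement that the month runs from verification in that case.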
15 Confidentiality
Data protection and confidentiality overlap, but they are not the same. In most organisations it makes sense to have a policy on confidentiality that is consistent with data protection, and a separate policy on data protection (see chapter 9). Clarity over confidentiality can help when it comes to disclosing personal data and determining what access is authorised.
This chapter:
- explores the interaction between data protection and confidentiality;
- discusses the elements of a confidentiality policy that relate to data protection.
The interaction between data protection and confidentiality
As explained in chapter 2, data protection law only applies to personal data. Much personal data is confidential, but not all, and a wide variety of material may be confidential but not personal data. For example:
- Information that is not recorded anywhere cannot be personal data, however private it might be – a conversation with a client or a colleague, or something observed or overheard, for example.
- Information that is recorded on paper but not in, and not intended to be in, a filing system is not personal data, even if it is about an identifiable individual.
- Information that is not personal may be confidential – relating to the plans, proposals, negotiations and business practices of your organisation, for example.
- Information about a deceased person may be confidential even though it is no longer personal data.
- Security information, such as passwords and access codes, is unlikely to be personal, but it is certainly confidential.
It can be confusing to have some aspects of confidentiality dealt with under a data protection policy and others in a separate policy (or to have your data protection policy extend into areas which are not strictly the concern of data protection). Therefore, it makes sense in most organisations to have a stand-alone confidentiality policy which refers to data protection concerns when appropriate.
Confidentiality is not the same as secrecy. It is about setting clear boundaries within which information may legitimately be shared on a need-to-know basis. The boundaries will depend partly on the nature of the information and partly on your policy decisions.
Making things clear
Once you have set boundaries, all parties need to know the situation. If you tell your clients that you offer a confidential service, you should aim to ensure that they are clear about what this means: will you keep the information within just the team that is working with them, or within the organisation, or might you even share it with an external professional, such as a doctor or social worker? Your staff – paid employees or volunteers – also need to be clear where the boundaries are: can they share a particular type of information in a particular way as a matter of routine, or do they need to get authorisation for a proposed disclosure?
Confidentiality and data protection
Chapter 11 describes how the data protection principle of integrity and confidentiality forms the basis for deciding what security measures you need to take. This is where data protection and confidentiality interact. In order to comply with the security requirements of the GDPR, you have to know what access to personal data is authorised. In some cases, this authority will come from the situation: for example, a person tasked with a particular responsibility will implicitly be authorised to access the personal data they need in order to carry it out. In other cases, the authority may well come from a confidentiality policy that sets out how to determine whether access to or disclosure of personal data is appropriate, or what steps should be taken to establish whether it is appropriate. The authority may also come directly from a data subject. They may authorise someone to act on their behalf, or give you permission to disclose their data in a particular situation.
When does a duty to disclose override confidentiality?
It is important not to promise absolute confidentiality given that you may not be able to deliver on that promise. You may have no choice about disclosing information, for a variety of reasons. For example:
- You may have a duty of care not to overlook something that comes to your attention. Many advisers, for example, make it clear to their clients that information may be disclosed if the adviser becomes aware of a risk of harm either to the client or to another person (especially a child), even though the relationship is normally based on confidentiality.
- Increasingly, funders such as local authorities impose (or try to impose) a contractual obligation to disclose information about the people benefiting from the service they are funding. If you agree to funding on these terms, you must ensure that you can do so while complying with data protection requirements.
- There may be a legal obligation to disclose information. This can come in two forms: a requirement to provide information if asked (which can be dealt with on a case-by-case basis) or – more rarely – a requirement to report information if you become aware of it.
This is not the place to deal with the issue of legal disclosure exhaustively, but the situations relating to the disclosure of personal data where matters must be reported are many and varied. These include, for example:
- employment-related matters to do with tax and National Insurance;
- accidents and some breaches of health and safety;
- concerns about potential risk or harm to children or vulnerable adults;
- suspicions relating to terrorism;
- suspicions relating to money laundering;
- suspicions relating to drug sale and use.
Where there is a duty of confidentiality without a legal duty of disclosure, disclosure without the consent of the person to whom the duty of confidentiality is owed could be a breach of confidentiality. In these situations, consent to disclose should be obtained – for example, a counselling client might be asked to agree that the counsellor can discuss their case in sessions when the client is not present but the counsellor is receiving coaching from their supervisor.
Official requests for disclosure
The data protection legislation does not give anyone (other than the data subject) the right to demand the disclosure of personal data. However, if an entity has a specific legal power in some other legislation, data protection does not prevent the disclosure. Many agencies do have the power to demand information, but it is quite reasonable to expect them to know what powers they have and to be able to justify their request in writing. Under the Data Protection Act 1998 (DPA 1998), for example, the police developed a standard form for requesting data (making reference to s.29 of the DPA 1998, which explicitly made provision for disclosure without consent).
Schedule 2, paragraph 2 of the Data Protection Act 2018 follows the DPA 1998 in making provision for cases where you might be asked to disclose personal data (even without the data subject’s knowledge) in relation to ‘crime and taxation’ – i.e. ‘the prevention or detection of crime’, ‘the apprehension or prosecution of offenders’ or ‘the assessment or collection of a tax or duty or an imposition of a similar nature’. Many of your normal GDPR obligations are lifted in this case, if they would ‘prejudice’ (i.e. interfere with) the crime and taxation purposes (the obligations that are lifted include the fairness and transparency elements of the first data protection principle, the purpose limitation of the second principle and many of the data subject’s rights).
Similar provisions are made in Schedule 2 for immigration matters, legal proceedings, measures to protect the public from financial dishonesty (and a range of other malpractice), audit, and regulatory functions relating to legal services, the health service and children’s services.
If you decide to breach confidentiality, either in response to an external request or on your own initiative, you may want to take certain steps to ensure that all the issues are properly considered first. A basic step to take is to insist that the request is submitted in writing with a statement of which power is being exercised. You could also have a policy only to release the information on the authority of an appointed senior member of staff (or trustee) and to keep a record of the disclosure and the reasons for making it.
Your confidentiality policy

A confidentiality policy should recognise that confidentiality is about boundaries, not total secrecy. It should be clear about:
- who (usually by role, rather than on an individual basis) has access to which information, and for what purpose(s);
- whether access is automatic, or needs to be authorised in each case or in specific cases (such as where information is especially confidential);
- any likely exceptions to your general undertaking to provide services on a confidential basis;
- how data subjects will be informed about your confidentiality policy, and in particular any exceptions to confidentiality;
- how data subjects will be consulted over disclosures of confidential information, and how their consent (if given) will be recorded;
- how staff, and anyone else who has access to confidential information, will be informed and trained on their responsibilities regarding confidentiality;
- how disclosures that the organisation decides to make which breach confidentiality will be handled and authorised;
- the penalties for breaches of confidentiality by individual staff members without the organisation’s authority;
- any related policies (such as security or whistle-blowing).
In support of the full policy, you may also want to have specific confidentiality statements for your main data subjects and for staff.
How can you enforce confidentiality? A legal responsibility to maintain confidentiality may be imposed by law, explicitly or implicitly under a contract, or by a professional relationship (such as that between a counsellor and a person receiving counselling). Employees have an implicit duty of confidentiality towards their employer. However, in the case of anyone with whom you have a contract (for example, staff or external contractors), the contract should explicitly contain an obligation of confidentiality where this is relevant. In the case of volunteers (and trustees), where there is no contract, you can impose an equally strong obligation of confidentiality through common law. If you give someone information ‘in confidence’, that creates the common-law duty of confidentiality. You should therefore make it clear to people when you give them access to confidential information that it is confidential and that they have a legal duty to maintain confidentiality.
16 Working in collaboration with other organisations

Working in collaboration with other organisations can involve data protection issues, and in these cases it is important to ensure that your arrangements are clear. In particular, you may find complex questions arise when a public body commissions services. This chapter:
- sets out the implications of being joint controllers;
- explains the situations in which two or more organisations might be joint controllers;
- explores other possible relationships in the data protection context;
- discusses issues that may arise when a public body commissions services from your organisation.
Joint controllers Article 26 of the GDPR states that: Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information.
There is no assumption here that one organisation has to take overall control, or that the responsibility should be allocated in any particular way. You therefore have considerable flexibility about the arrangements that you make. The key point is that you must agree clear arrangements – the relationship must not be based on assumptions or expectations. It seems reasonable to suppose that any arrangements agreed should be set down in writing, both to avoid potential future disputes and so that data subjects can readily find out how the responsibilities are allocated.
A possible list of topics for your joint controller agreement could include:
- who it applies to;
- general principles, including the basic principle of confidentiality and a recognition of the different requirements placed on different types of organisation (e.g. the Caldicott principles for NHS organisations1);
- the purposes for which information will be shared;
- the lawful basis on which sharing will take place;
- how each partner will discharge their transparency obligations, and whether all parties will use the same form of words to ensure consistency;
- procedures for sharing information, and in particular for obtaining and recording consent from the data subject (if this is the lawful basis);
- procedures to ensure that all parties have the same understanding of how to comply with the data protection principles regarding data quality and retention;
- access and security procedures;
- procedures for ensuring that the handling of data subjects’ rights is consistent and fully compliant;
- procedures for raising concerns or resolving difficulties;
- how the agreement will be managed and kept under review.

In simple cases, for example where two organisations run a joint event, your joint controller agreement may not need to go into lengthy detail, but it is still worth having one. For example, you would not want one organisation to promise the people who register for the event that their details will be kept confidential, only to find that the other organisation has produced an attendance list and distributed it to all of the participants before the event. A separate agreement may not be necessary if it is possible to include the provisions within or as a schedule to a commercial or services agreement that you and the other organisation already have in place.
Are you joint controllers? Your relationship with another organisation is likely to be one of joint controllers where the two organisations share (some of) the same data, process it for the same purpose(s) and together make (some of) the decisions. For example, a charity and a trading company sharing the same marketing database, and using it to promote both the charity’s fundraising and the trading company’s products, could be joint controllers. Two or more organisations collaborating to run services for the same client or beneficiary group, or organising joint activities, might also be joint controllers.
Other possible relationships include the following:
- Each organisation is a separate controller and the organisations merely disclose information to one another. In this case an information-sharing protocol may be useful.
- One organisation is the controller with the other being a processor. The processor does not have the final say in the decisions about why or how the information is used (although it may provide professional advice or make recommendations because it has specific expertise to offer). (See chapter 4 for more on data processors.)
- The organisations form a consortium which itself is an independent controller that discloses information to and receives information from its members. Where the consortium is a defined legal entity (such as a company set up for the purpose), this is quite likely. The legal status of the joint activity becomes blurred when the consortium is run by a steering group or other body that is partially independent from its members. You may require legal advice in such a situation.
Information-sharing

If personal data that is collected by one controller will routinely be shared with one or more other controllers, it is essential that data subjects are made aware of this when the information is obtained. This is in line with your obligation of transparency (see chapter 9). You might, for example, have an arrangement with several grant-makers that if your clients’ or beneficiaries’ needs appear to fall within their criteria, you will make a referral.

You must, of course, have a lawful basis for the information-sharing, usually separately from the basis on which you process the data for your own purposes. Where your lawful basis for holding data in the first place is legitimate interests, you would have to consider carefully whether the sharing is strictly necessary for the purpose in mind, or whether you should perhaps be asking for consent. This does not, however, mean that all sharing of personal data must be based on consent or legitimate interests. Other lawful bases will apply in situations such as making statutory disclosures of child protection concerns. (See chapter 6 for more on lawful bases.)

In some situations, for example where your data-sharing takes place on a large scale or involves special category data (see chapter 7), you may want to have a formal data-sharing agreement or protocol. This could set out considerations such as:
- criteria on which you might select the data for sharing;
- what you will tell data subjects about the recipient organisation;
- what communication methods you will use in order to maintain security.
Where the two parties jointly determine the content of a data-sharing agreement, however, you may well find that you are in fact joint controllers.
Working with statutory bodies In certain respects, statutory or public bodies are subject to slightly different data protection requirements from voluntary organisations, and much of their processing is likely to be based on the fifth lawful basis (public functions), which is not normally available to voluntary organisations. There are also extensive provisions in the Data Protection Act 2018 for the processing of special category data by various public bodies in connection with their core functions. Public bodies also have freedom-of-information obligations, which can intersect with data protection considerations. What this can mean is that statutory bodies – or at least the staff involved – do not always get data protection right when they commission work from external organisations. Where a statutory body commissions work from a voluntary organisation, this will normally be based on a contract or other formal agreement. It is far from uncommon for the voluntary organisation involved to find that the agreement they are offered is unclear about the data protection implications of the arrangement. The statutory body may describe itself as the controller with the voluntary organisation as a processor, but without the agreement meeting the criteria set out in the GDPR, and in situations where the voluntary organisation clearly is expected to make many of the decisions of a controller. Alternatively, the statutory body may describe the voluntary organisation as the controller, but then stipulate in some detail the personal data that must be collected and passed back to the funder, which would suggest that the two organisations are, in fact, joint controllers. Voluntary organisations do not always have the opportunity to challenge situations such as this, but it is worth, at least, registering any concerns in writing, perhaps in a formal letter. Should there be a data protection breach of some kind, this might help to avoid your organisation being penalised unfairly.
17 Data protection in service delivery

If your organisation provides services to individuals, you will undoubtedly need to hold information about them. It will probably not be difficult for you to determine the most appropriate lawful basis for holding this information and for using it as part of your service delivery (see chapter 6 for more on lawful bases). You must also, of course, ensure that your records comply with the data protection principles (see chapters 8–12). This chapter:
- considers the likely lawful basis for processing service delivery records;
- explains why data quality is particularly important in service delivery;
- explores some of the other implications of the GDPR for service delivery records.
Lawful basis

The appropriate lawful basis for collecting personal data that you need to deliver your services, and for most of the subsequent processing, could well be legitimate interests – as long as you can justify it as necessary and can demonstrate that the rights of the data subject do not override yours. Often you will clearly have a legitimate interest in delivering the services and activities set out or implied in your reason for existence. In other cases, where people have paid for a service, your lawful basis could be the contract.

Remember that it is rarely appropriate to ask for consent to hold the personal data that you need, even if you are obtaining consent from someone to receive a particular service or intervention. Once they have opted in to the service, the data collection is necessary. You may, however, find that consent is more appropriate for other processing, such as disclosing the data to other organisations (even if you feel that doing so is very much in the interests of your data subjects) and for ancillary activities such as taking photographs of your activities for use in publicity.
If your services require the collection of special category data you must, of course, consider the additional conditions, at least one of which must be met (see chapter 7). In this case you may decide that explicit consent is the appropriate condition, but you could find yourself having to explain any restrictions that a refusal would place on your service delivery. The implications of consent subsequently being withdrawn could also be an issue if your service delivery up to that point was based on consent and you felt that, after the consent was withdrawn, you needed to retain a record of your interactions with the client or beneficiary.
Data quality (adequate, relevant, not excessive, accurate and up to date) Data quality is key. The records that you keep are likely to be used to make decisions that could have a significant impact on your data subjects. Your professional standards no doubt already refer to the quality of record-keeping. Ensuring that your staff (including volunteers) record the right information in the right way is also a data protection issue, and one which you should monitor as well as providing regular training and reminders. Chapter 10 has more information on data quality.
Transparency When someone takes up your services for the first time, there is probably quite a lot of information that you would like them to have. Among this you must include at least the main points of your privacy notice, and ready access to the full statement if the data subject wants to see it (see chapter 9). Your privacy notice should clarify the extent to which personal data is treated confidentially in your organisation (see chapter 15). It should also explain any sharing of data that may take place, along with any other processing that the data subject would not reasonably expect in the context of receiving your services. If you provide telephone services, don’t forget that you need to provide at least the key points of your privacy notice verbally, at an early point in the conversation, and that you must tell people if the call is recorded.1
Third parties Your records may hold information about people other than your immediate data subjects – family members, people who have been involved with the individual in various ways and so on. This has
implications for transparency: to what extent should these people be made aware that you hold data about them? With family members, and in most other cases, you should probably tell them if possible, or ask your data subjects to tell them. However, if the nature of your services means that your data subject does not have the best of relationships with these third parties (or has no contact with them), you would not be obliged to tell them anything. This is in line with Article 14(5) of the GDPR, which states that you do not have to provide the data subject with information if:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, . . . or . . . is likely to render impossible or seriously impair the achievement of the objectives of that processing . . . ;
(c) obtaining or disclosure is expressly laid down by . . . law . . . ; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy.
Authorisation on behalf of a data subject

Another area where third parties might be involved is where your data subjects are not able to give consent on their own behalf or understand the implications of you holding their data, or where they want someone to assist them in the exercise of their data subject rights. For example, when a child is too young to make meaningful decisions on their own behalf, someone else – usually a parent – is entitled to make decisions for them. There are also cases where an adult may not have the capacity to make decisions for themselves, or an adult with capacity may choose to have someone act on their behalf – for example, in exercising any of the rights that data subjects have.

A person acting on behalf of a data subject should normally be properly authorised, and, if acting on behalf of a data subject who does not have capacity, must act in the data subject’s interests. If you are not confident that these two conditions apply, then you should not automatically accept the request or decision (for example, to consent to something). In many cases you will need to seek formal, legal authorisation:
- An adult may authorise someone else to act on their behalf for a specific purpose.
- Someone with a relevant power of attorney can act on someone else’s behalf.
- A parent can act on behalf of a child who is too young to act on their own behalf.

Where an adult asks someone to act on their behalf – engaging a solicitor, for example – it would not be unreasonable for you to ask to see a signed authorisation from the data subject if there is any doubt. However, in practice, you may often decide to take at face value the solicitor’s assurance that they act for the individual.

An adult who is not capable of making their own decisions – either temporarily or permanently – may have appointed someone under a lasting power of attorney under the Mental Capacity Act 2005. Again, in cases where the risk is low, you may decide to accept an assurance that a power of attorney exists. If in doubt, however, or if the matter concerns money or raises some other potential risk, you should consider asking for evidence.

In the case of children, the presumption must be that children are likely to be capable of making many of their own decisions from the age of 13 (the age at which the Data Protection Act 2018 allows a child to consent to online services in their own right), but it can depend on the child’s capacity to understand the issues sufficiently. Where a person with parental responsibility (as set out in the Children Act 1989) acts on a child’s behalf, they must be acting in the child’s interests. In very rare cases you may feel that a parent’s actions are not in the child’s interests – or that information you hold about a child should not be disclosed to the parent(s) for some reason – but it would normally be wise to take professional legal advice in such situations.

There are many situations either where formal authorisation is non-existent or where the evidence is not available to you. In such cases you may have to make a judgement as to whether the person seeking to act on behalf of the data subject is appropriate. It is often unhelpful to be overly cautious, because this might prevent you from taking action promptly where the risks are low, and might unnecessarily upset the people you are dealing with.
However, care must be taken to neither divulge information inappropriately nor enable someone to interfere inappropriately with another person’s affairs. You cannot even assume that it is always appropriate to share information with a data subject’s spouse, or for them to act on behalf of their husband or wife. Even if they are on good terms, people are allowed to have secrets from each other – and these could range from serious health or financial matters to an innocuous surprise. To avoid individual staff having to make a judgement on the spot, it is worth considering the most common situations that people in your
organisation are likely to face. You should create guidance to cover these possibilities, leaving any unusual situations to be dealt with on a case-by-case basis – possibly by reference to a manager or other appropriate person. You can also pre-empt problems by establishing with data subjects at the outset who else might act on their behalf. For example, when you are taking on a new client, helping a new beneficiary or signing up a new supporter, you could ask whether they are happy for you to deal with anyone else in their absence – if you phone them to check something, for example – or who else they are happy for you to disclose information to if you are unable to give it to the data subject directly. This is especially relevant if the data subject’s condition is likely to deteriorate over time, or if they are in a particularly stressful or upsetting situation.
Retention It is very likely that you will need to retain service delivery records for at least the duration of your work with each individual. Afterwards, you may want to keep the records for at least six years, for example if contractual issues might emerge or if you might need to defend a legal claim, for which the statute of limitations (i.e. the longest time within which you are normally allowed to bring a legal case) is six years. If you provide services to children, it is not unusual to find retention periods that start only when the young person reaches the age of 18, and there may be safeguarding reasons for keeping the records even longer in some cases. You may also consider that your records have benefits as archives, either for the individuals’ or their families’ own interest, or for wider social purposes. See chapter 21 for more on this.
Security and confidentiality The types of personal data you hold in connection with service delivery may well require enhanced security. You should ensure that your staff understand very clearly that most of your organisation’s information about clients is confidential and must not be shared outside the organisation, even unintentionally. This includes with close friends and family, other professionals and – probably worst – on social media. You must also emphasise that the access that your staff are granted to the information is for your service delivery purposes only. You may want to draw their attention to the material on authorised and unauthorised access in chapter 11 (see page 80), which describes how individuals have
been heavily penalised for unauthorised access to personal data on their work-related systems.

When your services are delivered at people’s homes or other locations outside your own premises, you should think very carefully about how the personal data that you collect, and possibly need to take with you on each occasion, should be protected. In many cases, a well-protected electronic device may be more secure than paper records.

The need for security applies equally when personal data is handled by volunteers. In 2016 the Alzheimer’s Society was issued with an enforcement notice by the Information Commissioner’s Office (ICO) after a lengthy investigation involving volunteers who were supporting the society’s beneficiaries in applying for NHS funding. The ICO found that the volunteers were using personal email addresses to receive and share information about beneficiaries, storing unencrypted data on their home computers and failing to keep paper records locked away. The volunteers had not been trained in data protection, the charity’s policies and procedures had not been explained to them, and they received little supervision from staff.2

You should also take care if you provide your services directly to individuals electronically, as shown by a case involving the British Pregnancy Advisory Service (BPAS).3 In 2014, BPAS was fined £200,000 after a hacker broke into its website and accessed the details of almost 10,000 individuals who had left their details on the website and requested a call-back. The attacker had intended to deface the website as a protest about abortion, but then downloaded the details and threatened to publish them. The ICO found that BPAS had been unaware that the website held the details of the enquirers, even after their request had been passed on, and that it had not taken sufficient security measures or included appropriate provision for security in its contractual arrangements with the website host.
Reporting and statistics

You will already be aware that you need to think about how you report on your service delivery work. You may need to report to funders on the work that you have done, or make use of case studies in funding applications or publicity. Statistics, provided they are fully and genuinely anonymised, raise no data protection concerns. Case studies, however, do. They must be realistic, but not infringe the privacy of individuals. You may decide, for example, that you would like to use true stories in funding applications, with the consent of the individuals concerned, but amalgamations or fictionalised versions in wider publicity.
Where the funder – often a public body – has a direct interest in the individuals that you are supporting, you may be required to report in detail on each individual as part of your funding agreement. This must, of course, be made clear to your data subjects at the outset. If you have any concerns, you should raise these with the funder before accepting the work.
18 Data protection in direct marketing (including fundraising)

Fundraisers and those involved in marketing were probably among the earliest in the voluntary sector to get to grips with the GDPR. Direct marketing and fundraising do not always require consent, but the situation is complicated by the European Union’s regulations on e-privacy – currently the Privacy and Electronic Communications (EC Directive) Regulations 2003 (commonly referred to as PECR), which is due to be replaced by the Regulation on Privacy and Electronic Communications (known as the ePrivacy Regulation). This chapter:
- defines and discusses direct marketing (which throughout this chapter includes fundraising);
- considers the appropriate lawful basis for direct marketing;
- explains the implications of PECR and the ePrivacy Regulation for direct marketing;
- explores other implications of the GDPR for direct marketing and fundraising.
Guidance on direct marketing

The Data Protection Act 2018 (DPA 2018) requires the Information Commissioner’s Office (ICO) to produce certain codes of practice, and s.121 specifically requires one on direct marketing. In January 2020, the ICO launched a public consultation on its draft Direct Marketing Code of Practice to replace the guidance issued under the Data Protection Act 1998. Although the closing date of the consultation was March 2020, no final version appears to have been issued at the time of writing.

The draft Code of Practice is a significant improvement on the previous version. Throughout there are well-thought-out examples to illustrate the points, and it is clear that this code – while perhaps not perfect – has a much better understanding of the voluntary sector context than the old guidance. The draft code takes full account of PECR, which remains in force while the new ePrivacy Regulation remains under discussion, and is
much clearer in discussing the lawful basis for marketing. The draft code also addresses business-to-business email marketing and discusses viral marketing, social media, online advertising, use of third parties to send marketing messages, profiling and data enriching, among other topics. The conclusions are clear and do not seem unreasonable. The discussion in this chapter is based on the assumption that the code will eventually be issued in something close to the draft version. Once the Code of Practice is in place, as the ICO states, ‘if you do not follow this code, you will find it difficult to demonstrate that your processing complies with the GDPR or PECR’.1 Fundraisers will be aware that fundraising is also subject to the Code of Fundraising Practice.2 Since one of the Fundraising Regulator’s first actions on being set up was to sign a memorandum of understanding with the Information Commissioner, it can be assumed that the code is fully consistent with the GDPR (the code was completely rewritten in 2019 and makes specific reference to the GDPR in Part 1, Section 3). The Fundraising Preference Service (FPS), set up at the same time, is – despite its name – a direct marketing preference service. An individual can go online and specify charities from which they do not want to receive any unsolicited communications. In effect, this provides a mechanism for exercising the right under the GDPR not to receive direct marketing. The Fundraising Regulator reports on charities that fail to follow up requests through the FPS to cease marketing. There have been suggestions, however, that with wider awareness of the right under the GDPR to prevent direct marketing, the FPS is no longer necessary and may be discontinued.3
Definitions of direct marketing

The term ‘direct marketing’ is not defined in the GDPR. In the DPA 2018 it is defined as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’ (s.122(5)). This answers some questions but not the crucial one: what counts as ‘advertising or marketing material’? Although the definition of direct marketing in the draft code remains broader than many people might assume, it is a big improvement on the previous guidance, which said:
All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations. . . . It will also cover any messages which include some marketing elements, even if that is not their main purpose.[4]
The new draft retains the rather unhelpful reference to promotion (which was based on a political party case, not a voluntary sector one) but also takes into account the overall purpose of the communication:
Clearly [the definition] is intended to be wider than simply sending direct marketing communications. The focus is on the purpose of the processing, not the activity. Therefore, if the ultimate aim is to send direct marketing communications, then all processing activities which lead up to, enable or support sending those communications is processing for direct marketing purposes, not just the communication itself.[5]
The ICO’s broad definition of marketing would include, for example, an e-newsletter that mainly contains information about your recent activities, with just a small amount of encouragement to support or participate in them. Asking someone to sign a petition, become a member or attend an event that they would have to pay for are almost certainly within the ICO’s definition. Fundraising approaches clearly fall within the definition, but it could be argued that other communications do not constitute ‘promotion’ and are therefore borderline, if not outside the definition. Some argue that these could include, for example, inviting service users to participate in an activity, seeking to recruit volunteers to work for your organisation or asking a recent donor whether they are eligible to sign up for Gift Aid. Others take a more cautious approach and regard at least the first two of these cases as marketing. As a rule of thumb, if you want to send information to people because it could be good for your organisation in any way – even if it benefits the recipient as well – you should regard it as falling within the ICO’s definition of marketing. Communications that are purely part of your service delivery or purely administrative are described in the draft Code of Practice as ‘service messages’ and therefore unlikely to count as marketing.

In the draft code, the ICO makes it clear that the restrictions only apply where direct marketing is unsolicited. If someone has specifically asked to receive your material, that would imply that they have given consent. The consent could of course be subsequently withdrawn, but in the meantime it would provide you with an unassailable lawful basis. Note that the ICO has penalised commercial companies for emailing individuals who had opted out of direct marketing, asking them whether they would like to change their preferences, on the basis that this request in itself counts as marketing. For example, in March 2017, Honda and Flybe were both fined (£13,000 and £70,000 respectively) for sending such emails without consent.[6]
Lawful basis and e-privacy

The GDPR states (in Recital 47) that ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. (Note the ‘may be’ – it is not automatic.) However, you almost certainly can’t base all your marketing on legitimate interests, because the e-privacy rules (EU law, implemented in the UK by PECR) require consent in certain circumstances for marketing by phone, email or text message. The existing legislation is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003 No. 2426), commonly known as PECR. New legislation known as the ePrivacy Regulation is intended to replace the EU directive on which PECR is based. A first draft was completed in 2017 but, at the time of writing, the final regulation appeared to be quite some time away from implementation. PECR continues to apply in the meantime, despite now being quite out of date.

PECR largely relates to the behaviour of telecommunications providers, but it has a small section about marketing. Effectively this says that:
Marketing by post, being outside the scope of PECR, is unaffected: the GDPR alone applies.
Telephone marketing is restricted: you must not make a marketing call to anyone whose number is on the Telephone Preference Service (TPS) (or Corporate TPS) unless they have given prior consent.
Marketing by email or text message is restricted when it is sent to private facilities (for example, a person’s personal email account or mobile phone): in such cases, marketing similar products or services to existing customers (i.e. those who have bought or enquired about something) is permitted, as long as you have told them that this might happen and given them an opt-out. Otherwise, you must have prior consent.
Marketing by email or text message is significantly less restricted when it is sent to business facilities: consent is not required, but the individual to whom it is addressed can exercise their data protection right not to receive future marketing.

The TPS is widely used and applies to mobile phones as well as landlines. Many individuals have registered their number with the service. The email and text message restrictions imposed by PECR apply where the ‘subscriber’ – the person who has the contract with the email provider or phone provider – is a private individual.
The exception for email marketing to existing customers is a large part of the reason why many high street shops now offer to send your receipt by email after you have made a purchase. It would appear that for individuals to be ‘customers’, some commercial transaction must be involved. This could apply, for example, to people who have bought products, attended a paid-for event or purchased membership, but it would not apply to donors, even though money has changed hands. In effect, therefore:
Marketing by mail may be based on legitimate interests or consent.
Marketing by phone may be based on legitimate interests provided that you have checked within the past 28 days that the number you are calling is not on the TPS, but otherwise requires consent.
Marketing by email or text message to individuals on their personal email or phone account requires consent unless they have been involved in a commercial transaction.
Business-to-business marketing by email or text message, using an individual contact but to a business account, could be based on legitimate interests.

There has been no suggestion as yet that targeted advertising on websites or social media counts as direct marketing, but it would seem a plausible argument. At about the same time that the GDPR was being finalised, 13 UK charities were taken to task by the Information Commissioner for their marketing practices (see page 125). This drew considerable attention to the question of the appropriate ethical basis, let alone lawful basis, for direct marketing. Many charities appear to have decided to carry out all of their electronic direct marketing – by phone, email or text message – on the basis of consent as this avoids complications, but to retain the option of marketing by mail on the basis of legitimate interests.
If you want your lawful basis to be legitimate interests, there are essentially two requirements: you have to tell people in advance that you are going to use their data for direct marketing (which in the case of new donors would be at the point where you first capture their details) and you have to tell them that they have the right to opt out, and give them an easy way of doing so. In other words, you need, as a minimum, a clear statement and an opt-out box. There are obviously some advantages in being able to mail people who haven’t given you consent, which is why many charities are taking this route. The downside is that it makes your data capture forms and data management more complicated, because you will be working on an opt-in basis for electronic contact and an opt-out basis for mail. So you have to make a decision and then make sure that all your processes, systems and paperwork support that decision accurately.
The right to opt out

Article 21(2) of the GDPR provides that:
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
From this it would appear that the onus is on the individual to exercise this right. However, you cannot leave it entirely up to the data subject to take the initiative, because of your responsibility to be fair and transparent when obtaining personal data (see chapter 9 and page 126 in this chapter). If you are obtaining the data directly from the data subject, in order to be fair you should in most cases give them the opportunity to opt out there and then, preferably through having a box to tick if they don’t want any future contact. It is much less likely to be fair if you tell them that they have to send in a form or write to a separate address in order to opt out. Over and above this, the Code of Fundraising Practice states that there must be an opt-out included in every direct marketing communication.

If they do opt out, then or subsequently, you have no choice: you must stop all direct marketing. This might prevent you from sending something like a membership renewal reminder. You should therefore think very carefully about the wording of your opt-out box and either explicitly exclude certain communications or provide separate options if you believe, for example, that a significant proportion of people who tick the ‘no marketing’ box would still be happy to renew their membership. (See also page 127 later in this chapter.)

When someone opts out, this applies only where the material is unsolicited. If you advertise something and someone phones up to ask for more information, you can send a brochure even if they are marked on your database for ‘no direct marketing’. Equally, if they receive a regular membership magazine or newsletter – even though it may meet the marketing definition because it contains promotion and advertising – you do not have to stop sending it if you take the view that it is not unsolicited. You can reinforce this by promoting membership as a package – and making sure individuals realise that the newsletter or magazine will be sent as part of the package they have chosen, even if they opt out of direct marketing. Your lawful basis for sending the newsletter or magazine may indeed be contractual, rather than consent or legitimate interests. You are also still permitted to send administrative messages to someone who has opted out, for example contacting them if there is a problem with their direct debit, as long as these do not contain any marketing messages.
Enforcement action by the Information Commissioner’s Office

In December 2016, fundraisers in major charities were challenged by the Information Commissioner over marketing practices that had long been taken for granted as being acceptable. The British Heart Foundation and the RSPCA, followed before long by 11 other charities, were given financial penalties based on three aspects of their fundraising:[7]
Data-sharing on a massive scale, through a scheme called Reciprocate, whereby they pooled data on their donors and then extracted details of people they thought were likely to support their own charity on the basis of which ones they had previously supported.
Data-matching from external sources to amend or add information to the contact data they already held – for example, adding an email address to an existing contact, or updating someone’s postal address if they had moved.
Wealth-screening and profiling their donors, to identify people that they thought could be persuaded to increase their level of support.

The Information Commissioner stressed that these activities were not in themselves illegal but that they had been done without the data subjects’ knowledge or consent. The Information Commissioner did not make clear whether knowledge on its own would have been sufficient or whether these activities could only be carried out with consent. While most commentators supported the Information Commissioner’s view on Reciprocate, many fundraisers were dismayed, in particular at the inclusion of wealth-screening and profiling. Although the Information Commissioner’s action was potentially susceptible to challenge in a tribunal, all of the boards of trustees of the 13 charities declined to take that step, partly on the grounds of cost. The Information Commissioner had imposed penalties at just 10% of the level she felt the breaches to merit, on the basis that the organisations were charities. The RSPCA therefore faced a penalty of £25,000 rather than £250,000 and the British Heart Foundation £18,000 rather than £180,000 (discounted further in both cases for prompt payment).[8]

Most large charities undertook substantial reviews of their approach to fundraising on the basis of this enforcement action and the data-sharing operation was shut down. One other important conclusion is that – notwithstanding the ICO’s emphasis in the draft Code of Practice on the overall purpose of the activity – it is clearly not enough to assume that data-matching, wealth-screening and profiling are ‘compatible’ with fundraising. If they are not compatible, then under the second data protection principle (purpose limitation) they need to be identified as separate purposes.
Transparency

The implications of the Information Commissioner’s finding that data subjects should have been told about data-matching, wealth-screening and profiling chime with the frequent mention of profiling in the GDPR, as in Article 21(2) (quoted above on page 124). (Note, however, that the term ‘profiling’ under Article 21 of the GDPR refers to automated processing and does not necessarily align with the type of desk-based prospect research that may be undertaken by charities.) Where personal data is to be used for any of these ancillary activities, whether they count as profiling or not, this must be explicitly mentioned in privacy notices (see chapter 9). This is despite the fact that they are an integral part of fundraising activity and – in the view of many fundraisers – should lie within the ‘reasonable expectations’ of donors and prospective donors.

Writing a full privacy notice that includes fundraising should not present too many problems, especially as it might reasonably be assumed that relatively few data subjects will ever read it, and it can therefore cover everything in as much detail as is necessary. The key thing to get right is the short privacy notices provided at the point of data capture or as a minor part of communications with data subjects. These are the ones that most people will see, and then decide whether to provide their information and whether to exercise any choices you offer. How much to tell people is a matter for each organisation to decide for itself, but it is not enough to say ‘Tick here if you are happy for us to contact you in future’ or words to that effect. You must also say something about the nature of the contact and – in the case of donors, at least – something about the way individuals’ data will be used to determine the details of the future contact. You should also include a statement informing them that they can opt out in the future, and tell them how to do so.

Don’t forget that, if you obtain information from elsewhere (for example, if your charity and its trading subsidiary share supporter and customer data), you need to make it clear how you obtained the data and that you are using it for direct marketing. You must also tell data subjects clearly that they can opt out, and make this as easy as possible for them. You must do this as soon as you use the information – in most cases at your first contact with the data subjects – and in any case no later than one month after obtaining the data (Article 14(3) of the GDPR).
Membership, paid events and trading

When you have a commercial relationship with people, there is an important difference in the options you have for marketing to them. PECR allows you to market by email to existing customers without prior consent. They still have the right, of course, not to receive direct marketing, and you must offer them an easy way to opt out.
However, this does mean that, unless people have opted out, you don’t need their consent to send email reminders about membership renewals, email invitations to next year’s (paid-for) event after they have – we hope – enjoyed this year’s, or email notices of new items in stock in your online shop.
System implications

It is important that, if you make any use of direct marketing, your record-keeping system is able to record who has consented or objected to what. This is to comply with the data quality principles (see chapter 10) and the GDPR requirement to have a record that enables you to ‘demonstrate’ that you have consent (if that is your lawful basis). The system must also be reliably able to exclude any individual’s details if they have opted out. It is up to you whether you allow nuances in opting out. There is nothing to prevent you giving people the choice to receive, for example, information about membership benefits but not a trading catalogue, or invitations to participate in sponsored events but not raffle tickets. The basic minimum, however, is a blanket ‘yes’ or ‘no’ to all marketing material.

When someone does opt out, deleting them altogether from your database or list may be unwise. If you ever came across their name again, you would have no record that they had exercised their direct marketing opt-out and you might inadvertently end up marketing to them again, against their wishes. You should also ensure that if you transfer data to other organisations for marketing purposes, either you exclude anyone who has opted out of direct marketing or you include their opt-out status with the information transferred. If you obtain marketing databases from other organisations, you need guarantees that those organisations have excluded (or marked) those who have opted out of direct marketing. Although this is not sufficient to ensure that your marketing is compliant with the DPA 2018, such a guarantee will give you recourse if you inadvertently send direct marketing to someone who has opted out.

Finally, it is important that all your staff and volunteers who may be in contact with data subjects understand the full implications of these rights. There must be a clear procedure for acting on the wishes of anyone who says ‘Stop sending me this stuff’ or ‘Stop phoning me’.
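The channel rules summarised under ‘Lawful basis and e-privacy’ and the record-keeping points in this section, worked through as an added Python example. This is not code from the book, the ICO or any real charity system: the Contact fields, the function names, the fixed date and the six sample records are assumptions constructed for the example. What it encodes is the chapter’s own summary: an opt-out always stops unsolicited marketing but not service messages; post needs only advance notice and an opt-out for legitimate interests; phone needs a TPS screen within 28 days; personal email or text needs consent unless the person is an existing customer; business accounts are less restricted; and an opt-out is recorded as a suppression flag rather than by deleting the record, and travels with the data when it is shared.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Channel(Enum):
    POST = "post"
    PHONE = "phone"
    EMAIL = "email"
    SMS = "sms"


@dataclass
class Contact:
    """One supporter record; every field name is an assumption made for this example."""
    name: str
    personal_account: bool = True          # PECR 'subscriber' is a private individual
    opted_out: bool = False                # Art. 21(2) objection, kept as a suppression flag
    consent: Set[Channel] = field(default_factory=set)  # channels consented to, not withdrawn
    notice_and_opt_out_given: bool = False # told in advance about marketing, easy opt-out offered
    is_customer: bool = False              # commercial transaction; a donation alone does not count
    tps_screened: Optional[date] = None    # last TPS screening of the number; None = never
    on_tps: bool = False


TPS_MAX_AGE = timedelta(days=28)


def may_market(c: Contact, channel: Channel, today: date,
               service_message: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for an unsolicited marketing message on one channel."""
    if service_message:
        # Purely administrative messages (e.g. a failed direct debit) are not marketing
        # and are not blocked by an opt-out, provided they carry no promotion.
        return True, "service message, not direct marketing"
    if c.opted_out:
        return False, "opted out of direct marketing (Art. 21(2)); must stop"
    if channel in c.consent:
        return True, "consent"
    # Every non-consent route below needs advance notice plus an easy opt-out.
    if not c.notice_and_opt_out_given:
        return False, "no consent, and not told in advance with an opt-out"
    if channel is Channel.POST:
        return True, "legitimate interests (post is outside PECR)"
    if channel is Channel.PHONE:
        if c.tps_screened is None or today - c.tps_screened > TPS_MAX_AGE:
            return False, "TPS screening missing or older than 28 days"
        if c.on_tps:
            return False, "number is on the TPS and there is no consent"
        return True, "legitimate interests (phone, TPS-screened)"
    # Email and text message: PECR restricts personal accounts only.
    if not c.personal_account:
        return True, "legitimate interests (business account)"
    if c.is_customer:
        return True, "PECR soft opt-in (existing customer)"
    return False, "personal email/phone account: consent required"


def record_opt_out(db: Dict[str, Contact], name: str) -> None:
    """Act on 'stop sending me this stuff': suppress the record, never delete it."""
    db[name].opted_out = True
    db[name].consent.clear()


def build_list(db: Dict[str, Contact], channel: Channel, today: date) -> List[str]:
    """Names that may be marketed on this channel today."""
    return sorted(n for n, c in db.items() if may_market(c, channel, today)[0])


def export_for_partner(db: Dict[str, Contact]) -> List[dict]:
    """Data shared for marketing carries each person's opt-out status with it."""
    return [{"name": c.name, "opted_out": c.opted_out} for c in db.values()]


TODAY = date(2020, 12, 8)  # fixed date so the 28-day TPS check is reproducible


def sample_db() -> Dict[str, Contact]:
    """Constructed sample records, not real supporters."""
    people = [
        Contact("Asha", notice_and_opt_out_given=True),                  # donor only
        Contact("Ben", notice_and_opt_out_given=True, is_customer=True),  # bought from the shop
        Contact("Cara", notice_and_opt_out_given=True, tps_screened=date(2020, 11, 20)),
        Contact("Dev", notice_and_opt_out_given=True, tps_screened=date(2020, 9, 1)),  # stale
        Contact("Erin", notice_and_opt_out_given=True, personal_account=False),  # work email
        Contact("Finn", consent={Channel.EMAIL, Channel.SMS}),            # explicit consent
    ]
    return {p.name: p for p in people}


if __name__ == "__main__":
    db = sample_db()
    print({ch.value: build_list(db, ch, TODAY) for ch in Channel})
```

Run as a script it prints, per channel, who may be contacted on the sample date: everyone with notice by post except Finn (who gave consent only for email and text), only Ben, Erin and Finn by email or text, and only Cara by phone, because Dev’s TPS screening is older than 28 days and the others were never screened. Calling record_opt_out for Finn removes him from every marketing list while may_market still allows him a service message, and export_for_partner shows his opt-out rather than dropping him.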
Trading companies and marketing on behalf of other organisations

Where a charity has a linked trading company, the two organisations are separate controllers (see page 15 for more information on joint controllers). Equally, a national organisation may have close relationships with independent branches. In both situations, the separate controllers may operate independently or they may, if they have access to a common database, be joint controllers of the same data. Either way, it is necessary for each controller to ensure that its data subjects know that their data is going to be used by the other controller (and of course this also applies to any other data they share, even if it is not used for fundraising or marketing). You should include an opt-in or opt-out, depending on whether the material will be posted or emailed, when you first obtain personal data. This could be along the lines of:
We would also like to send you material from our trading company/from our branch nearest to you. If you do not want us to do this [or ‘If you would like us to do this’], please tick this box: [ ]
The situation is perhaps less straightforward if you want to swap data with other organisations for marketing purposes. The Information Commissioner stressed, in the case of the RSPCA, the British Heart Foundation and the 11 other charities that were fined (see page 125), that nothing they had done was illegal. In other words, swapping data between charities for marketing purposes is not prohibited. However, you must be clear with people what you are doing and give them a choice. The safest course of action is to name each organisation you would like to swap data with, and ask for consent for each individually. You might occasionally want to include in your regular mailing a leaflet or information about another organisation, on the basis that you are confident that the recipients would regard this as consistent with their expectations. However, unless you have made them explicitly aware that this is what to expect, this may be a risky option.
19 Data protection in HR and volunteer management

Data protection and HR are a good fit. Good HR – like good data protection – is about treating people fairly and respectfully. The GDPR does, however, require something of a culture change in many organisations. Practices that were taken for granted in the past may no longer be acceptable, and the new rights that data subjects have acquired under the GDPR need to be recognised. This chapter looks at:
the lawful bases that might apply to HR records (see chapter 6 for more on the lawful bases);
application of the data protection principles in HR;
the use of special category data in HR (see chapter 7 for more information);
how data protection applies to the records of volunteers and third parties;
the implications of data protection for giving and receiving references;
employees’ use of their own equipment for your purposes and their use of your systems for private purposes;
the role of HR in providing policies, procedures and training related to data protection;
data subject access requests (DSARs) from employees.
Lawful bases

In many organisations it has been the practice to have a data protection clause in each employment contract requiring the employee to consent to the processing of their data. It may be questioned whether this was legitimate under the Data Protection Act 1998 (DPA 1998), because of the requirement for consent to be ‘freely given’, but under the GDPR it almost certainly doesn’t meet the criteria for consent. Article 7(4) explicitly states that:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Even if a contractual obligation to consent could be justified, a blanket approach does not fit with the requirement to be ‘granular’, meaning that consent should be separate for each different use of someone’s personal data (as mentioned in chapter 6, the term ‘granular’ does not appear in the GDPR itself but is used extensively in the Information Commissioner’s Office (ICO) guidance; see also Recitals 32 and 43 of the GDPR). Remember also that if your lawful basis is consent, data subjects have the right to withdraw that consent, which could put you in an impossible position. Asking for consent also runs the risk that employees who exercise their right to refuse consent may worry that this will be interpreted badly and lead to a detriment. You should take care to ensure that this doesn’t happen, and that your staff know that the choice is genuinely optional.

There will, of course, be some situations where processing is genuinely optional, such as where you offer employee benefit programmes. In these cases you should ask for consent before enrolling an individual. However, in most situations the three most likely lawful bases for routine HR activities are contract, legal obligation and legitimate interests. Bear in mind, however, that for each of these Article 6(1) states that the processing must be ‘necessary’. Examples of these lawful bases, not requiring consent, might include the following situations:
Collecting and holding bank details in order to pay a salary would be necessary as part of an employment contract.
Disclosing salary details to HMRC would be in compliance with a legal obligation.
Auto-enrolling a new employee in your pension scheme would also be necessary in compliance with a legal obligation.
Keeping supervision and appraisal records would usually be in your legitimate interests as an employer.
In relation to employment, it is worth noting that s.183 of the Data Protection Act 2018 (DPA 2018) makes it an offence in most cases (as it was similarly under the DPA 1998) for you to force a data subject to give you, for employment purposes (including recruitment), access to information about their health, criminal convictions or police cautions that they have derived from a DSAR. If you need to check any of these for safeguarding or other compelling reasons, you should use the mechanism available through the Disclosure and Barring Service (DBS).
Application of the data protection principles to HR

The data protection principles that are most relevant to HR are transparency (see chapter 9), data quality and retention (see chapter 10).
Transparency

The point at which you first collect personal data from employees will usually be at the application stage. Your forms should therefore contain relevant privacy information, especially if you ask for any special category data. These short statements need to cover things that might not be obvious but could be of concern. For example, you might need to say how long you will keep data on unsuccessful applicants. You might also want to explain why you are asking particular questions. Diversity monitoring forms may need to explain how the data will be used. Later, when you obtain more detailed information from new staff after they have been hired, you should point out which information you will disclose to other organisations (and why) – again, if it is not obvious. Once an employee has been appointed, you should give them your full privacy notice (see chapter 9), either as a stand-alone document or as part of your staff handbook. You may want them to sign a confirmation that they have read it. Make sure your short privacy notices at the point of data capture reflect what you actually do and have not just been cut and pasted from somewhere else.
Data quality

Your personnel records obviously have to be adequate, relevant, not excessive, accurate and up to date. You may want to review your mechanisms for ensuring this, whether they involve a regular check – perhaps at appraisal time – or a self-service HR system where employees can update their own records. Be aware of the requirements to be relevant and not excessive. Just because you have accumulated personal data about an employee does not mean that you should keep it unless you have a good reason to do so.
Retention

Because employment involves a contract, you must keep essential HR records for at least six years after someone has left, but you may not need the whole file for that long. Other considerations might include data that would be relevant to a reference you might be asked to give and data that relates to other obligations, such as health and safety. As with all other retention and destruction questions, don’t forget the data held in emails, which can be substantial. If it has continuing importance for your business, there may be grounds for a longer retention period. However, if it is personal data about a departed employee, there may be less reason to retain it.
Special category data

The use of special category data and criminal record data must always be under one of the six lawful bases, but in addition it must comply with one of the additional conditions discussed in chapter 7. Article 9(2) of the GDPR makes two specific provisions relevant to HR. These allow the processing of special category data without consent where:

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by . . . law or a collective agreement . . . providing for appropriate safeguards for the fundamental rights and the interests of the data subject; . . .

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Article 9(3) then states that (h) applies only when the data is processed ‘by or under the responsibility of a professional subject to the obligation of professional secrecy [or by another person] subject to an obligation of secrecy’. (Criminal record data is strictly governed by Article 10 rather than Article 9, but section 10(5) of the DPA 2018 applies the same Schedule 1 employment condition to it, so the practical effect for HR is the same.) These provisions would appear to allow processing without consent in appropriate situations such as:
- carrying out a DBS check for posts where you are required to do so (revealing criminal record information);
- referring an employee to an external occupational health service (involving health information);
- deducting union contributions from wages (revealing trade-union membership);
- carrying out right-to-work checks (which could refer to the data subject’s racial or ethnic origin).
This is, however, a complex area of law and you may wish to take legal advice on your specific situation.
Equal opportunity monitoring

The use of special category data to monitor equality of opportunity is specifically allowed without consent, when carried out in the ‘substantial public interest’ (see chapter 7 and the conditions that apply, set out in Part 2 of Schedule 1 in the DPA 2018). However, you should always try to anonymise such data as far as possible. It is also good practice always to offer a ‘prefer not to say’ option. That being said, you should recognise that, because consent cannot be assumed and because, for special category data, it must be explicit, a data subject’s decision to provide an answer instead of ‘prefer not to say’ does not necessarily amount to consent.
Use of biometric data

Some security access systems involve biometric data – face recognition, iris scans or fingerprints, for example. Because such systems process biometric data for the purpose of uniquely identifying a person, they clearly involve the use of special category data (Article 9(1)). Unless you can make the case that these features are ‘manifestly made public by the data subject’, which under Article 9(2)(e) allows processing without consent, it is hard to see how an employer could insist on the use of such systems without the individual explicit consent of each employee – and consent that an employee cannot realistically refuse is unlikely to count as freely given. You should expect to carry out a full data protection impact assessment before installing any system based on biometric data. Note also that in 2019 the ICO compelled HMRC to delete all biometric data held under a voice authentication system for which it did not have explicit consent.1
Confidentiality

Confidentiality should apply to much of the special category data you hold. For example, if an employee is on sick leave, they may not want their colleagues to know the details. You could adopt a policy of generalising the reason for absence when you inform other staff. For example:
- planned could include anything from holidays to hospital appointments;
- unplanned could mean illness, a broken boiler or travel disruption;
- working away could mean the employee is working at home, at a meeting or at an event.
You could also incorporate information on whether the employee can be contacted or not. It would then be up to the employee to decide how much to tell their colleagues. You may, of course, decide that there are good reasons for providing a bit more detail to the employee’s manager and immediate colleagues. (See chapter 15 for more on confidentiality.)
Volunteers

Volunteers’ personal data should be treated in much the same way as employees’ but in most cases there will be neither a contract nor a legal obligation to form the lawful basis for processing. Legitimate interests, however, is likely to cover most of the processing relating to volunteers. You should therefore have a privacy notice for volunteers separate from, but very likely similar to, that for your employees. Your retention period for personal data on volunteers may well be shorter than that for your employees, but the same basic criteria should be applied: keep it if you can demonstrate a good reason, otherwise don’t.

Your volunteer agreement should also ensure that your volunteers are put under a common-law duty of confidentiality, if they handle confidential personal data or other information, since they do not have the implied duty of confidentiality – often backed up in the contract – that goes with being an employee. Your volunteer agreement could include a clause on confidentiality, or you could ask volunteers to sign a separate confidentiality pledge, but you should take care not to create a contract or treat your volunteers as employees with all the employment rights that would bring.

Don’t forget that trustees and management committee members are also likely to handle confidential personal data from time to time. A duty of confidentiality should be set out in their code of conduct and they should be reminded of it at appropriate times, such as when they sit on appointment panels for staff or hear complaints, grievances or disciplinary procedures.
Third parties

Your personnel records are quite likely to contain small amounts of personal data about third parties – for example, family members of employees who are listed as next of kin or emergency contacts. As a minimum, you should ensure that these people know that you hold their data. The easiest way is generally to ask the staff member to confirm that they have told the people whose names and contact details they have given that they have done so. Your lawful basis for holding this data would most likely be legitimate interests rather than the data subject’s ‘vital interests’, although this might be a viable alternative. (Note that Article 6(1)(d) extends the definition of vital interests to the data subject or another person. This means that holding details of the family members could perhaps be justified on the basis that it was in the vital interests of the employee so that you could contact someone in an emergency.)
References

Schedule 2, Part 4 of the DPA 2018 makes provision for circumstances in which the data subject does not have the right to know about the data being processed or have access to it. These include situations when personal data is used to provide confidential references for the following purposes:
(a) the education, training or employment (or prospective education, training or employment) of the data subject,
(b) the placement (or prospective placement) of the data subject as a volunteer,
(c) the appointment (or prospective appointment) of the data subject to any office, or
(d) the provision (or prospective provision) by the data subject of any service.
This is different from the previous provision in the DPA 1998 (Schedule 7, paragraph 1), which exempted only confidential references given by the data controller; references you had received from someone else were not covered and had to be handled under the ordinary rules on third-party information. The DPA 2018 exemption applies to confidential references whether given or received. You should make a policy decision on whether to ask for confidential references, which means that they would not be shown to data subjects in response to a DSAR, whether to ask for open references as a matter of course, or whether to ask the referee to say whether they want their reference to be kept confidential or not.
Equipment use

Employees’ use of their own equipment for your purposes

There are many advantages to allowing, or encouraging, employees to make some use of their own equipment for work purposes. If you want them to be contactable on the move, it is usually more convenient for them to use their own mobile phone rather than a second one issued by you as the employer, and they may prefer to use their own computer at home rather than taking a work laptop with them. The important thing to remember is that any personal data relating to employees’ work remains the responsibility of the controller – the employer – regardless of whose equipment it is held on. If this situation applies to your organisation, you will therefore need a ‘bring your own device’ (BYOD) policy (which should include stipulations about the level of security that should be maintained – for example device encryption, a screen lock, prompt installation of updates, and the ability to remove work data if the device is lost or the person leaves) as well as possibly a contractual obligation to allow you (the employer) access to the equipment if necessary.
Employees’ use of your systems for private purposes

Depending on your policy, you may or may not allow employees to carry out personal activities using your email or other systems. Any personal data they hold on your systems, if this is allowed, remains their responsibility, not yours, and benefits from the ‘domestic purposes’ exemption from data protection compliance, set out in Article 2(2)(a) of the UK GDPR. That exemption covers what the employee does for private purposes; it does not relieve you of responsibility for the security of the systems themselves, or for the personal data you hold about the employee’s use of them (system logs, for instance). In order to maintain employees’ confidentiality, you should insist that staff store any private data in a designated area or folder, and/or label private data as private. You should give clear notice of any possibility – for example, if you are investigating misdemeanours or security breaches – that you may need to access, or cannot avoid accessing, this private data.
Policies, procedures and data protection management

If you have a suite of staff policies obtained from an external source, it may include a data protection policy. However, it is not usually appropriate to give your HR team (or individual) the whole organisational data protection remit. Your staff handbook is likely to reference your organisation’s data protection policy, as one of those that employees must follow, but the policy itself should take account of input from managers across the organisation as well as the data protection lead (see also chapter 5). What the staff handbook should contain is a full privacy notice for staff, providing all the information that they are required to have about their own personal data and data protection rights. You should also consider including a provision making clear that reporting of personal data breaches is absolutely mandatory, and an assurance that prompt reporting will be a substantial mitigating factor if a member of staff does inadvertently bring about a breach.

HR may also have a role in providing training for staff and/or monitoring whether appropriate induction and training on data protection have taken place. These activities must include volunteers who handle personal data in the course of their duties, and are also relevant to trustees. If this has not already been done as part of a GDPR audit, your HR department should review:
- staff contracts, to ensure that they contain no clauses incompatible with the GDPR;
- volunteer agreements;
- privacy notices and notices for employees, applicants and volunteers;
- your policy on whether to ask for confidential references or open ones;
- procedures and documents that involve the capture and use of personal data (including, for example, recruitment documents, DBS checks, references, application forms, equality and diversity monitoring forms, personal data update forms, records of disciplinary procedures, appraisals, and exit and leaving processes);
- relationships and contracts with external providers of services such as payroll, occupational health and pensions, to ensure that they are GDPR compliant and that there is appropriate security in the way personal data is transferred between you and the provider (see chapter 4);
- retention periods for different categories of data.
Data subject access requests from employees

If you have a policy of open HR records, staff may not need to make a formal DSAR for routine situations where they want to check something. However, HR must be ready to co-operate with the data protection lead in preparing a response if a staff member, or perhaps more often an ex-member of staff, does make a DSAR or asks to exercise any of their other data protection rights. Such requests should be handled in exactly the same way as any other DSAR, but they do bring their own particular problems. It is quite likely, for instance, that a significant number of documents (and especially emails) will contain the (ex-)employee’s name, job title, contact details and the like, without any additional personal data. These all have to be located and reviewed, in case they contain other relevant material. However, it is worth bearing in mind that a data subject is entitled to the information that is held, not to a copy of every document that holds it. If there are several hundred or thousand emails with the same small amount of information in each one, it is not necessary to print them all off and then redact the bulk of each document. As suggested in chapter 14 (see page 98), you could simply inform the data subject how many emails you hold with the same information within them.

Another likely issue is that where relevant personal data is held, the information may have been provided by colleagues or may relate to colleagues. In such cases, some effort will be required to ensure that this third-party data is either withheld or disclosed appropriately. In some situations exemptions may apply and allow you to withhold certain information from the response. Exemptions could include:
- legal professional privilege;
- references given in confidence;
- personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that complying with a subject access request would prejudice the conduct of the business or activity;
- personal data consisting of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the subject access request would be likely to prejudice the negotiations.
20 Data protection in IT

When data protection was first introduced in the UK, it was often seen as an IT responsibility. Increasingly it is recognised as a policy matter, not a technical one. The IT team does, however, have an important role to play. This chapter:
- explores the aspects of data protection that are relevant to the use and management of IT;
- reiterates the need for GDPR-compliant contracts with external suppliers;
- outlines the rules on transparency and consent relating to website cookies;
- discusses the role of IT in breach management, data subject access requests, and monitoring and investigations.
Application of the data protection principles to IT Given that security is a significant data protection requirement, this will undoubtedly be a focus for the IT team. However, the team can also assist with compliance in other areas, such as data quality. The data protection principle that requires integrity and confidentiality (see chapter 11) establishes the basis for security in data protection.
Integrity

Integrity implies that the information should be available and undamaged when you need it. Obvious provisions here would include:
- back-up systems that are run and tested at appropriate intervals (a back-up that has never been restored is untested);
- robust physical communications links, both within the organisation and externally, especially when data is held in the cloud to any great extent (again, this should be backed up and tested as appropriate);
- protection, where necessary, for electronic communications and online activity, through encryption at an appropriate level, among other measures;
- provision of reliable software, especially in the configuration of databases or acquisition of ready-made systems, to ensure that they hold the right information in the right structure for the organisation’s needs.
Confidentiality

Confidentiality is about ensuring that only the right people have access to the data. The role of IT here is likely to be concerned with:
- up-to-date intrusion protection for core systems, ideally with regular independent testing;
- provision of access controls, through passwords and segregation of data – this means organising your databases and file storage so that, as far as possible, users are able to access only the data that they are authorised to use;
- provision of secure methods for staff working from home or out of the office to access the data they need, including, where appropriate, two-factor authentication;
- training staff in the security measures they may be required to take (such as password-protecting files where this is an appropriate security measure).

IT staff may have relatively unfettered access to personal data (and other confidential or critical information) held on your systems. As a result, some consideration should be given as to whether it is acceptable for significant actions (bulk export or deletion of personal data, for example) to be undertaken on the authority of a single person, even if the staff in question have been subject to careful vetting and references before joining the organisation.
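The last point, expressed as an added example (this is not the book’s code, nor any product’s): a small authorisation routine in which each role is entitled to specific actions on specific classes of data, and bulk export or deletion of personnel data additionally needs a distinct, entitled, two-factor-verified second person to approve it. The roles, actions, data classes and in-memory audit log are assumptions made for illustration.

```python
"""Least-privilege access to personnel data with a four-eyes rule for
high-impact actions.

Added example, not code from the book.  The roles, the actions, the data
classes and the in-memory audit log are assumptions for illustration.
"""
from dataclasses import dataclass

# Role -> set of (data class, action) pairs that role is entitled to (constructed).
ROLE_PERMISSIONS = {
    "hr_officer":   {("personnel", "read"), ("personnel", "update")},
    "line_manager": {("personnel_summary", "read")},
    "it_admin":     {("personnel", "read"), ("personnel", "bulk_export"), ("personnel", "delete")},
    "dp_lead":      {("personnel", "read"), ("personnel", "bulk_export"), ("personnel", "delete")},
}

# Actions no single person may complete on their own authority.
FOUR_EYES_ACTIONS = {"bulk_export", "delete"}

AUDIT_LOG = []  # every decision, allowed or refused, is recorded for later review


@dataclass(frozen=True)
class User:
    name: str
    role: str
    mfa_verified: bool = False


def _entitled(user: User, data_class: str, action: str) -> bool:
    return (data_class, action) in ROLE_PERMISSIONS.get(user.role, set())


def authorise(actor: User, data_class: str, action: str, approver: User = None):
    """Decide whether `actor` may perform `action` on `data_class`.

    Returns (allowed, reason).  High-impact actions additionally need a
    distinct, entitled, MFA-verified approver: being an administrator is
    not by itself enough to export or destroy the whole personnel file.
    """
    allowed, reason = False, ""
    if not actor.mfa_verified:
        reason = "actor has not completed two-factor authentication"
    elif not _entitled(actor, data_class, action):
        reason = f"role {actor.role!r} is not entitled to {action} on {data_class}"
    elif action in FOUR_EYES_ACTIONS and approver is None:
        reason = f"{action} requires approval by a second person"
    elif action in FOUR_EYES_ACTIONS and approver.name == actor.name:
        reason = "approver must be a different person from the actor"
    elif action in FOUR_EYES_ACTIONS and not approver.mfa_verified:
        reason = "approver has not completed two-factor authentication"
    elif action in FOUR_EYES_ACTIONS and not _entitled(approver, data_class, action):
        reason = f"approver role {approver.role!r} is not entitled to approve {action}"
    else:
        allowed, reason = True, "permitted"
    AUDIT_LOG.append({
        "actor": actor.name, "approver": approver.name if approver else None,
        "data_class": data_class, "action": action, "allowed": allowed, "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    admin = User("sam", "it_admin", mfa_verified=True)
    lead = User("priya", "dp_lead", mfa_verified=True)
    print(authorise(admin, "personnel", "bulk_export"))                 # refused: no approver
    print(authorise(admin, "personnel", "bulk_export", approver=lead))  # permitted
```

Refusals are logged as well as approvals, so that an investigation (see the section on monitoring below) can see who tried to do what, and the approver check is made against the same permission table as the actor check, so an approver cannot be anyone who would not have been entitled to act themselves.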
External suppliers

Wherever external suppliers provide services which would enable them to access personal data held by your organisation, they are likely to be processors. Typical roles here include:
- website hosting and/or development;
- database and information system supply, configuration and maintenance;
- cloud applications of many different sorts;
- cloud hosting of data and/or back-up systems;
- email hosting.

Few of these services are likely to be provided on the basis of individually negotiated contracts. However, your organisation, as the controller of the data (see chapter 3), must ensure that the contractual basis of the service – whether negotiated or provided on fixed terms and conditions – meets the requirements of the GDPR (see chapter 4). Where the services are of a technical nature, IT should be involved every time a service is commissioned, even if it will largely be externally run and managed. The technical competence and security of the provider should be assessed – through their adherence to recognised standards or accreditation if possible. Additionally, where relevant, they should be given clear instructions that are technically meaningful and ensure data protection compliance. See also the discussion of security measures and security standards in chapter 11.
Cookies

Cookies play a vital role on websites, but their use is affected by data protection provisions set out in PECR – the Privacy and Electronic Communications Regulations 2003, as amended in 2011. (The legislation may change to reflect the EU’s new ePrivacy Regulation when that is finally agreed; see page 122 for more information.) Regulation 6 of PECR states that cookies (described in the legislation as ‘information stored in the terminal equipment of a subscriber or user’) may only be used with consent, unless they are ‘strictly necessary for the provision of an information society service requested by the subscriber or user’. The standard of consent required by PECR is determined by data protection legislation. Therefore, when the GDPR brought in a tighter definition of consent, consent under PECR was tightened up too. A judgment of the EU Court of Justice in October 2019 (the Planet49 case) gave additional clarification.1 The key points in the judgment were that:
- Pre-ticked check boxes do not constitute consent for cookies (which would presumably also apply to a pre-selected ‘Accept’ option).
- The rules apply even if cookies do not amount to personal data.
- The website must give sufficient information about how long cookies are to be retained and which third parties have access to them.
- The court was not asked to give an opinion on whether it was legitimate to incentivise consent by making consent to receive marketing a condition for entering a promotional lottery.

In brief, therefore, the cookie rules are:
- You must inform users of your site about essential cookies – those that are required in order for the website to function properly, for example by remembering a user’s shopping basket – but you do not need (and should not ask for) consent. Your lawful basis would most likely be necessity for a contract or, perhaps, legitimate interests.
- You must inform users about other, non-essential, cookies and you must ask for consent. In many cases you will want to group the non-essential cookies. Typical groupings might be analytics (useful for you to understand how people use your website but not essential to its functioning); profiling (so that you can make an educated guess about what things the user might be interested in); and data-sharing (see below).
- You must be fair to people, which means making things clear, making it easy to access the options and not steering people in a particular direction.
- Setting a cookie to remember someone’s cookie preferences would probably not need consent, as it would clearly be in their interests.
Obviously, the likely outcome of such an approach may be that you don’t get much consent for non-essential cookies, and that might deprive you of useful information (and in some cases revenue). It’s worth getting the balance right, though, which means having a proper discussion with your website developer so that you are happy with whatever solution they implement. Note that in the matter of sharing, this chapter is concerned only with cookie-based systems that collect information so that other organisations might contact the user with their own marketing. Where you collect information through a form that the user fills in, your information would be provided through an adjacent privacy notice, and the options would typically be selected through tick boxes or something similar. In the case of cookie-based sharing, you may want to consider itemising each recipient, so that users of your website can choose which organisations they are happy for their data to be shared with.
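One way to implement the rules above on the server side, as an added example (not the book’s code, nor any site’s or consent vendor’s): the cookie catalogue, the group names, the preference-cookie name and the separator are assumptions, and a real site would hook this into its web framework’s response handling. The code sets essential cookies unconditionally, sets a non-essential cookie only when the preference cookie records an affirmative choice for its group, treats a box that was never ticked (or a missing preference cookie) as no consent, and refuses cookies it does not recognise at all.

```python
"""Consent-gated cookie setting modelled on PECR regulation 6.

Added example, not code from the book.  The cookie catalogue, the group
names, the preference cookie and its separator are assumptions made for
illustration.
"""

# Which cookie belongs to which group (constructed catalogue).  Only the
# 'essential' group may be set without consent; the preference cookie that
# records the user's choices is itself treated as essential.
PREF_COOKIE = "cookie_prefs"
COOKIE_GROUPS = {
    "essential": {"session_id", "basket", PREF_COOKIE},
    "analytics": {"_site_stats"},
    "profiling": {"interest_segment"},
    "sharing": {"partner_sync"},
}
NON_ESSENTIAL = [g for g in COOKIE_GROUPS if g != "essential"]
SEPARATOR = "+"  # joins consented group names inside the preference cookie


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into {name: value}."""
    cookies = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_consent(header: str) -> dict:
    """Return {group: bool} for every non-essential group.

    Silence is not consent: with no preference cookie, or a preference
    cookie that does not name a group, that group is False.  Unknown
    tokens in the cookie are ignored rather than trusted.
    """
    consent = {g: False for g in NON_ESSENTIAL}
    stored = parse_cookie_header(header).get(PREF_COOKIE, "")
    for token in stored.split(SEPARATOR):
        if token in consent:
            consent[token] = True
    return consent


def record_consent(ticked_groups) -> str:
    """Value for the preference cookie after the user submits the banner.

    Only groups the user actively ticked are recorded, and only known ones:
    there is no pre-ticked default and nothing is inferred from a plain
    'continue browsing'.
    """
    ticked = set(ticked_groups)
    return SEPARATOR.join(g for g in NON_ESSENTIAL if g in ticked)


def cookies_to_set(header: str, wanted) -> list:
    """Filter the cookies a page would like to set down to the ones the
    site may actually set under the consent it holds for this request."""
    consent = parse_consent(header)
    group_of = {name: group for group, names in COOKIE_GROUPS.items() for name in names}
    allowed = []
    for name in sorted(wanted):
        group = group_of.get(name)  # unknown cookie -> None -> refused
        if group == "essential" or (group is not None and consent[group]):
            allowed.append(name)
    return allowed


if __name__ == "__main__":
    banner_value = record_consent(["analytics"])  # the user ticked one box
    request = f"session_id=abc; {PREF_COOKIE}={banner_value}"
    print(cookies_to_set(request, {"session_id", "_site_stats", "partner_sync", "tracker_x"}))
```

Keeping the catalogue in one place is what makes the grouping in the banner and the behaviour of the server agree; a cookie that a developer adds without registering it in a group is refused, which is the failure mode you want when someone drops a new third-party script onto the site.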
Breach management

Most personal data breaches involve the loss of personal data held electronically. IT should therefore be closely involved in drawing up and participating in breach-management procedures based on:
- assessment of the scale and extent of the breach;
- containment, so that the breach is brought to an end as quickly as possible;
- mitigation through measures either to recover the data or to prevent its malicious use;
- review and learning any lessons for the future.

The procedure should also include a formal assessment of whether the breach is reportable to the Information Commissioner’s Office (ICO) (and possibly to a relevant charity regulator or other body) and whether potentially affected individuals have to be notified (see page 28 for more information).
Given that serious breaches must be reported to the ICO within 72 hours of their initial discovery (regardless of whether this happens in the evening, at the weekend or when staff are on holiday), it may be worth considering whether there is a need for people to be on call to start dealing with a breach out of hours in order not to miss the reporting deadline.
Data subject access requests

Responding to a data subject access request (see chapter 14) will almost certainly involve an extensive trawl of computer systems to locate the data that needs to be included in the response. Unstructured data such as emails poses a particular challenge, probably requiring assistance from IT.
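What that trawl looks like for a mailbox, serving both this passage and the chapter 19 discussion of DSARs from (ex-)employees, as an added example (not the book’s code): each message is sorted into ‘not relevant’ (the requester does not appear), ‘routine’ (they appear only as sender, recipient or in their own signature block, the kind of message you count rather than copy) or ‘review’ (the body says something about them), and for the ‘review’ pile the names of other staff are listed so the third-party question can be considered. The mailbox, the staff directory, the requester and the signature heuristic are all constructed assumptions; a real run would read an export such as an mbox file.

```python
"""Triage of a mailbox for a data subject access request.

Added example, not code from the book.  The mailbox, the staff directory,
the data subject and the signature heuristic are assumptions; a real run
would read an export (e.g. mbox) rather than these constructed messages.
"""
import email
import re
from collections import Counter

# The (ex-)employee making the request (constructed).  The job title is
# kept for the reviewer but is not used as a search term on its own, since
# 'Finance Officer' in a message is not necessarily about this person.
SUBJECT = {"name": "Jane Doe", "email": "jane.doe@example.org", "job_title": "Finance Officer"}

# Other people whose names in a message body would need third-party review (constructed).
STAFF_DIRECTORY = ["Jane Doe", "Sam Patel", "Ali Khan"]

# A small constructed mailbox in RFC 822 form.
RAW_MAILBOX = [
"""From: jane.doe@example.org
To: sam.patel@example.org
Subject: Room booking

Sam, the meeting room is booked for Tuesday.
-- 
Jane Doe, Finance Officer
""",
"""From: sam.patel@example.org
To: hr@example.org
Subject: Sickness absence

Jane Doe has been off sick since Monday; Ali Khan is covering her work.
""",
"""From: ali.khan@example.org
To: sam.patel@example.org
Subject: Printer

The printer on the second floor is jammed again.
""",
"""From: hr@example.org
To: sam.patel@example.org
Cc: jane.doe@example.org
Subject: Appraisal dates

Please confirm the dates for the finance team appraisals.
""",
]


def _signature_stripped(body: str) -> str:
    """Drop a conventional '-- ' signature block: a sender's own signature is
    their contact detail, not additional personal data about them."""
    return re.split(r"\n-- ?\n", body, maxsplit=1)[0]


def _mentions(text: str, terms) -> bool:
    low = text.lower()
    return any(t.lower() in low for t in terms)


def triage_message(raw: str, subject=SUBJECT, directory=STAFF_DIRECTORY) -> dict:
    """Classify one message and list third parties named in its body."""
    msg = email.message_from_string(raw)
    headers = " ".join(msg.get(h, "") for h in ("From", "To", "Cc"))
    body = _signature_stripped(msg.get_payload())
    terms = [subject["name"], subject["email"]]
    in_headers = _mentions(headers, terms)
    in_body = _mentions(body, terms)
    if not in_headers and not in_body:
        category = "not_relevant"
    elif not in_body:
        category = "routine"      # appears only as sender/recipient/signature
    else:
        category = "review"       # the body says something about them
    third_parties = sorted(
        n for n in directory
        if category == "review" and n != subject["name"] and n.lower() in body.lower()
    )
    return {"subject_line": msg.get("Subject", ""), "category": category,
            "third_parties": third_parties}


def triage_mailbox(mailbox=RAW_MAILBOX, subject=SUBJECT, directory=STAFF_DIRECTORY):
    """Return (count per category, the messages that need human review)."""
    results = [triage_message(raw, subject, directory) for raw in mailbox]
    counts = Counter(r["category"] for r in results)
    return dict(counts), [r for r in results if r["category"] == "review"]


if __name__ == "__main__":
    counts, to_review = triage_mailbox()
    print(counts)          # how many 'routine' messages to report as a count
    for item in to_review:
        print(item)        # what a human must read and, if need be, redact
```

The script narrows the human work; it does not replace it. A ‘routine’ classification is a heuristic (a message that mentions the requester only by first name, or by their job title, slips through), so the ‘routine’ count should be spot-checked before it is quoted to the data subject, and every ‘review’ message still needs a person to decide what third-party material is withheld or disclosed.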
Monitoring and investigations

Monitoring of IT usage should only be carried out where it is justified, and not routinely. However, systems that flag up unexpected behaviour for further investigation may be used legitimately as long as users are aware that this is done. Charities on the whole are not as keen as some other organisations on systems that monitor staff behaviour, such as tracking the amount of time that employees spend at their desk or assessing their ‘productivity’. Such systems should only be introduced where there is a demonstrable need, and only after staff have been fully consulted. Where individual staff members are suspected of unauthorised or even illegal behaviour, IT is likely to be involved in recovering electronic files and logs as part of the investigation. Such investigations may be carried out, provided there is a legitimate reason for suspicion and the monitoring or access to files is appropriate.
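To show what ‘flag up unexpected behaviour for further investigation’ can look like in practice, here is an added example (not the book’s code) that runs two targeted rules over constructed access-log lines for personnel records: a burst of distinct records read by one account inside ten minutes, and any access between 22:00 and 06:00. The log format, the thresholds and the lines themselves are assumptions. The design point is that the rules emit a flag only when a threshold is crossed, for a named person to look into; they do not produce a running activity profile of everyone.

```python
"""Targeted flags over an access log for personnel records.

Added example, not code from the book.  The log format, the thresholds and
the log lines are assumptions; the rules emit a flag only when a threshold
is crossed, rather than producing a per-person activity profile.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed log lines: timestamp, account, action, personnel record id.
LOG_LINES = """\
2020-12-08T09:12:01 user=jo.hr action=read record=HR-1042
2020-12-08T09:40:17 user=jo.hr action=update record=HR-1042
2020-12-08T11:03:55 user=jo.hr action=read record=HR-1077
2020-12-08T23:31:08 user=lee.mgr action=read record=HR-2001
2020-12-09T02:10:03 user=sam.it action=read record=HR-1001
2020-12-09T02:10:41 user=sam.it action=read record=HR-1002
2020-12-09T02:11:20 user=sam.it action=read record=HR-1003
2020-12-09T02:12:05 user=sam.it action=read record=HR-1004
2020-12-09T02:13:47 user=sam.it action=read record=HR-1005
2020-12-09T02:14:30 user=sam.it action=read record=HR-1006
""".splitlines()


def parse_log(lines):
    """Parse well-formed lines into events sorted by time; malformed lines
    are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "action": m["action"], "record": m["record"]})
    return sorted(events, key=lambda e: e["ts"])


def flag_bulk_access(events, threshold=5, window=timedelta(minutes=10)):
    """One flag per account that touched >= threshold distinct records inside
    any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flags = []
    for user, evs in by_user.items():
        worst = 0
        for i, start in enumerate(evs):
            seen = {e["record"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            worst = max(worst, len(seen))
        if worst >= threshold:
            flags.append({"rule": "bulk_access", "user": user, "distinct_records": worst})
    return flags


def flag_out_of_hours(events, start_hour=22, end_hour=6):
    """One flag per account with any access between start_hour and end_hour."""
    counts = defaultdict(int)
    for e in events:
        hour = e["ts"].hour
        if hour >= start_hour or hour < end_hour:
            counts[e["user"]] += 1
    return [{"rule": "out_of_hours", "user": u, "events": n} for u, n in sorted(counts.items())]


def run_rules(lines=LOG_LINES):
    """Run both rules and return the flags for a reviewer to follow up."""
    events = parse_log(lines)
    return flag_bulk_access(events) + flag_out_of_hours(events)


if __name__ == "__main__":
    for flag in run_rules():
        print(flag)
```

Thresholds such as five records in ten minutes are deliberately coarse: an HR officer doing payroll will cross them legitimately, which is why the output is a prompt for a human to ask a question, and why staff should have been told that such rules exist, not an automatic conclusion about anyone.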
21 Archiving, research and statistics

The GDPR makes significant exceptions from many of its provisions when personal data is being used for archiving, research and statistical purposes in addition to the original purpose. This chapter:
- explains how the GDPR makes special provision for archiving, research and statistics;
- looks at the safeguards and exclusions that might apply;
- considers how to judge whether archiving falls within the public interest.
Archiving is compatible with the original purpose

The special provision for archiving starts with the second data protection principle (purpose limitation) in Article 5 of the GDPR, which states that personal data must be:

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall . . . not be considered to be incompatible with the initial purposes (‘purpose limitation’).
This means that when you declare your purpose(s), you do not need to specify any subsequent use that meets the criteria for ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. The fifth data protection principle (storage limitation) then specifies that retention periods may be extended where personal data needs to be retained for these purposes, while Article 9(2)(j) allows the processing of special category data for these purposes without consent. In Article 14 – which sets out the information that must be provided to data subjects when their personal data has been obtained from someone else – paragraph 5(b) specifies that you do not need to provide data subjects with information where ‘the provision of such information proves impossible or would involve a disproportionate effort’. It then goes on to make a specific exemption for archiving, scientific or historical research, and statistical purposes if the obligation to provide information ‘is likely to render impossible or seriously impair the achievement of the objectives of that processing’. Article 17 excludes archiving, research and statistics from the right of erasure ‘in so far as the right . . . is likely to render impossible or seriously impair the achievement of the objectives of that processing’. All of these provisions are subject to Article 89, which sets out safeguards that must be taken and strongly encourages using data that can be anonymised or pseudonymised (i.e. presented anonymously even if there is a code or suchlike that you could use to re-identify the individuals).
Safeguards

Section 19 of the Data Protection Act 2018 (DPA 2018) makes some additional provisions for safeguards when processing is necessary for archiving in the public interest, research or statistical purposes. It states that:

Such processing does not satisfy the [GDPR requirements] if it is likely to cause substantial damage or substantial distress to a data subject.
What this means is that you must think carefully about whether your archive could cause ‘substantial damage or substantial distress’. Would your data subjects want future researchers to find out intimate details of their lives? Would people be happy to see their relatives in archive photographs of a service for people with mental health problems? Would people who were children when they used your services want their juvenile experiences widely known? If your archives are used only for statistical purposes, you will, in almost all cases, want to ensure that the data is held and presented in a form that does not allow individuals to be identified.

Section 19 of the DPA 2018 adds that:

Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.
In other words, your archives must be genuine archives. If you are still engaged with the data subjects and still using the information, it must form part of your active records, however old it is.
Exclusions of data subject rights

Where personal data is processed for archiving, research or statistics, data subjects lose many of the rights to have some control over their data that would apply in other situations. Schedule 2, Part 6 of the DPA 2018 makes these provisions, as permitted by Article 89(2) and (3) of the GDPR. Paragraph 27 of Schedule 2 to the DPA 2018 states that, where personal data is processed for scientific purposes, historical research purposes or statistical purposes, ‘to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question’ you do not have to comply with certain data subjects’ rights. This does not mean that you can automatically ignore the rights of data subjects when you carry out these activities; you still have to weigh up whether the exercise of the rights would ‘prevent or seriously impair’ your purposes. These provisions apply to the following rights:
- confirmation of processing, access to data and safeguards for third-country transfers, as long as ‘the results of the research or any resulting statistics are not made available in a form which identifies a data subject’;
- rectification;
- restriction of processing;
- objections to processing.

Paragraph 28 of Schedule 2 makes similar provisions for archiving in the public interest, again ‘to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes’. The rights that are excluded are similar:
- confirmation of processing, access to data and safeguards for third-country transfers;
- rectification;
- restriction of processing;
- notification regarding rectification or erasure of personal data or restriction of processing;
- data portability;
- objections to processing.
What is ‘archiving purposes in the public interest’?

There is no clear definition in the GDPR or the DPA 2018 of ‘in the public interest’, although the term is used frequently when some processing of personal data is permitted only if there is a sound reason for it. Before retaining personal data for archiving purposes, you should, therefore,
make your own assessment of why it might be in the public interest to do so. From numerous UK court decisions it is clear that what is of interest to the public is not the same thing as what is in the public interest. The DPA 2018 has a broader definition of the public interest than the GDPR, and government statements suggest that certain sectors, such as universities and museums, would automatically be considered to be processing personal data in the public interest in many cases. This broader definition of the public interest might also include, for example:
- understanding the history of your organisation and its place in the development of social policy in your field;
- enabling individuals to recover important information about themselves if they have received significant services from your organisation at particular stages of their lives;
- providing information to authorities that may wish to investigate events from the past – historical child abuse being just one example.

As with all GDPR-compliance decisions, you should keep a clear record of how you came to the conclusion that your archiving is in the public interest.
22 Role and powers of the Information Commissioner’s Office

The Information Commissioner’s Office (ICO) enforcement powers were considerably strengthened by the substantial increase in the financial penalties that the GDPR allows to be imposed for breaches. Other powers are substantially similar to those under the Data Protection Act 1998 (DPA 1998). This chapter:
- provides some background and describes the role of the ICO;
- looks at the guidance and codes of practice available from the ICO;
- sets out the ICO enforcement powers;
- outlines the offences that individuals might commit under the Data Protection Act 2018 (DPA 2018);
- describes the financial penalties that the ICO can impose;
- explains that the ICO cannot award compensation for breaches of the DPA 2018;
- explains the requirement to pay a fee to the ICO.
Background

The UK’s data protection legislation is enforced by the Information Commissioner, who also has responsibility for enforcing the Privacy and Electronic Communications (EC Directive) Regulations 2003 (commonly referred to as PECR; see chapter 18). The Information Commissioner is the UK’s supervisory authority for the GDPR and is an independent regulatory authority, reporting directly to Parliament. The government’s and other public bodies’ use of personal data is subject to regulation by the ICO, just as much as commercial and non-profit organisations’ use. In addition, the Information Commissioner has responsibility for upholding freedom of information (in England, Wales and Northern Ireland, but not Scotland) and other information rights.
The first Data Protection Registrar, from 1985, was Eric Howe. His successor was Elizabeth France, who became Information Commissioner when freedom of information was added to her responsibilities. She was succeeded by Richard Thomas, then Christopher Graham and, in July 2016, Elizabeth Denham.
Role of the Information Commissioner’s Office

The tasks of the ICO are set out in Article 57 of the GDPR, and include:
- monitoring and enforcing the application of the GDPR;
- promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing;
- advising on legislation and administrative measures on data protection;
- increasing controllers’ and processors’ awareness of their obligations;
- on request, providing information to any data subject concerning the exercise of their rights;
- handling complaints lodged by a data subject or organisation, and investigating these appropriately;
- co-operating with other supervisory authorities;
- conducting investigations on the application of the GDPR;
- monitoring relevant developments that may have an impact on data protection, in particular the development of information and communication technologies and commercial practices;
- adopting standard contractual clauses for processors;
- encouraging the drawing up of codes of conduct and approving them if they are suitable;
- helping to develop certification systems for good data protection practice;
- authorising contractual clauses and approving binding corporate rules in relation to transfers abroad.
Support for good practice

Codes of practice

The ICO’s mission is to improve the protection of personal data. It does have powers to impose financial penalties, but the purpose of these is to draw attention to poor practice, not to raise funds (which go to the treasury, not the ICO). Codes of practice are therefore a key part of the ICO’s work. Sections 121–124 of the DPA 2018 require the ICO to produce codes of practice on:
- data-sharing;
- direct marketing;
- age-appropriate design where ‘information society services’ (the term used in the GDPR and other EU legislation) – essentially online services – are likely to be accessed by children;
- journalism.
A code of practice on age-appropriate design came into force on 2 September 2020, with a 12-month transition period, so organisations have until 2 September 2021 to fully conform. See chapter 18 in relation to a code of practice on direct marketing. The ICO also has powers to develop other codes of practice. Although the ICO codes are not law, they do have statutory status. In accordance with section 127 of the DPA 2018, the ICO must take the relevant code into account when considering whether an organisation has complied with its data protection obligations. In particular, the ICO will take a code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR or the DPA 2018. The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant. Before issuing codes of practice, the ICO must consult the public and interested parties, such as trade associations. Codes of practice issued under the DPA 1998 are being progressively reviewed (and consulted on). Those still available on the ICO website generally have a health warning, stating that they still apply where applicable.
Guidance

In addition to codes of practice, the ICO issues guidance, both on data protection in general and on particular issues. The main body of guidance on the ICO’s website now refers explicitly to the GDPR and the DPA 2018. Guidance previously issued under the DPA 1998 does not necessarily still apply and is being progressively withdrawn, but it may be a useful indication of how the ICO views things.
Enforcement powers

Additional powers of the ICO include:
- Information notices: the ICO can require a controller to provide information that the ICO reasonably requires in order to carry out its investigations. If you don’t respond, a court can order you to do so, and giving false information is a criminal offence under s.144 of the DPA 2018.
- Assessment notices: the ICO can require a controller to allow the ICO to carry out an assessment of whether they are complying with the GDPR.
- Enforcement notices: the ICO can issue an enforcement notice to anyone who has failed to comply with the GDPR, giving instructions about what they must now do to comply. If a person fails to comply with an enforcement notice, the ICO can issue a penalty notice under s.155(1)(b) of the DPA 2018.
- Entry and inspection: the ICO can obtain a warrant from the High Court, a circuit judge or a magistrate to enter premises and seize documents. It is a criminal offence to obstruct a warrant.

It is a criminal offence (s.148 of the DPA 2018) to destroy or falsify relevant information after having been served with an information notice or an assessment notice.
Individual offences

In addition to the offences described above, individuals commit an offence under s.170, s.171, s.172 or s.173 of the DPA 2018 if they:
- knowingly or recklessly obtain or disclose personal data without the consent of the controller, procure the disclosure of personal data to another person without the consent of the controller, or, after obtaining personal data, retain it without the consent of the person who was the controller in relation to the personal data when it was obtained;
- sell personal data, or offer to sell personal data, if they obtained it in the above circumstances;
- knowingly or recklessly re-identify information that has been de-identified without the consent of the controller responsible for de-identifying it (subject to a number of caveats);
- alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure to the data subject (the controller would be committing the offence if they got someone to do this).
It may be worth making staff, volunteers, and trustees or management committee members who have access to personal data aware of these provisions. Under the DPA 1998, many individuals have been fined for accessing data without the consent of the controller, even when this was done with no obvious malicious intent, and this will undoubtedly occur under the DPA 2018 as well.
Financial penalties

Under the DPA 1998, the ICO had the power to impose a financial penalty of up to £500,000. Most of the penalties issued were for serious security breaches, blatant marketing in contravention of the restrictions or deliberate misuse of personal data on a large scale. With some exceptions, these penalties were usually in the five-to-six-figure range. The ICO has indicated that this level of penalty, and the associated publicity, was sufficient to draw attention to poor practice.

However, when the GDPR was drawn up, one objective was to give supervisory authorities such as the ICO greater powers over large multinational internet companies (among others), for whom a six-figure penalty is not a serious disincentive. The GDPR therefore set the maximum penalty for the most serious breaches at €20 million or 4% of global turnover, whichever is higher. For less serious breaches, the maximum is €10 million or 2% of global turnover. The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 convert €20 million to £17.5 million and €10 million to £8.7 million in fixing the maximum penalties in the UK, using the exchange rate in effect at the time. The Information Commissioner has suggested that many penalties under the GDPR will remain at around the current level, where this is appropriate, with the higher penalties reserved for those organisations that were previously out of effective reach.
Compensation and redress

The ICO cannot award compensation or force a controller to put matters right directly. (The ICO would have to issue an enforcement notice, then take the controller to court if they did not comply.) An individual seeking compensation or other forms of redress has to take a civil case against the controller.
Fees and exemptions

Under the DPA 1998, every controller had to notify the ICO of their existence, pay a fee and provide general information about the processing they were carrying out. The GDPR explicitly abolishes notification but does include a requirement for each national government to make arrangements to fund its independent supervisory authority adequately. The UK government opted to fund the ICO through a requirement on each controller to pay an annual fee, which has been set by the Data Protection (Charges and Information) Regulations 2018 at three levels (with a £5 per annum discount for paying by direct debit):
- Tier 1: micro organisations (maximum turnover of £632,000 or under 10 staff) – £40 per annum.
- Tier 2: small and medium organisations (maximum turnover of £36 million or under 250 staff) – £60 per annum.
- Tier 3: large organisations (not in Tiers 1 or 2) – £2,900 per annum.

Charities – whatever their size – are automatically in Tier 1, unless they benefit from one of a number of exemptions under the Data Protection (Charges and Information) Regulations 2018 (not all of which are relevant to voluntary organisations). If an exemption applies, no fee is payable. However, in practice, if your organisation is a charity you may well decide to pay the £40 fee rather than go to great lengths to justify a borderline exemption. The exemptions are where your processing is solely for the purposes of:
- staff administration;
- advertising, marketing and public relations;
- accounts and records;
- not-for-profit purposes;
- personal, family or household affairs;
- maintaining a public register;
- judicial functions;
- processing personal information without an automated system such as a computer.

The not-for-profit exemption does not apply to all voluntary organisations, even if you regard your organisation as being run on a not-for-profit basis.
This exemption applies when all four of the following conditions are satisfied:
- You only process information necessary to establish or maintain membership or support.
- You only process information necessary to provide or administer activities for people who are members of your organisation or have regular contact with it.
- You only hold information about individuals whose data you need to process for this exempt purpose.
- The personal data you process is restricted to personal information that is necessary for this exempt purpose.
The intention here appears to be to restrict this exemption to small membership organisations, such as local sports clubs or self-help groups. You could, of course, still be exempt if you employ staff, because you would benefit from the staff administration exemption as well, and a limited amount of fundraising might keep you within the advertising, marketing and public relations exemption. If your activities are more extensive than those set out in the not-for-profit exemption, you will not be exempt. If your organisation fails to pay the fee when it is not exempt, it is breaking the law and can be fined up to £4,350 (one and a half times the Tier 3 fee).

The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is based in Wilmslow. All of the ICO’s information and guidance is available online at https://ico.org.uk. (Although the ICO is a public body, its web address deliberately avoids the use of .gov.uk in order to emphasise that the government itself is also required to comply with data protection legislation.) Other contact details for the ICO are:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Appendix

The legislation and a bit of history

The evolution of data protection law has been influenced by the development of the technologies used for processing personal data – from the initial introduction of computers, in place of largely paper-based systems, to today’s electronic world – as well as a growing understanding of what good data protection practice should look like.
The Data Protection Act 1984

The UK got its first Data Protection Act – fittingly, as it seemed at the time – in 1984, the year of George Orwell’s Big Brother. The law was introduced in order to allow the government to ratify a data protection convention that had been drawn up by the Council of Europe. The limitations of the 1984 Act quickly became apparent. For organisations that were using data about people, it imposed bureaucratic burdens while offering very little benefit to individuals who might be concerned about how their data was being used. Data controllers had to register with the Data Protection Registrar, the forerunner of the Information Commissioner, but could then do more or less what they liked, while data subjects could be faced with significant fees if they wanted to find out what data was held on them.
The 1995 Directive and the Data Protection Act 1998

Despite these shortcomings, the Home Office took the view that it did not want to legislate again in this area too quickly. Quite soon, in any case, the European Union began debating harmonisation of its data protection laws, and this was then given as a valid reason for making no premature change in the UK. Eventually, on 24 October 1995, the European Union agreed Directive 95/46/EC on the harmonisation of data protection laws. This gave member states three years to enact domestic legislation to put the Directive into effect. The UK government which took office in May 1997 acted commendably quickly, and in August 1997 a white paper appeared, committing the government to implementing the spirit as well as the letter of the European Directive. This was followed, after a short period of consultation, by a Bill, which started its journey through Parliament in January 1998.
Instead of incorporating all the detail into the Bill, as had been done in 1984, the 1998 legislation laid down a broad structure, leaving much of the detail to be completed through secondary legislation. This had the important advantage that any subsequent changes could be brought in much more easily if required. However, an unfortunate consequence was that royal assent for the new law on 16 July 1998 was not the end of the story. The law could not take effect until some 30 pieces of secondary legislation had been prepared, consulted on and brought before Parliament. Despite the deadline set in the European Directive, the UK – in common with most other EU member states – started to fall behind schedule. In fact, it was 1 March 2000 before the Act finally came into effect, and it was not until 24 October 2007 that the final ‘transitional provisions’ expired.

There is no doubt that the 1998 legislation overcame many of the most obvious flaws in the 1984 Act:
- Data subjects were given real, if limited, controls over how their information was used.
- There was provision for much greater transparency: data subjects could in principle know much more about who was doing what with information about them.
- The impenetrable and unhelpful format for registration was replaced with a slightly simpler system of notification.

Above all, the 1998 Act incorporated much good practice. Until then, complying with the Act and following good practice, while by no means mutually exclusive, were almost two separate exercises.
The General Data Protection Regulation and the Data Protection Act 2018

The next development was a growing recognition across Europe that the legislation based on Directive 95/46/EC was struggling to keep pace with technological developments, in particular the growing spread of portable devices and the massive expansion of the internet, bringing cloud computing, online shopping and banking, social media and the like. At the same time, experience of the operation of the 1995 Directive indicated areas where improvements could be made and loopholes closed. By 2012 some of the key components of the new data protection regime were becoming clear, and over the next four years the debate on the details was at times intense. The General Data Protection Regulation (EU) 2016/679 (GDPR) was agreed on 27 April 2016. Unlike the previous EU legislation, this was a Regulation, not a Directive. This meant that it would apply directly and consistently across the
European Union, without the need for each country to produce its own version of the legislation. National governments did, however, have to make minor adjustments to adapt the GDPR to their local situation. The UK’s Data Protection Act 2018 (DPA 2018) received royal assent on 23 May 2018, just two days before it and the GDPR came into force simultaneously, on 25 May 2018. The provisions in the DPA 2018 to make the GDPR work in the UK context include:
- Renewing the provisions in the Data Protection Act 1998 (DPA 1998) that establish the powers and duties of the Information Commissioner’s Office (ICO).
- Providing the ICO with enforcement powers similar to those in the DPA 1998, including the ability to impose financial penalties.
- Bringing the provision for paying a fee to the ICO within data protection law.
- Setting out data-protection-related offences that can be committed by individuals.
- Making minor adjustments to the GDPR in a few permitted areas (such as varying the age at which special protection for children is required in online services).

In addition, the UK government took the opportunity to use the legislation to apply provisions that are based on the GDPR to the areas of law enforcement and national security. The GDPR itself explicitly does not apply to these areas. Alongside this there is a small piece of legislation, the Data Protection (Charges and Information) Regulations 2018, which sets up the details of the obligation on controllers to pay an annual fee that partially funds the ICO.
Structure of the Data Protection Act 2018

It is worth setting out the structure of the DPA 2018, because – if it is ever necessary to look up a specific detail – you need to be sure that you are looking at the right part. Note in particular that much of the material in both Parts 3 and 4 is very similar to Part 2. The Act is divided into seven parts and 20 schedules. The parts are:
- Part 1: Preliminary – this gives an overview and some key definitions.
- Part 2: General processing – this is the main part that applies the GDPR to the UK context, and is the part that is most relevant to voluntary organisations.
- Part 3: Law enforcement processing – this applies only to law enforcement.
- Part 4: Intelligence services processing – this applies only to the intelligence services.
- Part 5: The Information Commissioner – this provides for the ICO powers and duties, including carrying out audits and producing codes of practice.
- Part 6: Enforcement – this sets out the various enforcement procedures available to the ICO.
- Part 7: Supplementary and final provision – miscellaneous provisions.
In addition, Parts 2, 3 and 4 are divided into ‘chapters’, with the chapter numbering restarted at the beginning of each part. These are largely for convenient grouping of material and are best disregarded when referring to material within the Act. For reference purposes, the important numbering is of the smallest subdivision – the sections. These are numbered consecutively throughout the seven parts. For example, Part 2 starts at s.4 and Part 3 starts at s.29. Some of the 20 schedules are divided into ‘parts’. These bear little relationship to the ‘parts’ of the main text and are more akin to the ‘chapters’. Again, they should be disregarded for reference purposes, in favour of the paragraphs (akin to the ‘sections’ in the main body of the Act), which are numbered continuously within each schedule.
ePrivacy Regulation

One other piece of legislation needs to be mentioned at this point. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) are concerned largely with the behaviour of telecommunications providers, but there are two paragraphs that deal with the use of phone, email and text messages for marketing purposes. These must be taken into account in conjunction with the GDPR. (The implications are discussed in chapter 18.) It is worth being aware that a replacement ePrivacy Regulation has been under discussion at the European level for some time. At the time of writing it is not clear when it might be finalised or what provisions it will contain. There is provision in the DPA 2018 for the UK to incorporate such a regulation into UK law if it wishes, even though the UK is no longer part of the EU.
Directory of Social Change – Data Protection for Voluntary Organisations 2020
The current situation and leaving the European Union
From the above, it can be seen that the main legislation on data protection in the UK, at the time of writing, comprises:
an EU regulation (the GDPR);
a UK Act (DPA 2018);
a UK Statutory Instrument (PECR).
This situation continued after the UK decided to leave the EU, but it will only last to the end of the transition period, which was eventually set at 11.00pm on 31 December 2020. The UK government made provision in the European Union (Withdrawal) Act 2018 for the substance of the GDPR to continue to apply indefinitely in the UK, but with the omission of those parts of the GDPR that apply to EU institutions of which the UK is no longer a part. However, this Act is modified by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, which create the ‘UK GDPR’ by removing elements of the GDPR that will no longer be relevant to the UK. The regulations also make minor adjustments to the DPA 2018. These changes are scheduled to come into effect at 11.00pm on 31 December 2020, and from then onwards the UK operates under the UK GDPR.
There is, at the time of writing, considerable uncertainty about what will happen next. There have been suggestions that – as part of its trade negotiations with non-EU countries – the UK government might be tempted to water down its data protection provisions. This would appear to be the outcome envisaged in the UK government’s National Data Strategy, published in September 2020.[1] Such a development would, however, significantly complicate relationships with the European Union and other European Economic Area countries.
References and notes

Prelims – Why data protection?
1 Regulation (EU) 2016/679.

Chapter 2
1 See ‘What are exemptions?’ at ‘Exemptions’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions, accessed 9 September 2020.

Chapter 3
1 Chris Fox, ‘HIV clinic fined £250 for data breach’ [web article], BBC News, www.bbc.co.uk/news/technology-35131543, 18 December 2015.
2 See Susannah Birkwood, ‘Information Commissioner takes action against Alzheimer’s Society for “disappointing attitude” to data use’ [web article], Third Sector, www.thirdsector.co.uk/information-commissioner-takes-action-against-alzheimers-society-disappointing-attitude-data-use/management/article/1378571, 7 January 2016.
3 Various Claimants v. WM Morrisons Supermarkets Plc [2018] EMLR 12, [2017] EWHC 3113 (QB), [2018] IRLR 200, [2018] 3 WLR 691 (www.bailii.org/ew/cases/EWHC/QB/2017/3113.html, accessed 9 September 2020). For the decision on who was the controller (appealed on the question of vicarious liability), see WM Morrisons Supermarkets Plc (Appellant) v. Various Claimants (Respondents) [2020] WLR(D) 204, [2020] UKSC 12, [2020] 2 WLR 941 (www.bailii.org/uk/cases/UKSC/2020/12.html, accessed 9 September 2020).

Chapter 5
1 ‘Personal data breaches’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches, accessed 9 September 2020.
2 ‘Report a breach’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/report-a-breach, accessed 9 September 2020.

Chapter 6
1 ‘Vital interests’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/vital-interests, accessed 9 September 2020.
2 ‘Legitimate Interests’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests, accessed 9 September 2020.
3 ‘Data protection impact assessments’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments, accessed 9 September 2020.
4 ‘How do we apply legitimate interests in practice?’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice, accessed 9 September 2020.
5 See ‘Processing personal data (information)’ [web page], Fundraising Regulator, 2019, www.fundraisingregulator.org.uk/code/all-fundraising/processing-personal-data, accessed 9 September 2020.

Chapter 7
1 See ‘(a) Explicit consent’ in ‘What are the conditions for processing?’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-are-the-conditions-for-processing, accessed 30 September 2020.

Chapter 8
1 ‘Intention to fine British Airways £183.39m under GDPR for data breach’ [web article], Information Commissioner’s Office, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways, 8 July 2019.
2 ‘ICO fines British Airways £20m for data breach affecting more than 400,000 customers’ [web article], Information Commissioner’s Office, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400000-customers, 16 October 2020.

Chapter 9
1 See ‘What is a layered approach’ at ‘What methods can we use to provide privacy information?’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-methods-can-we-use-to-provide-privacy-information/#how2, accessed 9 September 2020.
2 ‘ICO privacy notice’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/global/privacy-notice, accessed 9 September 2020.
3 ‘What methods can we use to provide privacy information?’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-methods-can-we-use-to-provide-privacy-information, accessed 9 September 2020.
4 ‘Principle (b): Purpose limitation’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation, accessed 9 September 2020.

Chapter 11
1 Details of recent penalties can be seen at ‘Enforcement action’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/action-weve-taken/enforcement, accessed 9 September 2020. For older penalties it is worth checking the Wayback Machine: ‘Wayback Machine’ [web page], Internet Archive, 2020, https://web.archive.org/web/*/ico.org.uk, accessed 9 September 2020. Of the 47 monetary penalties in the two years up to June 2020, 12 related to major security breaches, 28 to marketing infringements and 7 to a range of other issues. A summary of all previous monetary penalties back to 2010 can be found by searching for ‘civil monetary penalties’ on the ICO’s website.
2 For some introductory material, see ‘Securing your information’ [web page], Technology community (technical architecture), 2018, www.gov.uk/service-manual/technology/securing-your-information, accessed 13 October 2020, and guidance from the National Cyber Security Centre at www.ncsc.gov.uk.
3 See ‘ISO/IEC 27001’ [web page], International Organization for Standardization, 2020, www.iso.org/isoiec-27001-information-security.html, accessed 9 September 2020.
4 See ‘About Cyber Essentials’ [web page], National Cyber Security Centre, 2020, www.ncsc.gov.uk/cyberessentials/overview, accessed 9 September 2020.
5 See ‘PCI security’ [web page], PCI Security Standards Council, 2020, www.pcisecuritystandards.org/pci_security, accessed 9 September 2020.
6 The ICO’s action was related to London Borough of Lambeth v. Anthony Amaebi Harry [2020] EWHC 1458 (QB) (www.bailii.org/ew/cases/EWHC/QB/2020/1458.html, accessed 9 September 2020).
7 Implementation of European Directive 96/9/EC under the Copyright and Rights in Databases Regulations 1997, which amended the Copyright, Designs and Patents Act 1988.

Chapter 12
1 ‘International transfers’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers, accessed 9 September 2020.

Chapter 13
1 ‘Age appropriate design: A code of practice for online services’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services, accessed 9 September 2020.
2 ‘Right of access’ [web page], Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access, accessed 29 October 2020.
3 ‘Right to erasure’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure, accessed 9 September 2020.
4 ‘Right to data portability’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability, accessed 9 September 2020.
5 See ‘Exemptions’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions, accessed 9 September 2020.
6 Ibid.

Chapter 14
1 ‘Manifestly unfounded and excessive requests’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/individual-rights/manifestly-unfounded-and-excessive-requests, accessed 9 September 2020.
2 See ‘Right of access’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access, accessed 9 September 2020.
3 See ‘What should we do if the data includes information about other people?’ at ‘Right of access’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#15, accessed 9 September 2020.
4 See ‘How long do we have to comply?’ at ‘Right of access’ [web page], Information Commissioner’s Office, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#8, accessed 9 September 2020.

Chapter 16
1 Information: To share or not to share [PDF], Department of Health, 2013, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/251750/9731-2901141-TSO-Caldicott-Government_Response_ACCESSIBLE.PDF, accessed 9 September 2020.

Chapter 17
1 See the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
2 Susannah Birkwood, ‘Information Commissioner takes action against Alzheimer’s Society for “disappointing attitude” to data use’ [web article], Third Sector, www.thirdsector.co.uk/information-commissioner-takes-action-against-alzheimers-society-disappointing-attitude-data-use/management/article/1378571, 7 January 2016.
3 See, for example, ‘Abortion provider BPAS fined £200,000 for data breach’ [web article], BBC News, www.bbc.co.uk/news/health-26479985, 7 March 2014.

Chapter 18
1 Direct Marketing Code of Practice [PDF], Information Commissioner’s Office, 2020, https://ico.org.uk/media/about-the-ico/consultations/2616882/direct-marketing-code-draft-guidance.pdf, p. 6, accessed 9 September 2020.
2 ‘Code of Fundraising Practice’ [web page], Fundraising Regulator, 2020, www.fundraisingregulator.org.uk/code, accessed 9 September 2020.
3 Andy Ricketts, ‘Review of Fundraising Preference Service to ask if it’s still needed’ [web article], Third Sector, www.thirdsector.co.uk/review-fundraising-preference-service-ask-its-needed/fundraising/article/1673898, accessed 9 September 2020.
4 Direct Marketing [PDF], Information Commissioner’s Office, 2018, https://ico.org.uk/media/1555/direct-marketing-guidance.pdf, pp. 13–14, accessed 9 September 2020.
5 Direct Marketing Code of Practice [PDF], Information Commissioner’s Office, 2020, https://ico.org.uk/media/about-the-ico/consultations/2616882/direct-marketing-code-draft-guidance.pdf, p. 14, accessed 9 September 2020.
6 Note that the section ‘Action we have taken’ on the ICO’s website only includes events in the past two years or so. A spreadsheet summary of older material, going back to 2010, can be found by searching on the ICO’s website (https://ico.org.uk) for ‘civil monetary penalties’.
7 See Jowanna Conboye, ‘RSPCA and British Heart Foundation fined for serious data protection breaches’ [web article], Stephens Scown, www.stephens-scown.co.uk/intellectual-property-2/data-protection/rspca-british-heart-foundation-fined-serious-data-protection-breaches, 26 January 2017.
8 Ibid.

Chapter 19
1 ‘ICO says that voice data collected unlawfully by HMRC should be deleted’ [web article], Information Commissioner’s Office, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/05/ico-says-that-voice-data-collected-unlawfully-by-hmrc-should-be-deleted, 3 May 2019.

Chapter 20
1 Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. v. Planet49 GmbH [2019] ECLI EU C 801 (https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:62017CJ0673), accessed 9 September 2020.

Appendix
1 ‘National Data Strategy’ [web page], Department for Digital, Culture, Media & Sport, 2020, www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy, accessed 9 September 2020.
Index

access
  see also data subject access requests (DSAR)
  authorised and unauthorised access to personal data 80–2, 115–16
  right of access by data subjects 88, 95–100
accountability 14–15, 26
accuracy principle 50–1, 65–9
advertising material 120–2
  see also direct marketing
archiving, research and statistics
  anonymised or pseudonymised data 69, 116, 148
  data retention special provision 69, 147
  data subject rights 149
  ‘in the public interest’, meaning 149–50
  purpose limitation 62, 147
  special category data processing 47, 147–50
biometric data
  special category data processing 45, 135
breaches
  Charity Commission, reporting to 28
  data subjects, reporting to 28
  enforcement action by ICO 125–6
  ICO, reporting to 28, 144–5
  management procedures 144–5
  penalties 52, 74–5, 155
  reporting 27–9, 138–9, 144–5
charities
  annual fee to ICO 156
  ICO enforcement for fundraising failures 125–6
  trading companies linked to 128–9
Charity Commission
  reporting serious incident to 28
children
  age-appropriate code of practice 153
  authorisation on behalf of 113–15
  data subjects, as 87–8
  parental consent 88
  special category data processing 46
cloud providers 21–2
  security of applications 77–8
Code of Fundraising Practice 120, 124
compensation for data subjects 92, 155
complaints by data subjects 92
compliance
  breach 27–9
  data protection principles 52–3
  policies and procedures 26–7
  responsibility for 2–3
  role of manager 24–5
confidentiality 101–5
  see also integrity and confidentiality principle
  data protection, interaction with 2, 101, 102
  duty to disclose overriding 102–3
  enforcement 105
  IT 142
  official requests for disclosure 103–4
  policy 104–5
  references 137
  service delivery 115–16
  volunteers 136
consent
  cookies 143–4
  data subjects 35–7, 125
  definition 35
  direct marketing 122
  explicit 40–1
  HR management 131–2
  processing personal data 32, 33, 35–7
  relationship with legitimate interests 37
  special category data 40–7, 147
contracts with processor 20–1
controllers 2–3, 13–17
  see also joint controllers
  accountability 14–15
  contract with processors 20–1
  definition 13
  individuals as controllers 16–17
  reporting breaches to ICO 28
  responsibilities 14–15
cookies 143–4
copyright of database 82
counselling service
  parental consent 88
  special category data processing 46
criminal offence
  personal data breaches by individuals 154–5
  unauthorised access to personal data 81–2
criminal record data 40
  see also special category data
criminal record data—continued
  official requests for disclosure 104
Cyber Essentials 80
data minimisation principle 50–1, 65–9
data protection
  see also compliance; controllers; data protection principles; lawful bases; personal data; processing personal data
  by design and by default 25–6
  confidentiality, interaction with 2, 101, 102
  history of the legislation xiv–xv, 159–63
  management 23–9, 138–9
  organisations working in collaboration 3, 15–16, 107–10
  when applicable 1–2
Data Protection Act 1984 xiv, 159
Data Protection Act 1998 xiv, 159–60
Data Protection Act 2018 xv–xvi, 161–2
Data Protection (Charges and Information) Regulations 2018 156, 161
data protection officer 23–4
data protection principles 4–5, 49–82
  accuracy 50–1, 65–9
  data minimisation 50–1, 65–9
  fairness 49–50, 55–61
  integrity and confidentiality 51–2, 73–82, 102, 141–2
  IT, application to 141–2
  lawfulness 49–50, 55–61
  purpose limitation 49–50, 62–3, 147
  storage limitation 50–1, 69–71, 147
  transparency 49–50, 51, 55–61
data quality 51, 66–9, 127
  emails 67–8
  HR management 133
  service delivery 112
data retention 51, 69–71
  archiving, research and statistics 69, 147
  data subjects who have died 70–1
  emails 69
  HR management 133–4
  legacies 70, 71
  photographs 70
  volunteers 136
data subject access requests (DSAR) 96–100, 139–40
  exemptions 140
  IT assistance 145
  whether to redact information 99–100
data subjects 1, 7–8
  see also children; right of access
  authorisation by third party 113–15
  automated decision-making, rights as to 91–2
  compensation 92, 155
  complaints 92
  consent 35–7, 125
  death of 70–1
  exemptions to rights 92–3
  more than one individual 10
  opt-outs 34–5, 124–5, 127–8
  portable format, right to receive data in 90–1
  privacy notices 56–8, 60–1, 112
  processing, rights on 90, 91
  reasonable expectations 35, 63
  rectification of information, right of 88–9
  reporting breaches to 28
  requests made on behalf of 92
  rights for archiving, research and statistical purposes 149
  secondary 10
  special category data 39–47
  vital interests 32, 42
database copyright 82
deletion see erasure of information
direct marketing 119–29
  consent 122
  definitions 120–2
  draft ICO Code of Practice 119–21
  ePrivacy Regulation (EU) 119, 122, 162
  ethics 123
  existing customers 127
  Fundraising Preference Service (FPS) 119
  lawful basis 122–4
  opt out records 127–8
  Privacy and Electronic Communications Regulations (PECR) 2003 119, 122, 151, 162
  processing personal data 122–4
  record-keeping 127–8
  right to opt out 124–5
  trading companies linked to charities 128–9
  transparency 126–8
disability, persons with
  special category data processing 45, 46–7
disclosure of information
  confidentiality and duty to disclose 102–3
  official requests 103–4
electronic data 9
emails
  data quality control 67–8
  marketing by 122–3
  response to data subject request for access 97–8, 139–40
  retention periods 69
  security 76
employees
  see also HR management
  data subject access requests (DSAR) 139–40
  privacy notices 138–9
  private use of employers’ systems 138
  security checks and monitoring 79
  use of own equipment 137–8
ePrivacy Regulation (EU) 119, 122, 162
equal opportunities
  special category data processing 44, 135
equipment
  employees’ use of own 137–8
erasure of information 10
  data subjects’ right to request 89
ethics
  direct marketing 123
ethnic diversity or origin
  special category data processing 44, 45
European Economic Area (EEA) 163
  transfers of personal data to 83–4
European Union (EU)
  Data Protection Directive 1995 159–60
  ePrivacy Regulation 119, 122, 162
  General Data Protection Regulation (GDPR) 2016 xi, xiii–xvi, 160–1
  leaving of UK xi, 163
  Privacy and Electronic Communications Regulations (PECR) 2003 119, 122, 151, 162
  transfers of personal data to 83–4
  transfers of personal data to US 86
fairness principle 49–50, 55–61
  right to opt out 124–5
fees to ICO 156
fundraising
  see also direct marketing
  Code of Fundraising Practice 120, 124
  enforcement action by ICO 125–6
  Fundraising Preference Service (FPS) 120
General Data Protection Regulation (GDPR) 2016 xi, xiii–xvi, 1–6, 160–1
  see also data protection principles; lawful bases
genetic data
  special category data processing 45
home-working see working from home
HR management 131–40
  confidentiality 135–6
  data quality 133
  data retention 133–4
  data subject access requests (DSAR) 139–40
  employees’ use of own equipment 137–8
  equal opportunity monitoring 135
  lawful bases 131–2
  policies and procedures 138–9
  references 137
  reporting personal data breaches 138–9
  special category data 134–6
  third parties 136–7
  transparency 133
  volunteers 136
ICO see Information Commissioner’s Office
identifiable individuals see data subjects
Information Commissioner 5, 151
  list of office holders 152
Information Commissioner’s Office (ICO) 151–7
  assessment notices 154
  codes of practice 152–3
  contact details 157
  draft Direct Marketing Code of Practice 119–21
  enforcement action 125–6
  enforcement powers xv–xvi, 154
  fees and exemptions 156–7
  financial penalties 155
  guidance 153
  information notices 154
  reporting breaches to 28, 144–5
  warrants for entry and inspection 154
integrity and confidentiality principle 51–2, 73–82, 102
  IT, application to 141–2
intellectual property rights 82
international data transfers 83–6
  adequacy provision 83–4
  European Economic Area (EEA) 83–4
  European Union 83–4
  United States 86
international standards on security 79–80
IT
  see also online activity
  breach management 144–5
  confidentiality 142
  data protection principles applied to 141–2
IT—continued
  external suppliers 142–3
  integrity 141
  monitoring and investigating usage 145
  security 77–8, 141–3
joint controllers 3, 15–16, 107–10
  data-sharing 128–9
  statutory bodies, working with 110
lawful bases
  contract 32
  direct marketing 122–4
  HR management 131–2
  legal obligation 32
  legitimate interests 33–5
  processing personal data 3–4, 31–7, 55
  public functions 33, 110
  service delivery 111–12
  vital interests 32
lawfulness principle 49–50, 55–61
legacies
  data retention 70, 71
legitimate interests
  lawful basis for processing 33–5
  relationship with consent 37
marketing 120–2
  see also direct marketing
  email, by 122–3
  fundraising failures by charities 125–6
meetings online 78
membership renewals 127
mental illness, persons with
  special category data processing 46–7
online activity 7, 141–5
  see also IT
  age-appropriate code of practice 153
  children 88
  privacy notices 56, 60–1
  security of meetings 78
  security of service delivery 116
opt-outs 34–5, 124–5
  record-keeping 127–8
paper records 9
  security 76
parental consent 88
PECR see Privacy and Electronic Communications Regulations
penalties
  fundraising failures by charities 125–6
  ICO powers 155
  security breach 52, 74–5
person, identifiable see data subjects
personal data
  see also controllers; data protection principles; data subjects; international data transfers; privacy notices; processing personal data; right of access; special category data
  authorised and unauthorised access 80–2, 115–16
  breaches 27–9, 138–9, 144–5
  categories 7–8
  definition 1–2, 7
  domestic purposes exemption 10–11
  identifiable person 1, 7–8
  information-sharing 109–10
  records about more than one individual 10
  third parties, information from 60, 136–7
  transparency 49–50, 51, 55–61, 133
photographs
  retention period 70
policy document 26–7
  confidentiality 104–5
  retention policy and schedule 69
  special category data 43–4
  staff data protection 138–9
political parties
  special category data processing 42
Privacy and Electronic Communications Regulations (PECR) 2003 119, 122, 151, 162
privacy notices 56–8
  employees 138–9
  fundraising transparency 126–8
  notification of changes 61
  providing the information 60–1
  retention schedule appended to 69
  service delivery 112
  volunteers 136
processing personal data 7–11
  see also data protection principles; lawful bases; special category data
  automated 91–2
  consent 32, 33, 35–7
  contract lawful basis 32
  data subject restricts or objects 90, 91
  definition of processing 2, 9–10
  direct marketing 122–4
  lawful bases 3–4, 31–7, 55
  legal obligation lawful basis 32
  legitimate interests lawful basis 33–5
  public functions lawful basis 33, 110
  service delivery 111–12
  vital interests lawful basis 32
processing personal data—continued
  vital interests without data subject’s consent 42
processors 3
  cloud providers 21–2, 78
  definition 19–20
  IT suppliers 142–3
  reporting breaches to controller 28
  requirements in contracts for 20–1
profiling 126
promotional material 120–2
  see also direct marketing
public bodies see statutory bodies
public interest
  see also substantial public interest
  definition 150
purpose limitation principle 49–50, 62–3, 147
  compatibility issue 62–3
quality of data see data quality
racial diversity or origin
  special category data processing 44, 45
reasonable expectations 35, 63
record-keeping
  data subject access requests (DSAR) 100
  direct marketing 127–8
  opt-outs 127–8
  service delivery 115
records
  see also accountability; data retention; record-keeping
  about more than one individual 10
  paper 9
references
  confidentiality 137
religious bodies
  special category data processing 42
research see archiving, research and statistics
retention of data see data retention
right of access 88, 95–100
  see also data subject access requests (DSAR)
safeguards
  archiving, research and statistics 47, 148
  children 46
  special categories of data 41–7, 148
security
  authorised and unauthorised access to information 80–2, 115–16
  breach 27, 52
  cloud applications 77–8
  data in transit, vulnerability of 52, 75–6
  emails 76
  equipment 77
  integrity and confidentiality principle 51–2, 73–82, 102, 141–2
  IT 77–8, 141–3
  paper documents 76
  penalties for breaches 52, 74–5
  physical 78–9
  service delivery 115–16
  staff checks and monitoring 79
  standards 79–80
  volunteers 116
  website 77
  working from home 77
self-employed people 17
sensitive data 4, 40
  see also special category data
service delivery 111–17
  authorisation on behalf of data subject 113–15
  case studies and statistics, reporting of 116–17
  confidentiality 115–16
  data quality 112
  lawful basis 111–12
  privacy notices 112
  records retention 115
  security 115–16
  special category data 112
  third parties 112–15
  transparency 112
sexual orientation
  special category data processing 45
special category data 4, 39–47
  archiving, research and statistics 47, 147–50
  biometric data 45, 135
  consent 40–7, 147
  counselling service 46
  disability or medical condition, persons with 45
  equal opportunities 44, 135
  ethnic diversity or origin 44
  HR management 134–6
  not-for-profit bodies 42
  prevention or detection of unlawful acts 45
  processing without consent 41–7
  racial diversity or origin 44, 45
  safeguarding of children 46
  service delivery 112
  substantial public interest 43–4, 110
special category data—continued
  vital interests 42
statistics
  data retention special provision 69, 147
  purpose limitation 62, 147
  service delivery 116–17
  special category data processing 47, 147–50
statutory bodies
  joint controllers with 110
  public functions lawful basis for processing 33, 110
  special category data processing 43–4, 110
storage limitation principle 50–1, 69–71, 147 see also data retention
subject access requests see data subject access requests (DSAR)
substantial public interest
  special category data processing 43–4, 110
tax data
  official requests for disclosure 104
telephone marketing 122
Telephone Preference Service (TPS) 122
telephone services 112
third parties
  authorisation on behalf of data subject 113–15
  personal data from 60, 136–7
  service delivery 112–13
trade unions
  special category data processing 42
trading companies
  charities linked to 128–9
training on data protection 139
transparency
  fundraising 126–8
  HR management 133
  principle 49–50, 51, 55–61
  service delivery 112
  third parties 60, 112–13
unincorporated organisations
  compliance with the GDPR 13–14
United States (USA)
  transfers of personal data to 86
unlawful acts, prevention or detection
  special category data processing 45
vital interests
  lawful basis for processing 32
  special category data processing 42
voluntary organisations xii–xiii
  annual fee to ICO 156
volunteers 17
  agreements 136
  security of personal data 116
  training on data protection 139
websites 77
  cookies 143–4
  privacy notices 60–1
working from home 77