Data Protection – Everything You Need to Know But Were Afraid to Ask
“We thought digital was the new oil, but discovered it is also the new asbestos”- Christopher Graham, former Information Commissioner, 2016.
The protection of personal data has become a critical risk area for businesses, not-for-profits and charities. The regulator, the Information Commissioner’s Office (ICO), is taking a tougher stance on enforcement of the rules. A series of high profile incidents have heightened public concern about privacy and the misuse of personal information. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018.
What should we already be doing?
The existing rules on data protection cover the collection, storage and processing of personal data about individuals. They give individuals a right to request data held by organisations (a “subject access request”) and the right to correct errors. They also create offences where data is lost or stolen due to ineffective security or carelessness – which can lead to significant fines. Particular care must also be taken around marketing activities where contact is made with prospects, supporters, donors or service users. The general principle is that you must have the consent of the person you are contacting before sending them a communication. When you collect information on a paper form or via a website, or over the phone, you must tell people in a ‘privacy notice’ why you are collecting the information, what it will be used for and who it may be shared with. They must be given the option to specifically ‘opt in’ to different types of marketing communications by ticking a box. Pre-ticked boxes are not allowed. The reputational and financial risks of getting it wrong can be very serious. In 2014, the organisers of Park Life Festival were fined £70,000 by the ICO for sending unsolicited and inappropriate marketing text messages. In December 2016, the ICO announced fines for the RSPCA (£25,000) and British Heart Foundation (£18,000) over the inappropriate handling and sharing of donors’ personal information without permission.
The current rules
The Data Protection Act 1998 governs the holding and processing of personal data. ‘Personal data’ means any information which identifies any living individual, whether in digital form, on disk or on USB sticks, and includes photos, video and sound recordings. ‘Processing’ personal data means obtaining, recording or holding the information on computer systems, in the cloud or in a paper filing system. More stringent rules apply to ‘sensitive personal data’, which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and details of any offences committed or alleged.
Businesses and charities routinely handle the personal information of employees, volunteers, service users, and suppliers. It is therefore very likely that these activities will be caught by the provisions of the Act. A ‘data controller’ is a person or entity that determines the purposes for which personal data is processed. They may also be processing the data. A ‘data processor’ is usually, but not always, a service provider who handles the data but doesn’t control it. Under the current law, the legal responsibility for compliance falls directly on the data controller and not on the data processor. If you are a ‘data controller’ under the Act and fail to register your organisation with the Information Commissioner, you can be fined.
The Act says that all personal data must be:
- Fairly and lawfully processed (i.e. you must be transparent with individuals about what you’re doing with their data and why, you must have a lawful basis for collecting and processing the information, and you must process it in a way that individuals would reasonably expect);
- Processed for specified purposes only (i.e. you must tell people why you are collecting data and what it will be used for from the outset and not then use it for other purposes);
- Adequate, relevant and not excessive;
- Accurate and, where necessary, kept up to date (you have a positive duty to keep the information up to date and correct any errors);
- Not kept for longer than is necessary (so employment applications, CVs etc should be securely destroyed after a reasonable period);
- Processed in line with the rights of the individual;
- Kept secure (i.e. employ reasonable security precautions); and
- Not transferred to countries outside the European Economic Area, unless the information is adequately protected. Care must be taken if any of your data is stored on cloud based servers in the United States or other countries which do not have a ‘safe harbour’ arrangement in place (e.g. via cloud based accounting, HR or CRM systems). Some transfers are still permitted, e.g. if the individual specifically consents, or if there is a suitable contract in place with the data handler to protect the data.
Non-compliance can result in an enforcement notice preventing a business from processing data, effectively preventing many businesses from operating, together with significant fines up to £500,000. Managers and directors can also be prosecuted personally for non-compliance if the offence was committed “with their consent or connivance”.
Individuals have a right to ask your organisation to disclose what personal data you hold about them by submitting a subject access request and paying a fee of £10. You must respond within 40 days. If you fail to respond the requester can make a complaint to the ICO. So you need to be careful about the records, notes and correspondence you keep about employees, job applicants and service users, since it could all be disclosable to them upon request!
The key steps to ensure compliance are:
- Ensure your organisation is registered with the ICO as a data controller
- Prepare a Data Protection Policy
- Put in place appropriate ‘privacy notices’ for clients and customers, giving them the required information and informing them of their rights
- Ensure that you hold no more personal data than is necessary for the business activities that you perform
- Establish procedures for staff to follow when processing personal data. (Demonstrating that procedures were put in place might be a defence in the event of a complaint brought against you)
- Train, and regularly refresh, all your staff in best practice
- Put in place contracts with your suppliers which assist in the protection of information
- Check your insurance and evaluate your risks of suffering a data breach or security incident
Data controllers must put in place adequate technical and organisational measures to safeguard personal data from destruction, accidental loss, unauthorised access or disclosure. Data breaches can occur through unauthorised entry into IT networks, loss of mobile devices or memory sticks, or even simple errors like leaving confidential papers in unsecured waste bins. In recent years, the ICO has toughened its stance on prosecuting data breaches. For example, in July 2014, the ICO fined a Thomas Cook subsidiary, Think W3 Limited, £150,000 after a hacker stole more than 1 million customers’ personal details – including credit and debit card numbers – due to poor data security measures on its website. In March 2014 the ICO imposed a penalty of £200,000 on the charity British Pregnancy Advice Service (BPAS) for exposing thousands of personal details of patients to a malicious hacker. The charity failed to realise its website was storing the name, address, date of birth and telephone number of anyone who had requested a call back for advice on pregnancy issues. The personal data was not stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
Social media such as Facebook or LinkedIn company pages can also be subject to the Act. A data controller who runs an online forum has a responsibility to take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and presented as a ‘matter of fact’. For example, the operator of a site which invites service users to post reviews and feedback on service providers would be subject to this duty.
Special rules for electronic marketing
The Privacy and Electronic Communications Regulations (PECR) were introduced in 2003 to complement the Data Protection Act. They introduced specific rules about sending marketing and advertising by electronic means, including email, telephone, text messages, picture messages and fax. ‘Marketing’ covers not just the sale of products and services, but also the promotion of aims and ideals. In many cases, organisations need consent to send individuals marketing or to pass their details on. There is a limited exception for existing customers and clients known as the “soft opt in”, but only for commercial products or services – not campaigning and fundraising activities. Organisations will need to demonstrate through appropriate records that consent was knowingly and freely given. Consent may sometimes be time-limited, depending on the circumstances. Organisations must always say who they are and provide contact details. Individuals can ‘opt out’ of cold calls by registering with the Telephone Preference Service. You must not continue to send marketing messages to a person who objects or has opted out. Particular care must be taken if your organisation uses bought-in lists for marketing. Appropriate due diligence should be carried out on the quality of the list before proceeding, including obtaining assurances about whether the individuals have ‘opted in’ to receive marketing. Beware of the temptation to sell your own lists of supporters to others without permission. Pharmacy2U was fined £130,000 by the ICO for selling on its customer list when customers had not given their consent for personal data to be sold on. This can be a particular issue to focus on where mergers, acquisitions or outsourcing are taking place.
Be careful about sharing data
A particular area of risk is the sharing of personal data. Charities may sometimes have a legitimate need to share or disclose data to other agencies and organisations in order to best serve the needs of their service users, or to protect vulnerable beneficiaries. There are a number of lawful routes for sharing data:
- The person has knowingly given their express consent to the passing on of information (usually on a paper form or website sign-up).
- The processing is necessary in relation to a contract which the individual has entered into; or because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to your organisation, except an obligation imposed by a contract (for example, a safeguarding duty).
- The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death (e.g. where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident).
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The organisation needs to process the data for the purpose of its own ‘legitimate interests’ or the legitimate interests of the third party that the information is disclosed to. The burden is on the organisation to demonstrate that is the case and that the individual is not harmed.
You can share without an individual’s knowledge in cases where personal data is processed for:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders; or
- the assessment or collection of tax or duty.
However, the sharing of information must be fair and transparent. People should generally be aware of which organisations are receiving their personal data, and what it is being used for. The best way to achieve this is to make sure a clear privacy notice is included on application forms, membership forms, website forms etc. that sets out all this information. It is good practice to keep records of data that has been shared and the reason(s) for sharing. If you regularly share or disclose data to other organisations, you should consider having a Data Sharing Agreement with them, setting out respective responsibilities, requirements for security and for secure deletion of data when no longer required.
Many organisations have come a cropper for sharing personal data for non-legitimate reasons. This can be where they sell a mailing list of supporters to another organisation, or where they pass on personal data to another agency where they shouldn’t have done so and this causes harm to someone (e.g. passing on information about an employee’s health condition to a third party).
Right to object – individuals have a clear right to object to your processing their personal data, and this must be brought to their attention when you first collect the data from them. If you are processing data for marketing purposes you must stop as soon as you receive the objection – there are no grounds to refuse and no exemptions.
Other legal rules can also apply to disclosing or sharing personal data, such as information obtained in confidence and the Human Rights Act 1998 (Article 8 right to private and family life, home and correspondence).
In Part 2 of this post, we will examine the more stringent rules coming in May 2018 when the new General Data Protection Regulation enters into force.