Data Protection – Everything You Need to Know But Were Afraid to Ask – Part 2

‘It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.’ – Prof Clay Shirky, NYU.

In Part 1, I outlined how the protection of personal data has become a critical risk area for businesses, not-for-profits and charities as the regulator, the Information Commissioner’s Office (ICO), takes a tougher stance on enforcement of the rules. A series of high profile incidents have heightened public concern about privacy and the misuse of personal data. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018. In Part 2, I explain what will change when the GDPR comes into force on that date.

What will change under the GDPR in 2018?

The GDPR will introduce a series of explicit rights for individuals in respect of their personal data, some of which are new, and some are enhancements of the existing position:

  • Right to access data (to be told whether personal data are being processed and access a copy)
  • Right to erasure (if consent is withdrawn, or there is no legal basis for holding the data, individuals may request erasure)
  • Right to portability (the right to require data to be transferred to another data controller in a machine readable format)
  • Right to rectification – an individual’s right to have inaccuracies corrected or include a supplementary statement
  • Right to restrict processing – data to be held in limbo while any disputes are resolved
  • Right to be informed – i.e. to be told what information is being processed and for what purpose
  • Right to object – the right to stop personal data being processed by withdrawing consent or some other legal basis.

The key changes

  • The definition of ‘personal data’ will be widened to include IP addresses, genetic and biometric data.
  • Organisations will need to keep proper records of their data processing activities and make these available to the regulator if requested.
  • Data processors (as well as data controllers) have direct obligations for the first time. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a Data Protection Officer where required; appoint a representative (when not established in the EU) in certain circumstances; and notify the controller without undue delay on becoming aware of a data breach. How data protection matters are addressed in supply and other commercial agreements will need to be reviewed – especially the allocation of liability for data breaches.
  • The £10 fee for accessing records will be abolished and the time limit for dealing with a request to access or correct a record will be shortened from 40 days to 1 month. Extensions of up to 2 months may be allowed if the request is complex. Requests may be refused if they are ‘manifestly unfounded or excessive’.
  • The right to request erasure of data has been strengthened. Under the current rules, erasure can be requested if the processing causes unwarranted and substantial damage or distress. There will be specific circumstances where erasure can be requested, e.g. the individual withdraws consent to processing, or the data was unlawfully processed in the first place. There will be very limited grounds to refuse to erase, e.g. to comply with a legal obligation in performing a public interest task or for public health purposes.
  • New right to ‘data portability’ – individuals will be allowed to obtain and re-use their personal data for their own purposes across different services (e.g. for use on a price comparison site). Organisations must provide the data free of charge in a machine readable format e.g. a .csv file within 1 month of a request.
  • There will be significantly harsher penalties for data breaches – the current limit of £500,000 will increase to 20 million euros or 4% of an organisation’s global turnover, whichever is greater.
  • An explicit right for individuals affected by a breach of the rules by a data controller or a data processor to bring a claim for compensation, which need not be for financial loss; it could cover personal distress and anxiety.
  • Special rules will apply to children’s personal data – privacy notices must be child-friendly. Before offering online services to children under 16 (most likely set at under 13 in the UK), a parent’s or guardian’s permission will be required (except for online counselling and preventative services). (Note this does not affect the existing law for offline transactions, where the capacity of the child may be relevant.)
  • New privacy notices will be required which provide information about retention periods for data, the rights of the data subject, the right to withdraw consent, the right to complain to the ICO, whether it is a statutory or contractual requirement to provide the data, and whether any of the data will be used for automated decision-making about the individual.
  • There are potentially onerous new obligations on accountability and information governance. There is an explicit duty to put in place appropriate organisational measures to demonstrate compliance with the rules, which could include data protection policies, staff training, internal audits of data held and processing activities, privacy impact assessments when implementing new technologies or activities, reviews of internal HR policies and regular reviews of security arrangements. If your organisation has more than 250 employees there will be a more onerous duty to maintain records of processing activities. These records may be called for by the ICO as part of an investigation and may form an important part of your defence to any enforcement action.
  • Mandatory duty to appoint a Data Protection Officer for public authorities or organisations which undertake large scale monitoring of individuals or large scale processing of ‘sensitive personal data’. Note it is the scale of the processing, not the size of the organisation, that matters. The DPO’s role is to inform and advise the organisation and its employees about their data protection obligations, monitor compliance with data protection laws, conduct internal audits, train staff and coordinate data protection activities, and be the first point of contact with the ICO and supervisory bodies, as well as customers and suppliers whose data is being processed. The DPO is expected to report directly to the Board and must be given adequate resources and authority to perform their role. The role does not have to be filled by an employee; it can be contracted out.
  • Duty to report data breaches to the ICO where the breach is likely to result in a risk to the rights and freedoms of the individuals affected; also a duty to notify the individuals affected if there is a high risk to their rights and freedoms. Notification must be made within 72 hours. The notification must detail the number of individuals and records involved, a description of the likely consequences of the data breach and the measures to be taken to (a) deal with the breach and (b) mitigate possible adverse effects. Failing to notify a breach can result in a fine of up to 10 million euros or 2% of the organisation’s global turnover!

What do we need to do to prepare for GDPR?

  • Ensure Board members and management are aware of the new duties and are taking active steps to prepare, including securing resources and budgets required.
  • Designate a Data Protection Officer to take responsibility for compliance and decide where this role will sit within your organisation’s overall governance structure.
  • Review all policies and procedures which are relevant to data protection and privacy.
  • Conduct an information audit and privacy impact assessments – understand what personal data your organisation holds, where it comes from and with whom you share it; identify the legal basis for processing the information; and document your findings. Is there a clear audit trail showing how and when individuals gave their consent to processing of their personal data and opted into marketing communications?
  • Review your privacy notices against published examples of good practice.
  • Take extra care if you are collecting information about children – bear in mind the new requirement to obtain a parent’s or guardian’s consent to processing data about children in most cases.
  • Prepare to deal with subject access requests within the shorter time period of 1 month.
  • When contracting out work to third parties (e.g. payroll providers, HR consultants, fulfilment houses), check what measures they have in place to ensure compliance with the new duties – are they signed up to any certification schemes or codes of conduct? Ensure you have appropriate contractual clauses in place to protect your organisation against their failures.
  • Have robust procedures for detecting and investigating data breaches and for internal reporting, so that notification can be made to the authorities within the 72-hour period.
  • Review insurance cover to determine what risks or incidents are covered or excluded.

The new GDPR represents a step-change in the level of risk for organisations collecting, holding and processing personal data. It will be essential to begin preparations now, identifying resources and reviewing current procedures and policies in readiness. Elderflower Legal offers specialist legal, governance and company secretarial services to help keep your organisation compliant: elderflowerlegal.co.uk.

Elderflower Legal & Secretarial offers a cost-effective outsourced company secretarial service to small business, charities, social enterprises and academy trusts. For a fixed monthly fee we can provide peace of mind to directors and board members that compliance duties are being met, returns filed by the deadlines and risks properly identified.
Contact us today for a no-obligation chat or check out our website at elderflowerlegal.co.uk or call 01625 260577.
Find out more about our service packages here.
If you would like to be kept up to date on more topics like this, then why not sign up to receive our regular newsletter.

Data Protection – Everything You Need to Know But Were Afraid to Ask

“We thought digital was the new oil, but discovered it is also the new asbestos” – Christopher Graham, former Information Commissioner, 2016.

The protection of personal data has become a critical risk area for businesses, not-for-profits and charities. The regulator, the Information Commissioner’s Office (ICO), is taking a tougher stance on enforcement of the rules. A series of high profile incidents have heightened public concern about privacy and the misuse of personal information. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018.

What should we already be doing?

The existing rules on data protection cover the collection, storage and processing of personal data about individuals. They give individuals a right to request data held by organisations (a “subject access request”) and the right to correct errors. They also create offences where data is lost or stolen due to ineffective security or carelessness – which can lead to significant fines. Particular care must also be taken around marketing activities where contact is made with prospects, supporters, donors or service users. The general principle is that you must have the consent of the person you are contacting before sending them a communication. When you collect information on a paper form or via a website, or over the phone, you must tell people in a ‘privacy notice’ why you are collecting the information, what it will be used for and who it may be shared with. They must be given the option to specifically ‘opt in’ to different types of marketing communications by ticking a box. Pre-ticked boxes are not allowed. The reputational and financial risks of getting it wrong can be very serious. In 2014, the organisers of Park Life Festival were fined £70,000 by the ICO for sending unsolicited and inappropriate marketing text messages. In December 2016, the ICO announced fines for the RSPCA (£25,000) and British Heart Foundation (£18,000) over the inappropriate handling and sharing of donors’ personal information without permission.

The current rules

The Data Protection Act 1998 governs the holding and processing of personal data. ‘Personal data’ means any information which identifies any living individual, whether held in digital form, on disk or on USB sticks, and includes photos, video and sound recordings. ‘Processing’ personal data means obtaining, recording or holding the information on computer systems, in the cloud or in a paper filing system. More stringent rules apply to ‘sensitive personal data’, which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and details of any offences committed or alleged.

Businesses and charities routinely handle the personal information of employees, volunteers, service users, and suppliers. It is therefore very likely that these activities will be caught by the provisions of the Act. A ‘data controller’ is a person or entity that determines the purposes for which personal data is processed. They may also be processing the data. A ‘data processor’ is usually, but not always, a service provider who handles the data but doesn’t control it. Under the current law, the legal responsibility for compliance falls directly on the data controller and not on the data processor. If you are a ‘data controller’ under the Act and fail to register your organisation with the Information Commissioner, you can be fined.

The Act says that all personal data must be:

  • Fairly and lawfully processed (i.e. you must be transparent with individuals about what you’re doing with their data and why, you must have a lawful basis for collecting and processing the information and you process it in a way that individuals would reasonably expect);
  • Processed for specified purposes only (i.e. you must tell people why you are collecting data and what it will be used for from the outset and not then use it for other purposes);
  • Adequate, relevant and not excessive;
  • Accurate and, where necessary, kept up to date (you have a positive duty to keep the information up to date and correct any errors);
  • Not kept for longer than is necessary (so employment applications, CVs etc. should be securely destroyed after a reasonable period);
  • Processed in line with the rights of the individual;
  • Kept secure (i.e. employ reasonable security precautions); and
  • Not transferred to countries outside the European Economic Area, unless the information is adequately protected. Care must be taken if any of your data is stored on cloud based servers in the United States or other countries which do not have a ‘safe harbour’ arrangement in place (e.g. via cloud based accounting, HR or CRM systems). Some transfers are still permitted, e.g. if the individual specifically consents, or if there is a suitable contract in place with the data handler to protect the data.

Non-compliance can result in an enforcement notice preventing a business from processing data, effectively preventing many businesses from operating, together with significant fines up to £500,000. Managers and directors can also be prosecuted personally for non-compliance if the offence was committed “with their consent or connivance”.

Individuals have a right to ask your organisation to disclose what personal data you hold about them by submitting a subject access request and paying a fee of £10. You must respond within 40 days. If you fail to respond the requester can make a complaint to the ICO. So you need to be careful about the records, notes and correspondence you keep about employees, job applicants and service users, since it could all be disclosable to them upon request!

The key steps to ensure compliance are:

  • Ensure your organisation is registered with the ICO as a data controller
  • Prepare a Data Protection Policy
  • Put in place appropriate ‘privacy warnings’ for clients and customers giving them the required notices and informing them of their rights
  • Ensure that you hold no more personal data than is necessary for the business activities that you perform
  • Establish procedures for staff to follow when processing personal data. (Demonstrating that procedures were put in place might be a defence in the event of a complaint brought against you)
  • Train, and regularly refresh, all your staff in best practice
  • Put in place contracts with your suppliers which assist in the protection of information
  • Check your insurance and evaluate your risks of suffering a data breach or security incident

Data controllers must put in place adequate technical and organisational measures to safeguard personal data from destruction, accidental loss, unauthorised access or disclosure.  Data breaches can occur through unauthorised entry into IT networks, loss of mobile devices or memory sticks, or even simple errors like leaving confidential papers in unsecured waste bins. In recent years, the ICO has toughened its stance on prosecuting data breaches. For example, in July 2014, the ICO fined a Thomas Cook subsidiary, Think W3 Limited, £150,000 after a hacker stole more than 1 million customers’ personal details – including credit and debit card numbers – due to poor data security measures on its website. In March 2014 the ICO imposed a penalty of £200,000 on the charity British Pregnancy Advice Service (BPAS) for exposing thousands of personal details of patients to a malicious hacker. The charity failed to realise its website was storing the name, address, date of birth and telephone number of anyone who had requested a call back for advice on pregnancy issues. The personal data was not stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.

Social media such as Facebook or LinkedIn company pages can also be subject to the Act. A data controller who runs an online forum has a responsibility to take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and presented as a ‘matter of fact’. For example, the operator of a site which invites service users to post reviews and feedback on service providers would be subject to this duty.

Special rules for electronic marketing

The Privacy and Electronic Communications Regulations (PECR) were introduced in 2003 to complement the Data Protection Act. They introduced specific rules about sending marketing and advertising by electronic means, including email, telephone, text messages, picture messages and fax. ‘Marketing’ covers not just the sale of products and services, but also the promotion of aims and ideals. In many cases, organisations need consent to send individuals marketing or to pass their details on. There is a limited exception for existing customers and clients known as the “soft opt in”, but only for commercial products or services – not campaigning and fundraising activities. Organisations will need to demonstrate through appropriate records that consent was knowingly and freely given. Consent may sometimes be time-limited, depending on the circumstances. Organisations must always say who they are and provide contact details. Individuals can ‘opt out’ of cold calls by registering with the Telephone Preference Service. You must not continue to send marketing messages to a person who objects or has opted out. Particular care must be taken if your organisation uses bought-in lists for marketing. Appropriate due diligence should be carried out on the quality of the list before proceeding, including obtaining assurances about whether the individuals have ‘opted in’ to receive marketing. Beware of the temptation to sell your own lists of supporters to others without permission. Pharmacy2U was fined £130,000 by the ICO for selling on their customer list when customers had not given their consent for personal data to be sold on. This can be a particular issue to focus on where mergers, acquisitions or outsourcing are taking place.

Be careful about sharing data

A particular area of risk is the sharing of personal data. Charities may sometimes have a legitimate need to share or disclose data to other agencies and organisations in order to best serve the needs of their service users, or to protect vulnerable beneficiaries. There are a number of lawful routes for sharing data:

  • The person has knowingly given their express consent to the passing on of information (usually on a paper form or website sign-up).
  • The processing is necessary in relation to a contract which the individual has entered into; or because the individual has asked for something to be done so they can enter into a contract.
  • The processing is necessary because of a legal obligation that applies to your organisation, except an obligation imposed by a contract (for example, a safeguarding duty).
  • The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death (e.g. where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident).
  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
  • The organisation needs to process the data for the purpose of its own ‘legitimate interests’ or the legitimate interests of the third party that the information is disclosed to. The burden is on the organisation to demonstrate that is the case and that the individual is not harmed.

You can share without an individual’s knowledge in cases where personal data is processed for:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of tax or duty.

However, the sharing of information must be fair and transparent. People should generally be aware of which organisations are receiving their personal data, and what it is being used for. The best way to achieve this is to make sure a clear privacy notice is included on application forms, membership forms, website forms etc. which sets out all this information. It is good practice to keep records of data that has been shared and the reason(s) for sharing. If you regularly share or disclose data to other organisations, you should consider having a Data Sharing Agreement with them, setting out respective responsibilities, requirements for security and for secure deletion of data when no longer required.

Many organisations have come a cropper for sharing personal data for non-legitimate reasons. This can be where they sell a mailing list of supporters to another organisation, or where they pass on personal data to another agency where they shouldn’t have done so and this causes harm to someone (e.g. passing on information about an employee’s health condition to a third party).

Right to object – individuals have a clear right to object to your processing their personal data, and this must be brought to their attention when you first collect the data from them. If you are processing data for marketing purposes you must stop as soon as you receive the objection; there are no grounds to refuse and no exemptions.

Other legal rules can also apply to disclosing or sharing personal data, such as information obtained in confidence and the Human Rights Act 1998 (Article 8 right to private and family life, home and correspondence).

In Part 2 of this post, we will examine the more stringent rules coming in May 2018 when the new General Data Protection Regulation enters into force.
