I attended a seminar last year where an organisation presented a new database that they had been developing. In my view, it was great. Genuine issues recognised by both the organisation and the sector involved would be addressed and the tool, without doubt, would facilitate better management of those issues.
As the presentation went on, however, it became clear that nobody seemed to have considered compliance with data protection legislation. In my experience, this is not unusual in the vast majority of IT projects, in particular, new system development. The system contained many features that generally prevent most of us working with data protection from sleeping at night, namely multiple uses of the dreaded free text field. These were specifically designed to allow staff to enter potentially highly subjective information about identified individuals.
There is a high probability that those who are identified either by having a dedicated record in the database or from information in the free text field will have no knowledge that information is being captured and recorded about them. In fact, I strongly suspect I have, or will have, a record in the database and as yet have not been informed about the existence of the database. Additionally, one of the purposes of recording information is to inform significant decisions about those individuals as and when required at some point in the future.
Any Processing of Personal Data Must Comply with Data Protection Laws
There are many data protection issues that the database raises, including accuracy, retention, and the rights of, and accessibility by, those identified in the information. The purpose of this blog is to highlight one further issue: the need to identify the legal basis for processing data. This is fundamental for processing to be lawful. While some processing in the database above would be justifiable, I am not clear on the legal bases that cover all of its processing activities.
Under the Data Protection Act 1998 (DPA 1998), for processing to be fair and lawful (Principle 1), it must satisfy at least one of the conditions in Schedule 2. These conditions remain essentially the same under the GDPR, although organisations will be required to actively inform people about the legal basis that is being used to process their data. The size of the task of establishing the legal basis for all processing is likely to be significant for some organisations and should not be underestimated. With a year to go, it would be worthwhile beginning this task as soon as possible.
If you are unable to identify the legal basis and justify the processing, it is potentially unlawful. The consequences could be significant, with substantial fines for breaches of the legislation. There may also be compensation claims where the information has been used to inform decisions about people when its capture and subsequent use was unlawful. There could also be costly and rapid changes required to non-compliant systems.
Ensuring Your Processing is Lawful
This blog probably contains slightly more technical jargon than others. However, the summary below covers terms that you will need to become familiar with if you are responsible for data protection compliance. Briefly, for processing to be lawful under the GDPR, at least one of the following must apply in every circumstance (Article 6):
- The person has given their consent for the purposes of processing. The rules surrounding the obtaining of consent are becoming far stricter and will be covered in a later blog;
- The processing is necessary for the performance of a contract to which the individual is party (or in order to enter into that contract at the request of the individual);
- Processing is necessary for compliance with a legal obligation to which the Controller (the organisation responsible for the information) is subject. This must be a specific responsibility laid down by law;
- Processing is necessary to protect the “vital interests” of the individual or another person. This means the processing is “essential for the life” of that person (Recital 46);
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, which should have a basis in law;
- Processing is necessary for the purposes of legitimate interests pursued by the Controller, although this must be balanced with the interests and fundamental rights and freedoms of the individual. This can be a difficult condition to justify and furthermore, public sector organisations are prevented from using this under the GDPR. Public sector organisations that are solely relying on legitimate interests will need to either implement measures to ensure another applies, such as obtaining consent, or change or potentially stop their processing activities.
Many of the justifications above are similar to the existing requirements. However, under the GDPR you must also state the legal basis to people in privacy notices and include it in responses to Subject Access Requests (SARs).
The processing of sensitive personal data is also currently subject to Schedule 3 of the DPA 1998. This type of information is dealt with under Article 9 of the GDPR.
Next Steps
Using your information asset register, ensure you understand the legal basis for all processing activities. Remember that the justification needs to cover every potential processing activity. For example, it is likely to be justifiable for staff managing payroll to have access to certain personal finance information. In most organisations, this is likely to be justifiable under a number of the legal bases above. These could include performance of a contract, and compliance with a legal obligation where information about tax and national insurance is processed. However, that justification will not extend to those that may work in a wider finance team with no payroll responsibilities. Access (and therefore ability to process) must therefore be restricted accordingly.
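The check described above can be made mechanical once the information asset register is structured. The following is an added example, not code from the original post or from Tkm: it models each processing activity with its Article 6 lawful basis, the roles permitted to process it and, for special-category data, an Article 9 condition, then reports activities that cannot be justified as recorded (no basis, a public authority relying solely on legitimate interests, special-category data with no Article 9 condition) and answers the payroll-versus-wider-finance access question. The register entries, role names and data categories are constructed for illustration.

```python
"""Review a structured information asset register for lawful-basis gaps.

Added example with constructed data; not a real organisation's register.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class LawfulBasis(Enum):
    """Article 6(1) GDPR lawful bases, (a) to (f)."""
    CONSENT = "6(1)(a)"
    CONTRACT = "6(1)(b)"
    LEGAL_OBLIGATION = "6(1)(c)"
    VITAL_INTERESTS = "6(1)(d)"
    PUBLIC_TASK = "6(1)(e)"
    LEGITIMATE_INTERESTS = "6(1)(f)"


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    data_categories: frozenset            # what personal data the activity touches
    roles_with_access: frozenset          # roles permitted to process it
    lawful_bases: frozenset               # subset of LawfulBasis; empty = none identified
    special_category: bool = False        # Article 9 data (health, ethnicity, ...)
    article9_condition: Optional[str] = None  # reference such as "9(2)(b)", if any


def review_register(register, public_authority: bool):
    """Return (activity name, finding) pairs for activities that are not justified as recorded."""
    findings = []
    for act in register:
        if not act.lawful_bases:
            findings.append((act.name, "no Article 6 lawful basis recorded"))
        elif public_authority and act.lawful_bases == {LawfulBasis.LEGITIMATE_INTERESTS}:
            # Public authorities cannot rely on legitimate interests for their public tasks.
            findings.append((act.name, "relies solely on legitimate interests, not open to a public authority"))
        if act.special_category and not act.article9_condition:
            findings.append((act.name, "special-category data without an Article 9 condition"))
    return findings


def can_process(register, role: str, category: str) -> bool:
    """A role may process a category only via an activity that names the role and records a basis."""
    return any(
        role in act.roles_with_access
        and category in act.data_categories
        and bool(act.lawful_bases)
        for act in register
    )


# Constructed sample register (hypothetical activities, roles and categories).
REGISTER = (
    ProcessingActivity(
        name="payroll",
        data_categories=frozenset({"salary", "bank details", "national insurance number"}),
        roles_with_access=frozenset({"payroll officer"}),
        lawful_bases=frozenset({LawfulBasis.CONTRACT, LawfulBasis.LEGAL_OBLIGATION}),
    ),
    ProcessingActivity(
        name="staff free-text notes",
        data_categories=frozenset({"manager observations"}),
        roles_with_access=frozenset({"line manager"}),
        lawful_bases=frozenset(),  # nobody has identified a basis for this field
    ),
    ProcessingActivity(
        name="newsletter analytics",
        data_categories=frozenset({"email address", "open rate"}),
        roles_with_access=frozenset({"communications"}),
        lawful_bases=frozenset({LawfulBasis.LEGITIMATE_INTERESTS}),
    ),
    ProcessingActivity(
        name="sickness absence records",
        data_categories=frozenset({"sickness absence"}),
        roles_with_access=frozenset({"HR"}),
        lawful_bases=frozenset({LawfulBasis.LEGAL_OBLIGATION}),
        special_category=True,  # health data: Article 6 alone is not enough
    ),
)


if __name__ == "__main__":
    for name, finding in review_register(REGISTER, public_authority=True):
        print(f"{name}: {finding}")
    print(can_process(REGISTER, "payroll officer", "salary"))  # True
    print(can_process(REGISTER, "finance analyst", "salary"))  # False: wider finance has no payroll role
```

Run as a public authority, the review flags the free-text notes (no basis), the newsletter analytics (legitimate interests only) and the sickness records (no Article 9 condition); the payroll activity passes, and only the payroll officer role can process salary data, which is the access restriction the paragraph above calls for.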
It is also worth noting that the GDPR requires systems to have data protection considerations built in by “design and default”. Data protection impact assessments (DPIAs) will become mandatory in some cases and should be conducted at the planning stage of systems projects. DPIAs will be discussed further in a later blog. Begin to consider the changes required to your business processes to ensure the DPIA is conducted at the right stage in any project.
Tkm can help with identifying the legal basis for processing. If you would like help with this or any other preparations for the GDPR please contact us.
exploit – protect – comply