DP BILL: GROUNDS FOR PROCESSING

DP BILL: GROUNDS FOR PROCESSING
LGA GDPR/DP Regional Conferences: Manchester & London (January 2018)
chris.pounder@amberhawk.com

Go through the courseware; identify action plan for controllers (parking rights for the moment).

DP BILL WORKS IN SAME WAY AS THE DPA
1. Does the organisation process in a way that engages the Act? Is the information processed “personal data”? Is the organisation a “data controller”?
2. If the Act is engaged then: is there a lawful basis to process personal data?
3. If there is a lawful basis for the processing then: how do we process? Apply the Data Protection Principles and other obligations (e.g. rights).

DEFINITIONS (A.4; RECITALS 26-30)
More personal data covered (e.g. IP address, URLs), as identification need not be by the controller
Manual filing systems are structured processing by any criteria (e.g. relating to individuals, number)
Controller, Processor, Processing, Recipient and Third Party more or less the same
RFS and semi-structured filing systems covered; Accessible Records might go the other way
Biometric = processing to make an ID (e.g. facial recognition, speed of pen in signature)

Recital 30: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

SPECIAL PERSONAL DATA (A.9)
All “Sensitive Personal Data” of the DPA plus:
Sexual orientation
Biometric in the context of ID (e.g. facial recognition CCTV)
Genetic information (DNA or RNA, i.e. deoxyribonucleic acid or ribonucleic acid)
Criminal convictions not “special” (more like “extra special”)
Photos not systematically “special personal data” (R.51)

Make sure you have the right regime: criminal records processed in the context of law enforcement fall under Part 3 of the DP Bill, which has different grounds (consent, necessary for a law enforcement purpose, or in Schedule 8). This session relates to grounds for “GENERAL PROCESSING” (described in Part 1/Part 2 of the Bill).

GROUNDS FOR MOST CONTROLLERS
Article 6 little different from Schedule 2; Article 6 legal basis needed for each processing operation
“Consent” changes as a result of Article 7 and related Recitals
“Public task” defined in Clause 7 includes Sched 2, para 5
“Legitimate interests” cannot be used for public tasks
Article 9 (Schedule 3) has flexibility for Member States for some items of “Special Personal Data” (e.g. Health)
Criminal records etc (Article 10) are not Special Personal Data, but are subject to a similar kind of restriction
Legal basis now specified in the “Fair Processing Notice”; expect more challenges on “necessary”
More prominence for the legal basis of the processing

DATA SUBJECT CONSENT
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes which (e.g. by a statement, by a clear affirmative action) signifies agreement to the processing of personal data.
WP29: direction of travel is “opt-in” for consent
Burden of proof is on the controller to demonstrate that consent was given by the data subject. Recital 42: controller to demonstrate that the data subject has given consent to the processing operation.
Consent, in the public sector, is only realistic for fringe processing (e.g. supporters of the Local Museum)

ICO CONSULTATION (widely acclaimed!). Might need a consent for each purpose. Also the consent Recitals are very important. The Directive has “unambiguously given his consent” as part of its equivalent of Schedule 2; now it is part of the definition of consent.

CONSENT (A.7; RECITALS 32, 42 & 43)
Consent clearly distinguishable from the other matters (e.g. other statutory notices) and explained in an intelligible and easily accessible form, using clear and plain language
Any part of the consent declaration which constitutes an infringement of the Regulation can negate consent
Right to withdraw consent at any time (no retrospective effect). It shall be as easy to withdraw consent as to give it; right to withdraw consent is identified in FPNs (A.13; A.14)
Recital 32: pre-ticked boxes do not constitute consent
Recital 42: consent not valid if there is no effective choice

“NECESSARY” & DATA SUBJECT CONSENT
Third Principle: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Fifth Principle: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
A.6 grounds are “necessary” for something, except consent. However, the 3rd and 5th Principles link necessary to consent

“PUBLIC TASK” (A.6(1)(e) & CLAUSE 7)
processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for—
(a) the administration of justice,
(b) the exercise of a function of either House of Parliament,
(c) the exercise of a function conferred on a person by an enactment, or
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department.
Right to object to the processing applies (consider it carefully)
Functions of a public nature in the public interest

“LEGITIMATE INTERESTS” (A.6(1)(f))
Public authority cannot use this ground for public tasks (R.47)
Controller’s “legitimate interest” explained in FPN (A.13; A.14)
A.17 right: controller has to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject. Note that the S.10 threshold of substantial unwarranted damage or substantial unwarranted distress has gone.
Right to restrict processing (A.18) until determination of whose legitimate interest prevails (and possibly notify recipients; A.19)
A.40 code of conduct should be followed once it exists
Identify Para 6 Schedule 2 processing as an action

GROUNDS FOR SPECIAL PERSONAL DATA
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
necessary for the purposes of carrying out the obligations in the field of employment and social security and social protection law
necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim

GROUNDS FOR SPECIAL PERSONAL DATA (continued)
personal data manifestly made public by the data subject
necessary for the establishment, exercise or defence of legal claims
necessary for reasons of substantial public interest (Member State law shall be proportionate to the aim pursued .. and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject)
necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care

SCHEDULE 1: MORE RELEVANT GROUNDS TO LOCAL GOVERNMENT
Health and Social Care; Public health
Research (linked to safeguards in Article 89 and Clause 18)
Substantial Public interest (very broad but mirrors Clause 7)
Equal Opportunities
Preventing fraud, unlawful acts, dishonesty etc
Elections, political parties and elected representatives
Note: criminal convictions need 3 conditions (a ground in A.6, one in A.9 or Schedule 1, Parts 1-3, and one in Schedule 1, Part 4)
Can be a requirement for policies and other safeguards which can be assessed re the Accountability Principle

SUMMARY CONCLUDING COMMENTS
Special Personal Data and Personal Data definitions are widened
All Schedule 2 and 3 grounds in the DPA can be found in Article 6 and Article 9/Schedule 1 (find them)
Right to be informed: requires the grounds for the processing of personal data to be identified to the data subject; other rights to be identified as part of the right to be informed (e.g. right to object; withdraw consent)
Some grounds for processing Special Personal Data have mandatory recording requirements (e.g. policies) which will be assessed as part of the Accountability Principle

THE END
QUESTIONS
More on the GDPR and LED in all Amberhawk DP courses …. and on HAWKTALK (wholly balanced blog)
©Chris Slane