By Patrick Stewart
1. Legal background
Data Protection in the UK is currently governed by the Data Protection Act 1998. The statute implements the EU Data Protection directive of 1995.
The General Data Protection Regulations will come into force on 25 May 2018 and supersede the 1995 directive and the 1998 Act. They are regulations issued by the EU and have direct effect in all EU countries. The aim is to have a single set of regulations governing data protection throughout the EU. Having said this, there are some minor areas where individual countries will be able to exercise discretion.
Following the invocation of Article 50 to leave the EU, the Government’s Great Repeal Bill will bring the GDPR into UK law. In addition, the Government has submitted the Data Protection Bill to Parliament, where it is currently being considered in the House of Commons. The Bill will also bring GDPR into UK law and fill in some of the discretions left to individual countries by those regulations.
The Government has made no secret of its support for GDPR. This is in large part to avoid interruption of data flow between EU countries and the UK post Brexit.
2. Personal data
The definition of personal data is as set out in the 1998 Act. It is:
- Data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller.
The definition of data has not been changed by the regulations, but it has been extended so that it now expressly includes an IP address.
Sensitive Data – now referred to as Special Categories of Personal Data – includes racial and ethnic origins, political opinion, religious and other beliefs, trade union membership and sexual orientation. These categories remain, with genetic data and biometric data added to them.
3. Processing personal data
The lawful bases which permit processing of personal data are set out in Article 6 of GDPR. The relevant ones are:
- the Data Subject has given consent. Consent must be freely given, specific, informed and unambiguous;
- the processing is necessary for the performance of a contract to which the Data Subject is a party, or for taking steps at the request of the Data Subject with a view to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
- the processing is necessary in order to protect the vital interests of the Data Subject; and
- the processing is necessary for the purposes of the legitimate interests pursued by the Controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
This envisages a balance between the legitimate interests of the Data Controller which wishes to process the data and those of the Data Subject. It is to redress this balance in favour of the processor that many organisations are requesting that Data Subjects on their books confirm their opt-in to receive information.
4. Privacy statement
GDPR creates a right on the part of the Data Subject to be informed of the following information, which must be provided at the time the data is collected:
i. Identity and contact details of the Data Controller;
ii. The purposes of the processing for which the personal data is intended as well as the legal basis for that processing;
iii. The recipient or categories of recipients of the personal data;
iv. Where applicable, the fact that the Controller intends to transfer data to a third country and the legal basis for the transfer;
v. The period for which the personal data will be stored, although if it is not possible to determine, the criteria used to determine that period;
vi. The existence of the right to request from the Controller, access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability;
vii. The right to lodge a complaint with the supervisory authority in the UK, the ICO;
viii. Whether the provision of personal data is a statutory or contractual requirement, or is necessary to enter into a contract, whether the Data Subject is obliged to provide the personal data, and the consequences of failure to provide such data; and
ix. Whether the personal data will be subject to any automated processing and if so, the logic involved as well as the significance and the envisaged consequences of such processing for the employees.
This must be provided in clear, concise, intelligible language.
The above should be considered in the context of a privacy statement.
5. The Data Controller / Data Processor
The Data Controller is the individual or organisation which determines the purpose and means of processing personal data. This is likely to be the organisation which is dealing with the Data Subject. This could be by way of employer – employee, supplier – buyer or buyer – supplier. It also covers direct marketing organisations.
The Data Processor is the individual or organisation which processes the personal data on behalf of the Data Controller. This might be in circumstances in which an organisation outsources payroll or a direct marketing exercise.
The relationship between the Data Controller and Data Processor will be more regulated under GDPR. In particular, there will need to be a written contract between the Data Controller and Data Processor which would cover the following areas:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of the Data Subject;
- The obligations and rights of the Controller.
The contract should include provisions requiring that the Processor:
- Only act on the written instructions of the Controller;
- Ensure that people processing the data are subject to a duty of confidence – this might require the inclusion of a confidentiality clause in all contracts of employment and consultancy arrangements with those individuals;
- Take appropriate measures to ensure the security of processing;
- Only engage sub-processors with the prior consent of the Controller and under a written contract;
- Assist the Controller in providing subject access and allowing Data Subjects to exercise their rights under the GDPR;
- Assist the Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and Data Protection impact assessments;
- Delete or return all personal data to the Controller as requested at the end of the contract; and
- Submit to audits and inspections; provide the Controller with whatever information it needs to ensure that they are both meeting their obligations under the GDPR; and tell the Controller immediately if it is asked to do something which infringes the GDPR or other data protection law.
Under Article 28 of GDPR, if a Data Controller is seeking to contract with a Data Processor, the Data Controller must ensure that the Data Processor is competent to deal with the matter and with all requirements of GDPR. A degree of due diligence will be required. The Data Controller will remain primarily responsible for ensuring that personal data is processed in accordance with the GDPR. The Data Controller cannot escape liability by pointing to the breaches of the Data Processor, unless the Data Controller can demonstrate that it was not in any way responsible for the event that gave rise to the damage.
Existing contracts between Data Controllers and Data Processors will need to be reviewed to ensure that they are compliant with the GDPR with effect from 25 May 2018. New contracts will have to incorporate those terms as well.
6. Recording / reporting
The Data Controller must keep a written record of any personal data breaches that the organisation suffers. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In broad terms, it is a security incident which has a prejudicial effect on the confidentiality, integrity or availability of personal data.
In circumstances in which the breach is likely to lead to a risk to the individual’s rights or freedoms, there is an obligation to notify the ICO. Whether the breach is likely to lead to a risk to the individual’s rights or freedoms is assessed with reference to the following factors:
- Type of breach: the nature, sensitivity and volume of personal data;
- Ease of identification of individuals;
- Severity of consequences for individuals;
- Special characteristics of the individual – for example children or others who are vulnerable;
- Number of individuals affected;
- Specific characteristics of the Data Controller. A medical organisation processing health records would pose a greater threat than the mailing list of a charity.
Notification must be made without undue delay and within 72 hours. The information to be included in the notification is:
- A description of the personal data breach, including the categories and approximate numbers of individuals concerned, and the categories and approximate numbers of data records concerned;
- The name and contact details of the Data Protection Officer, if any, or any other contact point where more information may be obtained;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach. This is to include, where appropriate, actions taken to mitigate any possible adverse effects.
Beyond this, where the data breach is likely to result in a high risk to the rights and freedoms of the individual, there is an obligation to notify the individual concerned. There is no stated time for such notification, and the general view is that it should follow notification to the supervising authority. The information to be given to the individual is the same as that given to the supervising authority, other than the first item, which of course may refer to the data of other individuals.
The maximum penalties proposed under GDPR for breaches are significant. They fall into two tiers. The lower tier, a maximum of €10,000,000 or 2% of global turnover, applies to breach of the obligations to maintain records, to report breaches, to obtain consent in relation to children’s data, and to appoint a Data Protection Officer. The higher maximum of €20,000,000 or 4% of global turnover can be imposed for breach of the basic principles or for ignoring Data Subjects’ rights.
The fines are said to be imposed at a level which is to be effective, proportionate and dissuasive. However, the regulations also require regard to be had to the:
a. gravity, nature and duration of the infringement;
b. nature, scope, purposes of processing;
c. categories of personal data affected;
d. numbers of affected Data Subjects and level of damage suffered;
e. financial benefits to the breaching party;
f. intentional or negligent compliance history;
g. adherence to Code of Conduct or approved certification;
h. mitigation taken such as cooperation with the Authorities.
It will be interesting to see how the Authorities allow for these factors in the fixing of levels of fine.
It is long established that an Employer can be liable for losses suffered by third parties caused by the actions of its employees. In the case brought by a number of Claimants against Morrisons, the supermarket, the company was held liable for a deliberate data breach perpetrated by a disaffected employee. Liability was not dependent upon the steps taken by Morrisons to ensure the security of their data, but simply on the basis that they were responsible for the actions of their employees.