As the next in our series of “back to privacy basics”, we look the rules regarding collection and processing of personal data.
As we will do throughout this series, we take a look at the current position and what is current best practice for an organisation. We will also briefly consider what the new Data Protection Regulation may mean in this area.
Data protection law requires all processing of personal data to be fair and lawful. Translating from data protection jargon this means ‘transparency’ and ‘legitimacy’.
For the processing to be “fair” or “transparent”, companies should ensure that certain, clear information is provided to individuals in advance of processing it. Specifically, data controllers need to ensure that individuals are, so far as practicable, told:
who the data controller is
why the personal information is being processed
any further information which is necessary, having regard to the specific circumstances, to enable the processing in respect of the relevant individual, to be fair.
In practice this means clear and specific information being provided in privacy policies, marketing consents, employee handbooks, online policies etc.
In terms of ‘legitimacy’ (or “lawfulness”) the purpose for which the information is collected is key. Data protection law will only permit its collection and subsequent processing if organisations can demonstrate the processing is for one of a defined list of conditions for processing. This aims to ensure that personal data is only used for legitimate reasons.
For many organisations, the key purposes that it will be able to rely upon or are those for which it has collected the individual’s consent; where the processing is necessary in connection with contracted goods / services provided to the individual; and where required by law.
Organisations may also collect and process information where it is in the organisation’s “legitimate interests” to do so. But this is a balancing act. The collection and processing will not be permitted where the individual’s fundamental rights under data protection law override the interests of the organisation.
Before undertaking any data collection, or embarking on a product development that will involve significant data collection, conduct a Privacy Readiness Assessment or Privacy Impact Assessment to identify personal data being collected and establish legitimate grounds for collection and processing.
Position under draft Data Protection Regulation
One of the real bug-bears of privacy regulators is the practice of treating privacy notices as “small print”, burying away details of processing. Privacy notices should be seen as a way of being upfront and assuring customers of an organisation’s good privacy practices.
Expect this trend to continue should the draft Regulation pass into law in its current state. The draft Regulation places a greater emphasis on enhanced transparency and requires that a much more extensive privacy notice is given to individuals. The proposal is that a standard ‘privacy graphic’ is used with organisations being required to specify details of where the processing varies from the norm.
The well known conditions for processing will, fundamentally, remain the same. This is definitely a case of ‘no news is good news’ for many organisations who rely on ‘legitimate interests’ (or private sector organisations anyway). However, privacy notices will likely need to specify the legitimate interests in advance so this is an extra overhead.
The bad news for public authorities is that they will no longer be able to rely on this ground.
Next up in our series is the topic of data accuracy and proportionality.