Is it Fair? Is it Lawful?
The first DPP is about using information in a fair and lawful way. Fair processing is simply making sure you tell people about what you’re going to do with their personal information. This is usually done with a Fair Processing Notice or a Privacy Notice. To see some examples (good and bad) have a look at the ICO’s Privacy Notices Code of Practice.
It’s important to note that, from May 2018, the General Data Protection Regulation 2016 comes into force. You’ll be able to find related information on the ICO’s Data protection reform pages. If in doubt, check the table on the ICO’s right to be informed webpage.
In any event, the information you provide must be concise, transparent, intelligible and easily accessible. It must also be written in clear and plain language, particularly if addressed to a child.
Lawful processing refers to your purpose or justification for using the data, as outlined in the Conditions for Processing contained in the DPA. If you’re only using personal information, such as name, address and contact details, you must meet at least one condition as set out in Schedule 2 of the DPA.
If you’re using sensitive personal information, such as physical or mental health, criminality, sexual life, then you have to meet at least one condition from Schedule 2 and Schedule 3 of the DPA. Where you rely on consent, it needs to be freely given and fully informed, with the latter covered in your Privacy Notice.
But what if you’re relying on consent and a service user tells you to stop using their information? You may not be able to honour the request if, for example, you’re under a legal obligation through a funding contract to retain such records for a set amount of time. In this case, you would be obliged to tell the service user that you cannot honour their request for this reason.
What about the fact that you were relying on the user’s consent in the first place? This is why your Privacy Notice needs to reflect, in a fair and accurate manner, what you do with service users’ information. In our example, now that consent has been withdrawn, you would have to rely on another condition, such as Schedule 2:3 – a legal obligation to which the data controller (i.e. the organisation) is bound.
Consent is not the most appropriate condition in this example, as the organisation is under a legal obligation to use the information in accordance with the funding contract. The Privacy Notice should have informed the user that personal information would be obtained, used and retained for the purposes of complying with that legal obligation.
you should avoid saying you’ll never share personal information without the consent of the user
The second important point to note is that the use has to be reasonably necessary. An example would be a reliance on vital interests, which is in both Schedules 2 and 3, and would cover child/adult protection, self-harm or harm to others.
This is why you should avoid saying you’ll never share personal information without the consent of the user. Instead, you should state that you will normally not share without consent, unless required to by law or because it would be in the vital interests of the user. Please note that this is not the same as best interests! It has to be vital interests and the ICO believes that this is up at significant harm level.
The concepts discussed in this blog form the foundation of good data protection practice and are vital in building that web of compliance. Get these blocks in place and the rest will fit neatly around them.
Next time, we’ll look at the second, third and fourth DPPs; and learn about purposes, excessiveness and individuals’ rights under the DPA.
Maureen H Falconer is Regional Manager – Scotland for the Information Commissioner’s Offic