
Data Protection Impact Assessments under the GDPR

Accountability is an important aspect of the General Data Protection Regulation (GDPR).  The accountability principle in Article 5(2) of the GDPR obliges data controllers to be able to demonstrate that they are complying with the data protection principles in Article 5(1) of the GDPR.  Some of the technical requirements placed upon data controllers within the GDPR can be traced back, at least in part, to the accountability principle.  One of the requirements of the GDPR which will assist data controllers to demonstrate compliance with the data protection principles is the requirement to complete, in certain circumstances, a Data Protection Impact Assessment (DPIA).

For a number of years supervisory authorities around the EU, including the UK Information Commissioner, have encouraged organisations to conduct a Privacy Impact Assessment (PIA) as part of their promotion of good data protection practice. DPIAs are simply PIAs by another name. The requirements for DPIAs are set out in Articles 35 and 36 of the GDPR.

When do I need to perform a DPIA?

Article 35(1) of the GDPR requires data controllers to conduct an assessment of the impact of envisaged processing operations on the protection of personal data where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.  The DPIA must be conducted prior to undertaking the processing envisaged.

Article 35(3) sets out specific circumstances where a DPIA should be carried out by a data controller and those are:-

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

When deciding whether a DPIA is required it will be important for data controllers to check the ICO’s website. The Information Commissioner is required to publish a list of the kind of processing operations which are subject to the requirement for a DPIA.  If the processing operations envisaged by a controller appear on this list, then they will be required to carry out a DPIA.  Article 35(5) also empowers the Information Commissioner (but does not require her) to establish and publish a list of the kind of processing operations for which no data protection impact assessment is required.

What does a DPIA require?

Article 35(7) sets out what the DPIA must include as a minimum; these are:-

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  • an assessment of the risks to the rights and freedoms of data subjects (the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage – see recital 75 of the GDPR for more detail)
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data; and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

It should be noted that the requirements set out in Article 35(7) for the content of a DPIA are a minimum; there may be situations in which a DPIA needs to go beyond what is set out above.

The role of the Data Protection Officer

If you have appointed a Data Protection Officer, then Article 35(2) of the GDPR requires that you seek advice from them when carrying out a DPIA. It should be remembered that a DPIA might change a number of times during the process; you should therefore keep your DPO involved throughout and seek advice from them regularly at appropriate junctures. Seeking advice from the DPO is not simply a box-ticking exercise and should therefore not be treated as such. If you treat it as a simple box-ticking exercise you could find yourself not complying properly with the requirements of the GDPR and could potentially be missing out on valuable advice. Remember that controllers are not obliged to follow the advice of their DPO, but if they elect to act contrary to that advice then they should document this and could be required to defend that decision.

The Role of The Information Commissioner

I have already indicated that the Information Commissioner has a role in the DPIA process, but her role is more extensive than has already been covered above. There are circumstances, set out in Article 36 of the GDPR, in which controllers will be required to consult with the ICO.  This applies where, in the absence of any mitigating measures by the controller, the DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects.

Within a period of 8 weeks following receipt of the request for consultation (but this may be extended by a further 6 weeks in appropriate cases) the Information Commissioner is required to provide written advice to the controller where she is of the opinion that the intended processing would infringe the Regulation.  It is therefore important that you consult the Commissioner well in advance of undertaking the envisaged processing to ensure that you have enough time to receive any written advice from the Commissioner and to consider and apply it.

The Information Commissioner’s role does not end there; she is not simply limited to giving written advice to the controller.  She can also become much more involved by conducting a data protection audit, issuing a formal warning that the intended processing is likely to infringe the provisions of the GDPR, and can even limit or prohibit (temporarily or indefinitely) a data controller from undertaking the proposed processing.

Penalties

A failure by a controller to comply with its obligations to conduct a DPIA where one is required can attract an administrative fine of up to €10,000,000 or 2% of global turnover (whichever is greater); as can a failure to consult with the Information Commissioner where consultation is required under Article 36 of the GDPR.  Failure to comply with an order limiting or prohibiting the processing (whether temporary or indefinite) can attract an administrative fine of up to €20,000,000 or 4% of global turnover (whichever is greater).

Can I undertake a DPIA when one is not required by the GDPR?

Yes you can; a properly completed DPIA will be of assistance to you in demonstrating that you are complying with the data protection principles. A DPIA on its own will usually be insufficient to completely comply with the Article 5(2) obligations (even where it is required by Article 35), but a properly completed DPIA is certainly something that you can produce to the Information Commissioner to help evidence that you are taking your data protection obligations seriously.

Alistair Sloan

If you require advice or assistance with Data Protection Impact Assessments or any other data protection matter then contact Alistair Sloan on 0141 229 0880 or by E-mail. Alistair can also assist with other aspects of information law.

Data Protection Bill 2017: initial observations and comments

Last week the UK Government finally introduced their much anticipated Data Protection Bill [pdf], which is required to deal with certain aspects of the General Data Protection Regulation.  I have spent some time since then reading through the Bill and this blog post is intended as an initial introduction to the new Bill.

The first thing to note is that the Bill is not an easy read and certainly much of the commentary and discussion has centred on how uneasy a Bill it is to read.  This may well create some difficulties for practitioners going forward, and indeed may also cause some difficulties for data subjects who are trying to understand what their data protection rights are.

There are a few things of note which clarify a number of matters.  The GDPR requires public bodies to appoint a Data Protection Officer, but the GDPR does not stipulate what is and what is not a public body; this was left up to member states to deal with.  The proposed answer comes in Clause 6 of the Bill which gives it the same meaning as public authority in the Freedom of Information Act 2000 and Scottish public authority in the Freedom of Information (Scotland) Act 2002.  So, a public authority for the purposes of FOI is also a public authority for the purpose of the GDPR.  The definition does not include those bodies who are subject only to the Environmental Information Regulations 2004 or the Environmental Information (Scotland) Regulations 2004.

It should be noted that it is proposed that the Secretary of State will have the power to provide, in regulations, that a public body, as defined by clause 6, is not in fact a public body for the purposes of the GDPR.  It is also proposed that the Secretary of State shall have the power to provide that a body that is not a public body, as defined by clause 6, is in fact a public body for the purposes of the GDPR.  There has been no indication as yet that the Secretary of State intends to make any Regulations under these powers and so for the time being it would be prudent to work on the basis that every person and organisation who is subject to the provisions of either the UK or Scottish FOI Acts is a public body for the purposes of the GDPR.

Although the Scottish Ministers cannot directly decide that a person or body ought to be (or ought not to be) a public body for the purposes of the GDPR, the exercising of their powers under Sections 4 and 5 of the Freedom of Information (Scotland) Act 2002 can result in persons or bodies becoming, or ceasing to be, public bodies for the purpose of the GDPR.  This effect is something to consider when the Scottish Government is seeking to extend the coverage of the Freedom of Information (Scotland) Act 2002; the obvious example is housing associations in Scotland.  The Scottish Government is currently considering whether they ought to be Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 or not.  If they lay Regulations to make housing associations a Scottish public authority this will have the effect of making housing associations a public body for the purposes of the GDPR as well.  Of course, the Secretary of State would have the power to then make Regulations which would have the effect of not making housing associations in Scotland a public authority for GDPR purposes.

This may well have an effect on how quickly an order under Section 5 of the Freedom of Information (Scotland) Act 2002 can come into force.  The data controller would become a public authority for the purposes of the GDPR immediately upon the coming into force of the “Section 5 Order”; if they do not already have a Data Protection Officer appointed then they will need to recruit and appoint someone in advance of the Section 5 Order entering into force.

The definition of who is a public body also has implications beyond the need to appoint a Data Protection Officer.  Public bodies are not allowed to rely upon the “legitimate interests” condition for processing personal data in the performance of the public body’s tasks.

In relation to consent, the GDPR allows member states to set an age between 13 and 16 for the purposes of when a child can give consent for the processing of their personal data by ‘information society services’ (e.g. Twitter, Facebook, Snapchat); Clause 8 of the Data Protection Bill proposes setting this at 13 in the UK.  It should be stressed that this only applies to consent provided to information society services and not consent more generally.  A child who is younger than 13 may be capable of providing consent more generally under the GDPR (and indeed, the presumption in Scotland will continue to be that a child of 12 can provide consent).

The GDPR allows data controllers to charge fees, in limited circumstances, when dealing with subject access requests.  Clause 11 of the Data Protection Bill provides that the Secretary of State may “by regulations specify limits on the fees that a controller may charge”.   The inclusion of this power within the Bill suggests that it is the Government’s intention to place a cap on what can be charged by data controllers in those circumstances where a fee can be charged.  The general right to charge a fee in order to process a subject access request, that is in place under the current Data Protection Act, will go.  A more detailed blog on the topic of subject access requests under the GDPR shall follow.

The Monetary Penalty Notice is to remain (although it will now just be a penalty notice) and this is the way in which the Information Commissioner will be able to exercise her powers under the GDPR to issue administrative fines.  The procedure adopted under the current monetary penalty regime is retained with the requirement for the Commissioner to issue a “notice of intent” in advance of serving a penalty.  It will also continue to be a requirement that the penalty notice be issued within 6 months of the notice of intent (see Schedule 16 of the Data Protection Bill).  The Commissioner will be able to issue a penalty notice to a data controller who has failed to comply with an enforcement notice.

These are just a few of the notable points from the new Data Protection Bill and there is plenty more to write about, but that will come in future blog posts.  The Bill has only just been introduced to the House of Lords and still has to go through the full process of scrutiny in both the House of Lords and the House of Commons; therefore, it is entirely possible that the Bill’s 194 clauses and 18 schedules will be amended during the passage of the Bill through Parliament.  The Bill is due to have its Second Reading in the House of Lords, at which the House of Lords will agree (or not) to the general principles of the Bill, on 10th October 2017.

Alistair Sloan

If you would like advice on the General Data Protection Regulation or on the new Data Protection Bill then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send him an E-mail directly.

Data Protection Officers under the GDPR

Many data controllers already have people within their organisation who are referred to as “Data Protection Officers”.  Currently, people with the job title of “Data Protection Officer” can be senior members of staff, or (more often) quite junior members of staff, and their job roles can vary quite considerably from organisation to organisation.  Under the current data protection framework within the UK there is no formal concept of a Data Protection Officer, but that will all change in May 2018 when the General Data Protection Regulation becomes applicable.

The Data Protection Officer

The Data Protection Officer, or DPO, is a specific concept within the GDPR.  All public bodies will be required to appoint a DPO (with one exception, on which see further on) as will many private sector organisations.  The DPO is a key person within the new data protection framework and organisations should avoid giving people who are not a DPO within the context of the GDPR job titles which could be misleading.

The DPO should operate at a senior level and be able to feed into the highest level of the organisation.  The DPO should be a person with expert knowledge of data protection law and practices and should assist the controller or processor to monitor internal compliance with the GDPR.  The DPO can be a full-time or part-time member of staff, but can also be provided by a third party in terms of a service contract.

Where a DPO has been appointed, the data controller is required to publish the name and contact details for their DPO.

When does a Data Protection Officer require to be appointed?

All public authorities, regardless of size, (and with the exception of courts acting in their judicial capacity) will be required to appoint a DPO under the GDPR.  The GDPR does not define what is meant by “public authority or body” and this will largely be left up to national laws to determine.  It would be fair to say that in the UK any organisation that is deemed to be a public authority for the purposes of the Freedom of Information Act 2000 or a Scottish public authority for the purposes of the Freedom of Information (Scotland) Act 2002 will be considered as a public authority or body.

It is also probable that private companies who carry out functions of a public administrative nature will also be considered as a public authority or body and so the definition of public authority for the purposes of the Environmental Information Regulations 2004 and the Environmental Information (Scotland) Regulations 2004 should also be considered.

As already noted, the requirement to appoint a DPO is not simply confined to public authorities; private sector organisations will also be required to appoint a DPO if they meet certain criteria.  Private sector organisations (whether they are a data controller or a data processor – references to data controller in this blog post should be taken to include data processors) will need to appoint a DPO where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.

Finally, any data controller whose core activities consist of processing, on a large scale (which is yet to be properly defined), special categories of data or personal data relating to criminal convictions and offences must also appoint a DPO.  Special categories of personal data broadly correspond with what the Data Protection Act 1998 describes as “sensitive personal data”, which includes personal data such as race, religion, political beliefs, health data etc.

What this means is that there is likely to be a requirement on a large number of private sector organisations to appoint a DPO.

The tasks of the Data Protection Officer

The GDPR sets out various tasks that Data Protection Officers will be required to carry out; these are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to the GDPR;
  • to monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
  • to co-operate with the Information Commissioner as the supervisory authority
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data

Data Protection Officers must be able to carry out their functions independently and must also be given sufficient resources to enable them to fulfil their obligations (for larger organisations, this may include, for example, having staff to assist them).  The requirement for them to conduct their responsibilities independently means that they should not be subject to direction on the performance of their responsibilities by anyone in the organisation and should not be treated unfairly for discharging their duties (e.g. they shouldn’t be side-lined or dismissed if they give an opinion that isn’t appreciated).

There is no obligation within the GDPR for an organisation to do what their DPO advises them to do; however, the accountability principle in the GDPR will mean that the ICO will likely want an explanation as to why an organisation has gone against the advice of their DPO if that is what they decide to do.

It is for each data controller and processor to decide whether or not they require to appoint a DPO; however, the accountability principle of the GDPR will mean that organisations who have decided they do not require a DPO should be able to demonstrate how and why they came to that decision. Organisations that are not required to appoint a DPO under the GDPR can still appoint one if they wish, but persons who are “electively” appointed as a DPO will be viewed in exactly the same way as those whose appointment is mandatory.

Core Activities

What constitutes an organisation’s core activities is not specifically defined within the GDPR.  However, Recital 97 of the GDPR states that, in the private sector, the core activities of a controller relate to its “primary activities and do not relate to the processing of personal data as ancillary activities”.  The Recital is not part of the law, but is a tool which assists with the interpretation of the law.  Organisations will need to be clear as to what their “primary activities” are in order to be able to work out whether processing personal data is one of their “core activities”.

The Article 29 Working Party, in its Guidelines on Data Protection Officers, expresses it in the following way:

“‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patients’ health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.

On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”

Large Scale Processing

As noted above, the GDPR does not define what is meant by large scale processing activities.  In its Guidelines on Data Protection Officers, the Article 29 Working Party has suggested four factors which should be taken into consideration when deciding whether processing is taking place on a large scale.  Those factors are:

  1. the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
  2. the volume of data and/or the range of different data items being processed;
  3. the duration, or permanence, of the data processing activity;
  4. the geographical extent of the processing activity.

As the phrase remains undefined within the GDPR it is a matter that will require a level of judicial interpretation.  No doubt the domestic courts will be asked to grapple with the concept of large-scale processing at some point, as will the Court of Justice of the European Union (although what impact a decision of that court will have in the UK given Brexit is a matter that remains to be seen).

Penalties

A failure to appoint a DPO where one is required is a matter which can attract an administrative fine; in this case the maximum is €10m or 2% of global turnover (whichever is greater).  I have covered administrative fines in more detail in another blog post.  Articles 38 and 39 of the GDPR, which relate to the position of the DPO and their tasks, are also subject to the administrative fine provisions; again with the maximum being €10m or 2% of global turnover (whichever is greater).

Alistair Sloan

If you would like advice on Data Protection Officers under the GDPR, or on any other matter relating to data protection/privacy or Freedom of Information, then you can contact Alistair Sloan on 0345 450 0123, by completing the contact form on this blog, or you can send him an E-mail directly.