A summary of the implications of the General Data Protection Regulations (GDPR)


Introduction

1. The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. Various implications of the GDPR will need to be resolved in advance of that date, owing to the academic year and other business cycles (e.g. undergraduate students matriculate in October annually: GDPR-compliant data protection statements will need to be ready for October 2017).

2. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. Irrespective of Brexit, the GDPR will stay in effect to the extent that it applies to organisations outside the EU that offer goods or services to individuals while they are in the EU. In addition, the government has confirmed that it is likely that the GDPR (or a national version of it) will persist after Brexit so as to enable the UK to apply for data protection adequacy status as a non-EU state.

3. It will apply to Colleges as both data controllers and data processors (a controller says how and why personal data is processed; the processor acts on the controller's behalf). It will also apply in a similar way to the Office of Intercollegiate Services.

Key points

4. There are some changes in Principles between the Data Protection Act (DPA) and the GDPR, but these are not significant. The general move is towards greater transparency and accountability, and it is these concepts that will impose new requirements on Colleges in the management of personal data and related record-keeping.

5. Colleges will be required to produce additional documentation to comply with the transparency elements of the GDPR, including:
- records of processing activities (paragraphs 27-28);
- data protection statements (especially where historically they have only had one) (paragraph 29);
- records of sharing personal data with third parties, including data sharing agreements.

6. The definition of personal data remains largely unchanged ("any information relating to an identified or identifiable natural person ('data subject')"): it has been expanded to include data relating to the digital age (e.g. IP addresses, genetic code, location data).

7. Sensitive personal data (which has always relied more heavily on consent) is re-categorised as "special categories of data". It retains the inclusion of data relating to many (though not all) of the protected characteristics under the Equality Act but is similarly updated for the digital age.

8. A key factor for understanding the implementation of the GDPR will be whether the University and the Colleges are designated as public authorities under the national interpretation of the Regulation. Public authorities have the following substantive additional constraints:
- they cannot rely on the legal basis of legitimate interests to process personal data (paragraph 12);
- they must employ a Data Protection Officer, a new governance role (paragraphs 22-26).

9. Where a College relies on consent to process personal data, the bar is now higher: consent must be clear, affirmative, easily withdrawable, demonstrable and separate from other matters. Further guidance is expected but it is clear that opt-in consent will now be needed in all cases where consent is relied upon.

Recommendations for the Legal Affairs and Employment Sub-Committee (LA&E) and the Office of Intercollegiate Services (OIS)

i. Adopt the Colleges' GDPR timetable (as provided in a separate paper) and keep it under regular review as a standing agenda item for LA&E until May 2018;
ii. Approve the data audit template materials prepared by OIS (provided as separate papers) for wider circulation to the Colleges;
iii. Approve the recommendations for Colleges, as outlined below;
iv. Recommend the circulation of this paper to Bursars' Committee and Colleges' Committee;
v. Endorse the appointment of a Colleges' Advisory Group (as outlined in a separate paper) to assist LA&E and OIS in the consideration of GDPR-related business;
vi. Endorse the proposed data protection statement template for alumni, friends and other supporters (as provided in a separate paper);
vii. Commit to the consideration of future data protection statement templates for other categories of data subject, and of data sharing agreements (or protocols) as these are revised;
viii. OIS will need to draft a data sharing agreement with the Colleges and the University (in its role of data processor for certain processes of the Colleges involving personal data).

These were all agreed by LA&E at its meeting on 3 March.

Recommendations for Colleges

ix. Nominate a person to co-ordinate GDPR requirements and actions in preparation for the implementation of the Regulations by May 2018;
x. Instigate a series of data audits to record the processing of personal data in the College, in preparation for the required records of processing activities (paragraph 27) and data protection statements (paragraph 29): templates to assist in this are available from the Office of Intercollegiate Services;
xi. Consider the use of external training to embed specialist knowledge of data protection matters in the College;
xii. Review the Colleges' GDPR timetable to ensure maximum co-ordination between Colleges and pan-Cambridge activities;
xiii. Review current data breach reporting procedures to ensure GDPR compliance (paragraphs 31-32).

These were all agreed by LA&E at its meeting on 3 March.

Contents of the paper
- Differences in Principles between the Data Protection Act (DPA) and the GDPR
- Lawfulness of data processing
- What is consent?
- Roles and duties of a Data Protection Officer
- Records of data processing
- Content of data protection statements
- Data breach procedures
- Appendix: Structure of the GDPR and key Articles

External resources
- GDPR (the Regulations)
- Information Commissioner's Office (ICO): GDPR overview
- ICO: 12 steps to take now
- Article 29 Working Party (EC): Guidelines on Data Protection Officers

Differences in Principles between the Data Protection Act (DPA) and the GDPR

10. The following statements are paraphrased from the specified Schedule and Article:

DPA (Schedule 1): Personal data shall be | GDPR (Article 5): Personal data shall be
processed fairly and lawfully | processed fairly, lawfully and transparently
processed only for specified and lawful purposes | processed only for specified, explicit and legitimate purposes
adequate, relevant and not excessive | adequate, relevant and limited
accurate and kept up to date | accurate, kept up to date and rectified if inaccurate
not kept for longer than necessary | not kept for longer than necessary
processed in accordance with individuals' rights | not in Article 5, but robust requirements in other Articles
protected by measures to prevent unauthorised or unlawful processing and to prevent accidental loss or destruction | protected by measures to prevent unauthorised or unlawful processing and to prevent accidental loss or destruction
not transferred outside of the EEA without adequate protection | not in Article 5, but robust requirements in other Articles

In addition, Article 5 states that data controllers are required to demonstrate compliance with all of the above.

11. While similar, the differences in wording indicate a move towards greater transparency and accountability, and an emphasis on a proactive approach to information management and security ("privacy by design and default"). It is these concepts that impose new requirements on Colleges in the management of personal data and record-keeping.

12. Article 24(1) imposes a very all-encompassing duty: "Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary."

Lawfulness of data processing

13. Article 6 outlines the legal options for Colleges to process personal data (highlights by the author of this paper):

"1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX."

(The Article goes on to explain more fully where (c) legal obligations and (e) public interest apply, and that further rules and constraints may be set out by either the EU or by individual member states, as referenced in Chapter IX of the GDPR.)

14. Attention is drawn specifically to point (f), legitimate interest, and especially to the sentence that follows it: legitimate interests is in many cases the most-used (or fall-back) legal reason for current personal data processing by Colleges. Neither the GDPR nor wider EU law defines "public authority": it is for member states to determine which organisations are defined as such. The UK government has not yet done so, but the ICO has indicated informally that, as universities and the Colleges are public authorities under the Freedom of Information Act, it would not be unreasonable for them to be so designated under the GDPR.

15. Consequently, as a worst-case scenario, Colleges will need to review which of the other five lawful reasons [(a)-(e) above] would apply for the processing of all categories of personal data. One key area of risk already identified is the storage and processing of personal data relating to alumni and other donors/supporters of the College: the Colleges' Development Directors' Committee is in extensive discussions with the Joint Committee on Development and CUDAR about the immediate management of that risk.

16. Otherwise, the College is likely to rely on (a) consent, (b) contract and (c) legal obligation to manage personal data of other cohorts of data subjects (e.g. applicants, students, staff). For some specific processes (e.g. disciplinary procedures, complaints), additional consent at the point of first engagement will need to be considered as the most appropriate option, in order to ensure that the data subject is fully aware of the extent of data processing and data sharing.

17. Article 6 also outlines, however, that where lawful processing is not undertaken on the basis of (a) consent or (e) the public interest, processing for other non-stated purposes may be considered provided that a full (documented?) consideration of the context of collection, of the link between the collected data and the non-stated purpose, and of the impact on the data subject of the possible consequences of further processing takes place.

What is consent?

18. Article 7 explains what is meant by consent (highlights by the author of this paper):

"1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

19. Consent therefore is defined as an opt-in process (rather than the previously widely-used opt-out mechanisms for marketing and sales). There is a requirement (in data protection statements, whether gaining consent or otherwise) to be clear and transparent about the full range of data categories and processing used, so that consent can be seen to be unambiguously given for all purposes.

20. It is worth noting that paragraph 4 covers circumstances where consent is linked to a contractual obligation (e.g. matriculation of a student or employment of a member of staff). Colleges will need to be clear where the withdrawal of consent for processing would have a significant impact on the continuing relationship (e.g. where the withdrawal of consent to pass on disability information to the University would make it impossible for a student to take their examinations under special conditions). Colleges are therefore advised not to rely on consent for the processing of personal data relating to staff or students if at all possible.

21. In addition, Article 9 (which covers the lawful processing of special categories of data) outlines that explicit consent is required for such data if there is no alternative legal basis: there is no definition of "explicit consent" and it is hard to envisage how it could be any different or more stringent than the definition of consent above.

22. It implies, however, that for processes that use such data (i.e. data relating to protected characteristics), the College might be mindful to seek consent for that process at the point of first contact with it. For example, if a student wishes to instigate a disciplinary investigation of another student on the grounds of racism, the College should consider seeking consent from both the complainant and the alleged offender at the start of the investigation for data collection, processing and sharing, rather than relying solely on the general data protection statement provided to students as part of matriculation.

Roles and duties of a Data Protection Officer

23. The term Data Protection Officer (DPO) represents a new role defined under the GDPR. Organisations designated as public authorities under the GDPR are required to appoint a DPO: for other organisations there is no requirement to do so, but Colleges will otherwise need to nominate a person to act as a general co-ordinator of GDPR-related activities.

24. The new DPO role is related much more to governance and counsel over the proper interpretation of the GDPR: it should not be interpreted as a parallel or expanded version of the existing data protection officer (dpo) role nominated in Colleges under the DPA. The current dpo role is usually an operational one: he or she co-ordinates the activity within a College relating to subject access requests, data breach notifications and investigations, advises on the content of data protection statements, and provides training and advice in DPA matters.

25. The new DPO role is not an operational role and must be discrete from data protection operational activities. Article 39 outlines what the person appointed is responsible for (highlights and [additions] by the author of this paper):

"(a) to inform and advise the controller or the processor [the College] and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor [the College] in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority [the ICO];
(e) to act as the contact point for the supervisory authority [the ICO] on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter."

26. In addition, the DPO is:
a. required to ensure that any other duties/responsibilities they hold are not in conflict with these roles;
b. appointed on the basis of their "professional qualities and, in particular, expert knowledge of data protection law and practices";
c. to be in a position where he or she reports to the highest management level, without interference or instruction or risk of penalty or dismissal;
d. provided with appropriate resources to carry out their duties, including their own professional development; and
e. accessible to any data subject for the discussion of any issues or management of their rights.

A person can act as a DPO for more than one organisation, making the appointment of a DPO for two or more Colleges a possibility.

27. In essence, therefore, Colleges will need to consider the appointment of both a DPO and a dpo (and note that the dpo will need to adopt a different name), alongside the associated resource and training costs.[1]

Records of data processing

28. Article 30 outlines the records a College must hold to meet its obligations of transparency of data processing. The records should include:
a. identity and contact details of the data controller (usually the College);
b. a description of the technological and organisational measures to ensure information management and security;
c. the purposes of any processing of personal data;
d. a description of the categories of data subjects;
e. a description of the categories of personal data;
f. the length of time the personal data will be retained for (where possible);
g. details of third party recipients of personal data, and particularly those outside the EEA (and an indication of how the transfer is compliant with the GDPR);
h. associated records of data sharing agreements established with those third parties;
i. circumstances where personal data is processed on behalf of others (e.g. the University), including the data processing activities and how information management and security is maintained.

[1] Subject to confirmation (or otherwise) that Colleges are public authorities under the GDPR. If they are not, the related tasks of the DPO will still need to be vested in a role within College (although the required independence of the role will be less of an issue).

29. In order to meet these requirements, Colleges are advised to undertake data audits for each category of data subject across the College. Templates to facilitate this process can be provided by the Office of Intercollegiate Services.

Content of data protection statements

30. Articles 13 and 14 outline the information to be provided to data subjects relating to personal data provided by them and obtained through other means. This information is generally provided in a data protection statement (DPS)[2]: these should include (paraphrased from the Articles):
a. identity and contact details of the data controller (the College);
b. contact details of the Data Protection Officer (if applicable);
c. purposes of the processing of the personal data and the legal basis of the processing;
d. the legitimate interests (if that is the legal basis of the processing);
e. whether the data provided by the data subject is required for statutory or contractual purposes, and the consequences of not providing the data;
f. the categories of personal data obtained by the College from other sources, what those sources are, and which of them constitute publicly-accessible information or data;
g. the existence of any automated decision-making or data processing and the implications of such processing;
h. the length of time the personal data will be retained for (or a description of when it will be deleted);
i. people or organisations that the personal data is passed on to, and why;
j. any transfers of personal data outside the EEA, with reassurance that they meet the requirements of the GDPR;
k. the rights of the data subject to access, rectify, erase or port (sic) their personal data;
l. the rights of the data subject to withdraw consent or restrict processing (if relevant);
m. the right of the data subject to lodge a complaint with the ICO.

Data breach procedures

31. Articles 33 and 34 outline the changes in requirements imposed by the GDPR on both the College and the ICO in the management of a personal data breach, whether that is through the accidental or illegal loss or deletion of the data, or the release of personal data to others without the proper authority.

32. Personal data breaches will be required to be communicated to the ICO without undue delay and in any event within 72 hours of the breach being identified (unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects). The breach report will need to include:
- the nature of the breach, including an approximate number of data subjects involved and the categories of personal data affected;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach and the measures being taken to mitigate the stated consequences.

[2] The University and the Colleges also use a variety of other interchangeable terms, including data protection notice, data processing statement, data notice, privacy notice, data consent request, personal data notice, privacy policy and so on.

33. In addition, there are requirements to communicate to all affected data subjects, again without undue delay (unless the breach is unlikely to result in a high risk to the rights and freedoms of the data subjects). Such communications are required to be in clear and plain English and to include the information outlined above. There are circumstances where such personal communication is not required:
- where general measures (technological and organisational) have been adopted to render the personal data unintelligible to any person not authorised to access it (e.g. through encryption or robust password protection);
- where subsequent actions have reduced the risk to the rights or freedoms of data subjects so that it is no longer likely to materialise;
- where such communications would involve disproportionate effort, provided that the College instead makes an appropriate public statement so that data subjects are informed in an equally effective manner.

34. Where a College chooses not to make such a personal communication, the ICO may subsequently require the College to do so.

Other requirements of the Regulation

35. This paper has set out to highlight the most important aspects of the GDPR for Colleges: the Regulation also includes a number of other areas which may impact on College activities to a lesser extent, including:
- new and expanded rights for data subjects;
- requirements in some circumstances for data protection impact assessments;
- legal constraints on transferring data outside of the EEA;
- large increases in fines for data breaches.

Dr M Russell
21 February 2017

Appendix: Structure of the GDPR and key Articles

I: General provisions
- Articles 1-4: Scope and definitions

II: Principles
- Article 5: Principles. These outline the fundamental structure of the Regulations and replace Schedule 1 of the DPA (see the section on differences in Principles above)
- Article 6: Lawfulness of processing. Replaces Schedule 2 of the DPA
- Articles 7-8: Conditions for consent. Article 8 relates to consent for children (yet to be defined in the UK but may be <13 years old)
- Articles 9-10: Processing of special categories of data, including criminal convictions. Replaces sensitive personal data and Schedule 3 of the DPA
- Article 11: Processing which does not require personal data. The anonymisation of personal data and its removal from the application of the GDPR

III: Rights of the data subject
- Article 12: Provision of data protection statements, data correction procedures and subject access requests. Subject access requests will need to be free and responded to within one month of receipt
- Articles 13-14: Content of data protection statements, for information provided by the subject and by others. Article 13 relates to information provided by the data subject; Article 14 relates to information provided by others. Together, these inform the content and structure of data protection statements (DPS). These must be updated and communicated within one month of changes or before personal data is provided to others (whichever is the earlier)
- Article 15: Rules for subject access requests
- Right to rectification and related rights: various rights of data subjects, including the right to rectify the data; NEW: right to erasure ("right to be forgotten"); NEW: right to restrict processing; NEW: right to data portability; right to object to marketing and profiling

IV: Controller and processor
- Responsibilities of data controllers and data processors and how they interact
- Records of processing activities (Article 30): Colleges will need to keep records of how they process personal data and for what purposes, recording alongside the legitimacy of the processing and data retention periods
- Article 32: Security of processing. The requirement for appropriate technical and organisational measures for the proper management of data security
- Breach notifications (Articles 33-34): data breaches to be notified to the ICO without undue delay and not later than 72 hours
- Impact assessments (Article 35)
- The role and responsibilities of a Data Protection Officer: this will be a mandatory requirement if Colleges are designated as public authorities by the UK government. The role is a governance role (unlike the more familiar operational one) with specific accountabilities and independence from the operation of information management in the College
- Ability of the EU and the ICO to draft additional codes of conduct to supplement the GDPR

V: Transfers of personal data to third countries or international organisations
- Transfers justified by adequacy decisions: there is a requirement for local data protection laws to be demonstrably as robust as the GDPR. The EC will provide assessments of these
- Transfers justified by appropriate safeguards or binding corporate rules: these include the adoption of appropriate sections of the GDPR by the receiving organisation, covered by contractual obligations
- Other related rules

VI: Independent supervisory authorities
- Acknowledges the role of the ICO in the UK, and its powers and functions

VII: Cooperation and consistency
- Rules to govern EU cooperation

VIII: Remedies, liabilities and penalties
- Rules to govern individual rights to compensation and supervisory authority fines

IX: Provisions relating to specific processing situations
- Authority to include additional rules in specific circumstances

X: Delegated acts and implementing acts

XI: Final provisions
- Legal matters of implementation of the GDPR