gdpr walkthrough lawful basis for processing


Disclaimer: this is not legal advice.

Lawful basis for processing: introduction

Your Lawful Basis for Processing is your justification that you are allowed to process someone's personal data. Personal data belongs to the data subject, and if you are going to process it in any way, then you need a lawful reason. There are six Lawful Bases for Processing. Technically this is not new, as it existed in the Data Protection Act 1998 as "conditions for processing".

Processing is a very broad term under GDPR and is defined in Article 4(2):

"'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

Whether you're viewing the data, just keeping it, or even deleting it, pretty much everything counts as processing.

What does the ICO state?

1. You must have a valid lawful basis in order to process personal data.

You must be able to prove to the ICO that your choice of Lawful Basis is valid.

There are six available lawful bases for processing. No single basis is "better" or more important than the others; which basis is most appropriate to use will depend on your purpose and relationship with the individual.

The ICO is writing a one-size-fits-all guide and doesn't care which method you use, just that it is legal. There are differences between the rights data subjects get and how difficult compliance is to prove. Although none are intrinsically better than the others, there will be a best fit for your business. Consent is difficult and requires maintenance. Ultimately the best option is the one that fits best, which for most businesses will be contract.

Most lawful bases require that processing is necessary. If you can reasonably achieve the same purpose without the processing, you won't have a lawful basis.

This is because you have to declare your purpose for processing in your privacy statement in advance. Your processing has to be necessary for your purpose, because your data subject has only agreed to processing for that specific purpose.

You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time: you should not swap to a different lawful basis at a later date without good reason.

The ICO has stated it will be considered inherently unfair if you try to swap your Lawful Basis for Processing after you have started processing. This is because different Lawful Bases come with different rights for the individual, so swapping later could be seen as an attempt to unfairly deprive them of the rights you agreed to in the first place.

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

This is so people know what rights they have under the chosen basis for processing, and can agree with why you are processing the data in the first place. This essentially sets out the rules in advance, making it harder for you to change them later and easier for the data subject to complain if you try.

If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

The ICO is telling you that it is technically possible to change your purpose for processing after you have started processing. However, this may not be very practical for most businesses. Note that the ICO is writing its guide for public bodies and research institutes as well. For example, Article 89 talks about derogations for "processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes".

If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

Special Category data is given extra protection under GDPR and will attract more serious fines from the ICO if there is a breach or it is processed unlawfully. Essentially GDPR starts off by making it illegal to process any Special Category data, then has a list of legal exceptions. Special Category data includes characteristics like racial or ethnic origin. The most likely condition for processing will be explicit consent. You can see the full list in Article 9.

If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

Criminal convictions get a higher level of protection in Article 10. Specifically, any comprehensive database must be kept only under the control of the official authority. Any kind of processing of Criminal Conviction Data must be made legal by Union or Member State law.

Contract

There is very little change from the old Data Protection Act. However, the fines for getting it wrong are considerably higher, so you might want to review your implementation.

Article 6(1)(b) states that contract is a lawful basis for processing where:

"processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"

The ICO says this doesn't even have to be a formal written contract, as long as it meets the definition of a contract under law. However, remember that the burden is on the controller (you) to prove compliance. This might be difficult without a formal document, but you might be able to prove it with something like a recorded phone call.

What does the ICO state?

1. You can rely on this lawful basis if you need to process someone's personal data:

- to fulfil your contractual obligations to them;

To put this into perspective, if you have an employee you are typically obliged to pay them weekly or monthly. This means you have a Lawful Basis for Processing their bank account information to fulfil that contractual obligation.

- or because they have asked you to do something before entering into a contract (e.g. provide a quote).

The ICO specifically mentions that you can process information to provide a quote. You can't then use the information for another purpose, or store it. This means you can't add every enquiry you ever receive onto a mailing list.

2. The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.

For Contract to be valid as your Lawful Basis for Processing, you additionally need to be able to prove to the ICO that your processing was necessary and no more intrusive than necessary to fulfil the contract. This is so your data subjects can have a reasonable expectation of how you might use their data when they sign the contract.

3. You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.

Article 5(2) says "The controller shall be responsible for, and be able to demonstrate compliance". The burden is on you, and you need to be able to prove you chose your Lawful Basis for Processing before you started.

Checklist

- Review your existing processing, document where and why you rely on contract, and ensure that you can justify your reasoning.
- Identify a separate condition if you need to process special category data.
- If you have contracts with children under 18, consider if they have the competence to enter into the contract. If not, consider an alternative basis such as legitimate interests.
- Demonstrate the child's rights and interests are properly considered and protected.
- Add information about your purposes and lawful basis in your privacy notice.

Legal obligation

Legal Obligation is how your business is able to process data relating to things like payroll, then pass the tax information on to HMRC. Your business doesn't need a contract or consent for this processing, as you are legally obliged to do the processing under EU or UK law.

Additionally, when using Legal Obligation as your Lawful Basis for Processing, your data subjects have no right to erasure, portability or to object. This means your staff can't complain or demand you erase your accounts data if the processing was done

What does the ICO state?

1. You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.

2. Remember, as per Article 6(3), the legal obligation must be in Member State or EU law.

The ICO also confirms the legal obligation you're complying with doesn't have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it.

Some of the laws that you have legal obligations under will have been written a very long time before data protection was a consideration. If they don't mention processing of data explicitly, you will need to be confident that you could prove to the ICO that the law still makes your processing necessary, in order for Legal Obligation to be a valid basis for processing.

This does not apply to contractual obligations.

The obligation must come from a common law or statutory obligation, meaning it was either created by a judge or by an act of Parliament. A contractual obligation that could be written between two businesses can't be used as a loophole to try and legalise processing data on third parties. If you want to process data under contract, then take a look back at the contract section.

The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.

This is one of GDPR's core concepts: data minimisation. You should process the minimum amount of personal data required to fulfil your legal obligation.

You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.

You should start with a data flow diagram of your business processes. This will help you discover how you gather and process data. For each process, make sure you have a Lawful Basis for Processing, and document your justification of how it applies.

You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.

If challenged, the ICO will want to know specifically which law you are complying with. Sources we already know are written statutory law, common law or a court order. Here the ICO weakens its position slightly and also states that you can refer to a government website or to industry guidance that explains generally applicable legal obligations, if it clearly sets out your obligation. Websites can change quickly, so if you are relying on one, take a screenshot with a time and date.

Checklist

- Purpose complies with a legal obligation.
- Review your existing processing, document your decision to rely on legal obligation as your lawful basis for processing, and justify why processing is necessary for compliance with the legal obligation in question.
- Identify the specific legal provision or appropriate source of advice or guidance that clearly sets out your obligation.
- Include information about your purposes and lawful basis in your privacy notice.

Vital interests

This Lawful Basis for Processing is more likely to apply in emergency situations. A Vital Interest is defined as an interest which is essential for someone's life. We can see this in GDPR's Recital 46, which states:

"The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis"

The Vital Interest must only apply to the data subject or another natural person, which is to say it doesn't apply to a legal person such as a company. When the processing of the personal data is for the Vital Interests of a third party, GDPR wants you to use another Lawful Basis where possible, such as Consent, Public Task, or Legitimate Interest.

Health data is included in the special categories of data which get extra protection under Article 9. Article 9(2)(c) provides the exception that allows you to process special category data under Vital Interests, and states the prohibition on special category data doesn't apply when:

"processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;"

What does the ICO state?

1. You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone's life.

This is the main purpose of Vital Interest, and one example of where it is likely to apply would be a life-and-death situation in a hospital.

The processing must be necessary. If you can reasonably protect the person's vital interests in another, less intrusive way, this basis will not apply.

Recapping GDPR's core concept of Data Minimisation: you need to keep processing to the minimum required for your purpose.

You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.

Health data is part of the special categories of data under GDPR, which have extra protection. The exception under Article 9(2)(c) only applies where the data subject is physically or legally incapable of giving consent. To get a better understanding of what this might mean, take a look at the NHS's "consent for treatment" page.

You should consider whether you are likely to rely on this basis, and if so document the circumstances where it will be relevant and ensure you can justify your reasoning.

Vital Interests is primarily to be used in emergency scenarios. You should consider if your business is likely to experience any particular emergency scenario. If you think a scenario might be likely, then write this down and make sure you can justify your use of Vital Interests as opposed to another Lawful Basis for Processing.

Checklist

- Review your existing processing and identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in the future.
- Document where you rely on this basis, justify the reasoning and inform individuals if relevant.
- In most cases the protection of vital interests is likely to arise in the context of health data. This is one of the special categories of data, which means you need to identify a condition for processing special category data.

Public task

Public Task essentially applies to organisations like Public Authorities, but it can still apply to any organisation or business if they carry out tasks in the public interest and have a basis in law for doing so. The term "Public Task" doesn't actually appear in the GDPR, but it is commonly used to refer to Article 6(1)C, which states processing of personal data is legal where:

"processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

You need to be able to prove you are either exercising official authority or carrying out a task in the public interest. For a private company, the ICO gives an example of a water company which exercises special legal powers to carry out utility services in the public interest. Here the water company would not need specific legal authority for all of its processing, as long as its processing was necessary to complete its overall task, which did have a clear basis in law and which was foreseeable to the data subjects.

Public Task is particularly relevant to Public Authorities, as GDPR specifically prevents them from using Legitimate Interest as a legal basis for performing their tasks in Article 6(1)(f).

What does the ICO state?

1. You can rely on this lawful basis if you need to process personal data:

- in the exercise of official authority. This covers public functions and powers that are set out in law; or
- to perform a specific task in the public interest that is set out in law.

Article 6(1)C doesn't mention anything about law. The "set out in law" requirement comes from Article 6(3), which starts with: "The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject."

It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Remember, Public Authorities are prevented from using Legitimate Interest. Public Task can be used by businesses, but only where both their task has a public interest and they have a basis in law for the processing.

You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.

This allows for older laws which might not mention the processing of data at all. You should be able to prove that performing your task requires the processing of the personal data.

The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.

Returning to GDPR's core concept of Data Minimisation: you need to keep processing to the minimum required for your purpose.

Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.

When you are documenting the business processes which use this lawful basis, make sure you also document the relevant law or Lawful Basis you are relying on in each case.

Checklist

- You have considered alternative lawful bases and you are confident that processing is necessary for a relevant task, function or power which is clearly set out in law.
- Document your lawful basis so that you can demonstrate that it applies.
- You need to identify a clear basis in either statute or common law for the relevant task, function or power for which you are using the personal data.
- Update your privacy notice to include your lawful basis, and communicate this to individuals.
- Demonstrate there is no other reasonable and less intrusive means to achieve your purpose.
- Identify an additional condition for processing special category data, if relevant.

Legitimate interests

Legitimate Interests provides a way to process personal data without consent. This has obvious advantages to businesses, but could also increase your risk. The burden is on you as the controller to prove compliance, and you will need to document a Legitimate Interest Assessment (LIA) to prove this legal basis is appropriate.

Legitimate Interests appears in Article 6(1)(f) and is described as a lawful basis for processing where:

"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

What does the ICO state?

Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.

There is additional risk in not asking for consent or not having another, more solid lawful basis such as Legal Obligation, so you should be careful how you use Legitimate Interests and consider other Lawful Bases for processing where possible.

It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

This is likely if you have a relationship with the data subject, such as them being a customer, and the processing you are performing is considered normal or standard practice with little or no negative consequences for the data subject. If there are negative consequences, then you may still be able to use Legitimate Interests if the benefit of your processing is so profound that it is considered to override the interests of the data subject. This might be the case with something of great societal benefit.

Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.

GDPR specifically curtails Public Authorities using Legitimate Interest for their public duties; instead they should look at using Public Task. Public Authorities can still use Legitimate Interest, but only for processing which is not part of their public duties.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

- identify a legitimate interest;

A legitimate interest should be something reasonably specific which has a benefit either to your company, a third party, or society in general.

- show that the processing is necessary to achieve it;

You must show that you have considered if there is any other way to achieve the benefit without processing the personal data.

- balance it against the individual's interests, rights and freedoms.

Consider the impact the processing will have on the data subject's rights and freedoms, in context with the benefit from the processing. A minor benefit which causes significant negative consequences for the data subject is unlikely to be considered lawful.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The inclusion of third-party and societal benefits is a change from the previous Data Protection Act 1998.

The processing must be necessary. If you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply.

Don't forget Data Minimisation: GDPR only wants you to process data where it is necessary.

You must balance your interests against the individual's. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Until we have some case law to test the boundaries, we won't have a clearer picture of what might be considered reasonable. Legitimate Interest is not intended as a way to avoid consent. If you think the data subject would object, then make sure you have a very strong justification of the benefit of the processing.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

You can download a copy of the latest Legitimate Interest Assessment from the ICO from this website.

You must include details of your legitimate interests in your privacy notice.

You can download a sample Privacy Notice from this website.

Checklist

- Check that legitimate interests is the most appropriate basis.
- Understand your responsibility to protect the individual's interests.
- Conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that you can justify your decision.
- Identify the relevant legitimate interests.
- Check that the processing is necessary and there is no less intrusive way to achieve the same result.
- Do a balancing test, and be confident that the individual's interests do not override those legitimate interests.
- Only use individuals' data in ways they would reasonably expect, unless you have a very good reason.
- Do not use people's data in ways they would find intrusive or which could cause them harm, unless you have a very good reason.

- If you process children's data, take extra care to make sure you protect their interests.
- Consider safeguards to reduce the impact where possible.
- Consider whether you can offer an opt-out.
- If your LIA identifies a significant privacy impact, consider whether you also need to conduct a DPIA.
- Keep your LIA under review, and repeat it if circumstances change.
- Include information about your legitimate interests in your privacy information.

Consent

Article 4(11) of the GDPR defines consent as:

"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

Article 6(1)(a) provides a lawful basis for processing where:

"the data subject has given consent to the processing of his or her personal data for one or more specific purposes."

Data controllers must be able to demonstrate valid consent. For consent to be valid, the data subject must have given it freely, with a genuine option and genuine control. They cannot be coerced or ransomed into giving consent, which also means consent can't be a pre-condition of some other service.

The need for consent to be freely given also makes it difficult for public authorities to rely on consent: the data subject may feel they have no real alternative due to the imbalance of power, making the consent invalid. Employers should also be careful when using consent for the same reason.

The privacy notice must be specific about the processing, allowing the data subject to make an informed choice. Consent should be unbundled and asked for separately from any other lawful basis for processing, such as contract. Additionally, consent should also be unbundled from any other consent for a different purpose, such as consent to receive marketing and consent to have your data sold to a third party on the same form.

As the controller you must obtain an unambiguous indication, by clear affirmative action, that the data subject agrees to the processing. This means they must take a positive action to consent, and rules out any pre-ticked boxes or consent by default. Additionally, the controller needs to prove the data subject can withdraw consent at any time without detriment.

What does the ICO state?

The GDPR sets a high standard for consent. But you often won't need consent. If consent is difficult, look for a different lawful basis.

Generally you should consider if there is another, better-fitting Lawful Basis for Processing first. Consent has numerous technical requirements, and additionally requires evidence and maintenance.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

Data subjects should give their consent freely and willingly. They should also be able to withdraw consent just as easily as they gave it, and without undue negative consequences.

Check your consent practices and your existing consents. Refresh your consents if they don't meet the GDPR standard.

You may need to re-contact any existing data subjects and ask them to re-opt-in.

Consent requires a positive opt-in. Don't use pre-ticked boxes or any other method of default consent.

The data subject must take positive affirmative action. You must be able to provide evidence that they gave consent and knew what they were consenting to.

Explicit consent requires a very clear and specific statement of consent.

This could include something like a written statement or voice recording, rather than just ticking a check box.

Keep your consent requests separate from other terms and conditions.

Consent requests should be clear and prominent.

Be specific and granular so that you get separate consent for separate things. Vague or blanket consent is not enough.

Consent requests should be unbundled both from other consent requests for other purposes and from any other processing under another lawful basis.

Be clear and concise.

You must consider your audience and make sure the information is clear and intelligible to them. This is especially important if you are expecting children to consent.

Name any third-party controllers who will rely on the consent.

If you are going to provide the data you collected under consent to any third-party controllers, they should be named in your privacy statement.

Make it easy for people to withdraw consent and tell them how.

It must be at least as easy to withdraw consent as it was to give it. This means you should at least provide a way to withdraw consent using the same platform or mechanism (such as website or mobile) that the consent was given on.

Keep evidence of consent: who, when, how, and what you told people.

As the controller you must be able to prove that the data subject provided valid consent.

Keep consent under review, and refresh it if anything changes.

There is no specified time limit to renew consent; it will probably depend on the relationship with the data subject and the purpose of the processing.

Avoid making consent to processing a precondition of a service.

Consent must be given freely, which means it can't be coerced by forcing data subjects to provide consent in order to use a service. If the processing is necessary for the service, then consider contract. If the processing is not necessary for the service, then you can't ransom consent out of the data subjects.

Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.

This is due to the imbalance of power in the relationship. If you need to use consent where a data subject may perceive negative consequences of refusing consent, then you should be very careful. If possible, provide an alternative to giving consent (or a way of opting out) which does not cause any negative consequences for the data subject.

Checklist

Asking for consent

- Check that consent is the most appropriate lawful basis for processing.
- Make the request for consent prominent and separate from the terms and conditions.
- Ask people to positively opt in.
- Don't use pre-ticked boxes or any other type of default consent.
- Use clear, plain language that is easy to understand.
- Specify why you want the data and what you are going to do with it.
- Give individuals granular options to consent separately to different purposes and types of processing.
- Name your organisation and any third-party controllers who will be relying on the consent.
- Tell individuals they can withdraw their consent.
- Ensure that individuals can refuse to consent without detriment.
- Avoid making consent a precondition of a service.
- If you offer online services directly to children, only seek consent if you have an age-verification measure (and parental consent for younger children) in place.

Recording consent

1) Keep a record of when and how you got consent from the individual.
2) Keep a record of exactly what they were told at the time.

Managing consent

1) Regularly review consents to check that the relationship, the processing and the purposes have not changed.

Special category data

Special Category data gets more protection in Article 9 of the GDPR. If you want to process special category data you need both a Lawful Basis for Processing from Article 6 plus a Specific Condition for Processing from Article 9.

Special Category data is considered more sensitive, and so needs more protection. For example, it includes sensitive information about an individual's:

- race;
- ethnic origin;
- politics;
- religion;
- trade union membership;
- genetics;
- biometrics (where used for ID purposes);
- health;
- sex life; or
- sexual orientation.

List of exceptions in Article 9(2) which allow controllers to process special category data:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

what does the ico state?

1. Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.

One of the differences from the Data Protection Act 1998 is that it now includes genetic data and some biometric data.

In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.

Articles 6 and 9 work in a similar way: each first prohibits any processing and then provides a list of exceptions. If you're processing special category data then you need one exception from each article.

There are ten conditions for processing special category data in the GDPR itself, but the Data Protection Bill will introduce additional conditions and safeguards.

The Data Protection Bill is currently in Parliament. It will work side by side with GDPR and covers all the areas where Member States are allowed to make small changes, such as the age of a child, which are known in GDPR as derogations. The Data Protection Bill also covers some non-GDPR topics like immigration and national security data protection standards.

You must determine your condition for processing special category data before you begin this processing under the GDPR, and you should document it.

Just like your Lawful Basis for Processing, you must include any Specific Condition for Processing in your privacy notice before you start processing data. It should be documented so you can demonstrate compliance to the ICO.

checklist

Identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. (They don't have to be linked.)
Determine your condition for processing special category data before you begin processing under the GDPR and document it.

criminal offence data

Criminal Offence data is given extra protection under Article 10 of the GDPR, but it isn't included in special category data under Article 9. Currently the ICO isn't very specific about processing Criminal Offence Data, as it is expecting additional safeguards and conditions for processing to be set out in the Data Protection Bill, which is not yet finalised.

In general, businesses may not have legal authority to perform background checks on employees without some additional reason. Consider whether you have a legal requirement or a safeguarding issue, such as access to children, vulnerable adults or their data, which makes the processing reasonable and necessary.

what does the ico state?

To process personal data about criminal convictions or offences, you must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10.

Article 6 contains the Lawful Bases for Processing we have already covered in this course. The legal authority is still to be defined; we are waiting for the Data Protection Bill.

The Data Protection Bill deals with this type of data in a similar way to special category data, and sets out specific conditions providing lawful authority for processing it.

As stated above, the Data Protection Bill hasn't yet been finalised, but it may include lawful authority to process Criminal Conviction Data where you have consent, or the need to defend a legal claim.

You can also process this type of data if you have official authority to do so because you are processing the data in an official capacity.

Don't forget that the ICO is providing general advice, which includes advice to police forces, and this may not be relevant to most businesses.

You cannot keep a comprehensive register of criminal convictions unless you do so in an official capacity.

This is very unlikely to be relevant to most businesses.

5. You must determine your condition for lawful processing of offence data (or identify your official authority for the processing) before you begin the processing, and you should document this.

If you're going to process criminal offence data, such as background checks on employees or contractors, then information on this should be provided in your privacy notice. This would include your Lawful Basis for Processing under Article 6 and your lawful authority under Article 10, which will probably come from the Data Protection Bill once it has been finalised.

checklist

You must have both a lawful basis under Article 6 and either legal authority or official authority for the processing under Article 10.
Determine your condition for lawful processing of offence data (or identify your official authority for the processing) before you begin the processing, and document this.