GDPR: updating privacy notices

Are you caught in a last minute rush to update your privacy notice to comply with the forthcoming General Data Protection Regulation (GDPR)? Ibrahim Hasan considers what is involved.

Under the Data Protection Act 1998 (DPA), the requirement to issue privacy notices is tucked away in Schedule 1 Part 2. The GDPR brings privacy notices into the foreground and introduces a more prescriptive framework about the information Data Controllers must provide to Data Subjects as well as the manner and timeframe.

What is the purpose of a privacy notice? In the words of the ICO, “…being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

Contents

Under Article 13 of GDPR, where data is obtained directly from the Data Subject, the following information must be provided at the time the data is obtained:

- the identity and contact details of the Data Controller and where applicable any representative

- the contact details of the Data Protection Officer where applicable

- the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))

- where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party

- the recipients or categories of recipients for the personal data (if any)

- details of international transfers and their legal basis

In addition the Data Subject must be given the following information necessary to ensure fair and lawful processing:

- the period for which the data will be stored or, where this is not possible, the criteria used to determine that period

- the existence of the Data Subjects’ rights e.g. Data Portability and Subject Access, Rectification, Erasure etc.

- where the processing is based on consent, the fact that consent can be withdrawn at any time

- the right to lodge a complaint with the supervisory authority (the ICO)

- where the data is collected from the Data Subject due to a statutory or contractual requirement, whether the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data

- details about automated decision making, including profiling, and the logic and consequences of such processing

Article 14 contains a similar list to the above to be included in a privacy notice to Data Subjects where their data is not collected directly from them.

Format

GDPR (Article 12) states that the privacy notice must be concise, transparent, intelligible, easily accessible and free of charge. It must be written in clear and plain language, particularly if addressed to a child. Information in a privacy notice may be provided orally to a data subject on request e.g. in the form of a pre-recorded message. Other ways of providing the information include leaflets, cartoons, infographics and flowcharts. The mobile phone company, O2, has even produced a video!

So where to start? The Article 29 Working Party (A29WP) has published Guidance on Transparency, which addresses privacy notices. The ICO GDPR guide contains useful checklists and their privacy notices code is worth a read (though it is primarily drafted with the DPA in mind).

Examples

Our consultant, Scott Sammons has produced a sample GDPR privacy notice – read it here. Other examples below:

Transport for London | Essex County Council | Halifax Bank | Decoded Legal (law firm) | Age UK (charity) | Act Now Training

The DFE has produced suggested texts for privacy notices for schools and local authorities to issue to staff, parents and pupils.

There are a number of other steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. As the Information Commissioner has said: “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared on the Act Now Blog. Information on the company's courses can be found on Local Government Lawyer's courses and events section.