Exclusion Schemes and compliance with data protection law
Organisations that run exclusion schemes and use Disc for processing personal data must comply with Data Protection law, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA’18). It can be a daunting and confusing area of regulation, but vital to the lawful processing of data and so must be fully understood, and followed.
Here, we de-mystify the GDPR and DPA’18 requirements to help organisations running banning schemes like shopwatches, for example, to understand and meet their obligations.
Who is the Data Controller?
If an organisation processes information that can be used to identify a living person (‘personal data’) for business purposes, then it is a Data Controller and is responsible for complying with the law (see GDPR Articles 24-26, 30-36).
The Data Controller is the organisation or individual that decides the purposes (the ‘why?’) and the means (the ‘how’) of that processing. It must be registered on the UK Information Commissioner’s Office’s (ICO) ‘Register of Fee Payers’ which can be accessed here. For smaller organisations it costs £40 a year or £35 by Direct Debit.
As a Data Controller, the organisation is responsible for ensuring that it abides by the ‘Data Processing Principles’ (GDPR Article 5) which are listed here. These are general principles, but the law obliges Data Controllers to carry out specific tasks which, taken together, go a long way to ensure the organisation’s compliance with them.
About the Lawful Basis for Processing, Data Subject Access Requests and Data Breaches
The purpose of the GDPR is to provide rights to every living person (‘Data Subject’) wherever GDPR applies (GDPR Articles 12 -23) and to do so, it imposes specific obligations on Data Controllers.
1) Lawful basis for processing
Data Controllers can process personal data only once they have identified (and documented) a ‘lawful basis’ for doing so (GDPR Articles 6 and 9).
There are six types of “lawful basis” for processing, including ‘consent’. However, while consent is the best-known lawful basis, Data Controllers who need to process personal data necessarily without Data Subjects’ consent, may do so under the lawful basis of ‘legitimate interest’ (see ‘Legitimate Interest Assessment’ below).
2) Data Subject Access Requests
Irrespective of which lawful basis is chosen, Data Subjects can require Data Controllers to provide access to (or copies of) all the personal data they hold about them through a ‘Data Subject Access Request’. Controllers must respond to such a request within 30 days (although they may take longer to get the data to them if, for example, the Subject needs to prove who they are). Organisations can’t charge a fee for providing this information. And if Subjects can show that any of the data held is incorrect, they have the right to demand that it is put right.
In most cases, Data Subjects have other rights too – for example, they can oblige a Data Controller to delete all their personal data and to stop collecting it in the future. They can also require the Controller to transfer their data to another organisation. However, as we shall see below, these rights depend on which lawful basis the Controller has chosen for its processing (see Legitimate Interest Assessment below).
3) Data Breach notifications
A data breach is an ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Where a breach represents a ‘material threat’ to the Data Subject’s rights and freedoms, the Controller must notify the ICO and any Data Subjects affected, within 72 hours. It is down to the Controller to decide if a specific breach actually represents a ‘material threat’ to a Subject’s rights and freedom. To ascertain this Controllers can use the ICO’s online assessment tool here.
What Obligatory Documentation Do You Need To Provide?
Data protection law requires Data Controllers to produce, and abide by, specific items of documentation.
1) Record of Processing Activity
Data protection law (GDPR Articles 5 and 24) requires that Data Controllers document the way they and their organisation process personal data. This includes their internal procedures relating to processing personal data, a comprehensive description of precisely what kind of personal data they process, how it is processed and why, and their choice of lawful basis for processing Data Subjects’ personal data.
This document, often called the Record of Processing Activity must also describe the ‘technical’ (think ‘digital’) and ‘organisational’ (think ‘manual, physical’) security provisions for which the Data Controller is responsible. And if it can be shown that there is a legitimate reason to process Subjects’ ‘special category’ data (such as ethnicity) or prior criminal convictions or offences, Controllers must quote the ‘derogations’ in DPA’18 which enable this (Schedule 1 Part 2 (10) and Part 3 (36)).
The Record of Processing Activity does not need to be made public – but if the ICO receives a complaint from a Data Subject (see Privacy Information below), they will ask to see this document to assess internal processes for themselves. More detailed guidance on what a Recored of Processing Activity should look like can be readon the ICO’s webiste here.
2) Privacy Information
Irrespective of the lawful basis used to justify processing personal data Controllers must inform Data Subjects about every aspect of that processing (GDPR Articles 12 -14): what kind of data is being processed, for what purposes, with whom it may be shared, for how long it may be retained – in short, absolutely everything. This is to ensure compliance with the Controller’s obligation to operate in a transparent way regarding Subjects. This information must also include contact details if Subjects wish to submit a Data Subject Access Request.
Privacy Information must be communicated in ways which are most accessible and convenient to the Data Subject. If it can be provided to Subjects where and when their personal data is recorded, a hard-copy ‘Privacy Notice’ can be given to them. Where that’s not possible, or where it has been taken from them without their knowledge, organisations must ensure that full privacy information is made as available as possible – for example, displayed on a public website or on a notice board or poster where Subjects can see and read it.
If Data Subjects can show that full privacy information has not been provided to them, or if it’s not as available as reasonably possible, they can complain to the ICO. In this case, organisations run the risk of being fined by the ICO and even, in some cases, separately taken to court by the Subject.
3) Legitimate Interest Assessment
As a Data Controller, you must specify the lawful basis on which you are processing Data Subjects’ personal data (GDPR Article 5(2)). If it’s believed that the Subjects whose data you wish to process would not consent to your processing their data, but you believe you have a justifiable reason for doing so, then ‘Legitimate Interest’ can be chosen as your lawful basis (GDPR Articles 12/14). If so, a ‘Legitimate Interest Assessment’ must be completed.
There are three elements to a Legitimate Interest Assessment:
- Legitimate Interest Statement – This asserts your organisation’s justification for processing Subjects’ personal data necessarily without their consent. For example, the Data Controller might assert its right to protect its members’ property and the safety and security of their staff and customers from the impact of crime and anti-social behaviour. If members offer a service to the public, it might additionally be asserted that they have a right to ‘withdraw the implicit licence to enter’ their premises – in other words, to ban Subjects from their property.
- Data Protection Impact Assessment – The second element of the document demonstrates that your organisation has considered the impact on the rights and freedoms of the various types of Data Subjects whose personal data it proposes to process. For example, adults, non-adults (see our separate Factsheet on Young People and Watch Groups), vulnerable people etc. For each type of Data Subject, every possible impact should be identified and, for each, the risk that it represents to the Subjects’ rights and freedoms. This assessment should include the likelihood, as well as the severity, of each impact, and what measures are in place to mitigate them (GDPR Article 35).
- Balance of Interests Assessment – The last element must show that Controllers have balanced the interests of their organisations (as defined in the Legitimate Interest Statement) against the rights of Data Subjects (as defined in your Data Protection Impact Assessment) and have concluded that the organisation’s rights outweigh those of the Subjects in relation to the specific purposes and uses of the data processing it is proposing.
Together, these three elements constitute the Legitimate Interest Assessment. It’s not a public document – but if the ICO investigates data processing following a complaint made to it by a Data Subject, Controllers must be able to show this document to justify the use of Legitimate Interest as the lawful basis for processing Subjects’ personal data necessarily without their consent.
4) Data Processor Contract
Data Controllers are held responsible for their employees’ compliance with data protection law (see Rules & Protocols below). But if Data Controllers use an outside organisation or individual to process personal data on their behalf, it is a legal obligation to have in place a formal ‘Data Processor Contract’ (DPC) with them (GDPR Article 28).
Sometimes, for example, if you want to use Google or Dropbox or a global Cloud service provider to process your data (and just storing data is ‘processing’) you’ll have to agree to their Terms & Conditions which, if you look hard enough, include a Data Processor Contract.
According to GDPR, Data Processor Contracts must include eight obligatory clauses – read about them here – plus any others that the Controller may want to include.
What Rules & Protocols Do Controllers Need To Be Aware Of?
‘Rules & Protocols’ are not obligatory under, or referred to in, Data Protection law. However, they define the obligations that Data Controllers place on those individuals who may access and use the information for which they are responsible – and are essential.
The purpose of Rules & Protocols is to make it clear to any individuals that act outside the rules, that they do so without the consent of the Data Controller. In effect, they are acting as Data Controllers in their own right, deciding the purposes and means of processing the data and, as such, they are responsible for their own actions.
Where an employee or member of your organisation breaks the rules, it isn’t enough simply to assert (in court perhaps?) that he or she knew what the rules were, and intentionally broke them. Organisations may still be held ‘vicariously responsible’ (and liable to prosecution and fines, etc.).
To avoid this, Data Controllers must ensure that all individuals who have access to your data not only certify that they have read, understood and agreed to abide by your Rules & Protocols but, for example, are regularly reminded of their obligations. You should also be able to show that sufficient technical (think digital) and organisational (think physical, manual) security measures are in place to make it as hard as possible for your employees or members to break your rules.
Disc Support for Compliance with Data Protection law
We provide Disc to customers who are Data Controllers in their own right. We are therefore Data Processors on their behalf, in accordance with our own Data Processor Contract. Customers are also welcome to offer us their own DPC if they prefer.
While our customers are responsible for their compliance with the law, we provide consultancy to assist them in this. Among our services, we provide on-demand webinars on compliance, as well as a full set of ‘Model Documents’ including Record of Processing Activity, Privacy Notices (for Offenders and Members), Legitimate Interest Assessment (including all three necessary elements) and sample Rules & Protocols.
The Disc system itself aligns with the critical concept of ‘data protection by design and default’ as defined by GDPR. Features include (configurable) automated irrevocable personal data deletion periods, obligatory member-certification to (configurable) Rules & Protocols and other ‘must-read documents’ including Privacy Notices, automated periodic ‘forced’ re-certification by members, availability of Privacy Notices on public-facing elements of Disc for offenders, fully documented ‘technical’ security provisions to the highest level of online security certified to ISO27001:2013 standards, built-in GDPR-compliant Instant Messaging system and other vital features.
For more on how business crime reduction schemes can comply with data protection law, watch our free video webinar here. At the end of the webinar we’ll send you a Guide (PDF format) covering the same subject matter as this blog from which you can download invaluable ‘model documents’ to help you ensure compliance of your own scheme.