Watch Groups like shopwatch schemes or banning schemes, for example, will of course inevitably come into contact with young people and in most cases there is no issue – as long as they comply with the law!
Common law entitles any owner or manager of private premises open to the public to ‘withdraw the implicit licence to enter’ the premises from anyone, for any reason. The reason, however, must not have anything to do with ethnicity, gender, marital status, sexual orientation, disability, religious beliefs – or age.
So far so good: a Watch Group can ban a young person from its members’ premises because he or she has been reported for a qualifying incident – as long as it’s not because of their age, or any other of these ‘protected characteristics’.
…and Data Protection law
If a Watch Group needs to process the personal data of young people (which it almost certainly will need to do at some point) it must comply with data protection law, namely GDPR and, in the UK, the Data Protection Act 2018.
GDPR says that if any organisation wants to process the personal data of a young person – defined in the Data Protection Act as under 13 years of age – on the ‘lawful basis’ of consent then they must secure additional consent from someone in a parental or guardian role.
This, however, does not apply to Watch Groups, the vast majority of which do not rely on ‘consent’ as their lawful basis for processing but on ‘legitimate interest’.
Where organisations base their processing of personal data on legitimate interest, GDPR does not apply any specific age-related restrictions to that processing. Instead, it requires that the Data Controller conducts a ‘Legitimate Interest Assessment’ which includes a so-called Data Protection Impact Assessment (DPIA).
Defining the impact of Data Processing on young offenders
It is in the DPIA that the Data Controller must consider the impact on the rights and freedoms of the different types of Data Subjects whose data it processes.
Young people, it’s pretty obvious, are different from ‘adults’. They are likely to be more impressionable, more ‘easily led’, less aware of the consequences of their actions. Therefore, they must be included as a specific ‘type’ of Data Subject in the DPIA, and considered separately.
By the way, it’s up to the Data Controller to decide what “young people” actually means: over 13? Over 16? The decision is entirely the Data Controller’s.
The DPIA must identify any threat to the rights and freedoms of each type of Data Subject, and if there is any risk, it must show how the Data Controller mitigates that risk. In the case of young people, the Controller might require that, where a young person is reported for a qualifying incident, their data will not be shared with members of the Watch Group (as would be the case for ‘adults’). Instead, the data may simply be retained in their local Disc database and shared only with appropriate people (e.g. parents, school or public agencies such as police or an early intervention team).
Additionally, for example, in the DPIA the Controller might stipulate that the young person is treated as any other offender (i.e. as an ‘adult’) if they are reported for a further or subsequent qualifying incident.
As always, it’s down to the Data Controllers to make up their own minds on this, but whatever the decision, Disc enables the smooth and consistent application of the rules for the Watch Group and exclusion scheme.
For more on how business crime reduction schemes can comply with data protection law, watch our free video webinar here. At the end of the webinar we’ll send you a Guide (PDF format) covering the same subject matter as this blog from which you can download invaluable ‘model documents’ to help you ensure compliance of your own scheme.