We are living in the information age and it’s becoming increasingly important for all organisations, including bat groups, to keep up with the best data protection practices. The way existing data protection legislation is interpreted is changing and new legislation - the General Data Protection Regulation (GDPR) - came into force in the UK from 25th May 2018.
This web page is aimed at providing some general information about GDPR and offer some guidance on the things that should be considered regarding the data you hold. We have also prepared a set of Frequently Asked Questions that aims to help bats groups comply with GDPR.
BCT are unable to be prescriptive or give specific advice, however we hope you find this information useful. General data protection enquiries can be routed through the relevant bat group contact, however we may not be able to give a definitive answer, although we will try to help. Contact Steve Lucas for bat groups in Wales, Claudia Gebhardt (Liz's maternity cover) for bat groups in Scotland, and Abby Packham for bat groups in other parts of the British Islands.
1. Why we all need to address the issue of data protection
Data Protection is a bit of a minefield and has historically been open to interpretation. That is one thing that has not changed! However, the UK Information Commissioner, Elizabeth Denham, stated in January 2017: “There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a game changer for everyone”. We really need to make sure we keep up with the changes.
We should view the upcoming changes as an opportunity to future proofing the way we deal with data via a review of our data protection practices, guidance and advice. Ignoring data protection carries a reputational risk AND a financial one too. Apart from anything else, addressing this issue is the right thing to do!
Although the information presented here gives an overview and guidance on data protection BCT cannot be prescriptive about the way bat groups should handle data.
2. The basics of data protection
Let’s start with a definition of what is data:
- Personal data is: any information which identifies an individual e.g. name, photograph/video, sound recording, IP address, applicant or employee number.
- Sensitive personal data is: personal data relating to the individual e.g. race or ethnic origin, political opinion, religious beliefs, physical or mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of sensitive personal data, including an obligation to obtain the explicit consent of the individual. (We will not be addressing this particular data set here but for further information about this please see this ICO guide)
Is the ‘data’ ‘personal data’ for the purposes of the Data Protection Act 1998 (DPA)?
Data becomes personal data if a living individual can be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller. Identification does not have to be by a person’s name.
- “Data Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data
- “Data Processor” in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
The concepts of data controller and data processor are essentially unchanged under the GDPR, but the GDPR imposes legal compliance obligations directly on Processors in addition to Controllers (further details below).
The Data protection principles (as per DPA) are:
- Fairly and lawfully processed.
- Processed for limited purposes
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept for longer than necessary(to be specific: ‘not be kept longer than necessary for the purpose for which it was processed’ )
- Processed in line with the rights of individuals.
- Not transferred to other countries without adequate protection
3. What’s new under GDPR?
The principles set out under GDPR are very similar to the DPA, namely that personal data must be treated:
- Lawfully, fairly and transparently;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary for the purpose to which they are processed;
- Accurate and kept up to date;
- Permits identification of data subjects no longer than necessary;
- Processed in a manner to ensure appropriate security of the personal data.
With regards to the second bullet point it’s worth noting that GDPR legislation states that: further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
Under GDPR, a Controller must only appoint a Processor under a binding written agreement, which states that the Processor must:
- only act on the Controller’s documented instructions;
- impose confidentiality obligations on all personnel who process the relevant data;
- ensure the security of the personal data that it processes;
- abide by the rules regarding appointment of sub-processors;
- implement measures to assist the Controller in complying with the rights of data subjects;
- assist the Controller is obtaining approval from Data Protection Authorities where required;
- at the Controller’s election either return or destroy the personal data at the end of the relationship; and
- provide the Controller with all information necessary to demonstrate compliance with the GDPR.
4. The rights of the individual
GDPR sets out the rights of the individual:
- The right to be informed - encompasses the obligation to provide ‘fair processing information’, typically through a privacy notice
- The right to access - GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing
- The right to rectification - Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure - Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
- The right to restrict processing - Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.
- The right to data portability - It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object - Individuals must have an objection on “grounds relating to his or her particular situation”. We can challenge this if we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
- Rights in relation to automated decision making and profiling - GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Individuals have the right to access their personal data and supplementary information. They may also verify the lawfulness of the processing. This applies regardless of whether data is kept in digital, paper or other format. Some questions worth considering:
- How easy would it be to locate all information effectively?
- Can you verify the number of copies of the data?
- Can you access the information in a timely and cost – effective manner? Under GDPR you need to be able to act within 1 month (maximum) of a request and you must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- Have you got a mechanism for deleting/destroying all the data if you are asked to?
There are six available lawful bases for processing data:
- Consent - Under GDPR consent must be: Freely given, specific, informed and unambiguous.
- Contract - You can rely on this lawful basis if you need to process someone’s personal data
- Legal Obligation - You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation
- Vital Interest - You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life
- Public Task - You can rely on this lawful basis if you need to process personal data. It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest
- Legitimate Interest - It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests
Some more points to bear in mind:
- The GDPR acknowledges that data protection rights are not absolute and must be balanced (proportionately) with other rights – including the “freedom to conduct a business”.
- GDPR builds on existing principles and adds tighter obligations and restrictions.
- The concepts of “controller” and “processor” are essentially unchanged under the GDPR, BUT their respective obligations are significantly amended (see points above).
- The GDPR introduces a duty on all organisations to report certain types of data breach to the Supervisory Authority as soon as they become aware of the data breach.
- Individuals must be notified if adverse impact is determined [Specifically: “Controllers must report a data breach to the relevant DPA within 72 hours of their becoming aware of that breach, except where the data breach is unlikely to result in any harm to data subjects”]
- Children under the age of 13 can never, themselves, give consent to the processing of their personal data in relation to online services.
- Controllers that rely on “legitimate interests” should maintain a record of the assessment they have made, so that they can demonstrate that they have given proper consideration to the rights and freedoms of data subjects.
- Controllers should be aware that data processed on the basis of legitimate interests is subject to a right to object - which can only be rejected where there are “compelling” reasons
- Higher penalties for non-compliance (up to £17,000,000 or 4% of turnover)
5. What steps should you take to become compliant with data protection?
In order to demonstrate compliance and regardless of which lawful basis you rely on, there is a need to document your decision and ensure that you can justify your reasoning.
The Information Commissioners Office states “It is important that you determine your lawful basis for processing personal data and document this. This becomes more of an issue under the GDPR because your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.” This documentation of your decision should address the six GDPR principles including principle 5 which refers to data retention
There are a series of steps you can take in order to document your decision:
- Discover: Identify what personal data you have and where it resides
- Control: Manage how personal data is used and accessed
- Protect: Establish security controls to prevent, detect and respond to vulnerabilities
- Report: Action data subject requests and keep required documentation
- Review: Analyse your data and systems, stay compliant and reduce risk
6. Further information
The Information Commissioner's Office (ICO) in the United Kingdom, is a non-departmental public body which reports directly to Parliament and is sponsored by the Department for Culture, Media and Sport (DCMS). The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. They have provided extensive set of guidance and resources via their website:
- Guide to the General Data Protection Regulation (GDPR)
- Data protection self-assessment
- Lawful basis for processing
The National Council for Voluntary Organisations (NCVO) have also provided some useful guidance
Other sources of information: