It is important for all organisations, including bat groups, to keep up with good data protection practice and to comply with the UK General Data Protection Regulation (UK GDPR).
This web page aims to provide some general information about GDPR and some guidance on the things you should consider regarding the personal data you hold.
BCT are unable to be prescriptive or give specific advice; however, we hope you find this information useful. General data protection enquiries can be sent to the relevant Bat Group Officer contact, and while we may not be able to give a definitive answer, we will try to help. Contact Claudia Gebhardt for bat groups in Scotland, and Abby Packham for bat groups in other parts of the British Islands.
The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to Parliament and is sponsored by the Department for Culture, Media and Sport. The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
1. The basics of data protection
Let’s start with what counts as personal data:
- Personal data is any information relating to an identified or identifiable living individual. Identification doesn’t just mean the person’s name: a photograph or video, a sound recording, an IP address, or an applicant or employee number can all identify someone, on their own or combined with other information you hold.
- Special category (sensitive) personal data is personal data revealing, for example, racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, or sex life or sexual orientation. Data about criminal convictions and offences is subject to similar restrictions. Additional conditions apply before you may process it. (This category isn’t covered further here; for more information please see this ICO guide.)
There are different people involved in the processing of personal data.
- Data Controller is the person, agency or any other body (e.g. the bat group) which determines the purposes and means of processing personal data.
- Data Processor is any person or organisation that processes personal data on behalf of the Controller (e.g. someone outside the bat group to whom you outsource statistical analysis).
GDPR imposes legal compliance obligations on Controllers and Processors.
2. Rules under GDPR
The principles set out under GDPR are that personal data must be:
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation). GDPR adds that further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation);
- Accurate and, where necessary, kept up to date (accuracy);
- Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation);
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality).
The Controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability).
Under GDPR, a Controller must only appoint a Processor under a binding written agreement. For details on what that entails please see this ICO guide.
There are six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. Please read more about these bases here, and find a tool to help you decide which basis applies to you here. You can find a template for a legitimate interests assessment here.
3. Rights of the individual
GDPR sets out the rights of the individual:
- The right to be informed - encompasses the obligation to provide ‘fair processing information’, typically through a privacy notice
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing - individuals have a right to ‘block’ or suppress processing of personal data.
- The right to data portability - allowing individuals to move, copy or transfer their personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object - Where you rely on legitimate interests or public task, the individual must object on “grounds relating to his or her particular situation”. You can refuse the objection only if you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual. An objection to direct marketing must always be honoured.
- Rights in relation to automated decision making and profiling - safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Individuals have the right to access their personal data and supplementary information, so that they can verify the lawfulness of the processing. Which rights apply can vary depending on the lawful basis for the processing. See this link for more information.
Some questions worth considering:
- How easy would it be to locate all the information you hold about an individual?
- Do you know how many copies of the data exist (exports, backups, emails, paper records)?
- Can you provide the information in a timely and cost-effective manner? Under GDPR you must respond within one month of receiving a request (extendable by up to two further months if requests are complex or numerous) and you must provide a copy of the information free of charge. You can charge a ‘reasonable fee’, or refuse to act, only when a request is manifestly unfounded or excessive, particularly if it is repetitive. Confirm the requester’s identity before disclosing anything.
- Have you got a mechanism for deleting or destroying all copies of the data if you are asked to?
4. Being compliant with data protection
The ICO states “It is important that you determine your lawful basis for processing personal data and document this." This documentation of your decision should address the six GDPR principles, including principle 5 (storage limitation), which covers how long you retain data.
There are a series of steps you can take in order to document your decision:
- Discover: Identify what personal data you have and where it resides
- Control: Manage how personal data is used and accessed
- Protect: Establish security controls to prevent, detect and respond to vulnerabilities and breaches
- Report: Action data subject requests and keep required documentation
- Review: Analyse your data and systems, stay compliant and reduce risk
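The Discover and Report steps, and the earlier questions about locating every record, knowing how many copies exist and deleting on request, are the parts that benefit from tooling. What follows is an added example, not BCT's or the ICO's code: a Python script over constructed sample data that scans three made-up stores (a membership export, field notes and a web log) for identifiers, locates every record about one person for a subject access request, and removes them for an erasure request. The store names, records and regex patterns are assumptions for illustration; a real group would point the same functions at its actual exports.

```python
import re
from collections import defaultdict

# Constructed sample data (not real records): three places a small group
# might hold personal data. Store names and contents are made up.
DATA_STORES = {
    "membership.csv": [
        "name,email,phone,joined",
        "Jane Example,jane@example.org,07700 900123,2021-04-02",
        "Sam Sample,sam@example.net,07700 900456,2022-09-15",
    ],
    "survey_notes.txt": [
        "Roost count 14 June: surveyor Jane Example (jane@example.org) counted 32 pipistrelles.",
        "Detector lent to Sam Sample, returned 2 July.",
    ],
    "web_signups.log": [
        '203.0.113.7 - - [01/May/2023] "POST /join" user=jane@example.org',
        '198.51.100.9 - - [02/May/2023] "POST /join" user=someone@example.com',
    ],
}

# Identifiers that are personal data even without a name attached.
# The phone pattern covers UK mobile numbers only; widen it for landlines.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def discover(stores):
    """Discover step: count, per store, how many identifiers of each kind it holds.

    Returns {store_name: {"email": n, "phone": n, "ip": n}}; kinds with no
    matches are omitted so the inventory only lists what is actually there.
    """
    inventory = {}
    for store, records in stores.items():
        counts = defaultdict(int)
        for record in records:
            for kind, pattern in PATTERNS.items():
                n = len(pattern.findall(record))
                if n:
                    counts[kind] += n
        inventory[store] = dict(counts)
    return inventory


def subject_access(stores, identifiers):
    """Report step: locate every record about one person across all stores.

    `identifiers` lists everything known to identify the subject (name, email,
    phone ...). A name-only mention such as "lent to Sam Sample" is personal
    data too, so regexes alone are not enough; matching here is a
    case-insensitive substring test. Returns (store, line_number, record)
    tuples, so you can send the person a copy and see how many copies exist.
    """
    needles = [identifier.lower() for identifier in identifiers]
    hits = []
    for store, records in stores.items():
        for line_no, record in enumerate(records, start=1):
            if any(needle in record.lower() for needle in needles):
                hits.append((store, line_no, record))
    return hits


def erase(stores, identifiers):
    """Erasure request: drop every record about the subject from every store.

    Returns (new_stores, number_removed). Stores are copied, not mutated, so
    the caller decides when to write the result back. Backups and copies held
    outside these stores are not covered and must be handled separately.
    """
    to_remove = {(store, line_no) for store, line_no, _ in subject_access(stores, identifiers)}
    new_stores = {}
    for store, records in stores.items():
        new_stores[store] = [
            record for line_no, record in enumerate(records, start=1)
            if (store, line_no) not in to_remove
        ]
    return new_stores, len(to_remove)


if __name__ == "__main__":
    for store, counts in discover(DATA_STORES).items():
        print(f"{store}: {counts}")
    jane = ["jane@example.org", "Jane Example"]
    for store, line_no, record in subject_access(DATA_STORES, jane):
        print(f"SAR hit in {store} line {line_no}: {record}")
    remaining, removed = erase(DATA_STORES, jane)
    print(f"erased {removed} records; membership.csv now has {len(remaining['membership.csv'])} lines")
```

Two points the script makes that the list above does not: identification by name alone (the detector loan note) is only found because the subject's name is passed in alongside their email, and erasure only covers the stores you actually scanned, so the inventory from the Discover step has to be complete before an erasure request can be honoured.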
Some more points to bear in mind:
- GDPR places a duty on organisations to report certain types of personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to individuals, you must also inform those individuals without undue delay.
- Children under the age of 13 cannot themselves give consent to the processing of their personal data in relation to online services; consent must come from a parent or guardian.
- Controllers should be aware that data processed on the basis of legitimate interests is subject to the right to object, which can only be refused where there are compelling legitimate grounds that override the individual's interests, rights and freedoms.
- There are penalties for non-compliance (up to £17,500,000 or 4% of annual worldwide turnover, whichever is higher).