The way personal data is handled and processed is being reformed by the incoming General Data Protection Regulation (GDPR), which comes into force on the 25th May 2018.
Organisations should prepare and discuss which legal basis their personal data is currently being processed under, and what their process will be if an individual makes an access request for their personal data.
Legal bases for processing personal data
There are six lawful bases for processing personal data which are identified in Article 6 of the GDPR. They are as follows:
Consent – the individual has made clear that their personal data can be processed for a specific purpose.
Example – an email is received from an individual stating that it is okay to pass on their address/number to a third party so that the third party can contact them.
Contract – a contract that has been made between an organisation and an individual makes evident that data processing is required as part of the contract.
Example – an individual requests a quotation for some insurance; the insurer needs to process certain data to prepare this quotation. This is contractual.
Legal obligation – there is a legal necessity for the data to be processed to ensure compliance with the law (outside of the contractual basis).
Example – an employer needs to process personal data to comply with its legal obligation to HMRC to disclose employee salary details.
Vital interests – the personal data processing is necessary to protect an individual’s life.
Example – if an individual is rushed to hospital, disclosure of their medical history is a necessity to protect their vital interests.
Public task – the processing is needed to perform a task of public interest and this task has a clear foundation in law.
Example – an electrician handling a power outage on a street may require access to personal details such as addresses/phone numbers to resolve an issue which is affecting other members of the public, as the fault may lie outside or with a particular building.
Legitimate interests – it is necessary to process the personal data for the legitimate interests of the organisation and/or a third party, unless there is an adequate reason to protect the individual’s data which outweighs those legitimate interests.
Example – if an individual is currently subscribed to a service, and a new service which is similar but improved becomes available, they could be contacted about this new service as it may be of legitimate interest to the individual.
Data Access Requests
Another area related to these changes is the process of dealing with individuals’ requests for their personal data. Individuals can already make such requests, so this is nothing new, but the way in which these requests are dealt with will change slightly, to the benefit of the individual. The main reason individuals may want to access the personal data being stored about them is so that they can be made aware of what is being stored/processed and why, and verify that it is being processed lawfully.
A breakdown of what should be supplied is as follows:
- The reasons as to why their data is being stored and processed
- A description of this data
- Who this data has been shared with, or who it is intended to be shared with
- How the data was collected in the first place
- Which lawful basis it is being processed under
Organisations must supply this information to an individual free of charge; only where requests are excessive and unfounded may a reasonable fee be charged for the time spent on them. This information must be supplied to the individual without delay and within a month at the latest. The exception is for numerous or complex requests, where the period for compliance can be extended to a total of 3 months; however, the requester should be advised of the delay within the original month, together with an explanation as to why this is the case.
For more information, please see the ICO guidance on “Lawful basis for processing” (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/) and “Right of access” (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/).