20 FAQs about data protection.
- Do we need to bother about the data protection legislation? What impact could it have on us?
- Do I have to register ('notify')?
- What if we don't pay the data protection fee?
- How do the authorities decide who to investigate?
- We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?
- Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?
- Some of our customer records are still held in paper form. Are they covered by the GDPR?
- Do we really have to get our customers to agree that we can send them marketing information?
- Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?
- What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?
- If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?
- If I take notes at a recruitment interview, can I be forced to show them to the interviewee?
- Is there any problem over us monitoring our employees' use of office phones, internet access or email system?
- Do we have to provide employees (or customers) with copies of the information we hold on them?
- Do we have to provide former employees with copies of the references that we have given about them to third parties?
- We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?
- We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?
- Do we need to tell customers if we operate a CCTV system?
- We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?
- What sort of penalties might we suffer for breaching the GDPR?
1. Do we need to bother about the data protection legislation? What impact could it have on us?
Broadly speaking, the EU General Data Protection Regulation (GDPR) is designed to prevent individuals and organisations from 'processing' information about any living individual who can be identified from that information, unless:
- they have a legally acceptable reason (or reasons) for doing so; and
- they can prove that they treat the information properly.
'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it. The individuals to whom the information relates may be people (for instance, customers, or suppliers, or employees) with whom you have dealings now, with whom you hope to have dealings in the future, or with whom you have had dealings in the past. Most businesses cannot function without taking account of the GDPR's provisions: even defunct businesses might still be 'processing' (for example, holding) information.
You must have a ‘lawful basis' to use personal data. The most common business reasons are likely to be one of the following:
- You have a person's consent to use their data.
- It is necessary to perform your contractual obligations or to do something before entering into a contract at the individual's request (eg providing a quote);
- You need to use the data to comply with a legal obligation; or
- Using the data is in your ‘legitimate interests'. This is broad, but you need to be specific - saying ‘we need to process customer data' is not enough, whereas ‘we have a legitimate interest in marketing our goods and services to our customers in order to grow our business' provides more detail that usefully explains why you need to use the data.
Other lawful bases that are less likely to be applicable to businesses include protecting an individual's ‘vital interests' (eg protecting their life) and performing a public task (mainly applicable to public authorities).
Anything relating to anyone's race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (for ID purposes), physical or mental health, sexual life, sexual orientation, or the commission of offences is high risk, and can only be justified if you hold it for one of a list of specified reasons.
Beware of falling foul of the GDPR if you:
- Process information unfairly - for example, without letting the individual know that you have it and what you are going to do with it.
- Collect information for one purpose, and then use it for another.
- Collect too much information - if you are trying to sell people egg-timers, you do not need to know their shoe size.
- Fail to ensure that information is accurate and up-to-date.
- Hold on to information for longer than you need it.
- Fail to let individuals know what you have on them when they ask to see it (unless one of the statutory exemptions applies).
- Fail to keep information secure.
- Send information outside Europe for processing, except to a limited list of countries with adequate data protection laws of their own.
- Fail to keep adequate records that enable you to demonstrate compliance with the principles of the GDPR.
2. Do I have to register ('notify')?
The GDPR removes the requirement for organisations to ‘notify' the Information Commissioner's Office (ICO) of their data processing activities. However, from 25 May 2018 there is still a fee that must be paid by most businesses.
Yearly fees range from £40 to £2,900 depending on the size of your organisation. If you are currently registered with the ICO, you only pay when your current registration expires.
Some exemptions apply. For example, if you only use personal data for staff administration, advertising and marketing, or for accounts and records, you will not need to pay. If you do not know whether you should pay, the ICO provides guidance on their website or seek legal advice.
3. What if we don't pay the data protection fee?
If you do not pay the data protection fee, the ICO will send you a reminder. If you still don't pay the fee, or tell the ICO why you are no longer required to pay it (eg if your use of personal data has changed and you now fall within an exemption), the ICO will issue you with a notice. After a further 21 days, if you still haven't paid the fee or explained the situation to the ICO, you will face a fine of up to £4,350.
4. How do the authorities decide who to investigate?
Although the Information Commissioner's Office (ICO) can conduct investigations of its own accord under the GDPR, it most frequently carries out assessments when it has been tipped off by someone - a customer, a supplier, a past or present employee, or even a business rival - asking for an assessment. They might, for example, contact the ICO because they were not satisfied with your response when they exercised their right to ask for the information you hold about them.
The GDPR also includes a requirement for organisations to report certain kinds of data breach to the ICO, for example where there is a data loss as a result of the loss or theft of a device containing information on identifiable individuals. In most cases, the breach must be reported within 72 hours of you becoming aware of it. If the breach poses a high risk to individuals' rights, they should be informed without delay. Whether you have to report a breach or not, it must always be documented internally. Record keeping as a whole is a vital part of your data protection compliance.
5. We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?
You hear right: in the past there have been several lucrative scams involving bogus notification enforcement authorities demanding money in return for submitting applications to notify. The Information Commissioner's Office is based at Wycliff House, Water Lane, Wilmslow, Cheshire SK9 5AF. Take a look at their website for the latest information on scams, or ring the data protection advice line (0303 123 1113, or textphone 01625 545 860) if you want to check out any official-looking documents. Or alternatively, ring your legal adviser and check, first, whether the demand is from a genuine source, and secondly, whether you should actually have registerd anyway.
6. Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?
Probably not, but consider taking legal advice. In a case in this area, the Court of Appeal decided the fact that someone's name appears in a document does not in itself make it 'personal data'. It will only be 'personal data' where its inclusion in the document affects the named individual's privacy. In deciding whether the individual's privacy is affected, the judges said it is important to consider:
- whether the information is biographical - ie, whether it gives details in addition to the name
- whether the focus is on the named individual, or whether the mention of his (or her) name is just peripheral to the purpose of the document
The judges said that the Act was not to be used as 'an automatic key' to force disclosure to individuals of any information in which their names are mentioned. However, this is a difficult area, which requires good legal judgement. The Information Commissioner has produced guidance on what is - or could be - personal data, in the form of a series of questions with worked examples: it is designed for public authorities, but is quite short, free of jargon and gives a good idea of how the ICO's collective mind is working, so it is worth consulting if you have problems in this area ('Determining what is personal data'). Take legal advice if you are still uncertain as to whether records you hold constitute 'personal data' and therefore have to be disclosed.
Please note that this reflects the position under the Data Protection Act 1998 and it is too early to tell if the answer will be different given the GDPR's broader definition of personal data.
7. Some of our customer records are still held in paper form. Are they covered by the GDPR?
It really depends on what is in them. The GDPR applies to ‘identified or identifiable natural persons', so if your records merely trace your dealings with customers which are limited companies, without any mention of individuals, you do not need to worry.
However, any information about identifiable natural persons (ie personal data), which can be anything from a name to an IP address, other than exempt information, will mean you have to comply with the GDPR. In particular this means that such information is subject to the GDPR's data protection principles, that information shall be:
- fairly and lawfully processed in a transparent manner
- for limited purposes
- adequate, relevant and not excessive
- accurate and up to date
- kept no longer than is necessary
- processed securely
The individuals to whom the information relates also get the right to correct it if it is inaccurate. Holding such information is in itself a form of processing, so if such manual files exist and do make reference to identified or identifiable individuals, you need to make a decision as to whether you wish to continue holding them, and if so, ensure that you comply with the provisions of the GDPR. It does not, however, require you to digitise or computerise such information. Take legal advice, if in doubt.
8. Do we really have to get our customers to agree that we can send them marketing information?
The law in relation to direct marketing is particularly fast-moving. If you want to stay on the right side of it, always tell customers exactly how you want to use their personal information and get evidence that they agree to such use. Whatever your grounds for using personal information under the GDPR, it is vital that you document them. Keep records of everything.
If you have existing customers on your database and want to send them marketing information relating to products and/or services similar to those you have previously supplied to them, you may continue to do so, but you should always offer them the ability to opt out of receiving further mailings. Note that individuals have a legal right to stop you sending them direct marketing at any time and this should be easy and obvious to do.
9. Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?
To be on the safe side, you should always obtain your customers' express consent before you disclose any information about them to third parties. There are alternatives to obtaining express consent, but you should seek specific legal advice before attempting to use them.
10. What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?
The GDPR requires that you enter into written agreements with anyone who is processing personal information on your behalf (‘data processors') and sets a number of points that such agreements must cover at a minimum. You need to obtain written guarantees that they will keep the information secure and only use it in accordance with your instructions. As the ‘data controller', it is your responsibility to ensure that the information is used lawfully.
11. If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?
Make sure that you have put a data processing agreement in place and that the firm you are using is based in a country with data protection rules which are considered to be adequate under English law. Laws of the states in the European Economic Area (the EEA - member states of the EU, plus Liechtenstein, Norway and Iceland) are considered acceptable.
If the data is to be transferred to a country outside the EEA (known as a ‘third country'), various ‘appropriate safeguards' will be recognised including ‘adequacy decisions' made by the EU Commission, binding corporate rules, standard data protection clauses provided by the EU Commission or a supervisory authority such as the ICO (but note that GDPR versions have not been published yet), compliance with codes of conduct approved by supervisory authorities, and certification schemes. If your data turns up in the hands of people who should not have it, as the data controller, it is you that the ICO will be coming after.
This is a complex legal area, so if you do want to get some of your information processed outside the EEA, take good legal advice first.
12. If I take notes at a recruitment interview, can I be forced to show them to the interviewee?
Generally speaking, you should presume that anything you write down or record about an individual may be shown to that individual at some point in the future. This includes any comments or personal opinions that you write down about interviewees. There are certain exemptions which may mean that you can delay or prevent disclosure, but they are very narrow, and very strictly interpreted, so you should always seek legal advice before relying on them.
13. Is there any problem over us monitoring our employees' use of office phones, internet access or email system?
Take a look at the Information Commissioner's Code of Practice for employers relating to the monitoring of staff at work. Or failing that, take legal advice. The Code is quite detailed, but the general principle is that you must make employees aware of how they will be monitored in the workplace (for example, by looking at their telephone, email or internet usage, or monitoring their movements by CCTV or vehicle tracking systems) and use the least intrusive methods of monitoring available to achieve your goals. This principle has recently been confirmed by the European Court of Human Rights, which found that a college which monitored an employee's use of the telephone without informing her, breached her right to respect for her private life and correspondence. Covert surveillance is allowed only in very limited circumstances, such as where there is suspected criminal activity. You will also have to take steps to ensure that you do not fall foul of associated legislation relating to the interception of communications.
14. Do we have to provide employees (or customers) with copies of the information we hold on them?
Generally, yes, if they ask for it, so be careful about the information you hold on individuals. The 'subject access request' must be in writing, and you must be certain that the person asking for the information is the person who is entitled to see it. In most cases, the information must be provided free of charge, and you must respond to the request within one month of receipt (this can be extended by two months for complex or numerous requests). There are exemptions which you can use to withhold certain types of information, and you are specifically required to protect the rights of third parties, if they can be identified from the information you are disclosing. The Information Commissioner's Office (ICO) has information on its website including a good practice note for small and medium-sized businesses on how to handle subject access requests.
15. Do we have to provide former employees with copies of the references that we have given about them to third parties?
References are exempt from subject access requests if such requests are made to the person or organisation which gave the reference, but if a request is made to the recipient of the reference, the reference must generally be disclosed. The circumstances in which the reference was given - if, for example, a duty of confidentiality was imposed on the recipient - can have an impact on whether the reference is disclosable, so it is always advisable to seek legal advice in these circumstances.
16. We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?
Images of identifiable human beings can be 'personal data' under the GDPR if they are taken using cameras which can be used to track individuals, which means that the obligations contained in the GDPR may apply to the use of CCTV. Moreover, the GDPR identifies the monitoring of ‘publicly accessible areas on a large scale' as a high-risk activity, and while your use of CCTV may not be ‘on a large scale' this should nevertheless be considered a warning sign that it is not to be taken lightly. It is also good practice to carry out a data protection impact assessment before setting up CCTV.
Make sure you display appropriate signage, informing people of your use of CCTV. This is particularly important under the GDPR as individuals have a right to be informed about your use of their personal data. Only keep recordings for as long as necessary, and always consider whether or not CCTV is actually required for your purposes. Only collect the personal data that you absolutely need.
The Information Commissioner has published a Code of Conduct on the use of CCTV, which requires that any capacity for picking up conversations should be disabled, and deals with matters such as the positioning of cameras, the security of the recording media, the circumstances under which the film can be viewed, and the location and content of warning notices. You also need to notify the Information Commissioner that you are operating a CCTV system.
17. We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?
Potentially yes. The Information Commissioner's Code of Conduct says that although the use of CCTV is a common feature of our everyday life 'the public expect it to be used responsibly with effective safeguards in place'. Before installing CCTV you should consider whether you can achieve the same aims without using CCTV. For example, improving lighting, providing lockers for employees' belongings or introducing limited access to stock storage areas.
If you do decide to install CCTV, you should be aware that almost all uses of CCTV will be covered by the Data Protection Act. Failure to follow the Information Commissioner's Code of Practice could mean you fall foul of the GDPR.
18. Do we need to tell customers if we operate a CCTV system?
You need to tell your customers and staff that you operate a CCTV system if it is capable of capturing images of them. The Information Commissioner's Code on the use of CCTV includes advice on the size and positioning of warning notices. Such notices should include details of who is operating the system, why it is in place and how to get further information about it.
19. We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?
Generally speaking you must use CCTV images only for the purpose for which they were recorded. If, however, cameras had been installed to deter break-ins but they caught an employee stealing stock, it would be reasonable for the employer to use the images as evidence in disciplinary and court proceedings. The test is what is reasonable, and that would depend on the circumstances. For example, it might not be reasonable to use images obtained to deter break-ins in proceedings against an employee who was caught committing a minor act of misconduct, such as smoking on the employer's premises.
20. What sort of penalties might we suffer for breaching the GDPR?
The GDPR contains a number of enforcement mechanisms designed to encourage compliance with the new data protection regime. The Information Commissioner has the power to investigate complaints from aggrieved individuals and to require those who process personal information to respond to their enquiries. The Information Commissioner usually attempts to resolve issues by correspondence, but can also order other measures to ensure compliance with the GDPR of both data controllers and data processors (data processors in particular are under much stronger obligations under the GDPR than they were before). The Information Commissioner can also issue substantial fines of up to €20m or 4% of global annual turnover to data controllers where there has been an infringement of:
- the core principles for processing personal data;
- data subjects' rights;
- the provisions of the GDPR relating to international transfers;
- certain specific related laws; or
- orders imposed by the ICO or failure to comply with an investigation.
A second, lower tier of fines of up to €10m or 2% of global annual turnover also exists, covering breaches such as the failure to implement suitable technical and organisational measures to protect personal data, to maintain written records, and to report breaches (this is not an exhaustive list).
These represent the maximum fines and while they should certainly serve as a strong deterrent, the Information Commissioner has pointed out that the ICO is not about to start making examples and putting small traders out of business with fines they couldn't possibly afford:
"It's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm."
Nevertheless, data protection compliance is not something to be taken lightly under any circumstances, regardless of the actual threat of financial or other penalties. If in doubt, seek qualified legal advice or contact the ICO.