Ben Rapp | All’s fair in love and data protection
This article aims to demystify data protection and to help businesses understand how they can be both compliant and more efficient. We’ll focus on the first standard of the Data Protection Act (DPA) – lawful and fair use.
The DPA is founded on eight standards for proper stewardship of personal data. Let’s touch on that word ‘stewardship’. The underlying principle of data protection is that personal data does not belong to you – the controller – but to the person to whom it relates – the data subject. Since it’s their data – not yours – the onus is on you to demonstrate your justifiable need to collect, use and keep it, and that your processing of it is fair.
Let’s also address ‘sensitive data’. While all information about a person that is held in a form that allows the person to be identified is ‘personal data’, some information is considered particularly sensitive. There is a specific list in the DPA:
(a) Genetic data or biometric data;
(b) Filiation, or racial or ethnic origin;
(c) Political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature;
(d) Membership in any trade union;
(e) Physical or mental health or condition;
(f) Sex life;
(g) The alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject;
COMPLIANCE WITH STANDARDS
The collection and processing of sensitive data places additional responsibilities on you as a controller. These include the appointment of a data protection officer and greater attention to security measures. However, there is a direct implication for your compliance with the first standard, too.
To ensure fairness, the law requires you to demonstrate that your collection, processing and storage of data is justified. It provides a number of what are often referred to as ‘lawful bases’; for each separate piece of processing, you need to identify and document the basis you are using. The selected basis must be catalogued in your internal records and disclosed to your data subjects as part of your privacy notice. When you are processing sensitive data, you also need to identify a so-called ‘condition for processing’, which is combined with the lawful basis to provide your justification.
Before you can make use of the lawful bases and conditions, you must understand what data you are collecting, what you are doing with it, where you are sending and storing it, with whom you are sharing it, and for how long you keep it. This exercise of ‘data mapping’ is the fundamental basis of a data protection programme. You can’t make a proper start on compliance until you know what you’re working with. The results of the data mapping are compiled into your ‘record of processing activities’, which also acts as the basis for your registration with the Office of the Information Commissioner.
To complete that work, you need to go through the list and, for each entry, answer one crucial additional question: why are we collecting, processing, storing and sharing this personal data? In doing that, you can work out which lawful basis and, where relevant, condition apply. This will help you understand whether your processing is lawful and fair. It’s the first point at which you may need to consider changing how you operate to ensure compliance.
The lists of bases and conditions are too long for this column. All controllers should familiarise themselves with these lists in sections 23 and 24 of the DPA. There is complexity and room for confusion aplenty in this undertaking; even if you do your own data mapping and compile your own record of processing activity, you may want help in your compliance with the first standard. In particular, when you identify the processing of sensitive personal data – and remember that all employers inevitably process some sensitive data, so almost all controllers will have some exposure – you need to be careful to ensure that you properly understand your justifications for that processing and that you have the right safeguards in place.
ADDITIONAL REQUIREMENTS
Depending on the applicable lawful basis, additional work may be required to demonstrate compliance. For example, if you believe you are processing on the basis of consent, you will need to be able to show that you have collected that consent properly; there are a number of specific rules on this set out in the DPA and the regulations that accompany it. Similarly, if instead you identify processing that serves your own legitimate interests – and you should be reassured that this is often the right choice – you will need to show that you have assessed the balance between your interests and the rights of the data subject through a process called a ‘legitimate interest assessment’.
The greater the volume, complexity and sensitivity of the personal data you process, the greater the importance of proper data mapping and an accurate record of processing activity, because the greater the risk your processing could pose to data subjects. However difficult this regulation may seem, remember that we are all data subjects of many controllers, and when the boot is on the other foot, we surely want to know that our personal data is lawfully and fairly processed.
Ben Rapp is a data protection expert and group chief executive officer of Securys Limited. Send feedback to info@securys.com.jm and columns@gleanerjm.com.