
Andre Palmer | Tell the truth, keep it simple, stay in the lane

Published: Tuesday | December 3, 2024 | 12:07 AM
Andre Palmer

Issues such as principles of privacy and the first standard of data protection, which is the need to process data fairly and lawfully, have been discussed before. Let us look into the need for transparency. This principle runs through data protection as a defining obligation and is the true foundation of fairness in processing.

The rule is that before you collect and process data, people need to know what you plan to collect, what you intend to do with it, why you think it is fair and lawful, for how long you are going to keep it, and where and with whom you plan to share it. This is what privacy notices are for – that transparent declaration of your processing to your data subjects. Of course, sometimes you will obtain personal data not from the person themselves, but from other sources, in which case you must ensure that the data subject is given the same what, why, where, who, and how long. You can’t rely on them figuring out for themselves that you have their data.

A quick pet peeve: it is a privacy notice, not a privacy policy. You need one of the latter as well, but they are different things. The notice is just that: information that you provide to persons to keep them informed. The policy is your internal control document that instructs your staff on how to handle personal data. Please don’t ask persons to ‘agree with’ or ‘consent to’ your privacy notice – that is simply incorrect – but of course, you do need to ensure that your staff undertake to abide by your privacy policies.

COMPATIBLE PURPOSE

The second standard is shorter and simpler than the first but has very real implications. It requires that data collected is only processed for purposes ‘compatible’ with those for which it was originally collected. Remember that when you set out the purposes of processing in your privacy notice, and make sure that, if you decide to use the data for another reason, you can demonstrate that it is compatible. What does that mean in practice? The acid test is referred to as ‘reasonable expectation’ – if the average person might reasonably be expected to understand that their data would be used this way when they first provided it, then you are OK. If not, then you are likely stretching too far.

Of course, when you come up with a new purpose of processing existing data, don’t forget to update your privacy notice and tell your data subjects that it has been updated. And as a data subject yourself – we all are – you might want to read those updated privacy notices from time to time to see if your own reasonable expectations match the controllers’ understanding.

ADEQUATE, RELEVANT, AND LIMITED DATA

Compatible purpose isn’t the only limitation. The third standard is that personal data should be adequate, relevant, and limited to what is necessary for the purposes for which it is collected. In reality, that is three separate requirements in one standard, so let’s unpack them.

Adequacy of data is another aspect of fairness, especially where the data is being used to support decision-making. You must be able to demonstrate that you have collected all of the data that you need to make a fair and properly informed decision. This also extends to ensuring that in other contexts, you have all the data you need to, for example, allow the data subject to make the best of a system or an app that you are providing.

Relevancy of data is there to ensure that you keep your mind focused on the task at hand – the specified purpose of processing – and avoid collecting data just because you can or because you think it might come in handy some day. Personal data is not supposed to be like that drawer in everyone’s house where you keep odd screws and half-used batteries just in case.

Limitation, sometimes referred to as ‘data minimisation’, is the crucial part of the third standard. You must, making reference to adequacy and relevance, be able to demonstrate that you need the data in order to fulfil the specific purpose. Need - not want. If it is possible to achieve the same result without a particular bit of data, you shouldn’t collect it in the first place. Commonly, we find plenty of examples in our practice where personal, identifiable data is being collected and used when aggregated or anonymised data – which is out of scope for the Data Protection Act – would serve just as well.

Data protection is a route to efficiency and cost-saving as well as an obligation and a human right. A good data-protection programme is a business transformation, not just a burdensome compliance exercise.

Andre Palmer is head of practice at Securys Limited, a global data protection firm. Send feedback to info@securys.com.jm.