
What Should a Privacy Policy Include?

April 25, 2025

Under the UK’s data protection regime, businesses that determine the purpose for which customer personal data is collected, used, or stored (collectively known as processing) must provide a privacy notice.

The regime consists of a number of laws including: UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR).

These laws provide data subjects (i.e. customers whose personal data is being processed) with a number of rights, including the right to be informed about how their data is being processed, and impose several transparency requirements that businesses must comply with.

Failure to comply with the UK’s data protection regime can lead to significant fines, reprimands, or other sanctions from the Information Commissioner. For example, Advanced Computer Software Group Limited, a provider of IT and software services to organisations including the NHS, was fined £3.07 million for security failings that exposed the personal information of 79,404 individuals.

In this article, we discuss the key information that businesses must disclose to avoid being in breach of their data protection obligations and facing such penalties.

Information that must be disclosed under the UK’s Data Protection Regime

Controller's Identity – the privacy notice must include the business’ full legal name and contact details.

Data Protection Officer (DPO) – only certain businesses are required to appoint a DPO. This includes where their primary activity requires regular and systematic monitoring of data subjects, or where special category data (i.e. data relating to race, religion, physical and mental health, political views, etc.) or data relating to criminal convictions and offences is processed on a large scale. If the business is required to appoint a DPO, the contact details of that nominated individual must be provided.

Legal Basis – there are six legal bases that allow a business to process personal data, namely:

1. Consent from the data subject;

2. The processing is necessary for performance of a contract;

3. The processing is necessary for compliance with legal obligations;

4. The processing is necessary to protect the vital interests of an individual;

5. The processing is necessary for performance of a task carried out in the public interest; and/or

6. The processing is necessary for a legitimate interest of the business.

Businesses must disclose the legal basis or bases that they rely on to process the data subjects' personal data.

Purpose – businesses must set out a purpose or list of purposes for processing data that accurately reflects their practices. This might include, for example, the purpose of delivering a customer order or dealing with customer requests, complaints or queries.

Legitimate Interest – legitimate interest is one of the grounds most often relied upon to permit processing. Where a business is relying on a legitimate interest of the business as the legal basis for processing, then the details of that legitimate interest should be disclosed too. The business must also make sure that their legitimate interest does not override the fundamental rights and freedoms of the data subjects which require protection (this is known as the “balancing test”).

The Recipients – if a business is going to disclose any personal data to third parties, the recipients or categories of recipients of personal data must be set out in a business’ privacy notice. A recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed. This means that even entities within the same business group must be disclosed if they are a recipient of personal data. If categories of recipients are used instead of specific names, their activities, industries, and locations should be clearly described.

International Transfers – if businesses are transferring data to one of their offices or another legal entity in a different jurisdiction, then they must disclose this practice. Recent case law has suggested that businesses that transfer data internationally must disclose the name of the recipient country, whether or not the UK Government considers that country to have an adequate data protection regime. For countries that have inadequate regimes, the regime also requires businesses to outline the safeguards they have put in place to ensure the same level of protection as that afforded by the UK. In situations where neither adequate regulations nor safeguards are in place, businesses may still transfer data by relying on one of the exemptions permitted under the regime, for example by obtaining the data subject’s explicit consent, provided that the individual has been clearly informed of the risks associated with the lack of an adequacy decision and appropriate safeguards.

Data Retention – data retention policies must be disclosed, specifying how long personal data will be stored. There is no specific time limit for data retention under the regime; however, data should not be retained any longer than is necessary for a business to fulfil its purpose (as explained above). If it is not possible to provide a specific retention period (e.g. because it changes per data subject), then businesses are permitted instead to disclose the criteria they use to determine such periods. Businesses are not permitted to simply state that the data will be retained for as long as necessary to fulfil its purpose.

Data Subject Rights – as briefly discussed above, data subjects have a number of rights in relation to their personal data, including:

1. the right of access to their personal data;

2. the right to rectify inaccurate data about them;

3. the right to require the deletion of their data where there is no good reason for the business to continue processing it;

4. the right to restrict processing (e.g. restricting the use of their unlawfully processed personal data);

5. the right to object to processing (e.g. objecting to the processing of their data for the purpose of direct marketing); and

6. the right to have their data transferred to a third party.

Businesses must disclose all data subject rights in their privacy notice.

Withdrawing Consent – where the legal basis for processing personal data is based on the data subject’s consent, the business must disclose the data subject’s right to withdraw that consent at any time. It is therefore often considered best to rely on more than just consent as a ground for processing.

Complaints – data subjects have the right to lodge a complaint with the Information Commissioner. They also have the right to issue a claim against a business that fails to comply with their rights. This information must be disclosed in a business’ privacy notice.

Statutory or Contractual Requirements – where data processing is required under statute, it is recommended that businesses disclose the specific legal provision or statute, or signpost subjects to government or industry guidance. Specific reference may not be required where a statutory obligation is widely understood by the general public. For both statutory and contractual requirements, the data subject must be informed of their obligation to provide personal data and the consequences of failing to do so.

Automated Decision Making – automated decision making includes decisions made by automated means and without human intervention, such as an aptitude test used in recruitment. Businesses that use automated decision making must disclose the existence of such processes. Additionally, they must disclose information about the logic involved in the decision making, and the significance and the envisaged consequences of processing a data subject’s personal data by such means. Decisions made solely through automated decision making are restricted to the following circumstances:

1. necessary for entering into or performance of a contract between a business and the data subject;

2. authorised by law (for example, for the purposes of preventing fraud or tax evasion); or

3. based on the data subject’s explicit consent.

These circumstances are further restricted if special category data is being processed. In the circumstances referred to in points 1 and 3, businesses are required to implement suitable measures to safeguard the data subjects' rights, freedoms and legitimate interests. At a minimum, these measures should allow data subjects to:

1. obtain human intervention in the decision making process;

2. express their point of view; and

3. obtain an explanation of the decision and challenge it.

Although these rights are not explicitly required to be disclosed under the regime, businesses may want to include such rights in their privacy policy to ensure they are in compliance with their safeguarding obligations regarding automated decision making.

Conclusion

Many businesses collect, use, or store personal data, often without fully realising the extent of the information they are legally required to disclose to remain compliant with the data protection regime. By adhering to these guidelines, businesses can ensure that their privacy notices uphold their customers' right to be informed and meet the necessary transparency requirements.

How to Get in Contact

We specialise in data protection and privacy law. If you're concerned that your business’s privacy notice may not comply with the current data protection regime, or if you need legal advice on any of the issues mentioned in this article, please feel free to contact a member of our team on +44 (0)203 987 0222 or email us at info@ilaw.co.uk.

About the author

Samantha McManus
