FSFRebecca Posted February 6, 2018 Share Posted February 6, 2018 Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year. I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525] Thing you need to know: • GDPR stands for: General Data Protection Regulation • The new regulation comes into effect from 25th May 2018 • Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them! Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11. This is what early years settings might like to think about in preparation. • Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. • Use the audit sheet to document the audit process • Collate details from 'To Do' list - make action plan • Complete action plan! This is #6 of 12 threads which will help you think about what you need to do to be ready for 25th May 6. Lawful basis for processing personal data One of the key points of GDPR is that you must have a lawful basis for processing personal data. A lawful basis means ‘a reason’. The reason needs to be legally defensible (so not just ‘because you thought it was a good idea’). There are 6 potential lawful basis'. We will go through each one in turn, so you can work out what your legal basis is for each of the categories of personal data you process. The first lawful basis is one most of you will already be aware of ‘Consent’. Consent is focused on quite heavily throughout the GDPR. As well as a requirement to make consent more of a conscious choice (rather than through pre-ticked boxes for example) it requires controllers (i.e. you) to think more carefully about the language they use when explaining what data subjects are consenting to. Basically, it means that if you want to process someone’s personal data, it will be lawful if you’ve explained to them (and they agree) exactly what you’re taking, how and why you’ll use it, and when you’ll delete it/return it to them. You don’t need to rely on consent though, and there will quite a few occasions where it’s better not to. You can also process personal data for one of the following 5 reasons: Contract – A lawful basis for processing data would be if it was “necessary for the performance of a contract to which the data subject is party”, for example if an existing parent wanted to take advantage of your home drop off service in the school minibus it would be necessary to know their home address in order for you to fulfill that contract. Unlike with 'Consent', the data subject can't ask for their data to be deleted if they want the contract to continue. Your lawful reason for processing can also be ‘Contract’ if you need some data before you can enter into a contract with the data subject. For example, if a parent wants a brochure about your nursery so they can decide whether they want to send their child to your setting, you will need their address to be able to send it to them. Contract does not cover ‘Special Category’ data. If you want to process that you cannot rely on contract alone – you must also identify a separate condition. Take a look at this ICO guidance for what is included in special category data: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/. What this means is that you can’t say that you will only allow a child to attend (and for their parents to take out a contract with you to that affect) if you are told which religion they are. If you want to know that information, you will need to rely on a different ‘lawful basis’. Compliance with a legal obligation – This basically means that if the law says you must collect certain data, then you can, for example, to ensure your own compliance with the statutory framework. Because it applies to your statutory obligations, this will be quite a common reason for settings to process personal data. If you are processing based on this, then the data subject does not have the ‘right to erasure’ (which means they can’t ask for their data to be deleted while it’s still being used to fulfill the statutory obligation). Consequently, there will be some personal data that parents won't be able to refuse to give you/ask you to delete if they want their children to continue attending the setting. Compliance with a legal obligation is also one of the conditions in which you can lawfully process special category data, so can be used if you are collecting data about health for example. Vital interests – You can process personal data if you’re doing so to protect someone’s life, and that someone does not have to be the data subject themselves. Generally, this relates to health data and it’s fairly unlikely that you’ll use this within a setting. So, if for example, you are caring for a child with a medical condition you would need to hold more personal data about them than you would about a child who does not have a specific medical need. It will be ok for you to ask for this data and keep it as it will enable you to act in the child’s best interests in the event of a medical emergency. Public interest - You can justify processing someone’s data if it’s to perform a specific task in the public interest if it’s laid out in the law, or if you’re a public body fulfilling your tasks. This is mostly relevant to government departments or companies doing something to do with public administration. Legitimate interests – This is a relatively flexible potential lawful reason for processing, which essentially just says that if you have a ‘legitimate reason’ to do it for yourself or a third party you can collect and store data. If you are relying on this lawful basis to process data, you need to make absolutely sure you can really justify it. Generally, it can be used if you’re processing data in a way that most people would reasonably expect, and which doesn’t have much of an impact on the data subject. You would need to explain why you needed to process the data though, prove that you couldn’t have achieved the goal without processing the data, and be positive that the result of that processing is more important than any impact you had on the data subject. You need to be especially careful if using this for a child’s data. An example of when you might use this is for you to collect data about a parent’s car registration. The statutory framework does not require you to collect that, but if you have a nursery carpark, and the car park attendant needs to know who is on site for security purposes, then you have a legitimate interest in knowing which car belongs to which parent. Whatever your official reason, you should always remember to document what it is in your privacy notice. You also need to stop processing it once the purpose you collected it for has been fulfilled. For example, you can collect parent contact details, so you can get in touch with them while their child is at your setting, but you can’t hold onto them after the child has left to invite them to fundraisers unless you have a lawful basis to do so (in this case you’d probably be looking for consent). 1 Link to comment Share on other sites More sharing options...
Mouseketeer Posted April 5, 2018 Share Posted April 5, 2018 Hi Rebecca Do you think it’s possible to have more than one ‘lawful basis’ recorded on the audit against a document? I’m thinking about my registration forms for example, some of the info is legal obligation (framework) but then something like agreeing to emergency treatment could be Vital interest or is it still consent as the parents are signing to agree to it? This paperwork cleansing might be good for the soul but it opens a bunch of questions ....we should all compare homework when done and see if we come up with the same basis...maybe a lawful basis quiz :-D Link to comment Share on other sites More sharing options...
FSFRebecca Posted April 5, 2018 Author Share Posted April 5, 2018 2 hours ago, Mouseketeer said: Hi Rebecca Do you think it’s possible to have more than one ‘lawful basis’ recorded on the audit against a document? I’m thinking about my registration forms for example, some of the info is legal obligation (framework) but then something like agreeing to emergency treatment could be Vital interest or is it still consent as the parents are signing to agree to it? This paperwork cleansing might be good for the soul but it opens a bunch of questions ....we should all compare homework when done and see if we come up with the same basis...maybe a lawful basis quiz :-D Hi Mouseketeer - Lauren and I have been working on an enrolment form - I'll post it up later this afternoon - just doing final tweaks to it! We have tried to answer some of the questions you have raised above 1 Link to comment Share on other sites More sharing options...
Mouseketeer Posted April 5, 2018 Share Posted April 5, 2018 Thanks both, I’ll be interested to see it :-) Link to comment Share on other sites More sharing options...
Recommended Posts