by Rebecca Elliott, Solicitor
For a long time I have found that very few people really understand the implications and requirements of Data Protection Legislation and simply add it in to agreements because they have to.
This week, after some work with our Data Protection Officer, Nicola, it finally clicked into place for me exactly why we are insisting on certain requirements in what seems like everything we do.
And the answer… well, it's really just common sense, so I wanted to share this.
Data Protection in the context of the Data Protection Act 2018 relates to personal data, meaning anything that identifies a person, e.g. name, address, date of birth, email address.
When this is collected from someone, that person will be aware of the reasons they are providing the information (or at least they should be). For example, they are signing up for a course and need to provide their email address so that course materials can be sent over, or their phone number so that a change of venue can be communicated.
It is not necessary to go into this level of detail so long as the person providing the data knows that it will be used to facilitate the course they are signing up to.
Further, it might not be appropriate to go through this sort of detail in a phone call or enquiry email, so the person (the data subject) can instead be referred to a Privacy Statement.
Privacy Statements are documents that explain exactly how data will be used and how long it will be kept for. This might include whether the information is going to be passed on to third parties. They are often found on an organisation's website, as links can then easily be provided.
So, carrying on with the example of signing up for a course: the person or organisation providing the course may not be delivering it themselves; they may be using an independent third-party expert to present it. It may therefore be necessary for participants' names, email addresses and contact numbers to be passed on. This is fine, as long as the data subject was aware of this at the time they gave their details.
The third party will then become either a Data Processor or a Data Controller of that data in their own right.
A Data Processor only uses the data as specifically instructed. For example, if they are told that they can email out course materials then they can, but they should not use the email address for any other purpose, e.g. requesting feedback on the course.
If, however, you wish to give the third party discretion to use the personal data as they see fit, then that third party will become a Data Controller. They can send whatever they see fit to the email addresses without your direct say-so.
As a Data Controller, the third party must ensure that they abide by the Data Protection Legislation and will be liable in their own right for any data breaches. Even though they have the discretion to use the data as they see fit, that use must still comply with the Data Protection Legislation.
However, again, if you are passing on data to a third party to act as a Data Controller, you must have made the data subject aware that you would be doing this when you collected their data. This reinforces the need for a comprehensive and robust Privacy Statement.
So whenever you are going to be collecting and handling people's personal data, always think carefully about why and how you wish to use it, and make sure the correct safeguards are in place. Data Protection Legislation is not in place to make life difficult or to discourage the use and sharing of data; rather, it is there to make sure data is handled in the right way whenever it is used or shared.
If you have any questions about Data Protection, do not hesitate to contact our Data Protection Officer at firstname.lastname@example.org