The issue of providing information to Data Subjects and how that information is provided, is perhaps something not many businesses have not given much thought to lately. Indeed, our experience has shown that many businesses have ignored it completely, beyond having a basic privacy notice.
In this blog we cover two issues relating to the provision of information to Data Subjects:
- Bringing privacy notices and policies to the Data Subject’s attention; and
- The level of information provided to Data Subject’s in those notices/policies.
Key Terms
What is a data subject?
A data subject is a ‘natural’ person (a human being) who has given their personal data to the controller and who can be identified, either directly or indirectly, from that data. Examples include customers, employees and job applicants.
What is a data controller?
The data controller is the party who dictates how data subjects’ data is processed and for what purpose. The data controller can be an individual person or a company.
What is a data processor?
The data processor simply processes the personal data on behalf of the data controller. For example, a payroll software that processes pay slips, wage payment and pay rises on behalf of a company using their platform.
Why businesses need to consider how they provide information to Data Subjects
Even a cursory view of website privacy notices will show that businesses often provide only a basic level of information to data subjects, believing that doing so complies with the GDPR.
There are many reasons why this is the case, possibly the businesses already had a ‘fair processing notice’ in place to comply with the Data Protection Act 1998 and they believed that simply tweaking that notice was sufficient. Alternatively, they may believe (or have been advised) that providing only the minimum of information mandated by Articles 12 -14 of the GDPR was sufficient. Whatever the reason, in the majority of cases those initial views no longer hold true.
It is almost six years since the GDPR came into being and almost four years since it came into force. During this time guidance provided by the ICO, the European Data Protection Board and other institutions has matured and case on specific provisions has developed. In particular, the ICO and EDPB have provided detailed guidance on the Controller’s Article 5(2) ‘Accountability Principle’ duty that requires Controller’s to be able to demonstrate their compliance with the Article 5(1) Data Protection Principles.
The Accountability Principle means that businesses (whether Controllers or Processors) have to take a more considered approach to the provision of information, meaning more detailed information has to be provided to Data Subjects on all aspects of data processing.
The developments in data protection law and guidance since the GDPR’s introduction is accompanied by increased Data Subject awareness of their rights. This knowledge has led to what has been described as the ‘weaponizing of data protection’, the increasing exercise of these rights by data subjects and their lawyers to obtain redress for a breach of those rights.
This has led to a steady rise in breach of data protection, misuse of private information and breach of confidentiality claims. While recent judicial decisions have clarified the requirements for bringing such claims and on their value, the courts have not sought to prevent genuine claims.
Bringing Privacy Notices and Policies to Data Subjects’ Attention
It is convention (but not a rule) that inward facing information on data processing (i.e., that for employees) is contained in a ‘privacy policy’, while that related to external data subjects (e.g., contractors, clients, customers, service users) is in a ‘privacy notice’.
If in the course of business, you send an email to a named individual, you have either before sending that email, or at the time you send the email, to provide that individual with all relevant information mandated by Articles 12-14 of the GDPR?
Article 12 imposes a duty on Controllers to take appropriate measures to provide any information required by Articles 13 and 14 (regarding personal data you have obtained from the Data Subject or from elsewhere (respectively) and regarding any communication you have received or entered into in relation to Data Subject rights under Articles 15 to 22 and 34.
Mandated information can be provided in writing, or by other means, including, electronically and additional provisions apply where information is provided to a child.
Providing information in a privacy policy or privacy notice is fine but the Controller has to demonstrate that the policy or notice has also been brought to the Data Subject’s attention, otherwise that data processing may be unlawful.
A solution is to include (and draw the individual’s attention to) a link to your privacy policy or notice in email footers.
How much information your business should provide to your data users?
In addition to the information mandated by Article 12 – 14, the GDPR Article 5(1)(a) (Lawful, Fair and Transparent Principle) imposes a duty on Controllers to ensure that it has a basis in law for processing personal data. It should be noted that this Article 5 requirement is separate for the Article 6 (and in the case of special categories of personal data, Article 9) lawful basis for personal data processing.
The Fairness and Transparency requirements of Article 5(1)(a) impose a duty on Controllers to be ‘clear, open and honest’ with data subjects from the start about how you will use their personal data. Included in this requirement could, for example require you to provide Data Subjects (or at least make available to them) information about how you have implemented the Article 5(1) data protection principles, complied with the Article 25 Data Protection by Design and by Default principles and what technical and organisational measures you have implemented to comply with Article 32 (data security requirements). This is not an exhaustive list, but some of the key requirements on which you may need to provide information.
The ICO provides that in order to make your clear and intelligible, that you may wish to ‘layer’ your privacy notice/policy.
The Accountability Principle also requires Controllers to effectively manage and respond to Data Subject complaints and those who fail to do so can find themselves embroiled in correspondence with angry Data Subjects, who complain to the ICO.
The ICO’s response is generally to require the Controller to respond to the Data Subject, dealing with the complaint and explaining why the Controller failed to properly address the complaint at the outset.
Our experience is that such responses must be well managed and that failing to adequately respond to Data Subjects complaints (particularly in response to an ICO letter) often leads to further correspondence and increasingly, damages claims. In any event, such complaints are time consuming, costly to deal with, and can often damage the Controller reputationally.
To comply with its Accountability Principle duties, it is important that Controllers understand what information has to be provided to Data Subjects (including that required over and above the mandatory Article 12 – 14 information) and that this is reflected in their privacy notices and policies. The policies/notices should be updated to reflect any changes in data processing activities and that Controllers can demonstrate they have brought those notices/policies to the attention of Data Subjects.
Businesses who are unsure what information to provide to Data Subjects and how/when to provide that information should seek expert legal guidance. Get in touch to find out how our specialist lawyers can help.