Data Protection Toolkit - Frequently Asked Questions
This FAQ contains some guidance and advice on the types of questions and scenarios we are regularly asked by the community and voluntary sector. Though we're trying to provide assurance in many cases, you should read more widely about a topic if you're still unsure about what to do.
Useful information and links to guidance, such as that which the Information Commissioner's Office provides, are included. We'll continue to add questions as we get them.
1. We're a very small group with only a couple of unpaid staff. We don't store data electronically. Does data protection apply to us?
This can be as much as collecting or storing information, even if the only personal data that you have is on your employees or volunteers. Most organisations have a legal obligation to process personal data in this respect, in which case data protection laws would apply.
Data protection laws will apply no matter how your personal data is held, either electronically or on paper. The size or purposes of your organisation (charity, community group, sports club, small business) won't provide an exemption from the laws.
If you are truly confident that you don't process any personal data in the course of your work, then you aren't bound by data protection laws. It is quite unlikely that an active group that works with people would not be covered by data protection laws.
The data protection legislation that will apply to you are:
- The General Data Protection Regulation (GDPR)
- The Data Protection Act (DPA) 2018
- The Privacy and Electronic Commuication Regulations (PECR)—if you have a website or carry out electronic direct marketing
GDPR Article 2 - Material scope
Organisations that determine the purposes for the personal data that they process (controllers) are required to pay an annual data protection fee to the Information Commissioner's Office. In most cases where you process personal data, your organisation is a controller (otherwise it would be a processor).
However, there is an exemption from the 'data protection fee' for not-for-profit data controllers, which depends on the purpose of the data processing. If all of the personal data that you process is not processed electronically, you will also be exempt from the fee. If you're unsure about whether you qualify for this exemption, the ICO's self-assessment is very quick and easy to complete.
If you have CCTV for crime prevention purposes then you will have to pay a fee—regardless of your not-for-profit status or data processing activities.
If an exemption doesn't apply to you, you will have to pay the fee every 12 months. For small organisations and charities who are not otherwise exempt, the annual fee is currently £40.
Exemption from the fee does not exempt you from data protection laws if you meet the definition in Question 1.
After the UK withdraws from the European Union on 29 March 2019 the provisions of the GDPR will continue to apply then as they do now, subject to any future changes which will, in any case, take some time to be decided upon.
As with other "direct EU legislation", the Regulation will be retained as part of the UK's domestic law under Section 3 of the European Union (Withdrawal) Act 2018). The Data Protection Act 2018 interlocks with the GDPR and introduces some derogations and exemptions to clarify the UK laws.
There may be implications for the "adequacy" of the UK as a destination for transfer of personal data once it leaves the EU, and continuing membership for the UK Information Commissioner on the European Data Protection Board is doubtful. The European Commission will ultimately rule on this, unless a bi-lateral agreement is reached before the Brexit date.
So while there is the possibility of change, for the meantime and for the intents and purposes of your organisation's work, the main provisions of the GDPR will continue apply as they do now.
Update: Please see the article What happens to data flows after a no deal Brexit? and the links below.
ICO, Data Protection Act 2018
Deloitte, GDPR & Brexit: is there a need for an adequacy decision?
DCMS, Data Protection Act 2018 — Factsheet: Overview
DCMS, Data protection if there's no Brexit deal
ICO, Guide to the GDPR: International Transfers
The GDPR does not include a general age limit at which a person is considered to be a child for the purposes of obtaining consent apart from in the case of online services offered to a child.
The concept of competence is key when you are relying on consent as the lawful basis for processing. Remember that you may be able to use another lawful basis other than consent, and in the case of children's data an alternative may be more appropriate. Even if you do decide to use another lawful basis (for example, legitimate interests) you will still need to take the child's age and understanding into consideration.
The consent must be 'informed' to be valid under the terms of the GDPR. If you are seeking consent from the child, you must ensure that they have the competence to understand what they are consenting to, as they are not as likely to understand the risks and consequences as an adult. You can seek consent from the person with parental responsibility if you don't think a child is competent to consent for themselves.
A privacy notice aimed at a child should be written in a way that it can be understood by them. If you are seeking consent from the person with parental responsibility, you can have two privacy notices: one for the parent and one for the child.
In the case of providing online services to children in the UK, if the child is under the age of 13 you require consent from the person with parental responsibility (with the exception of online preventative or counselling services), as specified by the UK Data Protection Act 2018. You should have appropriate age-verification procedures in place and should also be able to verify the identity of the person giving consent for the child as the person with parental responsibility. Other countries in the EU may have decided on different age levels, which can be between 13 and 16, so take care if offering online services to children outside of the UK. In Ireland the age is 16.
GDPR Article 7 - Conditions for consent
GDPR Article 8 - Conditions applicable to child's consent in relation to information society services
ICO, Guide to the GDPR: Consent
ICO, Guide to the GDPR: Children
ICO, Children and the GDPR: Guidance
The purposes of the photograph will inform whether it is personal data. The examples that the ICO gives considers the case of a photograph of a large crowd with no one person or small group of people as the focus of the image. In this case, so long as the photograph is not being used to determine the identity of any individual in the scene (as would be the case for most photos intended to publicise and event), it's not considered to be personal data.
If a photograph is likely to identify someone, for example, a photograph of a single person or a smaller group of people, then it could be considered personal data. If the photo is going to be displayed or published (on a display board, advertising, websites or social media), it is wise to obtain permission first.
You should explain how the photograph will be used, preferably at the time or in advance, so that the people are aware what will happen with their image. If it's clear what you're doing in this case, you don't normally need to provide a privacy notice.
In the case of young children who would not be considered able to consent for themselves, you should seek parental consent. The ICO has produced separate guidance about taking photographs in schools.
6. A funder requires us to provide community background and other sensitive information about programme participants. How can we do this under data protection laws?
Often, funders ask an organisation to provide monitoring information on programme participants so that they can gauge the success of projects on underrepresented groups, or because their own Section 75 duties requires it (in the case of government authorities). In other cases, you may wish to monitor equality of provision for your own purposes.
Data protection law does not prevent the processing of personal data for monitoring purposes, providing that the processing is carried out in line with the data protection principles .
You organisation is being funded to provide employment and training advice to unemployed people in the local community. The funder requires that you ask programme participants about their age, gender, community background and disabilities, and report back to them about the numbers or percentage of participants in each category.
Step One - Think about the legal basis for collecting and sharing the information
As with the processing any personal data, you need a lawful basis to satisfy what you intend to use it for.
In most cases you will be able to rely either on the consent of each individual to collect and share their information for this purpose, or undertake an assessment that to do so is necessary in order for the funder to achieve the purpose of equality of opportunity (a ' legitimate interest ' of a third party). See more about using legitimate interests and carrying out this assessment here.
Consent must be 'freely given', or it is not considered to be valid. E ven if the person has agreed, they must be free to withdraw their consent for that information to be processed at any time. This means that their providing the monitoring information to you is optional, and can't be used as a condition for you to refuse the service if they don't agree or they withdraw their consent. You therefore need to carefully consider the possible impact of using consent for this purpose.
Step Two - Consider the nature of the data you are dealing with and if if falls under the definition of 'special category data'
Many of the types of sensitive personal data that are frequently monitored in this way will be considered ' special category data ' under the GDPR. For example, information about an individual's:
- race or ethnicity,
- religious of philosophical beliefs (e.g. 'community background'),
- political opinions,
- health or disability,
- sexual orientation.
Note that age and gender are not special category data.
If some of the information you collect for this purpose meets the definition in Article 9 of the GDPR, you will need to consider whether you are doing so under one or more of a set of conditions, in addition to the lawful basis.
Step Three - Determine if your processing meets a condition for processing special category data
There are 10 possible conditions detailed in Article 9 of the GDPR. It is likely that one of the following two conditions could be applied in respect of the funder's request:
● you have the explicit consent of the data subject for the processing (Article 9(2)(a)), or
● the processing is in the substantial public interest (Article 9(2)(g)) as set down by the UK Data Protection Act 2018 Schedule 1 Part 2
The benefit of relying on explicit consent is that your lawful basis and condition for processing special category data will align.
However, you should only use explicit consent if the consent obtained has been 'freely given', and where the person is able to withdraw their consent without suffering detriment. This will me an that the individual should not be obliged to agree or to provide the information to participate in your programme or project.
For explicit consent, a clear statement (either oral or written, but preferably written) should be used to affirm the participant's agreement (see ICO guidance on explicit consent). The statement should cover what you intend to do with the information, for example: " I consent to you using this information to monitor participation in this programme and acknowledge that you may share this information, in an anonymised form, with [funder]".
Name the funder or funders if it is possible to do so in this consent statement, or link to a list of funders if there will be many.
If using a written or online form, an unticked box should be provided so that the person has the option of giving their explicit consent.
Substantial public interest (equality of opportunity)
If using the data for equality monitoring purposes is not optional for the data subject, you will need to consider an alternative to using consent for you lawful basis as well as the condition for processing special category data.
The UK Data Protection Act specifically cites "equality of opportunity or treatment" ( Schedule 1 Paragraph 8) as a substantial public interest condition for processing some types of special category data.
This condition can only be relied upon to the extent that the use is necessary to achieve the aim of monitoring the equality of opportunity or treatment with a view to promoting or maintaining equality.
You should also note that this condition covers only personal data relating to racial/ethnic origin, religious or philosophical beliefs, health data, and the person's sexual orientation. It does not cover the other types of special category data (notably data about a person's political opinions). This suggests that if you do need to collect information about a person's political opinion (for example a political view or who they vote for), it will need to be a conditional add-on.
What else do we need do?
Inform the data subject
Irrespective of what lawful basis or condition you rely on, you must make clear to the individual what information you are collecting this information and how it will be used, including who it will be shared with. This should be clearly set out in your privacy notice and the point at which you collect the information.
Data minimisation (anonymisation)
Whatever you process, you should be mindful of the ' data minimisation ' principle (limiting personal data to what is necessary for its purpose).
- First of all, if it were possible to anonymise the information at the point of collection so that even you could not link it to an individual, that should be considered.
- Alternatively, i n the case of reporting back to the funder, you should provide anonymised results (e.g. 45% of participants from X community background), rather than sharing information that would identify any individual on the programme.
- If this is not possible, you need to be able to justify why it is necessary for you to transfer special category data about a named individual to a funder. You may have to engage with the funder to establish if this is truly necessary.
You should also pay particular attention to how long you retain this information for and in what format.
- If the data hasn't been anonymised at the point of collection, can you justify holding on to this special category data for the duration of a programme after it has been shared with the funder?
- If so, on what lawful basis and for what purpose can you retain the information for longer?
- If you rely on consent for retaining this information, was the consent you obtained sufficient to enable this?
- Was the individual told how long you retain the data for?
Your rule of thumb should be whether the person would expect you to hold on to the data after the initial analysis has been completed.
Another important principle in the GDPR is that of 'purpose limitation'. If you have collected data for one purpose (in this case, monitoring for equality of opportunity), you shouldn't use it for another purpose that is not compatible with this. Most importantly, you should also not use any of this information to support or make decisions about whether or how you provide the service to the individual.
ICO, Guide to the GDPR: Special Category Data
ICO, Monitoring under section 75 of the Northern Ireland Act 1998 [pdf]
ICO, Guide to the GDPR: Consent
ICO, Anonymisation Code of Practice
Article 29 Working Party, Guidelines on Consent under Regulation 2016/679
UK Data Protection Act Schedule 1 Paragraph 8
If you're a charity, you're almost certainly going to have to process the personal information of your trustees as part of a legal obligation or good business practice. You have a legal duty to provide trustee declarations to the Charity Commission. If you're making reimbursements to trustees (for out-of-pocket expenses, for example) you have to disclose this information to the Commission and retain the payment forms as part of accounting records for six years. Charitable companies also have to retain records on resolutions and decisions by members for ten years.
Trustees' personal data should not be treated any differently from any other person's data with regard to data protection. You should make sure that trustee information is adequately covered in a privacy notice , that it is processed fairly and with an appropriate lawful basis , such as legal obligation or legitimate interest.
Trustees may need access to personal information on occasion in the course of discharging their duties, for example, to access the Register of Members. As with any other use of personal data in your organisation, this should be limited to what is necessary for them to perform their task. You should ensure that trustees return any copies of personal information that they might have after leaving their position.
8. Someone has made a request for their data, but providing a response may harm them or create a danger for someone else. What can we do?
However, the right of access ( Article 15 of the GDPR) is not absolute, and you might have a genuine reason for wishing to refuse to provide the information. In some situations, confirming that you process their data or giving the data to the person could be harmful to them or another person.
An abusive partner requests their personal data that a domestic abuse helpline collected when providing help to the abused victim. The very act of confirming that such data exists could expose the victim to further harm.
Sharing a counsellor’s notes with a patient who requests them under the right of access. In certain situations, this could put them in risk of the danger of self-harm if they are in a vulnerable state.
If you receive a subject access request, your first step should be to make sure the person making the request is who they say they are. However, you should use only reasonable means to establish the person's identity, and you can't use this process as a deliberate obstruction to avoid responding to a valid request.
The next step is to decide whether you are obliged to comply with the request.
The GDPR allows you to refuse a request if it is "manifestly unfounded or excessive". The onus is on you to show that it is, and if a request could be complied with if the individual provided further clarification, you should be seeking such clarification.
Article 15(4) also allows you to refuse the right to supply a copy of the data if doing so would “ adversely affect the rights and freedoms of others”. This may apply in the case of the first example. Again, it would fall to you as the data controller to be able to demonstrate that this is the case.
The UK Data Protection Act 2018 sets out specific exemptions to the right of access:
- You may be exempt from complying with an SAR if in order to do so you would also have to disclose information relating to someone else who can be identified but who hasn’t consented to the sharing – provided that it would be unreasonable to do so without that other person’s consent.
- If the data you hold relates to an individual’s health, you may be able to rely on the ‘serious harm’ exemption. This allows data about health issues to be withheld if the disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another person. A controller must seek the opinion of an appropriate health professional if they want to use this exemption. See more about how to apply the serious harm test.
The Data Protection Act is clear that you do not need to tell the person that their request is being denied if this would undermine the purpose of the refusal (Section 45(6)) – for example, if by confirming that you process their data in itself would cause harm. In this case, a 'Neither Confirm nor Deny' response could be given.
You should evaluate these situations on a case-by-case basis, rather than applying a blanket policy. You will need to be able to justify your decision. Keep a record of the request and the reason for your decision to refuse it. If a complaint is made to the ICO or through a court, you may need to provide this record as evidence.
Remember that an individual is entitled only to their own personal data, and not to information that could identify another person, except where the other person has consented to this or it would be reasonable in all circumstances to comply without their consent.
Data subjects can exercise their rights through a third party. This could be their solicitor or another person that they're comfortable can act on their behalf, such as a family member or close friend.
For example, a person could have someone else make a subject access request for them, or ask to have their personal data erased.
You need to be sure that person making the request is entitled to act on behalf of the data subject. It is the third party’s responsibility to provide evidence of this, which could be a written authority or the power of attorney.
Although there are no specific provisions in the GDPR, the High Court Office of Care and Protection in Northern Ireland can empower a third party to act on behalf of a person who does not have the mental capacity to manage their own affairs.
Your service provides domiciliary care for elderly people. One of your healthcare workers is visiting a patient's home where their daughter - who is well-known to you and is the primary contact for her mother - asks what information you have about her mother and the care she's receiving. The daughter does not have the power of attorney, but explains that her mother doesn't feel able to handle the request by herself. It's not clear to you if you should comply with this request.
Charities and voluntary organisations are often in close contact with the relatives of service user. If a relationship like this exists and a family member makes a request on behalf of their relative without having the power of attorney, it is possible to respond to comply with the request, though you would not be legally compelled to do so. It would not be unreasonable to ask for more formal provisions where you have doubts about the suitability of responding to a third party's request.
Children have the same rights over their personal data as adults do. There is no particular age limit. A competent child should be allowed to exercise his or her own rights if they have an understanding and are competent in doing so, unless it is clear that this would not be in their best interests. Where a child would not understand their rights or is not competent in making use of them, an adult with parental responsibility can exercise rights on the child's behalf.
You can send the response directly to the data subject rather than to the third party if you think this would be more appropriate in the situation.
ICO, Guide to the GDPR: Right of Access
ICO, Guide to the GDPR: Children, What rights do children have?
Though an opinion about a person would be considered to be personal data (whether or not it has been given in confidence), there is a specific exception to the right of access for references which have been given in confidence under the UK Data Protection Act 2018 (Schedule 2 Paragraph 24).
This closes a previous loophole under the 1998 Act where the detail of a reference written for someone was exempt, but the same reference received by the other organisation (e.g. a prospective employer) was not.
The exception applies to any personal reference made in confidence for prospective or current:
- education, training or employment positions
- volunteer placements
- appointments to office (e.g. board members)
- provision of services (e.g. pre-contract checks)
This covers any reference given by your organisation (or by an employee where that reference was made in an official capacity), as well as any reference received.
You should omit any confidential references in a response to a Subject Access Request, and you can turn down any requests made by a data subject which seek this information. This includes both who the reference was given by as well as the contents of the reference itself.
One of the motivations behind the GDPR is to ensure that there are consistent levels of data protection across the EU, and to allow the free flow of personal data between them.
Cross-border processing applies where a controller or processor is established in more than one EU Member State, or the processing "substantially affects" data subjects in another Member State (as defined in Article 4(23) of the GDPR). This would apply regardless of the particular EU Member States.
One of the difficulties in cross-border processing is determining which supervisory authority is responsible for regulation and enforcing data subjects' rights.
The Data Protection Commissioner (DPC) has jurisdiction over Ireland, while the Information Commissioner's Office (ICO) is the supervisory authority for the UK. Therefore, it's not immediately clear who you would report a breach to when your processing takes place across the island of Ireland—and trying to figure this out in the 72 hours that you have to report a breach might be a source of stress.
The GDPR provides for a single lead supervisory authority in the case of cross-border processing (a "one-stop shop"). This means that wherever your main establishment is, that's where your lead supervisory authority is going to be. This is the place where decisions on the purposes and means of the processing takes place. So if your central administrative offices were in Dublin and this is where these decisions were made, the Irish DPC is the lead supervisory authority.
However, you should be aware that even if you are established only in one Member State that "concerned supervisory authorities" from other Member States can get involved. If you have a data subject who is resident in another EU country (note that citizenship isn't a factor) they could complain to the supervisory authority in that country, who could then investigate their case and act in cooperation with your own supervisory authority.
Note that this can be a complex subject, with less clear-cut cases such as groups of undertakings, joint controllers and borderline cases. Please read the further information before making a final decision. The Article 29 Working Group guidance has a useful question matrix to help determine the lead supervisory authority for cross-border processing.
Data Protection Commissioner, Cross-border processing and the one stop shop
Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority
12. We hold personal details for emergency contacts. Do we need their permission? Can we collect contact details in an application form to get references?
Sometimes, you find a need to have personal data that has not been collected from the data subject (the person who the information is about). Obtaining the consent of the data subject themselves might be difficult, or doing so might seem to be a needless hindrance to getting on with your work. Depending on what you intend to use those details for, it is reasonable to continue to hold the information without having first sought permission from the data subject.
The use of legitimate interests requires that three tests be satisfied:
- identify a legitimate interest (either for yourself, the data subject or someone else)
- necessity to process the personal data in question to meet this purpose
- achieve balance between the processing and the rights and freedoms of the data subject
Each of these are addressed with the examples below.
You collect emergency contact details (for a family member or friend) from people who attend a daytime course, or you hold emergency contact details on your staff and volunteer files.
- In this case, you can identify a legitimate interest of your own as a responsible service provider, venue or employer to ensure the safety and welfare of people you have an obligation of care towards. It could also be argued that it is in the interests of the individual themselves to have a family member or friend contacted in the event of an emergency.
- You have determined that it is necessary for you to have this information, usually a name, relationship, telephone number or other contact details. There is no legal requirement that you must do so, but this follows best practice and you can forsee a need to use this information.
- On balance, it would be reasonable for family members or friends to expect that their relation will provide their contact information, and that you might use this to contact them in the event of an emergency. You won't use the information for any other purpose, and you will ensure that it is kept securely.
It is good practice to ask that the person providing the details has the permission of their emergency contact, and that they keep you updated if any of those details change.
In this type of scenario it is unlikely that you will have a purpose for the emergency contact details once the attendee leaves the course, or once the member of staff or volunteer no longer works with you. Therefore, you should securely erase the information in keeping with the principle of storage limitation (take care that this is done confidentially when held on hard copy).
In receiving job applications, you ask for contact details so that you can request employment and/or character references.
- You can identify a legitimate interest. It is in your interest to carry out checks on past employment performance and obtain character references to enable you to appoint a suitable candidate.
- It is necessary to carry out the processing activity to meet the purpose of your interest. To do so you will need contact details for the referees so that you can email, phone, or write to them, as well as other information that will help you understand their relationship to the candidate. In most cases, it is only necessary to contact referees once you have a provisionally chosen a candidate for appointment.
- You consider that the balance test is met as you would expect that a candidate would check with their referees that they are happy to supply a reference, and they would expect (especially in the case of a former employer or line manager) to be asked to provide a reference. You are not doing anything unusual with the information, and you only collect and use it for the purpose of obtaining a reference. The candidate will also expect this to happen having supplied you with their chosen referees' information, and that any opinion given by the referee will be used as part of the appointment process. Such references are usually given in confidence, and disclosed only to the recruitment panel.
As with Example 1, you should ensure that you dispose of the contact details and the given reference once they are no longer required as part of the recruitment process. This might form part of your retention policy covering applications for unsuccessful and successful candidates. See also the question above on the disclosure of references under the right of access.
On a side note, relying on a candidate's consent to use the reference for it's intended purpose would not be a good idea. One of the conditions for consent is that it should be "freely-given", and a person should not face detriment for refusing. If a job candidate did not give you their consent to process their personal data (obtain and use the reference itself), you would be stuck as to what to do next. In this case, because you are taking steps prior to entering a contract with the candidate (an employment contract), this would be a more suitable lawful basis. If the person is a volunteer and there is no contract of employment, then legitimate interests presents a possible lawful basis.
PeopleHR.com GDPR - Can I process next of kin details?