Are you meeting Data Protection transparency requirements?

06 May 2023

Essex County Council


This informal CPD article, ‘Are you meeting Data Protection transparency requirements?’, was provided by Essex County Council, the local authority for Essex, who have a vision for Essex to be a county where individuals, families and communities can thrive and prosper.

The Data Protection Act 2018 applies the UK GDPR (General Data Protection Regulation) standards. This legislation places specific requirements on those processing personal data for business reasons to be transparent about their use of personal data. Let’s look at the specifics. Transparency means being open and honest with people about why you are using their personal data, so it is not used in ways they would not expect. Transparency is fundamentally linked with fairness.

The right to be informed

The UK GDPR provides the individual with the right to be informed. This right is set out in Articles 13 and 14. To comply with the law you need to ensure that you:

  • Provide individuals with information about how you use their personal data, including: your purposes for processing their personal data, how long you will hold and use that personal data, and who it will be shared with.
  • Provide this information to individuals when you collect their personal data from them.
  • Provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month if you did not collect it directly from them.
  • Provide the information in a way that is concise, transparent, intelligible, easily accessible, using clear and plain language.
  • Consider using a combination of different techniques including layering, dashboards, and just-in-time notices. 
  • Regularly review and, where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

What should be in a privacy notice to Data Subjects?

Regardless of how you choose to present your privacy information, it must include the following:

  • The name of your organisation and contact details.
  • The name of your Data Protection Officer (where required) and your EU Representative (where required) and their contact details.
  • The purpose for your processing of personal data (why do you use it).
  • The lawful basis for that processing.
  • The categories of the personal data, e.g. contact details, health information.
  • Who you share that personal data with.
  • Whether the data is used, sent, or supported from outside the UK; and if so, how it is protected.
  • Whether you will use the personal data to make automated decisions or use it to profile individuals.
  • How long you will retain the personal data.
  • Where the personal data came from.
  • What rights the individual has in relation to your processing of their personal data.
  • If processing is based on the individual’s consent, how they can withdraw that consent.
  • How to make a complaint to the regulator, the Information Commissioner.

There are many ways in which you can provide this privacy information. For example, you may have a privacy notice on your website, or you may use a privacy dashboard, just-in-time notices, pop-ups, icons or other smart device technologies. However you provide your privacy information, you must keep the information under review, so that if you introduce new processing activities, or the way you collect or use personal data changes, it is quickly reflected in your privacy notices and provided to those affected by the change of use.

If you buy personal data you must still issue your own privacy notice explaining your use of that data. This applies even if you gathered the personal data from publicly available sources.

We hope you found this article helpful. For more information from Essex County Council, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.

References:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
