IT Panel blog - The role of the data controller cont.

7 December 2017

GDPR - The role of the data controller cont.

Welcome to Chapter 3. A brief update for those who have missed our words of wisdom so far. There is a new play about to hit town in May 2018. Sitting somewhere on the Aristotelian theatrical scale between a comedy and a farce, with plenty of melodrama (for those who get it wrong) and a smattering of history, the overall production is markedly more interesting than watching paint dry.

The Europeans have invented a new Data Protection regime. It is far more comprehensive than the previous regime and places more duties on the Bar and chambers than ever before.

In order to assist you, we have broken down the data protection play into a number of scenes, dubbed Chapters. There is an Introduction (the Programme) here, Chapter 1 (the Players) here, and Chapter 2 (Roles of Principal Members of the Cast) here. You cannot really follow the plot unless you read these - so please do. Seriously, it could save you a lot of anguish in the long run.

This Chapter 3 finishes off (no, not kills off; that is reserved for the theatre!) the data controller's role with regards to Principle 1. See the Bar Council Guidance for more information on the points covered.

Chapter 2 concluded with a look at the first data protection principle, namely that data should be processed "lawfully, fairly and transparently" - or rather, one third of it, as space precluded a look at the words "fairly and transparently". We will remedy that situation now.

Fairness

"Fairness" can be dealt with relatively quickly. It is not believed that the GDPR changed the meaning of fairness under the Act, which includes holding a balance between the data subject and the data controller.

Transparency

What does "transparency" mean? In a nutshell, "openness about who you are and what you are doing in your dealings with your clients and others".

You need to look at GDPR Arts 12-14. These cover the situations where (1) you collect data relating to a data subject from him or her (Art.13); and (2) you receive personal data that has not been obtained from the data subject (Art.14). Actually, the requirements in each Article are very similar, but before you breathe a sigh of relief, they are very detailed.

In addition to the requirement to notify, other major points to note are the requirement to state the legal basis for processing, including the nature of any legitimate interests on which you rely, and the period for which you will be keeping the data - see below.

What do these Articles mean for the Bar and Chambers?

1. Where you or your Chambers obtain data relating to a data subject from that data subject (e.g. a client, a witness, a pupillage applicant, a prospective employee), you have to give that person certain details about who you are and what you are doing with their personal data. These are:

  • Your identity and contact details
  • If you have a representative or data protection officer, their contact details (unlikely to arise for the Bar but listed for completeness)
  • The purposes for which you are processing any data (e.g. to provide legal advice or draft a particulars of claim)
  • The legal basis for processing the data (e.g. most obviously "to enable me to provide legal services". Less obviously e.g. "for fee disputes" - see Guidance)
  • The categories of personal data involved (Article 14 only - fairly obviously as if they are giving you the information, they know what they are handing over)
  • If you are processing data in pursuance of your own legitimate interests, (or a third party's) - Art 6.1(f) - what those interests are. You will have considered and recorded this when preparing your Data Protection Policy.
  • Details of who is going to receive any of the client personal data - e.g. my solicitor etc - or categories of these persons - e.g. the probation service, the courts etc - see Guidance for a fuller list
  • Details of likely transfers of personal data if any, to a third country or international organisation - please see Art.13.1 (f) for the full requirements
  • How long you will store any personal data, or, if you cannot determine the actual time, the criteria used to determine the period. You will have considered data retention periods when preparing your Data Protection Policy, and you will need to notify data subjects of the retention period which you adopt
  • The rights the client has: for access to his or her personal data, rectifying inaccuracies, deletion of personal data, restrictions on processing and the right to port that data to another data controller (these will probably become standardised words)
  • The right of the data subject to withdraw consent to your continued processing of personal data (i.e. the opposite of Art 6.1(a) and Art.9.2 under which consent is explicitly given)
  • The right to lodge a complaint with the Information Commissioner's Office (again, standard words will cover this)
  • Whether the provision of personal data to the barrister arises from a statutory requirement or a contractual one (or a requirement necessary to enter into a contract). In the case of the Bar, it is likely to be contractual.
  • Whether the client is obliged to provide his/her personal data and the consequences of failure to do this (e.g. you cannot do the work).

2. As we have said, Art.14 requirements are similar to those in Art.13. Notable additions under Art.14 are that (a) you have to give details of where the data originated from and whether it came from publicly accessible sources; (b) the information has to be given to the data subject within a reasonable time after receipt and at the latest within one month from receipt; (c) if the personal data are to be used for communication with the data subject, then details have to be given at the first communication with that person; (d) if disclosure to another recipient is anticipated, then the information is to be provided at the latest when the personal data are first disclosed.

3. In the event that further processing of client data for a different purpose arises, you also have to tell the client what that different purpose is, together with any further relevant information arising under 1 above. Plainly, if you are relying on consent, the original consent will not operate in relation to an undisclosed purpose. So, you cannot assume that one consent covers all.

4. Note: if the client already has any of the information above, you are not obliged to give it to him/her again (Art. 13). As Art. 14 concerns the situation where personal data have not been obtained from the data subject, there are one or two more exceptions to the requirement to provide information. Essentially these are:

  • The impossibility of providing information
  • Disproportionate effort in providing information
  • The provision of the required information renders impossible or seriously impairs the achievement of the objectives of that processing
  • Obtaining/disclosure is already laid down in EU/UK law and contains appropriate measures to protect a data subject's legitimate interests
  • Where personal data must remain confidential subject to an obligation of professional secrecy regulated by EU/UK law including statutory obligations of secrecy, for example the Bar Code of Conduct duty of confidence and legal professional privilege

5. It is likely that the proposed new Data Protection Act will contain additional exceptions and we will report on these in a final round up of changes.

6. Sorry. You cannot charge for providing all this information. It is free. (Art.12.5). The only exception is that where requests are unfounded or excessive i.e. repetitious, a data controller can either charge a reasonable fee or refuse to act on the request. The burden of proof is on the data controller to show that requests were unfounded or excessive.

7. There are mandates for the manner in which you provide the information under these Articles. The information has to be concise, transparent, intelligible, and easily accessible, and use clear and plain language - especially when dealing with children. Family and Criminal Law barristers please note. The information has to be provided in writing, including by electronic means. It can be provided orally if the data subject requests, provided that the identity of the data subject is proved.

8. You will therefore have to look at your privacy notices to make sure that these are up to date with GDPR requirements. These will be needed in respect of:

  • Clients, including direct access clients
  • Public - on chambers' website and/or barrister's own website
  • Candidates - for tenancy, pupillage or mini pupillage
  • Job applicants
  • Users of chambers or a barrister's own website

Consultants have been engaged to prepare templates which will assist you.

9. Further guidance is here and on the Information Commissioner's website here (for privacy) and here (for additional information).

Here are some examples of when you will need to consider notifying data subjects when working on a case:

1. When you are first instructed, you will need to notify the client. Subject to LPP and your duty of confidence, you may also need to notify persons closely connected with the client that you will be receiving their personal data, e.g. family members and employees of a company.

2. When you obtain personal data relating to third parties, you may be able to rely on the duty of confidence/LPP exception. But there will often come a time when you can no longer do so, e.g. after a document (such as a witness statement) has been read in court. Subject to what the new Act may say on this point, you may need to notify. You may also be able to rely on the "disproportionate" exception, e.g. if the solicitor has already notified the data subject or if you don't have contact details for the data subject.

3. If you take a witness statement yourself in a public access case, you will need to notify the witness setting out the matters we have addressed above.

In addition, you or your Chambers will need to notify other data subjects such as pupils and prospective employees.

If all of this has brought you out in a cold sweat, don't panic. The GDPR has to be all things to all men and women. Extensive work is being carried out to help you achieve compliance. However, you should be aware that this is likely to involve more thinking about your processes to get it right. The Riliance system will have additional guidance, draft policies and step by step guides for you to assess your compliance.

Next time

So much for the "data controller" and the First Principle. In Chapter 4, we look at the remaining Principles.

Bar Council IT Panel

6 December 2017