Covid-19 pandemic creates difficulties for many.

The Covid-19 pandemic has created difficulties for many, especially employees and employers. Many business owners have not been able to continue paying their employees. This has resulted in the laying off of many employees. For employees, apart from anxiety over their own health and despite mortgage moratoriums et cetera, this has created financial difficulties. For employers, and especially SMEs the pandemic has the potential to deal a death blow to a business that took years to build up.

As noted in a previous blog, when set against this backdrop, data protection concerns seem trivial. Nevertheless, just as fundamental rights and freedoms cannot be trampled on in a health crisis, neither can data protection rights. Indeed, because more sensitive categories of personal data are now being processed (health data, particularly), more care should be taken to ensure that data protection rights under the GDPR are being respected and enforced.

There must be at least one legal basis to process data and all principles must be abided by. What is often forgotten is that even where derogations from the GDPR apply, the principles must still be respected and applied in any personal data processing operation. While the rules should be obeyed even under extreme circumstances, these same data protection rules (such as the GDPR) do not hinder measures taken in the fight against the Coronavirus pandemic. It is conceivable that in times of emergency such as now, some data protection rules may be relaxed, but it is unlikely they will ever be suspended or waived. Still, there have been many questions to GDPRXpert from clients unsure of aspects of the GDPR, especially in the specific context of this pandemic. At this time, we will take a look at some of the most common questions we have been asked.

Question 1.

I have many of my employees working from home at least temporarily. Are there any special precautions employers need to take in relation to personal data?

Answer.

Many people work from home, but clearly these numbers have increased since the pandemic. The first thing that those working from home must do from the outset is create the mindset that they are still working in the office. Remember, it is not feasible for employers to go and assess the suitability, or otherwise, of all ‘work from home locations’ (WFHL), so some basic and normal ground rules need to be emphasised.

Employees must secure their data just as they would in the office. To do this they must take the normal precautions and act as if present at their place of employment. It is paramount they don’t allow family members, or anyone else, to just walk into where they have set themselves up. For example, they should never leave personal data on view on a computer screen. Data protection consultants GDPRXpert frequently remind clients that it is often the small oversight or lack of attention that leads to data being compromised. Employees should log off when leaving their work station or lock an area if too many people are coming and going. Working from a laptop on a couch is not a good idea if sharing an apartment or house with others! There should be strict controls on the ability to download personal data from an organisation’s system files.

If no relevant data protection policies are in place, now is the opportune time to enact some to govern how company assets and information can be accessed, where information can be stored, and how information can be transmitted. Employees must be quickly made aware of, and become competent about, the types of information considered to be confidential, trade secret, or otherwise protected. There is much anecdotal evidence of an upsurge in phishing attacks.

In the US there has been a huge rise in fraud schemes related to Covid-19, with many businesses receiving fake e-mails purportedly from the Centers for Disease Control (CDC). These emails contain malicious attachments, so employees at WFHL need to be extra vigilant. In all cases these fraudsters are attempting to have their targets access and verify personal information or credentials. Employers must train their employees on how to detect and handle such scams and keep them informed about the latest threats. It is a good idea to have regular video conferencing with staff to facilitate Q&A sessions and update everyone on the latest threats. It also helps staff morale.

Only those whose essential job duties place them in the ‘need to know’ employee classification should have access to ‘special category data’, which includes health data. It is best practice to carefully review any Bring Your Own Device (BYOD) agreements, if any are in place between you and employees. In this scenario, and where special category data are being processed, it is vital that all information is encrypted in transit and while at rest on the device. For example, many in the healthcare field are now working remotely and collecting health data. In the absence of special arrangements, these remote employees should be using company-issued equipment and not saving company data to personal laptops, flash drives, or personal cloud storage services such as Google Drive.

It is true to say that the risks for the employer are numerous, so all care should be taken in relation to BYOD agreements. Any employer should seek to ensure that those practices do not compromise the security of, and the employer’s right of access to, its information and data, and that its policies comply with all attendant legal obligations.

In the conventional office working setting it is easy to have a quick word in an employee’s ear if an employer becomes aware of any breach of, or indiscretion concerning, a BYOD agreement. It is more complicated when employees are working remotely. Best and safe practice is for employers to consider periodic reminders of the BYOD policy and offer training sessions, as well as ongoing education regarding the importance of protecting the employer’s trade secrets, confidential and proprietary information and data.


“There is no questioning the advantages of BYOD agreements. It is a growing trend, one that may already be occurring at your company. Employers are implementing policies and practices that permit, or even require, their employees to use their personal electronic devices (e.g., laptops and smart phones) and data services (e.g., backup and file-sharing software) for work-related purposes. The appeal of such Bring-Your-Own-Device (BYOD) practices for both employers and employees is undeniable. Employers avoid the up-front costs and administrative hassle of purchasing laptops and smart phones as well as employees’ demands for the latest and greatest gadgets, and employees do not have to carry around multiple devices. Overall, this is a much simpler and more efficient way of doing business, right?” (Elaine Harwell, Senior Counsel, Procopio). There are security considerations nevertheless, and here are some aspects that demand careful attention.


Your BYOD policy should cover a broad range of topics, including:

  • Which employees are permitted to use personal devices for work purposes;
  • Acceptable and unacceptable use of personal devices for work purposes;
  • Your ownership of and right of access to all employer data on employees’ personal devices and employees’ lack of privacy rights in that data;
  • Your security and data protection protocols;
  • Your employees’ obligations with respect to maintaining the security of employer data (e.g., a provision requiring employees to protect all devices that contain employer data with a password or PIN);
  • A disclaimer that the employer is not responsible for the security of the employee’s personal data;
  • Reimbursement for the employee’s use of his or her personal devices; and
  • Rules and/or restrictions regarding work-related use of personal devices outside of working hours.

Question 2.

Can an employer let employees know the identity of a co-worker who has contracted Covid-19?


Answer.

We know that personal data includes an identifier such as a name. Processing includes, inter alia, “…disclosure by transmission, dissemination or otherwise making available…”. Therefore, sharing the name of an employee who has contracted Covid-19 constitutes personal data processing. ‘Data concerning health’ under Art.4 GDPR includes any personal data related to the physical or mental health of a natural person which reveal information about his/her health status. In this instance we have an employee’s name, which is ‘ordinary’ personal data, and data concerning health, which falls under ‘special category data’ under Art.9 GDPR. Processing rules vary depending on the categorisation of the data involved. The legal bases for processing also differ, again depending on the category of the data.

In line with the confidentiality principle, the general rule is that the identity of an affected employee should not be disclosed to his/her colleagues or any other third parties without some legal basis or very strong justification. Having been informed by previous experiences, we know that the smaller the business is, the more easily the identity of the co-worker will become known. Even in larger companies a person’s absence will be noticed and lead to unhelpful speculation, much of it on social media, as to who exactly has the virus. This speculation would be upsetting for those wrongly identified as having Covid-19. It is usually not necessary, and often will not serve a legitimate purpose, to disclose the identity of an employee with Covid-19. Employers are under a legal obligation to ensure the health and safety of employees (Safety, Health and Welfare at Work Act 2005). Informing employees of an infectious disease in the workplace would be a statutory duty (also a common law duty with an attached duty of care). Indeed, employers should carry out a risk assessment to identify the risks of a coronavirus outbreak at work, and implement steps to minimise that risk. That said (even in the absence of obligations under health and safety legislation), it would be expected that employees would be informed of any case of Covid-19 in a work setting in order that staff could self-isolate or work from home.

Any information disclosed should always be limited to the minimum necessary for a specific purpose. Someone’s identity, normally and generally, should be disclosed only where absolutely necessary and on a strict need-to-know basis. As evident from a notice by the DPC, the key word may be ‘generally’: “Any data that is processed must be treated in a confidential manner i.e. any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.” The DPC also states that “the identity of affected individuals should not be disclosed to any third parties or to their colleagues without a clear justification.” We note it does not state ‘without a clear legal basis under GDPR’. There is a world of difference between the two. Any test of what is ‘clear justification’ either does not exist, or is a subjective test. Who decides what a ‘clear justification’ is? Does a justification have to be set within a legal basis? The ultimate arbiter on this is the CJEU. It is a facile exercise to set out a justification for an action, rather than ground it on a legal basis.


From a practical perspective, to allay fears amongst all employees who are wondering how close their contact was with the infected employee, a common-sense approach would be to ascertain whether the infected employee would consent to his/her identity being made known to co-workers, with the aim of more effectively safeguarding those co-workers. For example, if a worker in a very large manufacturing plant became infected, it would cause undue stress to many employees if no other information was forthcoming from the employer. Employees will worry and wonder about how close they were to the infected individual. If an employer is too specific about the area of the plant where the infected employee worked, it may be tantamount to naming the individual. The circumstances and details of any particular case will determine the nature and quality of the dilemma facing the employer.


There is no avoiding the reality that not knowing who exactly in your place of employment has contracted Covid-19 will cause undue stress to that person’s co-workers. As noted many times, data protection rights under the GDPR, and data protection and privacy rights under the Charter and the European Convention on Human Rights respectively, involve a balancing exercise with other rights. In cases like the present one, the unprecedented circumstances involved in the whole scenario suggest to us that a common-sense approach is an option that many will consider. It is an approach that carries some risk. In normal circumstances a person’s identity should not be disclosed, but in very extreme situations, such as the present one, a justifiable case could be made for releasing a person’s identity.

This action is still fraught with danger, and if an employee files a complaint it will be up to the DPC at first instance to give a decision. An employer’s justification in releasing the identity of the coronavirus victim may not withstand scrutiny by the DPC. The best advice is not to release a person’s identity unless you have obtained explicit written consent from the employee. Where explicit consent is not forthcoming, our advice would be to state that a co-worker, who cannot be named at this time, has contracted Covid-19. How much more information is conveyed to co-workers is dependent upon the particular, and possibly unique, circumstances of an individual situation.

There will be cases where, for example, an employer will conclude that the health and safety of all employees is best served by disclosing the identity of the employee with Covid-19. In such a situation, and because of the statutory duty on the employer by virtue of health and safety, there is at least an arguable case. Remember, although set in a different work context, ‘the indications of impending harm to health arising from stress at work must be plain enough for any reasonable employer to realise he/she should do something about it’. (Hatton v Sutherland [2002] 2 All E.R. 1)

Ultimately, the roadblock may be formed by the twin concepts of ‘necessity’ and ‘proportionality’ that permeate the GDPR and EU law. Views on the issue are by no means unanimous across the EU. A recent guidance note from the European Data Protection Board says ‘employers should inform staff that colleagues may be infected, but they should only reveal their names if national law allows it; if they can justify that such a step is necessary; and only after the affected workers have been informed/consulted beforehand.’ Earlier we saw the slightly differing view from the DPC guidance. The U.K. ICO also takes a slightly different view: “You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees as well as a duty of care. Data protection doesn’t prevent you doing this.” The identity of affected individuals must not be disclosed to their colleagues or third parties without a clear justification.

The Appropriate Lawful Bases.

The HSE and other public health authorities would be seeking details concerning any Covid-19 case in any context. Certain information is always needed so that authorities can effectively carry out their functions. Only recently was Covid-19 declared a ‘notifiable’ infectious disease. Medical doctors are mandated to report cases to the Medical Officer under the Infectious Diseases (Amendment) Regulations 2020. There is no equivalent legislation covering employers. Strangely, employers are not mandated to report infectious diseases to the Health and Safety Authority. Employees under the 2005 Act are mandated to report to their employer or the employer’s nominated registered medical practitioner if they become aware of any disease which affects their performance of work activities that could give rise to risks for the health, safety and welfare of others at work. A clear duty is imposed on all employees to protect themselves and others. However, employers under the 2005 Act are under a legal obligation to protect employees from issues that affect their health and safety in a negative manner. Clearly, this could easily be construed to include the novel coronavirus. This could act as a lawful basis for processing personal data.

Processing could also be justified on the basis of Art.6(1)(d), that it is ‘necessary to protect the vital interests of the individual data subject (employee) or other persons (other employees or other people)’. An employer could also find a legal basis for processing the personal data under Art.6(1)(f) GDPR where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”. Where an employer relies on this legal basis, he/she should document the ‘legitimate interests assessment’ that has been made.

In certain cases the person’s identity will be needed. For example, authorities may need to interview the employee who has contracted the disease. Recital 46 GDPR states “some types of processing may serve both important grounds of public interest (lawful under Art.6(1)(e)) and the vital interests of the data subject (Art.6(1)(d)), as for instance where processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread…”. Where the employer shares information, the sharing should be in compliance with the GDPR and, most especially, the principles. In many cases employees themselves may fully consent to having their identities made known, or they will make it known themselves. If so, in those cases the personal data will have been ‘manifestly made public’.

It is questionable whether the consent of an employee to processing of his/her own personal data would constitute valid consent. It has not been definitively set out in the context of the employer/employee relationship, but Recital 43 makes it clear consent is not a valid legal ground “where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority…”. GDPRXpert has not found any case law to support the view that an employer/employee relationship would satisfy the ‘clear imbalance test’. Undoubtedly, the average employee could feel pressurised into giving consent. It is something that will fall for future decision on a case-by-case basis. What is noteworthy is that the reference to a clear imbalance in the context of an employment relationship, which had been included in an earlier draft of the GDPR, was deleted in the enacted regulation.

Health Data Processing

Where data concerning health are involved, the situation changes. As we know there is a general prohibition on the processing of ‘special category’ data, which includes data concerning health. There are a number of exceptions to this broad prohibition, including under Art.9 (2) GDPR and sections of the DPA 2018. These provide potential legal bases for processing health data for the purposes of Covid-19 containment. S.46 DPA 2018 and Art.9(2)(b) permit the processing of health data where necessary and proportionate for the purposes of exercising or performing any right or obligation under Irish employment law – employers are legally obliged to ensure the safety, health and welfare at work of their employees. Specific measures to safeguard the fundamental rights and interests of the data subject (employee) must be taken.

Perhaps the most appropriate legal basis for processing health data is found under Art.9(2)(i) GDPR and s.53 DPA 2018, both of which provide exceptions to the general rule. Here the processing is deemed necessary for reasons of public interest in the area of public health such as protecting against cross border threats to health. Both must be underpinned by law (EU/Member State) providing suitable and specific measures to safeguard rights and freedoms of the data subject (employee). Examples of suitable safeguards would be limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.

S.52 DPA 2018 and Art.9(2)(h) GDPR also offer a sound legal basis as both provide, inter alia, for processing for the purposes of preventative or occupational medicine, and for assessment of the working capacity of an employee. Necessity and proportionality are always underlying considerations.

Question 3.

Can employers ask for travel and medical information from employees and from visitors coming to the workplaces of employers?

Answer.

Employers, as we noted earlier, are under a legal obligation to protect the health of their employees and to maintain a safe place of work (Safety, Health and Welfare at Work Act 2005). There would be justification for employers asking employees and visitors about recent travel, in their efforts to prevent or contain the spread of Covid-19 in the workplace. This would be especially so where they are worried about any possible travel to Covid-19 hotspots. In this regard, employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms. If travel has taken place as part of an employee’s duties, then those details are already known to the employer. The question then becomes one of asking about personal travel destinations and the presence of any Covid-19 symptoms.

In Ireland the DPC has given recommendations on Covid-19 and these support the view that it is reasonable to ask an employee such questions. Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. It is advisable to be sensible when asking employees to provide personal information about their likelihood of risk and not to ask for more than you genuinely need.

Out of the 28 national data protection authorities of European Union member states, some 20 EU countries have issued specific guidance regarding COVID-19 and data protection so far. We are beginning to see several core principles emerge from this guidance:

  1. COVID-19 sensitive personal data, such as medical symptoms and diagnosis, travel history, and contacts with those who have been diagnosed can be processed on the basis of safeguarding public health.
  2. The fact that an employee has tested positive for COVID-19 can be disclosed, but identifying information about the individual, in particular the individual’s name, should not be disclosed.
  3. European DPAs have scrutinized if not discouraged or prohibited mass surveillance techniques by data controllers, such as use of questionnaires or temperature checks, other than those performed by health authorities.
  4. Security measures must still be implemented to protect COVID-19 personal data.

What the foregoing has shown is that some issues around data protection in the context of the Covid-19 pandemic are complicated. The coronavirus pandemic has brought forth evidence of how interpretations of some articles in the GDPR vary within jurisdictions. Member states (MS) have been given some latitude in making changes and additions to the GDPR, but Covid-19 has exposed a lack of consistency in interpretation of portions of the GDPR across the EU. This is something we will look at closely in the future, and as the pandemic expands in a potentially lethal manner globally.

Patrick Rowland, GDPRXpert.ie.

We are GDPR and Data Protection consultants with bases in Carlow/Kilkenny and Mayo, offering a nationwide service.

For more details visit www.gdprxpert.ie

The GDPR and Elections on the Horizon

What with the never-ending Brexit saga and the continuing toxic political stalemate, it may not be popular to delve into any topic with political associations. Nevertheless, this is the intention, and it is one that is primarily inspired by the upcoming European and Irish local elections. Both sets of elections have a novel element, to the extent that they will be the first Euro and local elections to take place since the introduction of the GDPR and The Data Protection Act 2018.

Key actors on this changed set include a number that may play the role of the data controller. In previous blogs and on our website,  we have seen how the notion of accountability of controllers and joint controllers is a central feature of the GDPR. Individual election candidates, political parties, data analytics companies and public authorities responsible for the electoral process can all act as controllers. It is not within the scope of this blog to discuss all facets, and so the less ambitious plan is to look at election candidates in the light of canvassing related activities. Data protection issues arise whenever personal data is being collected, and at election times it is collected in different forms. Canvassing door to door, direct mail marketing, and electronic direct marketing may raise concerns. More data protection issues surface in relation to requests for representation. Inevitably, organisations that receive these requests must also come under the same scrutiny.


Getting Started.

The focus of this article lies within the confined context of elections and electoral activities, and the application of Union and national law within this defined landscape. Micro-targeting of voters by unlawful processing of personal data is still fresh in people’s minds following on from Cambridge Analytica and other similar disclosures. A starting point is to acknowledge, as stated by the UK’s Information Commissioner’s Office (ICO), that “engaging voters is important in a healthy democracy, and in order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so; this includes the handling of the personal data that they collect and hold”. (ICO, Guidance on Political Campaigning) This is especially true since the inception of the GDPR, the Data Protection Act 2018 and the E-Privacy Regulation.

The Very Basic Ground Rules.

Individuals now have enhanced rights, and these are strengthened and particularly relevant in the electoral context. These rights place onerous responsibilities on candidates seeking office. Primary responsibilities fall on the candidates and affiliated parties where that is the relationship. Public authorities also have responsibilities under the GDPR and the various Electoral Acts. Whoever is processing personal data previously viewed as purely mundane, such as names and addresses, must now pay more attention. Simple names and addresses represent ‘personal data’ under the GDPR. Processing of such data must now be done lawfully, fairly and in a transparent manner, and for a defined, specified purpose. Another limitation (purpose limitation) means the personal data are now less likely to be strategically stored with ulterior motives in mind. Data cannot be further processed in a manner incompatible with the purposes for which the data were initially collected (note: there are a few strict exceptions to this rule). There must be some lawful basis for personal data processing. All data protection principles must be followed without any ‘cherry-picking’.

Pre-election days.

Most of us are well used to the barrage of literature that ends up on our hall floors in the run-up to elections. S.39 DPA 2018 specifically allows for the use of personal data for the purpose of communication in writing (including a newsletter or circular) with the data subject. It is qualified and is limited to ‘specified persons’, namely: a political party; a member of either house of the Oireachtas, the European Parliament or a local authority; or a candidate for election to the office of President of Ireland or for membership of any of the above-mentioned bodies. Here the DPA 2018 provides a lawful basis for processing. There is a useful guidance booklet available on the DPC website. Section 59 DPA 2018 expressly modifies Art. 21 GDPR, so that there is no right to object to electoral direct marketing by post. When communicating by text, e-mail, phone or fax, a candidate must have prior consent from the constituent. If contact is then lawfully made, it must be clear about its origin, and it must incorporate an easy opt-out.

Frantic times precede elections and normal rules should apply, but it is probably unrealistic for the office of the DPC to expect candidates to include the amount of information described within this pamphlet with their canvassing materials. What is more unrealistic is to expect the same information to be given by a candidate when going door to door. Time constraints make this impractical. It will be interesting to hear from candidates after the elections about how the new regulations and the DPA 2018 affected their campaigns. Just as interesting will be any feedback from constituents concerning the information they were given by candidates regarding data protection rights. Under Art.9 GDPR there is a general prohibition on the processing of special categories of personal data, but there are exceptions to the rule. Section 48 DPA 2018 expressly permits one of these special categories of personal data (data revealing political opinions) to be processed. Provided safeguards are taken to protect the data subject’s fundamental rights and freedoms, such data can be processed in the course of electoral activities by a political party, a candidate for election to, or a holder of, elective political office in the State (note: this applies to the Referendum Commission also). The specific purpose is the compiling of data on people’s political opinions. Section 48 DPA 2018 provides a lawful basis.


Requests for Representation

In the course of canvassing at election time, candidates receive numerous requests for representation regarding access to services or the provision of services. Whilst such requests are genuine, they represent a higher-level test of a candidate’s knowledge or ability, as perceived by the voter, in the run-up to the election. If a voter gets a favourable and swift response from the candidate, the chances are he/she will also get a vote. It is only proper that no short cuts are taken to get this information quickly before Election Day. When we speak of ‘candidates’, it is important to distinguish between candidates who are current officeholders seeking re-election, and those running for election who do not currently hold any office. All elected representatives should be aware of, or quickly become familiar with, S.40 Data Protection Act (DPA) 2018. In fact, they should be more conscious of, and extra vigilant in, their responsibilities, because the number of requests will increase exponentially at election times. Being knowledgeable on S.40 potentially benefits the representative’s reputation. Passing on the relevant specifics of that knowledge to the constituent will deliver benefits to both parties. After the introduction of the GDPR, the office of the DPC issued interpretive guidelines on S.40 DPA 2018. Data protection consultants GDPRXpert have the document available. We will now look at some of the main points from the guidelines.

 

Some Guidelines on Requests for Representation.

Sections 40(1) and (2) DPA 2018 give elected representatives the legislative basis for processing the personal data of constituents. This includes the special categories of personal data defined in Art. 9 GDPR. Processing is allowed where the elected representative either receives a request for representation directly from the data subject, or receives a request for representation from another person on behalf of the data subject. In all cases, the elected representative must be able to demonstrate compliance with the principles of data protection. At a minimum, representatives are obliged to meet the transparency responsibilities set out in the GDPR (especially Arts. 12, 13 and 14). An elected representative has an obligation to be certain at all times that they are acting upon a request from the voter.

 

There will be many situations where "the permission can be implied from the relevant action or request. For example, the raising of the matter by an individual will create an expectation that their personal data will be further processed by the elected representative and other relevant organisations" (DPC Guidelines 2018, p. 4). The normal expectation, then, is that personal data will be processed: as part of the representative's request for information, the local council, for example, will disclose the personal details necessary to satisfy the request. However, best practice is to be sure that the constituent is aware of the likely processing, and we recommend a signed consent form. In many instances a formal, signed consent form may not be practical. In that case the representative should take contemporaneous, detailed notes; the DPC suggests these as a good record to demonstrate compliance with S. 40 DPA 2018.

If any unexpected processing becomes necessary it is advisable to revert to the constituent. An elected representative must be careful not to go beyond the specified purposes for which the consent was given. One recommendation from the DPC is that elected representatives should use Privacy Notices when they collect personal details from people and have a Privacy Notice on their website. All notices should meet the transparency requirements and “satisfactorily address the requirements set out in Articles 12, 13, 14 &30 (where relevant) of the GDPR and also should be clear, accessible and informative to help people understand what will be done with their personal information”. (Office of the DPC, 2018) Simple, best advice: be straight with people on all aspects. Following data protection principles will operate to safeguard both the constituent and the elected representative.

 

Requests From Someone on Behalf of Someone Else

In this scenario, all parties should be extra cautious, because a request is being made by one person on behalf of another. Common situations include a son or daughter acting on behalf of one or both parents, one family member on behalf of another, a relative on behalf of another relative, a neighbour or friend on behalf of another neighbour or friend, and so on. It is no longer sufficient to take the word of one party and accept their bona fides. The elected representative will therefore have to ensure that the individual making the request has the authority of the person whose personal data will be processed on foot of the request. This is a potential minefield, and the onus lies on the representative to "demonstrate that the data subject has consented to processing of his or her personal data" (Art. 7(1) GDPR).

Trust is no longer a reliable basis on which to proceed with such a request. Other aspects that merit detailed attention include the competency of the data subject and the legal standing of the person making the request.  For example, is there an enduring power of attorney to manage the affairs of the data subject? Any prudent representative should strive to have a signed consent form provided. Failing that, it will be a decision for the representative whether or not to make a representation.  Where the representative has not been able to fully ascertain the wishes of the individual prior to processing of personal data, he or she should have set out and recorded the specific steps taken to ascertain those wishes. Such records will stand as evidence of reasonable efforts having been made.  This will be crucial at the time the representation is made to the appropriate organisation.

 

Disclosure by an Organisation following a Request under S.40 DPA 2018.

Written Requests

As noted earlier, the number of requests for representation increases sharply approaching election time. Section 40(4) DPA 2018 gives an organisation the legal basis to respond to a representation from an elected representative and to process the personal data on foot of it. In doing so, the organisation must demonstrate compliance with all the data protection principles under Art. 5 GDPR. A precondition is that the disclosure is necessary and proportionate to enable the representative to deal with the request, and that the safeguards referred to in S. 36 DPA 2018 are taken. Special categories of personal data may be processed by the organisation under S. 40(4). Where the organisation receives a written representation on foot of S. 40, it can assume the constituent has given permission. In other words, it can accept the bona fides of the representative while at the same time satisfying itself that it is reasonable to assume the individual would have no objection to the release of the personal data.

Verbal Requests

With verbal representations from an elected representative to an organisation, it is advisable that a staff member of the organisation logs the appropriate details. Where the elected representative is present when the representation is made, it is good practice to have him or her sign a short form confirming the details. Best practice is for the organisation to have policies and privacy notices in place that outline how it deals with such requests. Ultimately, the organisation decides whether to accede to a request. In particular, the organisation must ensure it meets its responsibilities under Arts. 12, 13, 14 and 30 GDPR. Any disclosure must be only what is necessary and proportionate in its impact on the fundamental rights of the individual. An organisation must consider the potential impact and negative implications of any representation and take safeguards to mitigate the risks.

Mitigating Risks

Mitigation must reach a higher level where special categories of personal data are involved, since these are by their nature sensitive. Extra safeguards are also advisable where the representation has been made on behalf of the data subject by another individual because of the data subject's incapacity or age; where that personal data also falls within the special categories, the safeguards must be strengthened further. It must always be borne in mind that reliance on S. 40(4) DPA 2018 as a legal basis to disclose data on foot of a representation depends on certain conditions being met in advance: any processing must be necessary and proportionate, and suitable measures must be taken to protect the individual's rights and freedoms. If an organisation acting on foot of a representation has any concern about the level of awareness, on the part of either the representative or the individual, of the sensitive nature of the personal data, it would be prudent to refer back to both. It is only proper that the individual is fully aware of the consequences that will follow from the processing of their personal data as a result of the request. Both the nature and the purpose of the request will influence the actions taken. For example, some requests may be time-sensitive, and obtaining explicit consent may not be practical. The DPC advises that a common-sense approach be taken.

 

Personal Data of Third Parties

As a general rule, it is not permissible to process the personal data of third parties under S. 40 DPA 2018; it is allowed only in very limited circumstances. If a third party has not been involved in a request for representation, processing of that third party's personal data will not be permissible unless one of the following applies: the third party cannot give explicit consent; the processing is necessary in somebody else's interest and explicit consent has been "unreasonably withheld" by the third party; the balance favours disclosure in the public interest; the elected representative "cannot reasonably be expected to obtain" the third party's explicit consent; or seeking the third party's explicit consent would "prejudice the action taken by the elected representative".

Other Considerations Re Special Category Data

Earlier we noted how S. 48 DPA 2018 allows for the processing of one category (personal data revealing political opinions) within the 'special categories' grouping. S. 40(1) DPA 2018, by contrast, allows the processing of personal data within all of these special categories. An elected representative processing such data must "impose limitations on access to that data to prevent unauthorised consultation, alteration, disclosure or erasure of that data" (S. 40(3) DPA 2018). Alongside these limitations, suitable and specific measures that take account of the Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82/1989) and the corresponding Social Work Regulations (S.I. No. 83/1989) should be considered, as these remain in force under S. 58 DPA 2018. Both apply equally to the elected representative and to the organisation receiving the representation. These regulations provide that health data relating to an individual should not be made available to that individual, in response to an access request, if doing so would be likely to cause serious harm to the physical or mental health of the individual.

If a person is not a health care professional, he or she should not disclose health data to an individual without first consulting that individual's own doctor or some other suitably qualified health care professional. Where it has been deemed appropriate to disclose such information to an elected representative, the disclosure should include a warning about the sensitive nature of the data, and the elected representative will need to apply the safeguards set out in S. 40(3) DPA 2018. Finally, for processing of personal data relating to criminal convictions or offences (Art. 10 GDPR data), any disclosure on foot of a representation will require an assurance from the representative that explicit consent has been obtained for the request.

Much of the foregoing shows the complicated nature of data protection in the context of electoral activities. A high level of awareness is expected from elected representatives and from the organisations that receive representations from them. Once the relevant information has been provided by the elected representative, the decision should be based on common sense. The Office of the DPC believes any refusal by an organisation should be easily explained by reference to S. 40 DPA 2018, without citing data protection requirements as a general ground for refusal. Where the organisation has followed S. 40(4) DPA 2018, the GDPR and the data protection principles, and has implemented suitable and specific safeguards, it can be confident it has acted in compliance with the DPA 2018.

Patrick Rowland, GDPRXpert.ie

Data Protection Consultants GDPRXpert.ie, with bases in Carlow/Kilkenny and Mayo, offer their expert service nationwide.

Visit www.gdprxpert.ie to learn more.
