Risk-based approach to GDPR compliance

In practice, we are coming across some confusion about the GDPR’s risk-based approach to compliance. It is important not to confuse this compliance concept with the risk facing your business or organisation.

Risk is the possibility of something happening which may cause loss, harm or damage, and it is usually assessed in terms of likelihood x severity.

In a GDPR compliance context, and where a risk-based approach is relevant, this means risk to the rights of individuals that may result from you processing their personal data. In other words, risk to individuals, not to your business or organisation.

GDPR compliance obligations that refer to risk include accountability measures, security measures, data breach notification, Data Protection Impact Assessment (DPIA), and privacy by design.

While the term “risk” is not defined in the GDPR, Recital 75 provides useful guidance.

When undertaking risk assessment, risk for GDPR compliance purposes (risk to individuals) must be understood and distinguished from the important operational risks affecting your organisation (risk to you) including possible regulatory sanctions, reputational harm and/or legal action that might result from GDPR non-compliance.

Privacy Notices and GDPR

With the prospect of increased regulatory activity ahead, it is important for businesses and organisations to ensure that their Privacy Notices are compliant.

Under GDPR, data controllers must provide individuals with mandatory information about the processing of their personal data and their rights, and the most effective way to do this is by a Privacy Notice (sometimes referred to as a Privacy Policy or a Privacy Statement, but the name is not important – what matters is the content and how it is provided).

Privacy Notices are an essential part of GDPR transparency obligations, and it should be transparent to individuals that their personal data is being processed, to what extent, and what their rights are.

More than one Privacy Notice version may be needed depending on the category of individuals involved (customers, employees, etc.).

The information has to be provided in a clear, easily accessible format at the time personal data is obtained from individuals, or within one month when obtained from another source.

The mandatory categories of information to be provided are set out in Articles 13-14, and include purposes of processing, legal basis for processing, legitimate interests for processing (if applicable), data sharing, international transfers, and data retention.

Working all this out, with documentation to meet the requirements of accountability, can be challenging for businesses and organisations.

It may be necessary to refresh data mapping or review justifications for legal basis.

Privacy Notices should also align with the Records of Processing Activities (Article 30).

Privacy Notices are a critical part of GDPR compliance, but they are not a once-off exercise, and must be kept under review to reflect your processing activities.

FP Logue secures social welfare payments for client who refused to apply for Public Services Card

FP Logue received confirmation recently that the Department of Employment Affairs and Social Protection has agreed to pay social welfare benefits to a client who refused to register for the Public Services Card (PSC).

Our client had presented a passport and proof of address with an application for benefits and received a formal decision from the Deciding Officer that the payments would be available for collection in the local post office in due course.

Some days later our client was informed by a member of staff that the approval had been a mistake and that the payments would be suspended until such time as an application for the PSC was processed. Our client refused to make the application and asked for written reasons to be provided. The position was subsequently confirmed in writing that payments were suspended until a PSC application was processed.

We wrote to the relevant official on our client’s behalf pointing out that there was no requirement under social welfare law for an applicant to register for the PSC and that the payment had been unlawfully suspended and that our client had been grossly misinformed as to their rights by officials.

We have now received confirmation that payments have been released confirming our assertion that a PSC registration is neither mandatory nor compulsory for the purposes of accessing social welfare benefits.

Introducing #InfoLaw2019 – 22 March

It’s nearly a year since GDPR came into force and we are beginning to see what the world looks like post-GDPR. Just yesterday we saw the French regulator hand out a €50 million fine to Google and it seems there is more to come. We are seeing the rise of the non-profit complainant taking on cases for individuals. DPOs are beginning to find their feet and the first cohort is starting to experience what it is really like to hold this position in the public sector and large organisations.

There are still many questions on people’s minds:

  • Will there be an avalanche of litigation?
  • What is the DPO really supposed to do?
  • Will the GDPR change the way the State and the public sector handle personal data?
  • How are big organisations adapting?

#InfoLaw2019 you can find out the answer to these questions and more from some of Ireland’s leading lawyers, DPOs and industry professionals. We’ll give more details of speakers and topics in the next week or two, check our website for more details or you can order your discounted early-bird ticket below:

Data controllers at risk if they presume mixed personal data can’t be accessed by data subjects without third party consent

Privacy written in tiles

The biggest data protection myth out there is that third party personal data cannot be disclosed under a subject access request that covers “mixed” personal data, i.e. information that contains personal data of more than one individual.

If I had €10 every time a data controller made this claim I wouldn’t need to write this update because I’d have already retired a rich man and would be sitting in my vineyard in the South of France enjoying the good life.

The reality is that there is no presumption against disclosure of third party personal data in a mixed access request. Obviously third parties have privacy rights which cannot be adversely effected but that doesn’t mean they have to consent to disclosure. A data controller has to balance competing interests and make a decision in line with the GDPR, that’s what the law says.

While it may be a difficult to decision to make in some circumstances, generally there should be no real issue since the GDPR facilitates the processing of others people’s personal data as long as it is lawful, responding to a subject access request is no different.

Litigation risk

Data controllers are risking legal proceedings or complaints to the Data Protection Commission if they wrongly assume that all third party data must be purged when responding to subject access requests.

In many situations the rationale for the subject access request is to access information about other people, for example family members or professionals and in those circumstances data subjects may have a very strong legitimate interest in accessing mixed data.

B v General Medical Council

The English Court of Appeal considered this issue in the case of B v General Medical Council [2016] EWCA Civ 1497 which concerned a request by a patient to access a report prepared by the General Medical Council after the patient had complained about his treatment by a doctor. The doctor objected to the release of the report saying it contained both his and the patient’s personal data and therefore his right of privacy prevented the report being released to his former patient.

The General Medical Council nevertheless decided that on balance the rights of the patient favoured releasing the report to him. The doctor successfully appealed to the High Court but that appeal was overturned in the Court of Appeal on the basis that there is no presumption in favour of refusing access to mixed data and the data controller is best placed to make that evaluation and in this instance had done so correctly and lawfully.

Data controllers need to take heed

This case shows that data controllers have a wide margin of discretion but nevertheless have to weigh up the competing interests when handling a subject access request for access to mixed personal data. There is no presumption that mixed data must be refused or that the third party data subject must consent to release.

Any data controller that handles a subject access request based on these presumptions risks litigation or a complaint to the Data Protection Commission.

This article was also published on LinkedIn

The Right to access environmental information: The protracted reality

From our guest intern Patrick Barrett LLM:

Collins English Dictionary defines ‘expeditious’ as “quick and efficient”.  In today’s fast paced society, where people bemoan their lack of free time and hectic schedules, the expectation of expeditious service has become customary.

European law provides a right of access requests to environmental information held by public bodies. If an applicant is unhappy with the outcome of their request, they may seek an expeditious review from an independent adjudicator called the Commissioner for Environmental Information.

The Office of the Commissioner for Environmental Information (OCEI) is an independent statutory body, run by the Commissioner, Mr. Peter Tyndall. The OCEI is quick to point out what it is not on it’s website; it is not a court; it is not formal or adversarial; and it does not assist or advise the public in making Environmental Information requests.

Therefore, the appropriate question is; what does the OCEI do? More precisely, how has the Office performed over the previous four years? In comprehensively analysing the 77 decisions made between 2014 and 2017, the objective findings are as follows:

  • How long are reviews taking on average?

There are 77 listed decisions in the four-year period 5 of which do not record the date of appeal. Therefore, it is only possible to ascertain the length of time in 72 cases.

Length of times vary, from 34 days in Francis Clauson and The Commission for Energy Regulation (CEI/16/0022) to a protracted 959-day review in Lar McKenna and EirGrid (CEI/13/0015). Overall the median time calculated stands at 381 days per decision.

  • What type of information is being considered in appeals?

The breakdown of AIE Regulations considered by the Commissioner are as such:

Number of times considered:

Article 3 (Interpretation)                                                                    33

Article 7 (Action on request)                                                               28

Article 9 (Discretionary grounds of refusal)                                       24

Article 10 (Incidental provisions related to refusal)                           12

Article 8 (Grounds that, subject to Art.10, mandate a refusal)          11

Article 6 (Request for Environmental Information)                            6

Article 11 (Internal review of refusal)                                                 5

Article 4 (Scope)                                                                                  4

Article 12 (Appeal to Commissioner)                                                  1

Article 15 (Fees)                                                                                  1

 

  • What are the outcomes from appeals to the OCEI?

The outcome of decisions by the Commissioner are:

46 refusals to release information, 26 findings that information should be released, and 7 decisions stating the request be reprocessed.

The Commissioner has recorded 32 affirmations, 27 annulments and 18 variations.

  • How many are threshold decisions?

With regard to the 77 decisions 28 concern the issue of whether the information requested is environmental information.

Almost 1 in 8, i.e. 9 decisions, question whether the entity is within the scope of public authority. There are 2 decisions that relate to both definition of public authority and environmental information.

From our analysis the time to make decisions is decreasing. However it is doubtful that the timeframe meets the legal requirements of EU law. The Aarhus Convention clearly states at Article 9(1):

In the circumstances where a Party provides for such a review by a court of law, it shall ensure that such a person also has access to an expeditious procedure established by law that is free of charge or inexpensive for reconsideration by a public authority or review by an independent and impartial body other than a court of law.

A cursory glance at the dictionary definition of expeditious may serve as a poignant reminder that applicants expect, and are entitled to, prompt and efficient recourse.

Commission releases legal submissions in Nowak data protection case

Since July 2017 it is now possible to get access to legal submissions in CJEU cases which are held by the European Commission. Since the Commission is a party or intervener in a wide range of cases, particularly the more important ones, this means that there is a now a high degree of transparency regarding the arguments of parties in CJEU cases.

We requested access to the pleadings in the well known case of Peter Nowak v. Data Protection Commissioner which concerned the issue of whether an exam script could be personal data.

You can follow the request below using the AsktheEU.org service

The case concerned a request by Mr Nowak for access to his exam script in a professional accountancy exam. The request was refused on the basis that his exam script was not personal data and therefore not accessible under the Data Protection Acts. The Data Protection Commissioner agreed and dismissed his claim as “frivolous or vexatious” i.e. the request was bound to fail.

Each of the Circuit Court, High Court and Court of Appeal agreed and dismissed his appeals. However the Supreme Court held that Mr Nowak was entitled to appeal and as a matter of EU law there was doubt as to whether Mr Nowak’s exam script was personal data. In that case the Supreme Court stayed proceedings and made a preliminary reference to the CJEU.

Both Ireland and the Data Protection Commissioner argued for a narrow definition of personal data. In particular the Data Protection Commissioner acknoweldged that the exam result itself was personal data but the answers to the exam questions in this particular case were not personal data since there were no special circumstances such as, for example, where the exam requires the candidate to expose factual personal information.

Ireland made similar arguments.

The Court ultimately rejected this narrow interpretation and found that information becomes personal data because of the content, purpose or effect which links it with an identifiable individual. In terms of each of these the CJEU found that the information contained in an exam script was linked to the candidate and was therefore personal data and, in principle, accessible under the subject access right.

C 434 16 Observations Ireland EN

&nbsp

C 434 16 Observations Data Protection Commissioner EN Redacted

 

Sandra Conway appointed to board of the Transparency Legal Advice Centre

FP Logue associate, Sandra Conway, was today appointed to the Board of Directors of the Transparency Legal Advice Centre (TLAC).

TLAC is Ireland’s only independent law centre specialising in providing free, independent legal advice and referral services to anyone making disclosures of wrongdoing. TLAC was established by Transparency International Ireland following the introduction of the 2014 Protected Disclosures Act which has lead to a substantial increase in the volume of people reporting concerns arising in the course of their work.

Transparency International Ireland continues to support public bodies to create a supportive work environment for employees, including sign-posting the facilities offered by TLAC to public sector employees and continues to operate the Speak Up helpline providing support to witnesses, whistleblowers and victims of corruption and other wrongdoing. Since 2011 it has provided information and referral services to over 900 people.

Sandra volunteered with the Speak Up helpline in 2011 as it launched before joining the business integrity initiative at Transparency International Ireland until Jan 2014. She is delighted by the developments within the organisation and proud to support TLAC as a member of the Board.

FP Logue welcomes Sandra’s appointment to TLAC since it fits with the firm’s commitment to transparency and the protection of people who expose corruption and wrongdoing.