Last reviewed 22 May 2018
With effect from Friday 25 May, any business that controls or processes data will have to have a lawful ground for doing so under the new General Data Protection Regulation (GDPR). As Andrew Woolfall outlines in this special report, businesses will have to identify specific reasons for keeping hold of personal data and justify this upon one of six lawful grounds. If there is no appropriate lawful ground, the data cannot be held.
One of the central themes of the new regulation is that of data minimisation and only holding the absolute minimum amount of personal information that is required for specifically defined tasks. Where there is no lawful ground for holding personal data, it must be deleted. Given that by “data”, we mean any information that identifies — or can easily be used to identify — an individual, a huge amount of material within a transport business is caught by the regulation. It covers not just what is stored on computers but also that in traditional “hard copy” documents. It also includes photographs, closed-circuit television camera (CCTV) footage and sound recordings. Tachograph and drivers’ hours records, maintenance records, audit reports, telematic data, training records, proof of delivery documents, timesheets, payroll records, HR files and site attendance logs all contain elements of personal data and therefore are all subject to GDPR and the concept of establishing lawful grounds for holding the information.
Many business owners and managers are finding the concept of data minimisation frustrating given our, often natural, desire to cling on to as much information as possible, just in case it may be required at some point in the future. This mindset, however, will have to be changed. If it helps to overcome the natural inclination to be frustrated by this, much of the legislation makes sense when one looks at it from an individual or personal perspective. While businesses often see the data as one of their own assets, data protection legislation and in particular the GDPR approaches data from the context of it belonging to the individual. The individual then “lends” that data to the organisation for it to be held or processed for a specific task. That task must be based upon a lawful ground. The processing must also be limited to that task so that the data is not given for one purpose and then abused and used in other ways.
Often, it also helps many business owners or managers to think about their own personal data and other organisations, outside of their companies, holding and processing that data. Do they want their information to be subject to possible abuse?
The need to be able to show a lawful basis for holding and processing personal data is not something new — the Data Protection Act 1998 requires the existence of “conditions for processing” and the permitted conditions under that old legislation are similar to what is set out under GDPR. However, experience is now showing that many businesses have never really sat down and scrutinised their obligations under the 1998 Act and it is only now, with the introduction of GDPR and all the publicity that it is receiving, that many are giving this issue the attention that it deserves. Under GDPR, there is now a need for businesses to document the data that they hold, categorise the lawful ground and inform the individual accordingly.
The GDPR gives six grounds upon which a business or other organisation can control or process personal data. These are the following.
Pursuant to a legal obligation.
In pursuance of a contract.
To protect the vital interests of the data subject or some other person.
To perform a public task.
In pursuance of a legitimate interest.
With the consent of the data subject.
In the run up to the implementation of GDPR, many managers, or indeed businesses, are becoming fixated with the idea that “consent” is the principal ground to be relied upon. In many cases, this will not be correct. As is set out below, it may well be that other grounds are much more suitable than seeking the consent of an individual. Consent can be problematic in terms of how it is obtained and how often it must be renewed.
Changing the use of the data held
It is also worth remembering, as will be explained further below, that during its lifecycle within a business, the basis upon which data is held and processed may change. This may, or may not, require a change in legal ground. If the new purpose is broadly in line with the original ground then official guidance suggests that a change of legal ground will not be required. However, where there is a clear difference, a new ground needs to be identified and documented. For example, data may initially be held under a legal obligation. Once that obligation expires, the business may still wish to retain all or part of it by virtue of claiming a legitimate interest or by seeking consent. The classic example here might be tachograph data. A goods vehicle operator has a legal obligation to collect the tachograph information generated by the driver. By virtue of the EU drivers’ hours rules and regulations, this must be kept for a minimum period of 12 months. However, after the 12-month period has expired, the legal obligation will fall away. The business may, though, still want to retain some of that data — especially if there are infringements that might be prosecuted or the information might be relevant to something else such as an accident. Arguably, it could be said that this new purpose is broadly similar to the original legal ground. However, if the purpose of retaining it is to provide management information, such as daily distances driven, locations visited, etc., the business could look to rely upon “legitimate interests”. This is not an isolated example. Given that the haulage industry is so heavily regulated, legislation, operator’s licences and the expectations of the Traffic Commissioner often require data to be held for varying periods of time. There may be an initial legal obligation to keep it, but the operator may well have other reasons, beyond the minimum legal period, for holding the data for much longer.
Where the lawful basis of holding and processing data will change over time, this should be made clear at the very outset to the data subject in the privacy notice. One thing must be remembered, though: a data controller cannot begin holding and processing data based upon consent and then subsequently change to another ground — this is expressly forbidden by the GDPR.
The sanctioned six…
As described above, the GDPR sets out six lawful grounds for holding and processing data. The official guidance issued by the Information Commissioner’s Office (ICO) states that “at least one of these must apply whenever you process personal data”. This implies that data can be held on multiple grounds at any one time. However, best practice dictates that when an operator is assessing its data, a primary ground should be selected. This will then determine what rights an individual has with regards to the information. The primary ground should be notified to the individual but if ever there was a dispute and the ICO was to rule that the principal ground was not valid, where there were multiple grounds, the operator could then seek to rely on an alternative (though it should be borne in mind that in such circumstances, the operator will inevitably be on the “back foot” in seeking to justify a “second” choice).
Many of the lawful grounds require that the holding and processing of data is “necessary” to achieve the outcome. If it isn’t necessary, then the ground cannot be relied upon. For example, one of the grounds set out below is that of contract — the idea that the information is held as it is necessary to perform a contractual obligation. If, as part of the data a business has collected from a driver, there is information as to whether that person is left or right handed, and that information is not required to perform the contract, then that ground cannot be relied upon for holding and processing that piece of information. Another ground will have to be used to justify it and, if no other ground is available, that bit of data will have to be destroyed.
Looking at the six grounds in more detail…
Legal obligation
This will be the primary ground that many operators hold data upon. It justifies the holding and processing of data where it is necessary for the business to comply with the law. For a typical goods vehicle operator, this will justify holding and processing personal data in relation to drivers’ hours and tachograph records, maintenance documentation (including driver defect reports), driver’s licence information, Driver CPC training records and historic pay information. Legal obligations are imposed either directly by the law (such as the European Drivers’ Hours and Tachographs Rules) or sometimes indirectly (for example, the requirement to check driver’s licences in order to avoid being prosecuted for causing or permitting offences such as “no licence” or “no insurance”). Legal obligations can also be imposed by bodies such as the Traffic Commissioner (for example, the requirement to keep and be able to produce up to 15 months’ worth of maintenance records) and also by “non-transport” legislation such as that driven by HMRC or health and safety. Where there is a legal obligation to hold information, the consent of the individual is not required.
Contract
Where the data controller or processor has a contract with an individual, or specific steps are being taken prior to entering into a contract, this can be a legal justification for holding and processing the individual’s personal data. However, the processing of the data must be necessary to either enter into or fulfil the contract. If the contract can be performed without the processing of the data then this basis will not apply. For example, if among a driver’s bank details you keep information as to how long he or she has been with his or her bank, that information is not relevant to the employment relationship — it is not needed to actually pay the driver — and therefore the ground of “contract” could not be used to justify holding that information. Another ground would have to be sought or the data deleted.
The legal basis of “contract” will justify the holding of much “HR” data including names, addresses, dates of birth, National Insurance numbers, bank details, payroll records, etc. All this information is necessary in order to properly employ an individual and then pay them for the work they perform. Similarly, any necessary information contained in collection or delivery documents can be justified under the “contract” basis.
Vital interests
Here, the holding and processing of information can be justified if it is necessary to protect someone’s life. While this ground is similar to one which existed in older legislation, under GDPR, the “vital interests” need not necessarily be those of the data subject. This means that you can hold one person’s information if it is necessary to protect the life of someone else. Vital interests could include holding next of kin information which is then disclosed to a hospital in an emergency situation. It is also likely to cover the disclosure to a hospital of someone’s medical history who is admitted with life-threatening injuries when that individual themselves cannot provide the information.
As the ICO has already advised, the protection of vital interests is most likely to arise in the context of health data. Such information falls within the “special category” of data, which requires additional care.
Public task
This legal ground can be relied upon where an organisation needs to process personal data either to perform a specific task in the public interest or in the exercise of official authority. Here the specific task, public interest or exercise of official authority must be laid down in law. It is mainly going to be applicable to public authorities and not something which can be easily justified by haulage companies or other goods vehicle operators. The only exception to this might be organisations such as utility or private water companies that are using their vehicles to carry out public functions.
The Data Protection Bill 2017, currently before Parliament and due to come into law in the near future, is attempting to clarify this ground, stating that public tasks will include the administration of justice, parliamentary functions, statutory functions and governmental functions, though this is not intended to be an exhaustive list.
Legitimate interests
This is perhaps the widest and most flexible ground for holding and processing personal data. Again there is a requirement that holding and processing the personal data is necessary to pursue the legitimate interest. It will cover much of the data held by operators that does not fall in either the “legal obligation” or “contract” grounds. It can be used to justify retaining information beyond a legal obligation, where there is a realistic prospect of a prosecution, civil action or public inquiry. This might, for example, apply to maintenance records or driver defect reports. The information has to be held by law for 15 months but thereafter, if the defect report relates to a prohibition, offence or other serious incident, an operator might want to keep that data for up to five years in case it is referred to at some point in the future by the Traffic Commissioner in a public inquiry scenario.
Legitimate interest will also justify holding and processing information such as vehicle telematic data or CCTV and dashcam footage. The same can be said for audit reports or driver performance monitoring.
The core principle that underpins this ground is that while consent from the individual is not required, the data is only held and processed in a way that the individual would reasonably expect and which has a minimal impact upon their privacy. The ICO official guidance suggests that where a business might seek to rely upon “legitimate interest” as a ground, a three-part test is applied. This involves the following.
Identifying the clear purpose or outcome that the business is trying to achieve.
Confirming that the only way in which the purpose or outcome can be achieved is to retain and, if necessary, process the personal data involved.
Balancing the above against the individual’s own interests, rights and freedoms.
It is clear that legitimate interests can cover commercial interests. However, as is stated above, if an individual could not reasonably anticipate his or her data being used for such purposes, it will make justification all the more difficult.
Legitimate interests can be claimed for some marketing activities. This includes direct marketing. However, the data controller has to be satisfied that the use of the information for marketing purposes will not come as a surprise to the individual and will not be something that they could reasonably be expected to object to. For example, an existing client of a business might reasonably anticipate receiving information about other services provided by an organisation. This may even continue for a short period after the last purchase or interaction. However, if a client or customer has not used the business for many years then there is a strong argument to say that the individual is no longer interested in receiving that business’ services and therefore the business does not have a legitimate interest in continuing its direct marketing approach.
The ICO guidance advises that legitimate interests may also cover the disclosure of personal data to a third party. This could include advising the Traffic Commissioner of issues involving a driver. While there is a legal obligation under the terms of the operator’s licence to notify the Traffic Commissioner of convictions incurred by a driver, that same obligation could not be used if a driver was only arrested but had not yet appeared at court and therefore had not been convicted of any offence. However, if there were real public safety issues relating to the individual and the driving of goods vehicles, it could be argued that there was a legitimate interest in disclosing those concerns to the commissioner in order that regulatory action could be taken against the driver to prevent an accident or harm. The operator will have to demonstrate that the disclosure was justified but, given the Traffic Commissioner’s often stated desire to be made aware of potential risks, such a course of action could well be lawful.
Consent
Consent is the one ground that many operators feel compelled to rely upon to justify holding or processing personal information, whether that relates to their employees or customers. Under the GDPR, consent has to be given on a fully informed basis. The individual has to easily understand what he or she is agreeing to. It also has to be freely given — it cannot be “extracted” from an individual in return for other promises or threats. The obtaining of consent should be kept separate from any contract, from the offering of inducements and from any suggestion that the data processor will or will not do something in return.
Consent has to be very clear and unambiguous. This means we are likely to see an end to the “pre-ticked” boxes often found on internet websites. By virtue of having to be clear and concise, it also means that if the data is going to be passed on to a third party, such a third party should be identified at the point that consent is given.
Businesses will have to be able to produce clear records of how and when consent was obtained. An organisation can only rely upon consent given “pre-GDPR” if that consent complied with the “post-GDPR” rules. If, for example, it was given by virtue of a pre-ticked box, that consent will not be valid after 25 May 2018.
Consent cannot be inferred from an individual remaining silent. If consent is sought and no reply is received, the fact that the individual might be ambivalent is not enough for the business to assume that consent has been given. It is not enough to give an individual the ability to “opt out” and, where no consent has been given, to infer consent from the fact that the opt out has not been actioned.
Consent should be renewed on a regular basis. Wherever consent is relied upon, the individual should also be given the opportunity to revoke the consent. The individual will have to be told how to do this.
Given the fact that consent has to be freely given and, in the words of the ICO, “means offering individuals real choice and control”, it will be very difficult for employers to rely upon consent in relation to handling and processing personal information from their workforce. The unequal bargaining position between employer and employee will inevitably mean that most employees will feel compelled to agree to an employer’s request for consent, regardless of whether they truly do or do not want to give such permission. This means that in the employment context, businesses should look to rely upon one of the other five lawful grounds before considering whether they have to seek consent. However, consent may be used within a haulage business for justifying the retention of some information relating to a former employee, where there is no legal obligation or legitimate interest. It will also clearly be relevant for marketing purposes, whether a business is selling to its own employees, previous customers or potential clients.
Data audits and privacy notices
It is clear from the GDPR that businesses will have to fully understand what data they hold, why they have it in their possession, the legal basis for doing so and its retention period. All this information will come together in what is often referred to as a data asset register. This requires a full audit of all information within the business so that it can be categorised appropriately. While such an exercise is undoubtedly the largest and hardest part of GDPR compliance, it is the bedrock upon which proper policies, systems and privacy notices can be based. The data audit will also identify whether a business is relying upon “consent” as a ground for holding and processing data and therefore will clarify whether that consent needs to be renewed prior to the GDPR taking effect.
Returning to the key concept that individuals are made aware of what data is being collected and how it is being used, this means businesses will have to provide clear and unambiguous privacy notices which explain to the individual, among other things, what their data is being used for and the ground that is being relied upon. Where legitimate interest is being claimed, the actual interest should be identified. Some businesses may opt for multiple privacy notices — targeted at different audiences. There may be one for their own staff and another for customers or those they market to. Each notice will advise the recipient of the different types of information being held and the legal grounds relied upon. Customers are unlikely to be interested in knowing what staff data a business holds and why and, similarly, staff don’t need to know about customers.
It is important to understand the legal grounds which are being relied upon to justify holding and processing personal data; otherwise it will inevitably lead to issues with both the individual and the ICO.
While it remains to be seen how the ICO will actually enforce GDPR compliance, if the “policing” of the previous Data Protection Act 1998 regime is anything to go by, the ICO will want to have sight of clear policies and schedules which detail all of the above information and provide the operator’s justification for selecting a specific ground. If this cannot be easily provided, then it is likely enforcement action will be taken.