Fair and transparent processing
In order to process personal data fairly, the processing must be in line with the data subject’s expectations. In other words, use the data only for the purposes for which you collected it. If you wanted to do something else with it, would the data subject expect that? And would you be happy to tell the data subject what you are doing with their data, now that the GDPR requires you to do so?
There are exemptions to this principle. For instance, where solicitors are processing the personal data of a third party in connection with a matter that is confidential, or where the information would be regarded as privileged, they do not need to comply with the requirement to ensure transparent processing, or to provide the information set out below, when doing so would conflict with the provision of the legal service being provided.
The transparency principle means you have an obligation to supply all data subjects whose data you are processing with the following information when you are collecting personal data obtained directly from them – unless they already have this information or the exemption applies. Most organisations will deliver this information in a privacy notice which can be accessed through their website. Think about delivering the required information in a way that suits your clients. You may wish to provide some of this information to new clients when you send out your terms of engagement and then refer them to your website. You may want to make the privacy notice available in your office if that is how your clients interact with you. If you are processing the data of a child or vulnerable person, then you must adapt your privacy notice to ensure that it is clear and written in a way that will be understood.
Information which must be made available when personal data is collected:
- Identity and contact details of the controller
- Contact details of the data protection officer, if applicable
- Purposes of processing and the legal basis of the processing
- The legitimate interests you are relying on
- The recipient or categories of recipients of the data
- Information about transfers to third countries, including how to ensure that it will be safe
- The period for which the data will be stored/criteria used to determine that period
- The consequences of failing to provide information if the processing is based on a statutory or contractual requirement
- The existence of any automated decision making/profiling etc; how it works and the consequences of this processing for the data subject
You must also tell the data subject about:
- Their right to request access to, rectification of, erasure of, restriction of processing, or to object to processing the data; and the right of data portability
- The right to withdraw consent to processing (where processing is based on consent)
- The right to lodge a complaint with the Information Commissioner’s Office
You have a duty to ensure that the information is delivered in an appropriate manner, and you will be the best judge of how to do that, but do avoid complex, legalistic language.
Although the obligation is not retrospective, there is an expectation that organisations will provide up-to-date information to individuals whose data they already hold. This may be done through your website, but you must decide how best to do this to ensure transparency.
If you receive personal information about an individual from a third party and not directly from the data subject, then you have an obligation to provide that third party with fair processing information unless:
- They already have that information, or
- It would be impossible, or it would involve disproportionate effort, or
- The personal data must remain confidential where legal professional privilege applies
Information must be provided to a data subject in this case within a reasonable time after having received the data, but within one month or when the data is being used.
Case Study
Our high street firm has written a privacy notice which covers the relevant information for fair processing for clients and others whose data it processes in the course of its business. The privacy notice is on the firm’s website and clients will be directed to where the information can be found. The firm has also decided to send the relevant information from the privacy notice to new clients along with its terms and conditions as it recognises that not all their clients access their website.
Another privacy notice has been produced for all existing and new staff.
Marketing
Most law firms will carry out marketing to some extent. If law firms are gathering information through their websites, then they must have a fair processing notice/privacy notice describing what is happening to the contact details that they are collecting in this way.
If law firms are carrying out any direct marketing activities using email addresses, then they must also comply with the Privacy and Electronic Communications Regulations 2003. These generally require that consent is in place before direct marketing emails are sent.
From 25 May 2018, it is likely that this consent will have to be GDPR compliant.
Law firms can send direct marketing emails to existing clients without consent as long as:
- They provided the individual with the option of opting out of receiving such messages at the time the data was collected, and
- They provide an opt-out every time a message is sent
These rules do not apply to business-to-business marketing and so sending an email to a named member of staff at an organisation does not require consent.
Create a record of data processing
All law firms should know what personal data they are processing and why, and be able to identify what is happening to it.
GDPR guide for law firms
Data protection regulations from the perspective of a legal practice