Angus MacLeod, Partner at Wright, Johnston & Mackenzie LLP, explains what you should put in a privacy notice and when you need to give one.
Transparency is a key principle of the GDPR: data controllers must ensure they process personal data lawfully and fairly, and in a transparent manner.
The idea behind this is to engender trust: if individuals know how their data is to be processed, they can better control its use and can more easily challenge the processing should they be unhappy with it.
It means that data subjects should be given a range of information about how their data is to be processed. This information, normally provided in the form of a privacy notice, should be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- provided free of charge.
What must a privacy notice contain, and when should it be provided?
The GDPR is very specific about the information to be given to data subjects and when it is to be given.
There are two scenarios provided for:
A. The personal data is collected from the data subject themselves
B. The personal data is obtained in some other way.
In Scenario A, the privacy notice needs to be provided at the time when the personal data are obtained and should state:
- Who the data controller is, and their contact details.
- If the data controller has a data protection officer (DPO), the DPO’s contact details.
- The purposes for which the data are intended to be processed.
- The legal basis for the processing.
- Where the legal basis is the legitimate interests of the data controller or a third party, what those interests consist of.
- Where the legal basis is consent, their right to withdraw consent at any time.
- With whom the personal data might be shared (either named third parties or categories of third parties)
- Whether the data controller intends to transfer the personal data overseas, and what protections will exist in the event of such a transfer.
- The period for which the personal data will be stored, or the criteria used to determine that period.
- The existence of the data subject’s rights to access, rectify and erase data, to restrict or object to its processing, and their right to data portablity.
- The right to lodge a complaint with the ICO.
- Whether the provision of the personal data is a statutory or contractual requirement, or necessary to enter into a contract.
- Whether the data subject is obliged to provide the data and what the consequences might be of failing to do so.
- If the data is to be used for automated decision-making including profiling, meaningful information about the logic involved in that decision-making, as well as what the significance and envisaged consequences of that processing might be for the data subject.
In addition to the list for Scenario A, the privacy notice should summarise the categories of personal data concerned and give its source.
In Scenario B, the privacy notice should be provided within a reasonable time (not exceeding one month) from the obtaining of the data. However, if the data are to be used to communicate with the data subject or disclosed to a third party, the privacy notice should be given no later than the time either of those things happens.
Must we always do this?
There are some derogations from the obligation to provide this information.
In both Scenario A and Scenario B, if the data subject already has the information, you need not provide it again – unless something has changed in the interim.
In Scenario B only, there are some other exemptions worth exploring. The one for obligations of professional secrecy will be of particular interest to solicitors.
The example given in guidance is of a patient who seeks their doctor’s advice in relation to a genetic condition. The patient gives the doctor medical information about themselves, but also about a number of close relatives who have the same condition. The doctor is not required to give a privacy notice to the relatives as to do so would necessarily involve a breach of the doctor’s obligation of secrecy to their patient. Where solicitor-client confidentiality applies, it will create a similar exemption.
For a much more detailed review of this topic, the Article 29 Working Party’s guidance on Transparency was published on 13 April 2018 and is very useful:
In due course the ICO will no doubt update their own guidance to reflect the WP29 paper so it’s worth keeping an eye on their website also.