The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 have been in effect since the 25th of May 2018. Despite the regulator (the UK Information Commissioner’s Office (ICO)) working hard to provide advice and guidance to businesses, there are still a number of myths and misconceptions around data protection.
Alice Wilson has worked in data protection for over eleven years. She works for Higher Education, Further Education Shared Technology and Information Services (HEFESTIS), which provides a Data Protection Officer (DPO) Shared Service for colleges and universities in Scotland, and is the DPO for West Lothian College. In this article she shares the common misunderstandings and myths of data protection law.
Myth 1 – Data Protection is a Barrier!
Data Protection law is not new – the first UK Data Protection Act (DPA) was in 1984. Data protection is not there to restrict business in handling personal data. It provides a legal framework for organisations to operate in and to meet individuals’ right to privacy (linking with Article 8 of the European Convention on Human Rights – the right to respect for private and family life, home and correspondence). It is rare that data protection would be the reason for a business not to process personal data for a specific purpose. So if an organisation states that it can’t share due to GDPR, generally this is incorrect, and in some instances it is used as a convenient excuse not to share! This is a really unhelpful position and perpetuates the belief that data protection is restrictive rather than helpful.
The key to compliance is ensuring the data protection principles are followed. This means having appropriate documentation in place, including policies and procedures, to ensure data is used appropriately, is kept safe and that there is greater transparency around how it is used.
Myth 2 – Consent
Consent from the individual is often considered to be the only way that organisations are allowed to process personal data. This is one of the most common myths, with people believing that consent is the only way an organisation can handle data, and it is a myth that existed even before GDPR.
Under data protection law, consent is not the only lawful basis for processing personal data. There are five other conditions for processing personal data – contract, legal obligation, vital interests, public task and legitimate interest. For the college, the majority of processing will be public task. Contract and legal obligation are the other two lawful conditions which apply.
For consent to be valid under GDPR, a list of conditions must be met. GDPR has strengthened the rules around consent: it must be a fully informed and freely given choice.
Myth 3 – GDPR stops sharing & Data Protection Officer (DPO) says No!
As referenced earlier, data protection law has been in place since the 1980s. GDPR and the new UK Data Protection Act 2018 have strengthened individuals’ rights and provided more powers to the ICO. If organisations were complying with the 1998 Act, complying with GDPR should not be too onerous.
It is not unusual for data protection or ‘the DPO says no’ to be used as a reason not to share data. It’s worth noting that if data was shared prior to GDPR, it’s highly likely there is a legal basis for sharing and it can continue. The college has a clear legal framework under a number of laws to share data. For example, the college regularly shares student data with the Scottish Funding Council (SFC) under the Post-16 Education (Scotland) Act 2013. Data protection and the DPO do not prevent sharing where there is a legal basis to do so.
There are also instances where data protection does not prevent the sharing of data with appropriate bodies when it comes to a life-or-death matter – for example, if a vulnerable young person goes missing. Not sharing data in such instances also goes against the college’s duty of care to its staff and students. The ICO would not fine an organisation for sharing life-saving data that can help protect a vulnerable person.
Myth 4 – Individuals Rights
The myth around consent then links with incorrect assumptions around individuals’ (data subjects’) rights. Some people incorrectly believe that the right to erasure (commonly known as the right to be forgotten (RTBF)) is an absolute right. As already referenced, some people think that companies cannot use their data without explicit consent. However, this is not the case; for example, certain organisations have a legal requirement to hold data on people. HMRC has legal requirements to hold personal data for tax purposes, so individuals cannot exercise their right to erasure and request that HMRC delete all their data. This applies to other organisations too, including the college.
Common Sense Approach to Data Protection
There are some aspects of data protection that should be a matter of common sense. One way to approach this is to step back and consider it from the individuals’ perspective – stand in their shoes – what are their expectations? Is this processing justified, proportionate and necessary for the purpose it was collected for? To aid in this process, look at what the privacy notice informed them of when the data was first collected.
Data protection training will assist in dispelling the myths surrounding data protection. In particular, employees who handle sensitive data and/or large volumes of data for specific purposes could benefit from extra training and guidance. At the college, MIS and HR handle large amounts of personal and sensitive (special category) data. Therefore, specific training related to their area of work would help provide greater clarity over how that data should be used. It’s also important to continue raising awareness of data protection law and dispelling the myths and misconceptions of GDPR and the DPA.