In the third in our GDPR for healthcare blog series, Karen Heaton of Data Protection for Business discusses how to ensure that you are processing data lawfully and the necessity to track the data subjects’ consent.
How many emails did you receive in the run-up to 25th May this year about ‘opt-ins’ to receive marketing? I, for one, enjoyed a clear out of my junk mail. Now, only products and services I am actually interested in arrive in my Inbox. Not only that, but now organisations have to take my unsubscribe request seriously. This was clearly not the case in the past.
But were all these emails necessary? Well, that depends on the lawful basis you have for processing an individual’s data and also how you received an individual’s data.
So, to answer this question, you need first to understand a) your data and b) your lawful basis for using that data.
Understanding your data
This is the crux of data protection compliance. Without properly mapping out your data, you will struggle to be compliant with all aspects of data protection. Why? Because if you cannot answer the basic questions of…
- What type of data you have – personal data, or Special Category data – Sensitive / Child
- Where you sourced the data
- Who has access to that data
- Which processing activities you undertake on that data – sending marketing messages, sharing with third parties, analysing data for demographics or other profiling types of activities
- What your lawful basis for processing is
- Which country it is stored in
…then you may be asking for consent unnecessarily, or not asking for consent when you should be. As well as a raft of other non-compliant activities, by the way (and it’s a long list!).
In short, you are risking a breach of the core Principles of data protection which, as we learned in last week’s blog, attract higher level fines, risk of prosecution, audits by the ICO and restriction of business activities. For medical practices in particular, and client-facing businesses in general, there is the potential for non-trivial reputational damage from any of these actions.
Lawful basis for processing data
Once you have itemised the personal data within your organisation, ask yourself which of the following lawful reasons apply to each of the processing activities undertaken on the data. If none of the bases numbered 1-5 applies, then you must seek consent. Medical data and other Special Category data require explicit consent.
1. Performance of a contract entered into with the data subject
2. Legal Obligation which the Controller must comply with
3. Legitimate Interest of the Controller
4. Vital Interests of the data subject
5. Performance of a task carried out in the Public Interest
6. Consent – the organisation must be able to obtain, maintain and validate lawful consent received from the individual
A small business selling products has a database of around 3,000 contacts and wants to send those contacts a monthly newsletter with their new product information and special offers. Do they need to send all contacts an ‘opt-in’ to marketing email?
If the company can validate that all their contacts are or were customers or had previously asked for information on their products, and the company had an unsubscribe option in place, then probably not (as the data was received from the customer under performance of a contract, consent or legitimate interest). However, they must ensure that all new customers ‘opt-in’ to marketing emails and that the unsubscribe option is clear and easy to use.
If the company is not sure where some of its contacts came from, then those will require consent to receive marketing emails. In particular, if contact data were purchased from a third party, the third party has the duty to ensure that consent to sell or transfer their contact details was received from the data subject. If this cannot be confirmed, then consent to marketing is required.
Where consent is required to process data, your systems must be set up to track and manage that consent, preferably with a description of how consent was given (e.g. during customer registration process or during a consultation). That way, an audit trail of consent is maintained which will assist in demonstrating your organisation’s compliance with data protection, if questioned.
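The scenario above and the consent audit trail just described, as an added example that is not part of the original post: an append-only consent ledger that records how each consent was given or withdrawn, and a decision function that applies the post’s reasoning about contact sources. The record layout, the source labels, the subject identifiers and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentEvent:            # one immutable audit-trail entry (constructed layout)
    subject_id: str
    purpose: str               # e.g. "marketing"
    given: bool                # True = consent given, False = withdrawn (unsubscribe)
    how: str                   # how it was given/withdrawn, e.g. "registration form"
    at: datetime

@dataclass
class Contact:
    subject_id: str
    source: str                     # "customer", "requested_info", "purchased" or "unknown"
    special_category: bool = False  # e.g. medical data

class ConsentLedger:
    """Append-only log; the most recent event per subject and purpose is the current state."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)   # never edited or deleted: this is the audit trail

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self._events if (e.subject_id, e.purpose) == (subject_id, purpose)]
        return max(hits, key=lambda e: e.at) if hits else None

def marketing_decision(contact: Contact, ledger: ConsentLedger) -> str:
    # A recorded choice (given or withdrawn) always wins; otherwise decide from the source.
    state = ledger.current(contact.subject_id, "marketing")
    if state is not None:
        return "send" if state.given else "suppress"
    if contact.special_category:
        return "seek_explicit_consent"   # Special Category data needs explicit consent
    if contact.source in ("customer", "requested_info"):
        return "send"                    # contract / legitimate interest; unsubscribe must be offered
    return "seek_consent"                # bought without confirmed consent, or origin unknown

def build_sample() -> tuple[ConsentLedger, dict[str, Contact]]:
    ledger, utc = ConsentLedger(), timezone.utc   # constructed sample data, not real records
    ledger.record(ConsentEvent("S-001", "marketing", True, "customer registration form", datetime(2018, 5, 1, tzinfo=utc)))
    ledger.record(ConsentEvent("S-001", "marketing", False, "newsletter unsubscribe link", datetime(2018, 6, 1, tzinfo=utc)))
    ledger.record(ConsentEvent("S-003", "marketing", True, "list supplier confirmed consent", datetime(2018, 5, 20, tzinfo=utc)))
    contacts = {c.subject_id: c for c in (
        Contact("S-001", "customer"), Contact("S-002", "requested_info"),
        Contact("S-003", "purchased"), Contact("S-004", "unknown"),
        Contact("S-005", "customer", special_category=True))}
    return ledger, contacts
```

Because events are only ever appended, `ledger.current()` answers "may we email this person today?" while the full list of events remains available to show an auditor when and how each consent was given or withdrawn.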
In the ICO quarterly statistics from Q1 2018, out of 23 industry sectors, the Health sector had the highest number of data breaches of any sector – 677 out of a total of 3,146 reported incidents – 22% of the total.
Medical data is a Special Category of data and therefore a higher standard for processing and seeking consent is in place. Individuals are much more aware and inquisitive about how their medical information is used.
=> You must understand all your responsibilities as a Data Controller. For Controllers processing Special Category data, your operational risk is increased. Regular internal reviews of procedures and compliance audits are highly recommended.
See you next week!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited