We have written before about the situation where a privacy notice (and, if required, consent) is covered with, say, one party of a couple, but that individual then provides personal data about his or her partner. In our experience, many firms are still not handling this correctly.
Under the regulations, for children under the age of 13, you need to obtain consent (or establish another lawful basis) from whoever holds parental responsibility for the child. Therefore, in a fact find situation, storing the children’s names and other details presents no data protection issue. But what about children who are aged 13 or older, or another adult?
Older children and adults
One firm thought that it would be acceptable if only the first name of the older child or adult is recorded. This is not automatically true – it depends on whether the individual is identifiable by dint of the context in which the information is given. So, if we gather information on Julie or John, who is the client’s partner, then that person can clearly be identified by inference from other information. If we literally capture only the name and nothing else, then there is no personal data and arguably no issue, but in the context of a fact find the name is likely to be accompanied by additional information such as date of birth. Of course, it could be argued that sometimes that information would be in the public domain and so there are no privacy issues. There are public records of births, marriages, civil ceremonies and the like, so some information would escape being considered personal data on those grounds. But firms need to have a clear policy as to when ‘consent’ is required and when it is not.
The safe approach
Despite suggesting above that it could be acceptable to rely on the fact that information gathered about the other individual might be in the public domain, and so does not constitute personal data, this is not really a very robust way to proceed. Can you be sure that ALL the information you obtain will be in the public domain? Unlikely, when advisers usually need to know more private details such as income, health and so on.
Accordingly, whatever your lawful basis (consent, contract etc.), it must be applied to any and all living individuals (child exceptions apart) whose personal data is processed, and processing includes obtaining and storing it. So, just because you have a lawful basis with one individual, that does not confer a lawful basis for any other individual. Imagine fact finding with a client who, in response to questions about potential inheritance, divulges that he expects to inherit from his father, who is seriously ill with a number of named conditions, has a shortened life expectancy, has been told X and Y by his doctor, and whose estate is worth £X and house is worth £Y. It should be obvious that, while the son has every right to know that information, the firm needs to have established a lawful basis with the father to hold it!
When you collect personal data from the individual it relates to, the rules require that you must provide them with privacy information:
“… at the time when personal data are obtained…”
However, there is an acknowledgement that sometimes this will not be possible, for example when the adviser is meeting only one partner but information is obtained about the other partner. When you obtain personal data from a source other than the individual it relates to, the rules state that you must provide that individual with privacy information:
“…within a reasonable period after obtaining the personal data, but at the latest within one month…”
So this is a backstop solution for the situation where information, however brief, is obtained about an individual who is not directly present at the meeting. However, ICO guidance states that, while there is a maximum of a month to remedy the situation, this period will be shorter, with the information provided as soon as possible, where:
- use of the data is likely to be unexpected or unwelcome;
- use of the data is likely to have a significant effect on individuals; or
- special categories of personal data or criminal conviction and offence data are involved.
Of course, the ideal solution is to avoid this retrospective remedial work by being clear in advance of the meeting who is being advised, whose information will be required and who will be at the meeting, and to ensure that the firm’s privacy process is applied to all relevant individuals before any information is obtained.
Reading some privacy notices, it is often unclear exactly what lawful basis is being relied upon. Normally we would expect an adviser firm to rely on ‘performance of a contract’ or ‘consent’. But these often get mixed up in the text: there is a clear statement early in the privacy notice about performance of a contract, but then the document is required to be signed by the client, which is implicitly (or in some cases explicitly) tantamount to consent. This matters because the rules place obligations on firms to maintain clear records of all consents obtained (when, what for, and when they will need to be refreshed – consent needs to be renewed occasionally, and the consensus is usually every two years). Ask yourself, “Do we maintain accurate and comprehensive consent records?”
The consent/contract confusion often arises because the firm is still incorporating the privacy process into other documents, such as a client agreement that it does want to have signed. That creates two problems. First, it is then very unclear what the client is signing for; second, the rules state that the privacy documents should be separate from any other documentation.
Finally, it is not uncommon for the water to be muddied even further with the occasional mention of ‘legitimate interests’ being thrown in for good measure.
Legitimate interests should not be used on a blanket basis. The ICO states:
“Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.”
It is intended to be used sparingly and must include the undertaking of a three-part test. Firms need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
Firms should also keep a record of their legitimate interests assessment (LIA) to help demonstrate compliance if required.