Charlotte Smith and Hannah Peto set out some of their top tips to consider when advising on data protection matters.
Local authority legal teams deal with a range of issues and data protection matters can occur on a day-to-day basis, whether as a stand-alone issue or as part of a wider piece of advice, such as part of a contract negotiation. We have set out below some of our top tips to consider when advising on data protection matters.
1. Check if the Supplier is a Controller or Processor
In many services contracts, the supplier will be a processor for local authorities, however, sometimes the supplier is a controller (or even a joint controller) and therefore the data protection clauses in template contracts may need to be adapted for that scenario.
2. Ensure Contracts Reflect GDPR Requirements
Art.28 GDPR sets out the requirements for controller to processor contracts and must be complied with in all controller-processor scenarios. Also, ensure any amendments to data processing provisions still comply with Art.28 GDPR and that required provisions are not omitted in error.
3. Comply with the ICO Data Sharing Code of Practice
Art.26 GDPR requires joint controllers to set out their responsibilities “by means of an arrangement”. A data-sharing agreement between individual controllers is also good practice. When drafting data sharing clauses and agreements, consider the ICO Data Sharing Code of Practice.
4. Update Contracts to Reflect Brexit Changes
If you are using template data protection provisions, be mindful that there have been some changes to data protection law as a result of Brexit. For example, the GDPR has been updated to reflect language we use in the UK (“Supervisory Authority” is amended to be the “ICO” and/or “foreign designated authority”).
5. Get Ready for the International Data Transfer Agreement
Earlier this year, the ICO’s new International Data Transfer Agreement and SCC Addendum came into force. These will replace the current EU standard contractual clauses (SCCs). The SCCs can still be used for contracts concluded on or before 21 September 2022 and you will have until 21 March 2024 to get the new IDTA in place.
6. Diarise GDPR Deadlines
Timescales are a key part of GDPR compliance and the ICO can exercise its enforcement powers if timescales are not complied with. Key timescales include the time to respond to Subject Access Requests which is one month (this can be extended for up to 3 months in certain circumstances). And if you suffer a personal data breach, you have 72 hours to report to the ICO if it meets the threshold for reporting, including weekends and bank holidays.
7. Know Your Lawful Basis
You can only process personal data if you can meet an Art.6 lawful basis and so this should be identified before any processing begins. In addition, you may only process special category personal data if Art.9 conditions are met. There are also additional Data Protection Act 2018 conditions for special category and criminal conviction data.
8. Be Careful of the Consent Lawful Basis
Consent is one of the Article 6 lawful bases you can use. However, the standard of GDPR consent is high – it must be “freely given, specific, informed and unambiguous” and made “by a statement or by a clear affirmative action”. Therefore, it may not always be the most appropriate lawful basis to use. It can also be difficult for public bodies to rely on the lawful basis of consent if there could be an imbalance of power and consent is not freely given (see GDPR Recital 43).
Charlotte Smith is a Senior Associate and Hannah Peto is a Trainee Solicitor at Sharpe Pritchard LLP.
For further insight and resources on local government legal issues from Sharpe Pritchard, please visit the SharpeEdge page by clicking on the banner below.