The First Data Protection Principle – Lawfulness, Fairness and Transparency
The First Data Protection Principle under the General Data Protection Regulation (‘GDPR’) is that of “lawfulness, fairness and transparency”. This goes further than the first principle of the previous legislation, the Data Protection Act 1998, which required only that personal data be processed ‘fairly and lawfully’; transparency is now an explicit requirement in its own right. In this blog we are going to look in some detail at what that means. By way of background, there are a total of six data protection principles, the others being purpose limitation, data minimisation, accuracy, storage limitation and security (integrity and confidentiality). Data controllers must also be able to demonstrate compliance with all of them (the accountability requirement).
Firstly, in order to be lawful, any processing of personal data needs to fall within at least one of the six legal bases set out in Article 6 GDPR, which are:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
Once you have established the lawful basis (or bases, if there are several) of processing, you need to ensure that the processing is not otherwise ‘unlawful’, which is to say contrary to law, such as a breach of the Human Rights Act 1998, a breach of an enforceable contractual agreement or a breach of industry-specific legislation.
Also, if you are processing special category personal data (for example health, racial or ethnic origin, or biometric data), you need to identify a separate condition for processing that type of data in addition to your Article 6 lawful basis.
Next, the processing needs to be ‘fair’. You need to consider how the processing may affect the individual or group of individuals concerned, and be able to justify any adverse impact.
Generally, you should ensure that you are only handling personal data in a manner which people would reasonably expect, and that the data is not used in a way that would have unjustified adverse effects on a person or people, such as being bombarded by unsolicited electronic marketing. Try to think further than simply how you are using the personal data and ask yourself whether you should be doing so at all. This also needs to be considered more widely in the context of all six data protection principles, such as data minimisation and purpose limitation. Just because you have been processing personal data in a particular way in the past does not mean that you should continue to do so; challenge yourself as to what you are doing and why.
One highly relevant aspect of the issue of fairness is how you obtained the information; for example, if the data was obtained in a misleading manner, it is unlikely that the processing activity will be considered to be ‘fair’.
Whilst processing may negatively impact on an individual, this does not necessarily render the processing ‘unfair’. The question is whether any detriment to the individual can be justified or not. For example, personal data will be processed for the purpose of imposing fines for breaking the speed limit. Naturally the fine will have an adverse impact on the individual concerned, and is thus detrimental, but it is not ‘unfair’.
Finally, the processing of personal data needs to be ‘transparent’. In practice this means being open and honest with individuals about how their data will be processed, so that their right to be informed is met.
Data will either be collected from the individual themselves or from a third party, and the rules as to what information you need to give to the individual about the use of their personal data vary, depending on how you have obtained it.
Where personal data has been received directly from the individual concerned, you will need to advise them of the following at the time the data is collected:
- the identity and contact details of the data controller (and of its representative, where one has been appointed)
- the contact details of the data protection officer, where one has been appointed
- the purposes of the processing
- the legal basis of the processing
- where you rely on legitimate interests, what those interests are
- the recipients, or categories of recipients, of the personal data
- whether the data will be transferred outside the EEA and, if so, whether the destination country is covered by an adequacy decision or, if not, what safeguards are in place and how to obtain a copy of them
- retention periods, or where that is not possible, the criteria used to decide them
- the data subject’s rights (i.e. to access, rectification, erasure, restriction of processing, objection and data portability)
- where processing is based on consent, the right of the data subject to withdraw that consent at any time
- the right of the data subject to lodge a complaint with the ICO
- whether there is a statutory or contractual requirement to provide the personal data, and the consequences of failing to do so
- whether any automated decision-making, including profiling, takes place and, if so, meaningful information about the logic involved and the likely consequences for the individual.
Additionally, where the data has been obtained from a third party rather than from the individual, you will also need to advise the data subject of the categories of personal data processed and the source from which the data was obtained, including whether it came from publicly accessible sources.
Where personal data has been obtained from a third party, you will need to provide this information to the data subject within a reasonable period of obtaining the data, and in any event within one month. If you use the data to communicate with the data subject, or disclose it to another recipient, before that month is up, the information must be given no later than that first communication or disclosure.
You need to consider how you will communicate this to data subjects. This is normally done through a privacy notice, which you may post on your website, send electronically or send as a hard copy.
In conclusion, and as can be seen from the above, compliance with this first principle is onerous, and will require some thought by your organisation to ensure that these requirements are met. Data controllers are responsible for, and also need to be able to demonstrate compliance with, all six data protection principles.
If you have any queries about this, or any other matter relating to data protection compliance, please do not hesitate to contact us at Ordered Data Protection Consultants.