Diving into data protection (…and avoiding the 'belly-flops')

Data protection: when it's a problem and how to circumvent


Introduction

Plunging into the pool of data protection regulation can seem intimidating. While legacy specialists may not often deal with data protection in their everyday activities, it's important to have a reasonable working knowledge of the basics. 

We've had data protection regulation in the UK since the mid-1980s, however data protection only came to wider attention when the EU General Data Protection Regulation (GDPR) – now transposed into the UK GDPR following Brexit and supplemented by the UK Data Protection Act (DPA) – took effect in May 2018. This was largely because of potentially huge financial penalties for non-compliance hitting the headlines. While many horror stories being peddled about penalties for minor infringements were over hyped, the lack of large fines doesn't mean we can think of GDPR as a non-event. We've seen private individuals becoming increasingly aware of their data privacy rights and willing to exercise them, often in the context of a wider grievance. Even if regulatory action is still relatively rare, dealing with a data protection complaint can present an unwelcome disruption.

It's also clear that there are still misunderstandings of how data protection law applies, or even a perception by some that it can be avoided (e.g. by only dealing with paper records). In our view, a total circumvention approach is not only impractical, it's likely to fail. Most information, even if initially given verbally or written down, may ultimately be recorded electronically or filed somewhere, meaning that data protection law is potentially applicable.

Rather than trying to swim against the tide of data protection rules, the best course may be to dive in. Normal operations should not be unduly impaired by compliance provided that you are willing to take sensible steps. So, what are our current 5 key takeaways for charity legacy professionals and practitioners to avoid embarrassing or costly data compliance 'belly-flops'? Some of our audience will be more familiar with data protection than others, but for everyone, I hope this will provide a useful refresher of key points to remember when collecting and handling personal data in a legacy context.

Be aware of what's covered

Data protection legislation regulates the collection and handling of personal data by your organisation (the organisation being the 'data controller', not an individual staff member, as is sometimes the belief). 'Personal data' covers data relating to an identifiable, living individual. A deceased person's data is not subject to data protection law, although other laws such as the Access to Health Records Act 1990 and duties of confidence can still be relevant. In any event, the personal data you hold relating to the legator's family and other relatives, beneficiaries, personal representatives and other individuals – whether in a personal or professional capacity – will be regulated under GDPR and DPA. Personal data recorded about your own individual staff or volunteers, internally or in external communications, will also be covered. Personal data does not just mean contact details. It can extend to any opinions recorded about an individual, including negative comments in internal communications (e.g. an email or message on your system between colleagues venting their views about a difficult family member). It can also apply to personal data within instant messages and WhatsApp communications sent in a work context. You can't necessarily 'get round' the rules by using messaging services on a mobile device and, once a data subject access request (or DSAR) is likely to be served, it's a criminal offence for an organisation or staff member to intentionally delete or amend the personal data held with a view to avoiding disclosure.

Remember that individuals have rights to see the data recorded about themselves

As said above, individuals can use a DSAR to obtain a copy of the personal data that's held about them by your organisation or staff/volunteers. The exceptions allowing you to reject such a request are limited and the timescales for responding are tight. In many cases, the task of searching for personal data can be resource intensive. We recognise this is particularly acute when you are in an already stretched team. However, lack of resources is not recognised as a legal basis to delay or limit your response. Often, you can procure external IT help in searching for data and filtering 'hits' to more manageable levels. However, prevention is better than cure, and having some rules about what staff record (or don't record) about individuals, and control over where communications are saved, is recommended to reduce the work you have to do later.

At the same time – don't panic if you receive a DSAR. Many individuals (and their advisers) overestimate what they are entitled to see or go on 'fishing exercises'. The data subject access right is not a blanket right to see whole documents that an applicant may be interested in. Only information, so far as it constitutes an individual's personal data, is disclosable.

Also, you have the right to balance the applicant's privacy rights against the privacy and confidentiality rights of other individuals whose details could also be revealed. We understand that this can be a tricky exercise, but it will often be a relevant consideration where large bundles of communications are being requested. Also, in respect of genuinely 'complex' requests, you can extend the deadline for responding by a further 2 months.

Have relevant policies/training for your staff

One of the most important new features of the GDPR was the introduction of an 'accountability' principle. This means that simply saying you are complying with the rules is not enough. You must be able to demonstrate what you are doing to comply. In other words, documenting good data protection practice is essential. There are some 'easy wins' here. For instance, an external-facing privacy policy that individuals can access to find out what personal data your charity – including the legacy team – may be collecting about them; what you use it for; who it may be shared with; the legal basis for your processing of that data; how long it will be retained (or the criteria you use to retain data); and what rights individuals have to access their data, object to certain uses or complain if they think their rights are being violated. It's important that you also put in place internal rules for your staff in relation to their handling of personal data and that you back this up with periodic training. 'What guidance or training has your client given its staff?' is often one of the first questions we are asked by the Information Commissioner's Office (ICO) when they investigate a data incident. What's appropriate will differ for each organisation, depending on its size and the complexity of its data processing. However, particular points to remind staff of should include: only recording the personal data that's necessary for your purpose; storing personal data/correspondence in the correct places on your system; taking precautions to keep data secure; not sharing data inappropriately (e.g. other than with relevant staff who have a need to know, or externally when there is a clear legal justification); and having a process for promptly reporting any suspected security breaches. Keep policies up to date and make sure that they are relevant to legacy operations.

Ensure you have appropriate data processor contracts in place with companies that handle any personal data on your behalf, or data sharing agreements where you share/receive personal data with/from external parties.

Ensure you have a data retention policy

Having a written retention/disposal policy is strongly recommended. This should recognise your other legal obligations (e.g. maintaining transaction records for tax law) and the needs of different teams. There is no set timescale, and personal data should only be retained for as long as 'necessary' in connection with the purpose for which it's held. This may mean only a few years for marketing, but we're conscious that for a legacy team there may be a need to retain data on a much longer-term basis to establish that your charity had a previous connection with a deceased individual, in case they leave a legacy which is subsequently contested by a dependant under the 1975 Act. This may be justifiable, provided you document your reasons in a retention policy. You should also ensure that such retained data is limited to what you need and safeguarded from being used for unrelated purposes, such as fundraising.

Finally - keep an eye on the regulations

UK data protection laws are potentially changing in the near future. The government is about to pass an amended Data Protection and Digital Information Act. The fundamental principles of the GDPR and Data Protection Act should not change radically, but there may be some helpful modifications for charities, notably more flexibility around sending e-marketing to individuals you have had previous contact with, and a potential tightening of rules around DSARs that may allow you to refuse vexatious applications not made in good faith or that constitute an abuse of process, although further guidance may be needed on what this means in practice.

Like even the best Olympic diver, when it comes to data protection compliance it's unrealistic to expect a perfect score. However, with due preparation, you should be able to minimise the need to somersault, pike, tuck or twist your way through difficult regulatory issues at a later date.

Key contact

Kenneth Mullen

Partner | London

IP, commercial and technology