- Business
- Data Protection
Shorter Reads
1 minute read
Published 22 October 2020
The BBC reported this week that the UK Department of Health and Social Care could share contact-tracing information with police in England, given there is a legal requirement to isolate after a positive test. The news of this practice quickly prompted a flurry of concerned commentary from public health officials and privacy campaigners, with the British Medical Association warning that police involvement could be counterproductive, insofar as it could deter individuals from testing for COVID-19.
Though this news concerns the public sector, the public reaction to it serves as a useful reminder of the importance of transparency to private-sector organisations who process personal data. If you collect individuals’ personal data and share that data with third parties, even if only occasionally, the GDPR requires that you give clear information about these data sharing practices to those individuals at the time when you collect their personal data. This should ideally be communicated via your privacy notice, which must state the recipients of the shared personal data.
Provided your lawful basis for processing the shared personal data is not consent, it is possible for only ‘categories of recipients’ to identified rather than named, individual recipients, but if you opt to take this less specific approach, you will need to be able to demonstrate why it is fair to do so and endeavour to be as specific as possible about the type of recipient (such as what industry or sector it belongs to) and its location. If, however, you are relying on consent as your lawful basis, then your privacy notice should specifically identify the recipients of the personal data, especially if they are third-party independent or joint controllers. Otherwise, there is a risk that the GDPR’s requirement for the consent to be specific will not be met.
As this news story illustrates, the more upfront with individuals you are at the outset about the way you handle their personal data, the more confidence they will have in your organisation. It is more difficult to gain back trust once lost than it is to lose it in the first place.
Shorter Reads
Published 22 October 2020
The BBC reported this week that the UK Department of Health and Social Care could share contact-tracing information with police in England, given there is a legal requirement to isolate after a positive test. The news of this practice quickly prompted a flurry of concerned commentary from public health officials and privacy campaigners, with the British Medical Association warning that police involvement could be counterproductive, insofar as it could deter individuals from testing for COVID-19.
Though this news concerns the public sector, the public reaction to it serves as a useful reminder of the importance of transparency to private-sector organisations who process personal data. If you collect individuals’ personal data and share that data with third parties, even if only occasionally, the GDPR requires that you give clear information about these data sharing practices to those individuals at the time when you collect their personal data. This should ideally be communicated via your privacy notice, which must state the recipients of the shared personal data.
Provided your lawful basis for processing the shared personal data is not consent, it is possible for only ‘categories of recipients’ to identified rather than named, individual recipients, but if you opt to take this less specific approach, you will need to be able to demonstrate why it is fair to do so and endeavour to be as specific as possible about the type of recipient (such as what industry or sector it belongs to) and its location. If, however, you are relying on consent as your lawful basis, then your privacy notice should specifically identify the recipients of the personal data, especially if they are third-party independent or joint controllers. Otherwise, there is a risk that the GDPR’s requirement for the consent to be specific will not be met.
As this news story illustrates, the more upfront with individuals you are at the outset about the way you handle their personal data, the more confidence they will have in your organisation. It is more difficult to gain back trust once lost than it is to lose it in the first place.
Need some more information? Make an enquiry below.
Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?
Subscribe to our articlesPlease note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.
Close