In the latest of our series of GDPR myth-busting blogs, a new post by Deputy Commissioner (Policy) Steve Wood tackles some misconceptions which have sprung up around how the new data protection law might affect your Christmas.
“He’s making a list,
“He’s checking it twice,
“He’s gonna find out who’s naughty or nice,
“Santa Claus is in contravention of Article 4 of the General Data Protection Regulation (EU) 2016/679.”
This comical rewriting of the classic Christmas song has been doing the rounds on social media in recent weeks. There have even been suggestions that Father Christmas should be reported to the IC Ho Ho Ho...
Others have been pondering how we at the ICO manage to process personal data relating to our office ‘Secret Santa’ while some have asked if naughty children can utilise their ‘Right to be Forgotten’ to make sure they still get a present.
Yet these jokes do raise a more serious issue.
Excellent progress has been made in raising awareness about GDPR, among both organisations and the general public, and customer feedback to the ICO demonstrates that. But it remains true that some are still misunderstanding or misapplying the new legal regime for data protection more than six months on.
Some of the misconceptions about GDPR and the new Data Protection Act 2018, many of which we sought to address through our series of myth-busting blogs last year, are still being circulated in the media and by some organisations and the general public. In short, they are using a sledgehammer to crack a roasted chestnut.
So let’s look at some of the myths we have seen reappearing in recent weeks in a festive context.
You can’t contact parents to tell them what stall they will be running at the school Xmas Fayre because you don’t have their express consent
This actually happened to a member of staff at the ICO and is one of many myths which have at their source the common miscomprehension about consent.
In short, you don’t always need consent to comply with GDPR - it is not the only lawful basis on which you can use someone’s personal information. For example, in this case, the school or PTA had a legitimate interest in being able to contact parents and volunteers.
Churches cannot ask for Christmas prayers for named parishioners who are ill or sick, because their health data is protected
This is another case caused by confusion surrounding the need for consent.
The new laws exist to give people more rights and freedoms, not to act as a barrier to small community groups. If this is something that the parishioner concerned might reasonably expect and welcome and the church can justify processing their health data, then it is unlikely to be breaching the law.
Children can’t write public letters to Santa as their parents’ permission will be needed
This is a case which came up in Germany recently, where children would traditionally post their letters to Santa on a tree in the town of Roth. The town council – which granted children's wishes such as visiting the fire station or having the Mayor come to their school - halted the practice because parents’ permission was needed under GDPR.
While the GDPR does give special status to the data of children, a simple form including both the child’s letter and a parent’s signature eventually solved the problem. Again it is all about proportionality, balance and reasonable expectations.
You can’t give a delivery driver directions to someone else’s home
Difficult as it might be to believe, we were asked this question after a local shopkeeper was apparently told that giving a parcel delivery driver directions on how to reach a house in the village breaches the GDPR.
The GDPR doesn’t prevent you from giving out directions. If it sounds too far-fetched to be true, then it probably is.
GDPR means you can’t get a refund if you buy something online as a ‘guest’ rather than a ‘registered user’ and it turns out to be faulty
This was suggested in a recent news article. GDPR has no detrimental effect whatsoever on your rights under consumer protection legislation.
Christmas cards are banned if you don’t have the recipients’ consent
No, GDPR doesn’t ban Christmas cards, even in corporate context. If you are sending Christmas cards to friends, family, neighbours etc you don’t need their consent.
If you’re sending corporate Christmas cards, you need to be more careful and consider whether it contains direct marketing – especially if it addressed to an individual. In particular, if sending a corporate Christmas greeting electronically, eg by email, then be sure to comply with the Privacy and Electronic Communication Regulation (PECR) rules on electronic marketing.
Politicians and schools who run Christmas card design contests for children now face excessive regulation
No, they don’t, despite what some media reports may claim. They are asked to observe basic data protection principles for example relating to security, data minimisation which they should have - and most likely will have been - observing for years under the previous legal regime.
Parents can’t film or take pictures of their child’s Nativity play
This old chestnut was also a common misconception under the previous Data Protection Act 1998 and is an example of where some organisations routinely but incorrectly cite data protection laws as a reason for not doing something.
Schools may have their own reasons for preferring parents don’t photograph or record performances – for example, child safeguarding issues or commercial considerations - but as long as the filming or photography is for your own personal purposes, then there is nothing in data protection laws past or present which prevents this.
Protecting your data at Christmas
Away from the myths, many people will be buying ‘Internet of Things’ devices for their homes this Christmas, or smart toys and devices which process personal data for their children. We have published advice for parents and for retailers on this topic.
And one final piece of advice from all at the ICO – whatever you do, don’t forget to have a Merry Christmas and a Happy New Year.
Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.