At what point do we have to provide the privacy information?
When you collect personal data from the individual it relates to, Article 13 of the UK GDPR says that you must provide them with privacy information:
“…at the time when personal data are obtained…”
This applies when you collect personal data:
- directly from an individual (eg when they fill-in a form); or
- by observation (eg when you use CCTV or track people online).
A bank collects personal data from an individual in branch when they fill in a form to apply for a current account. The bank provides information to the individual on the application form to let them know why they need the data and what they do with it. The individual can review this information as they fill in the form.
The bank provides its customers with a mobile-banking app so they can manage their current account on the move. The app uses an individual’s location on their smartphone to inform them of nearby offers they can benefit from if they use their debit card. The app provides individuals with information about location tracking at the time of first log-in. App users can choose to accept or decline this use of their personal data.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 adopted guidelines on Transparency, which have been endorsed by the EDPB.
How long do we have if we obtain personal data from other sources?
When you obtain personal data from a source other than the individual it relates to, Article 14 of the UK GDPR says you must provide them with privacy information:
“…within a reasonable period after obtaining the personal data, but at the latest within one month…”
This applies when you obtain personal data:
- from another individual or organisation (eg if you buy in personal data, or it is shared with you); or
- from a publicly accessible source (eg the open electoral register).
The UK GDPR further clarifies that if you plan to use the personal data you obtain to communicate with the individual it relates to, or to disclose to someone else, the latest point at which you must provide the information is when you first communicate with the individual or disclose their data to someone else. Bear in mind that the one month time limit still applies in these situations. If, for instance, you plan on disclosing an individual’s personal data to someone else two months after obtaining it, you must still provide that individual with privacy information within a month of obtaining the data.
Whatever the situation, you must consider the specific circumstances of your use of the personal data in deciding when it would be reasonable to provide privacy information to an individual. You are accountable for demonstrating that what you did was fair. In practice this means that you need to think carefully about the reasonable expectations of individuals and what effects your use of their data may have on them.
The need to provide people with privacy information as soon as possible after obtaining their personal data is strongest where:
- your use of the data is likely to be unexpected or unwelcome;
- your use of the data is likely to have a significant effect on individuals; or
- you have obtained special categories of personal data or criminal conviction and offence data.
A council obtains the names and contact details of the members of several voluntary groups in its area, from each group’s secretary. It intends to send letters to the members to invite them to a training event it is running on child safeguarding. The council assesses that the voluntary group members are unlikely to be significantly affected by, or object to, this use of their data. As such, it provides the members with the appropriate privacy information at the point at which it first communicates with them about the training event, two weeks after obtaining their data.
The council also obtains the names and contact details of members of other voluntary groups in its area. It intends to disclose their details to a market research company that is conducting a survey on the council’s behalf to gauge public opinion on council services. The council assesses that the voluntary group members are less likely to expect their data to be used in this way and may object to being contacted by the market research company. As such, it decides to provide the voluntary group members with information about its intention to pass their details on to the market research company as soon as it obtains their personal data, and well in advance of any disclosures actually taking place. The council also uses this opportunity to seek the consent of the voluntary group members to use their data for the new purpose.
Prior to obtaining personal data, it is good practice to use a data protection impact assessment (DPIA) to identify the risks of what you plan to do, and then build in appropriate measures and safeguards, including deciding when to provide individuals with privacy information and what your lawful basis is for a further use of personal data. The use of a DPIA is a legal requirement when what you plan to do with personal data is likely to result in a high risk to individuals’ rights and freedoms, particularly when new technologies are involved.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are l no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB:
Guidelines on Transparency
Guidelines on Data Protection Impact Assessments (DPIA)
Can we put privacy information on our website for people to find?
The UK GDPR says that you must “provide” individuals with the necessary information in an “easily accessible form”. This applies equally if you collect personal data from the individual it relates to or if you obtain personal data from another source.
You can meet this requirement by putting the information on your website (this is often how organisations deliver privacy information), however you must proactively make individuals aware of this information and you need to give them an easy way to access it. Simply putting it on your website, in case people happen to look there, is not enough.
In practice, the way in which you provide privacy information to individuals will depend on the circumstances of how you collect or obtain their personal data. Some of the different techniques you can use to deliver this information are covered later in this guidance in the section ‘What methods can we use to provide privacy information?’