Local authority legal teams deal with a range of issues, and data protection matters can arise on a day-to-day basis, whether as a stand-alone issue or as part of a wider piece of advice, such as a contract negotiation. We have set out below some of our top tips to consider when advising on data protection matters.
- Check if the Supplier is a Controller or Processor
In many services contracts, the supplier will be a processor for the local authority. However, sometimes the supplier is a controller (or even a joint controller), and in that scenario the data protection clauses in template contracts may need to be adapted.
- Ensure Contracts Reflect GDPR Requirements
Art.28 GDPR sets out the requirements for controller to processor contracts and must be complied with in all controller-processor scenarios. Also, ensure any amendments to data processing provisions still comply with Art.28 GDPR and that required provisions are not omitted in error.
- Comply with the ICO Data Sharing Code of Practice
Art.26 GDPR requires joint controllers to set out their responsibilities “by means of an arrangement”. A data sharing agreement between individual controllers is also good practice. When drafting data sharing clauses and agreements, consider the ICO Data Sharing Code of Practice.
- Update Contracts to Reflect Brexit Changes
If you are using template data protection provisions, be mindful that there have been some changes to data protection law as a result of Brexit. For example, the GDPR has been updated to reflect language we use in the UK (“Supervisory Authority” is amended to be the “ICO” and/or “foreign designated authority”).
- Get Ready for the International Data Transfer Agreement
Earlier this year, the ICO’s new International Data Transfer Agreement (IDTA) and SCC Addendum came into force. These will replace the current EU standard contractual clauses (SCCs). The SCCs can still be used for contracts concluded on or before 21 September 2022, and you will have until 21 March 2024 to get the new IDTA in place.
- Diarise GDPR Deadlines
Timescales are a key part of GDPR compliance, and the ICO can exercise its enforcement powers if they are not complied with. Key timescales include the time to respond to Subject Access Requests, which is one month (this can be extended for up to 3 months in certain circumstances). If you suffer a personal data breach that meets the threshold for reporting, you have 72 hours (including weekends and bank holidays) to report it to the ICO.
- Know Your Lawful Basis
You can only process personal data if you can meet an Art.6 lawful basis and so this should be identified before any processing begins. In addition, you may only process special category personal data if Art.9 conditions are met. There are also additional Data Protection Act 2018 conditions for special category and criminal conviction data.
- Be Careful of the Consent Lawful Basis
Consent is one of the Article 6 lawful bases you can use. However, the standard of GDPR consent is high – it must be “freely given, specific, informed and unambiguous” and made “by a statement or by a clear affirmative action”. Therefore, it may not always be the most appropriate lawful basis to use. It can also be difficult for public bodies to rely on the lawful basis of consent if there could be an imbalance of power and consent is not freely given (see GDPR Recital 43).