Things to Check in a Data Privacy Project
Posted in: Business Legal on Data Security on 5 July 2017
In his latest video article on Data Privacy, David Fagan of Business Legal points out areas of concern for data processors when embarking on a data privacy project. David looks at issues such as managing the outsourcing of personal data, dealing with the requirement to re-use or re-purpose data, and the archiving of personal data including appropriate retention periods.
Data flow in a privacy project
It's important not only to be concerned with the project that you are dealing with but also to have an understanding of where the data is coming from and some of the data flows in any project.
For example, if you're dealing with the technical issue of an outsourcing of personal data, or processing, or outsourcing of storage, legally speaking this will possibly be a disclosure. That is to say, it is a transfer of personal data between legal entities or individuals. It may also be a transfer, a transfer being a movement of data across jurisdictions.
These two matters bring certain legal challenges. In essence, in order to disclose data, you need to be in a position to do so legally, which means that there must be a valid legitimate reason for that process.
Transferring data between jurisdictions
In order to transfer data, you have to comply with certain requirements for the transferring of data across jurisdictions. Transferring data within the EU is very simple. Transferring data to some other approved jurisdictions is also quite simple. However, outside of that it becomes more difficult to transfer data and certain requirements have to be met.
You may be required to re-use or repurpose old data, that is to say data which has been gathered for one purpose but which you now wish to use for another purpose. This might require that there is original consent or some other legitimiser from the data subject, or in connection with the circumstances in which you wish to use the data.
Reusing or repurposing data
The biggest difficulty that arises when an organisation is to re-use or repurpose data is that the data must only be used with consent, or it must be used with the original purpose being connected to the further use.
Quite often, the further use is unconnected to the originally considered use. This means that someone has given the organisation their data for one purpose and the organisation now wishes to use it for a different purpose. This is generally unlawful.
Issues related to storing data
Storing data can raise issues, particularly when that storing is in relation to archiving data. To give a practical example: the appropriate period of time for which data must be kept will really be based on the data itself, and the type of the data.
So, to take an example, perhaps, in a hospital: some data may need to be kept for longer than other data, for legitimate reasons. The time to do this most easily is at the time that the data is last being considered by the medical professional dealing with the file.
Retention periods and data privacy
It is very difficult to take data which is several years old and decide the appropriate retention period. So again, it's important that the retention period be decided at the archiving of the file rather than at the end of the process or rather than at some time in the future when some data archiving project is underway. It's very difficult to decide an appropriate archiving period or retention period at that point in time.
And in fact, in any processing it's always important to consider how the data was obtained in the first place. There are many data-privacy projects where the project itself would be lawful, if only it weren't for the fact that the data was unlawfully gathered, or was unlawfully still in the possession of the organisation.
Unfortunately, in many such cases it's not possible to sanitise that data, or make it legal because the data was unlawfully gathered, or is unlawfully currently in the possession of the organisation. It is not possible then to use it for a lawful and legitimate purpose thereafter.
This article is correct at 05/07/2017