Guidelines in relation to legal basis for private sector sharing of personal data
This note gives guidance on the sharing of personal data about individuals from one data controller to another in the private sector. It is prepared in recognition of an increasing desire on the part of some data controllers to consider sharing personal data collected for one primary purpose, such as providing a service to an individual, for another purpose, such as entering the personal data of that person on an industry-wide database or other such broader database.
The sharing of data in relation to individuals, even with their consent, must still meet the requirements of the Data Protection Acts for justification for the particular processing envisaged.
All processing of personal data must be in compliance with the provisions of Sections 2 & 2A and where the data is sensitive Section 2B of the Data Protection Acts. In essence, this legal basis requires that personal data only be processed where it is necessary to do so for a substantial reason in the particular circumstances. Even in such circumstances all processing must still be carried out in such a manner as to safeguard the fundamental rights and freedoms of the individual concerned.
The key issue to be decided in the context of any processing of personal data is under which of the provisions in Sections 2, 2A & 2B (where the processing relates to sensitive data) the processing can be deemed legitimate. Sharing of personal data is considered to be processing and therefore must have an appropriate basis in the Data Protection Acts.
As a minimum to ensure fair processing, the person must be appropriately informed in accordance with the requirements of Section 2(1)(a) of the Acts as outlined in more detail in Section 2D. This requires that persons must be informed as to all uses that will be made of their data, including to whom it will be disclosed.
Once appropriate and detailed information is supplied to all persons under the requirements of Section 2(1)(a) of the Acts, the additional conditions of Section 2A must also be met. Section 2A(1) relates to consent. Where this consent is sought as a condition for the provision of the service in question rather than on a purely optional basis, then the strong view of the Commissioner is that it is doubtful that it can be considered to be freely given and therefore should not normally be solely relied upon as a justification for the sharing of personal data. This is especially so where such sharing is on a systematic, routine basis.
In such circumstances, one of the other conditions of Section 2A must also be met. The most likely in relation to the sharing of personal data is Section 2A(1)(d):
(d) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
Accordingly, any sharing of personal data would need to be able to clearly demonstrate that it is necessary for the legitimate interests of the data controller concerned and not prejudice the fundamental rights and freedoms or legitimate interests of the data subject. Therefore this provision requires that any sharing strike a clear balance between the interests of the data controller and the data subject. The strong view of the Data Protection Commissioner is that in order to override the legitimate interests of the data subject, the data controller must be able to demonstrate unequivocally why it is necessary for their legitimate interests to override the rights of individuals by sharing their personal data with others.
Additionally, where the personal data to be shared relates to “the commission or alleged commission of any offence by the data subject”, which would, of course, include fraud, it would constitute sensitive personal data and the conditions of Section 2B of the Acts also need to be met before any sharing of personal data takes place.
Section 2B again envisages the explicit consent of the data subject providing a basis for the processing of personal data under this Section. However, for the reasons outlined above a consent given in these circumstances should not normally be considered to be freely given and so cannot be solely relied upon by a data controller.
Section 2B(1) outlines additional conditions which would legitimise such processing. The most relevant in this context are likely to be:
(vi) the processing is necessary -
(I) for the administration of justice,
(II) for the performance of a function conferred on a person by or under an enactment, or
(III) for the performance of a function of the Government or a Minister of the Government,
(vii) the processing –
(I) is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings, or
(II) is otherwise necessary for the purposes of establishing, exercising or defending legal rights
This makes clear that sensitive personal data in relation to the commission or alleged commission of an offence may only be processed by a data controller itself for the purpose of pursuing legal action or where the processing is performed further to a specific statutory obligation or for the administration of justice. These latter categories may only be carried out by an official authority. Accordingly, for clarity, the sharing of personal data by a data controller with An Garda Síochána in relation to the commission or alleged commission of an offence is legitimate under the Acts and may take place. No other sharing of information between data controllers in relation to the commission or alleged commission of offences, including in relation to fraud, may take place in compliance with the Data Protection Acts.