Record of Processing – No. 6

Introduction and comments

This week we looked at ‘record of processing’ which is a new requirement under the latest data privacy legislation. We also looked at the production of a Policy Document for the special categories of personal data (Data Protection Act 2018).

In case anyone is wondering where the timetable posting “What, When and How” has gone: as it slipped off the list of recent blogs, it has now been put as a menu item at the top of each page.


Review of action points from prior session

  • To do 14: Using the Information Asset Register you made in Blog No. 2, draw up a table identifying the contracts/DSAs/ISAs required for review.
  • To do 15: Review the contracts you have in the practice to ensure they are GDPR compliant using the exemplars and the checklist (see resources used).
  • To do 16: Where contracts should be in place but have not been found, use the template letter to write to the contracted organisation requesting a GDPR compliant contract.
  • To do 17: Check the returned contracts from any external organisations you have contacted against the checklist provided.

Work covered this week


1) Record of Processing

What is a ‘record of processing’?

Under the new data protection regime, data controllers must now pay the Information Commissioner’s Office (ICO) a data protection fee. This fee replaces the need to ‘notify’ or register, which was the case under the DPA 1998. For further information on data protection fees, please visit the Information Commissioner’s website: https://ico.org.uk/media/for-organisations/documents/2259094/dp-fee-guide-for-controllers-20180601.pdf

There is a new requirement for Data Controllers to retain records of processing. These include the purpose of processing, data sharing and retention. The Record of Processing must be made available to the Information Commissioner on request.

What information needs to go into a record of processing?

The following items must be included in your record of processing:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

You can also use the record of processing to document your compliance with other aspects of GDPR and Data Protection Act 2018.

How do we complete a record of processing?

Your Information Asset and Data Flow registers (see Blog No. 2) contain the information needed to complete the Record of Processing.

Use the template provided.

If you add a new information asset or flow, you will also need to update your record of processing at the same time.

You can publish your record of processing on your website. It can support your transparency requirements (Fair Processing/Privacy information provided to data subjects).

What do you need to consider?

Public authorities (including GP practices) cannot use ‘legitimate interest’ as a legal basis for processing.

You must identify the legal basis (Article 6 GDPR) for processing personal data from the list below.

You will need to consider the lawful basis for each of your assets and flows, and this needs to be incorporated within the record of processing.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Special categories of data

For processing special categories of data (such as racial or ethnic origin, data concerning health, etc.) you also need one of the following legal bases (Article 9 GDPR). The legal bases in bold are the ones which you are most likely to use.

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards
  9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


For certain other types of data, e.g. DBS checks for employment and health data, you require another legal basis under the Data Protection Act 2018. These are detailed in Schedule 1 of the Data Protection Act 2018. Most likely it will be one of the following, but it is important to check when carrying out this exercise.

Employment, social security and social protection

1.1 This condition is met if —

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

Health or social care purposes

2.1  This condition is met if the processing is necessary for health or social care purposes.

2.2  In this paragraph “health or social care purposes” means the purposes of

(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services.

Template Record of Processing

2) Policy Document

There is a legal requirement for you to have a policy document for each special category of data listed within Schedule 1 of the DPA 2018 that you process. This policy document must be referred to within your Record of Processing. It demonstrates that you meet the requirements of the Data Protection Act 2018 and must be retained for the data retention period plus six months.

What is needed within the Policy Document?

  1. An explanation of how the Data Controller’s procedures (for this asset) comply with the six GDPR principles (see the Policy Document Template for the list of six principles); and
  2. Retention and erasure information.

If it is decided that you will not comply with the retention and erasure processes, you will need to record the reason why within the record of processing.

Policy Document Template


Resources Used

Output Documentation

Learning points

  • There is no longer any need to notify/register with the ICO, but on renewal you will still need to pay a fee as a Data Controller.
  • There is a legal requirement to keep a record of processing.
  • Legal bases for processing must be documented in the record of processing.
  • New data assets and flows must be updated in the record of processing.
  • There is a legal requirement to have a policy document for each category of data processed.


Practice checklist

  • To do 18: Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19: Complete the Template Record of Processing.
  • To do 20: Check the legal bases for processing for the different categories of data.
  • To do 21: Using the Policy Document Template, create a Policy Document for each category of data.

Next session on 16.08.18

(Blog No.7 due 21.08.18)

We have a three-week break, and the next session will be mid-August when we will be looking at our fair processing notices (privacy notices).
