The impact of GDPR on local authorities
The General Data Protection Regulation (GDPR) came into force in May 2018. It introduced some key principles for personal data handling, such as lawfulness and data minimisation.
There is certainly a need to effectively address the issues of data vulnerability and cybersecurity, due to the large increase in data exchange between countries with different levels of data protection.
However, the introduction of the GDPR caused serious concern across organisations, particularly in the public sector, in relation to compliance.
Governmental bodies had to review how they processed personal data to minimise the amount of personal data processed and retained.
It was clear from the beginning that compliance would become a burden, especially in terms of costs, considering the large amount of services carried out by local authorities and with respect to the related data collected and held.
The implementation of new processes, procedures and controls to comply with the GDPR forced both the private and public sectors to increase resource towards setting up compliance programmes.
Despite the data controller having data protection responsibility for data breaches, suppliers are tending to prefer to be identified as such.
Local authorities, in particular, had to designate a data protection officer (DPO) and ensure that their data processing is limited to what is necessary to act in the public interest and for fulfilling their statutory duties.
Further, as the GDPR affects every department of an organisation, it was essential to understand what kind of data each team handles and to raise awareness of the sensitivities around data processing and the implications related to the handling of their data.
The effects of the GDPR on outsourced services for local authorities has been significant.
Local authorities have had to introduce new evaluation criteria at tender stage to assess bidders on their level of compliance with the GDPR. They have had to obtain from existing suppliers all necessary guarantees on their levels of compliance and security.
As such, contracts need to reflect the current GDPR legislation and ensure that the roles of the parties involved in the processing of personal data are clearly identified. Identifying who is the data controller and who is the data processor is crucial.
Despite the data controller having data protection responsibility for data breaches, suppliers are tending to prefer to be identified as data controllers, rather than data processors.
Indeed, all organisations are data controllers while carrying out their day-to-day business activities, but what happens under a contract for the delivery of services on behalf of a local authority?
Organisations are arguing that, for the purposes of the GDPR, they are data controllers, since they collect data while delivering commissioned services and use professional judgement in order to assess, for example, service users’ needs. They argue that the degree of control over the processing operation classifies them as data controllers, as they determine the means of the processing.
In many cases, suppliers are collecting data for their own business purposes. This causes confusion for the purposes of the contract.
Undoubtedly, once a supplier is appointed to deliver certain categories of services, it will interact directly with the service users, who can be defined under the GDPR as data subjects.
However, the supplier relationship with the service users is created only on the basis of the services commissioned by the local authority under a specific contract.
The local authority’s requirements for a particular service are usually set at the tender stage, and give the supplier a clear picture of the type of data that needs to be collected (categories of service users affected by the services), why data needs to be collected and the professional judgement to be used by a diligent supplier to successfully deliver the services.
This means that for the purposes of the contract, the local authority is a data controller and the supplier is a data processor.
This position is strengthened by the fact that local authorities have statutory duties to fulfil, which creates a direct obligation to their residents and a direct relationship with them as data subjects.
The body with the relevant statutory duty cannot transfer its data protection responsibilities to another organisation. This cannot be ignored by suppliers, and even if they take some technical decisions on how the data is processed, this does not change their position to one of data processor.
However, if suppliers collate data outside the instructions given by the local authority under the contract, they will become data controllers and will be in breach of the GDPR, unless they are able to prove that they determine the purposes for which and the means by which personal data is processed.
Too often, legal advisers are describing everyone as joint data controllers, which does not reflect the true position under the GDPR.
In many cases, suppliers are collecting data for their own business purposes. This causes confusion for the purposes of the contract, as suppliers tend to insist on being described as data controllers for this reason.
However, as the contract deals only with the operations required at the local authority’s instruction (and therefore the data collected only at the local authority’s instruction), suppliers are properly described as data processors only under the contract terms.
Too often, this can allow legal advisers to simply describe everyone as joint data controllers, which does not reflect the true position under the GDPR.
Therefore, it is important for both suppliers and local authorities alike to distinguish between their ‘own’ data related exclusively to their business, and the data collected under the relevant contract.
The Information Commissioner Office (ICO) has provided guidance on the GDPR , which is useful for organisations and their lawyers to help assess data protection roles and responsibilities.