NEWLYN PIER & HARBOUR COMMISSIONERS

GDPR Policy and Privacy Notice

Introduction

Harbour authorities, marina operators and boatyards will, from 25th May 2018, need to consider how to comply with the new data protection rules introduced by the EU, the General Data Protection Regulation (“GDPR”). GDPR replaces the 1995 EU Data Protection Directive and the UK Data Protection Act 1998.

Aim

The aim of this direction is to make all harbour staff, customers and stakeholders aware of how information is gathered, held and processed by Newlyn Pier and Harbour Commissioners (“NPHC”). This direction will also cover responsibilities, definitions, individuals' rights, GDPR principles, the legal requirements for data processing and the processes we will have to abide by in order to be compliant.

Responsibilities:

The responsibility for GDPR compliance lies with the Duty Holder, represented by the Harbour Master and/or the Deputy Harbour Master in his absence.

Definitions:

GDPR states the following definitions for information.

Personal Data – means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing – means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Individuals' Rights:

  • The right to be provided with specific information at the time the data is obtained, including the purposes of the processing for which the personal data are intended, the legal basis for the processing and, where relied upon, the legitimate interests pursued by NPHC as the data controller.
  • The right of access to a copy of their personal data, free of charge, although a “reasonable fee” may be charged when requests become manifestly unfounded or excessive, particularly if repetitive.
  • The right to rectification if personal information is inaccurate or incomplete
  • The right to erasure, in certain specified circumstances
  • The right to restrict processing in certain specified circumstances
  • The right to data portability, although not in relation to data processed for the purposes of legitimate interests
  • The right to object, including to processing based on legitimate interests (unless overridden by compelling legitimate grounds)
  • Rights in relation to automated decision making and profiling.

Some of these rights may not apply, dependent on the lawful basis for processing.

Data Protection Principles under GDPR:

GDPR requires that personal data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected and processed only for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to only what is necessary
  • Accurate and up-to-date
  • Kept for no longer than is necessary
  • Processed securely

Lawful Basis:

The new lawful bases for data processing are:

  • Consent – Individuals have given clear consent for their personal data to be processed for a specific purpose
  • Contract – Processing is necessary for a contract that NPHC has with the individual, or because they have asked the organisation to take specific steps before entering into a contract
  • Legal obligation – Processing is necessary to comply with the law, (not including contractual obligations)
  • Vital interests – Processing is necessary to protect life
  • Public task – Processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law
  • Legitimate interests – Processing is necessary for the organisation's legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.

With the above taken into account, NPHC must ensure that there is a lawful basis for processing data and that this basis is determined before the data is processed.

Data can be classed under multiple lawful bases; however, NPHC will classify data under the most appropriate category as per ICO recommendation.

Due to the nature of our operations and our large customer base, the majority of our processing comes under the “Contract” Lawful Basis.

How does NPHC determine what are “Legitimate Interests”?

Legitimate Interests will apply if there is no other suitable lawful basis for processing, but there is a legitimate interest. GDPR specifically mentions the use of client and employee data, marketing, fraud prevention and IT security as potential legitimate interests; however, we must be aware that this is not an exhaustive list. Should NPHC use legitimate interests as the primary Lawful Basis, the UK Information Commissioner's Office (“ICO”) recommends that we conduct a “Legitimate Interest Assessment” (LIA), which comprises the three-part test described below:

Step 1 – Purpose test: Is NPHC pursuing a legitimate interest? If so, what is it?

Step 2 – Necessity test: Is the processing necessary and reasonable for the purpose described in Step 1, and why?

Step 3 – Balancing test: Do the individual's interests override the legitimate interest? If not, why not?

The main emphasis of GDPR is that all assessments and information audits are recorded. At present there is no standard format for these tests/audits; however, they must be recorded in order to show the thought process to the ICO should we be audited. An NPHC format for the LIA and for information audits can be found in the GDPR Information Folder.

How does NPHC determine what is necessary and how do we balance?

This is quite clear in GDPR: NPHC must ensure that data processing is targeted and proportionate in achieving the organisation's aim. In layman's terms, NPHC cannot rely upon what we deem a legitimate interest if there is another reasonable and less intrusive way to achieve the same result. With this in mind, we must be clear that NPHC's interests must be balanced against an individual's interests; for example, if one of our customers would not reasonably expect NPHC to use data in a particular way, or it would cause them unwarranted harm, their interests are likely to override NPHC's interest. However, NPHC's interests do not always have to align with those of the individual. If there is a conflict, NPHC's interest may still prevail so long as there is clear justification for the impact on the individual's interests.

Present Data

An information audit is to be carried out and recorded. The information held by NPHC will be reviewed and NPHC is to clearly define what information is held, the purpose for holding the information, in what format the information is held and the lawful basis for processing.

Consent

GDPR sets a high standard for consent, and any existing consents will be reviewed to ensure they comply with GDPR standards. If any existing consents do not meet GDPR standards they will be refreshed.

Consent means offering individuals real choice and control, and must be a positive opt-in. Consent cannot be inferred from silence or inactivity. In order to achieve this, NPHC will email all affected customers, staff and stakeholders and request a positive opt-in. Should no reply be forthcoming, this cannot be deemed to be consent.

Subject Access Requests

The procedures for this have only changed slightly, as any request will have to be responded to within one month under GDPR rather than the present forty-day timeline. Any refusal must be mitigated as stated above; however, the individual must be referred to the supervisory authority and to a judicial remedy. Any requests that become onerous or unreasonable may be charged for.

Privacy Notices

In order for NPHC to comply with its transparency obligations under the first GDPR principle, which is to demonstrate that it meets the requirements for the lawful basis of processing and to provide the information which individuals whose data are processed are entitled to receive, NPHC will issue a “Privacy Notice”. The Privacy Notice must be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language and be available free of charge, clearly setting out the lawful basis for processing as well as the purpose of that processing.

Privacy Notices will vary depending on the lawful basis for processing.

Summary

As stated above, GDPR comes into force on 25th May 2018 and, as a Trust Port, we must ensure that we continue to be transparent and have clear consent from our affected users in order to retain their data. I believe the nature and type of data we hold simplifies GDPR for us; however, we must ensure that we review our processes, conduct the relevant information audits and document all interaction when it comes to GDPR.

R M J Parsons
Harbour Master
Newlyn Harbour
