Harbour authorities, marina operators and boatyards will, from the 25th May 2018, need to consider how to comply with the new data protection rules introduced by the EU, the General Data Protection Regulation (“GDPR”). GDPR replaces the 1995 EU Data Protection Directive and the UK Data Protection Act 1998.
The aim of this direction is to make all harbour staff, customers and stakeholders aware of how information is gathered, held and processed by Newlyn Pier and Harbour Commissioners (“NPHC”). This direction also covers responsibilities, definitions, individuals’ rights, the GDPR principles, the legal requirements for data processing and the processes we must abide by in order to be compliant.
The responsibility for GDPR compliance lies with the Duty Holder, represented by the Harbour Master or, in his absence, the Deputy.
Personal Data – means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an ID number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Some of these rights may not apply, depending on the lawful basis for processing.
GDPR requires that personal data must be:-
The new lawful bases for data processing are:
Taking the above into account, NPHC must ensure that there is a lawful basis for processing data and that this basis is determined before the data is processed.
Data can be classed under multiple lawful bases; however, NPHC will classify data under the most appropriate category, as the ICO recommends.
Due to the nature of our operations and our large customer base, the majority of our processing comes under the “Contract” Lawful Basis.
Legitimate Interests will apply if there is no other suitable lawful basis for processing but there is a legitimate interest. GDPR specifically mentions the use of client and employee data, marketing, fraud prevention and IT security as potential legitimate interests; however, we must be aware that this is not an exhaustive list. Should NPHC use legitimate interests as the primary lawful basis, the UK Information Commissioner’s Office (“ICO”) recommends that we conduct a “Legitimate Interest Assessment” (LIA), which comprises the three-part test described below:
Step 1 – Purpose test: Is NPHC pursuing a legitimate interest? If so, what is it?
Step 2 – Necessity test: Is the processing necessary and reasonable for the purpose described in Step 1, and why?
Step 3 – Balancing test: Do the individual’s interests override the legitimate interest? If not, why not?
The main emphasis of GDPR is that all assessments and information audits are recorded. At present there is no standard format for these tests and audits; however, they must be recorded in order to show our thought process to the ICO should we be audited. An NPHC format for the LIA and for information audits can be found in the GDPR Information Folder.
GDPR is quite clear on this point: NPHC must ensure that data processing is targeted and proportionate to achieving the organisation’s aim. In layman’s terms, NPHC cannot rely upon what we deem a legitimate interest if there is another reasonable and less intrusive way to achieve the same result. With this in mind, we must be clear that NPHC’s interests must be balanced against the individual’s interests; for example, if one of our customers would not reasonably expect NPHC to use their data in a particular way, or it would cause them unwarranted harm, their interests are likely to override NPHC’s. However, NPHC’s interests do not always have to align with those of the individual. If there is a conflict, NPHC’s interest may still prevail so long as there is clear justification for the impact on the individual’s interests.
An information audit is to be carried out and recorded. The information held by NPHC will be reviewed and NPHC is to clearly define what information is held, the purpose for holding the information, in what format the information is held and the lawful basis for processing.
GDPR sets a high standard for consent, and any existing consents will be reviewed to ensure they comply with GDPR standards. If any existing consents do not meet GDPR standards they will be refreshed.
Consent means offering individuals real choice and control, and must be a positive opt-in. Consent cannot be inferred from silence or inactivity. In order to achieve this, NPHC will email all affected customers, staff and stakeholders and request a positive opt-in. Should no reply be forthcoming, this cannot be deemed consent.
The procedures for this have changed only slightly: under GDPR, any request must be responded to within one month rather than the present forty-day timeline. Any refusal must be mitigated as stated above; however, the individual must be referred to the supervisory authority and to a judicial remedy. A charge may be made for requests that become onerous or unreasonable.
In order to comply with its transparency obligations under the first GDPR principle, which requires NPHC to demonstrate that it meets the requirements for the lawful basis of processing and to provide the information to which individuals whose data are processed are entitled, NPHC will issue a “Privacy Notice”. The Privacy Notice must be concise, transparent, intelligible and easily accessible. It must be written in clear and plain language, be available free of charge, and clearly set out the lawful basis for processing as well as the purpose of that processing.
Privacy Notices will vary depending on the lawful basis for processing.
As stated above, GDPR comes into force on the 25th May 2018 and, as a Trust Port, we must ensure that we continue to be transparent and have clear consent from our affected users in order to retain their data. I believe the nature and type of data we hold simplifies GDPR for us; however, we must ensure that we review our processes, conduct the relevant information audits and document all interactions when it comes to GDPR.
R M J Parsons