Chapter 3

Definitions in the GDPR and Territorial Scope

Definitions

Meaning of ‘personal data’

3.1 Personal data means any recorded information ‘relating to’ an ‘identified or identifiable’ living individual (or ‘data subject’)1. An identifiable living individual means a living individual ‘who can be identified, directly or indirectly, in particular by reference to:

(a) an identifier such as a name, an identification number, location data, or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’2.

3.2 This definition has a number of elements, which need to be considered separately:

There are (as before) two tests as to whether a piece of recorded information is personal data. Both have to be met:

whether a living individual is ‘identified or identifiable’ from that information, either alone or in combination with other information; and

whether the information relates to that living individual.

Meaning of identification

3.3 A person is ‘identified or identifiable’ from personal data if the content of the data in some way distinguishes or sets them apart from other people. It is far broader than merely ‘biographical’ information about their name, date of birth, education, employment etc (although it will also include those types of facts about them). It does not need to record something unique to that person, even within a small group; but merely something which marks them out from others, ascribes them to a category, or tells you something about them; especially if that feature differs from the description of others.

Identifying someone ‘directly’ means doing so from the information in question (which may be only a part of what the controller holds about them). Identifying them ‘indirectly’ means doing so from a combination of the information in question and other information available.

The following examples of recorded information would be likely to ‘identify’ the persons to whom they refer:

The address given by an internet service provider (ISP) to a person’s laptop.

This information would identify the individual user directly – as the holder of that address – without recourse to other information. It would also be possible for the ISP provider to identify the individual indirectly, by name or some other identity, by looking at the record of who held that ISP address.

Example: indirect identification

Consider the following written statements. Assuming that the other information about those individuals was also held, the statements would ‘identify’ them indirectly:

‘Our highest-performing student in that year came from Hong Kong’ [identifying the home country of that student. His or her identity can be established by comparing the statement with the list of grades attained by students in that year].

‘Three of the fifteen qualified mechanics in our workshop are female’ [The identities of those who are female can be established by comparing this statement with the list of employees].

3.4 In the UK, under the former Data Protection Act 1998 (‘DPA 1998’), the only information which could be referred to indirectly in this way was information which was in the ‘possession’ of the data controller (or likely to come into their possession). This limitation was in fact at variance with the 1995 Directive, which made no such distinction3. It ignored the situation where other information about the data subject was in the public domain (eg via the press), or known to third parties; as opposed to being held by the data controller. The DPA’s approach caused recurrent confusion in this country, when (for example) a controller had to decide whether it would be fair to release information publicly about an individual, which might be damaging to them if combined with other information that might be available in the public domain. The courts had to get round the problem by elaborate formulations in cases such as those referred to below4. The GDPR has meant the removal of this unfortunate distinction from the UK’s law, with the Data Protection Act 2018 (‘DPA 2018’) following suit, so that the UK now conforms to the European rules as they were previously intended to apply. The additional information which could lead to an indirect identification may potentially exist in any place or form where it is accessible to another person. The information does not need to be in the public domain.

Example: indirect identification

The ‘National Statistics Authority’ publishes an annual collection of interesting statistics. This year it has compiled a list of children who have passed musical instrument examinations years earlier than usual. The numbers passing the final grade (Grade 8) in each instrument are very small, even across the country. Those children will be identifiable, even if only to their families and friends in their local areas; or from any local publicity about them, such as press reports or school newsletters. If the statistics are to be published, therefore, the Authority needs to bear in mind that they meet the first test for constituting personal data; namely, that the individuals concerned are identifiable from the information (indirectly in this case).

3.5 Recital 26 states that in determining whether an individual is identifiable, account should be taken of ‘all the means reasonably likely to be used’ to identify a person, either by the controller or by another person5. All ‘objective factors’ should be taken into account, such as the ‘costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and [later] technological developments’. In other words, not every theoretical means of identification should be taken into account; but it is right to assess what information is realistically available; which, if it were combined with the information in question, would identify the person. If such information exists, the information in question is likely to be regarded as identifying the person. Underlining the intended breadth of the scope, the ICO advises that the controller should consider all the means likely to be available to a determined searcher (eg an investigative journalist, or an estranged partner) who has a particular reason to want to identify an individual. As technological search capabilities become more sophisticated, and the information available online about individuals multiplies, it seems likely that the threshold for meeting the test of identifiability will continue to fall.

‘Identifiers’: as indicated above, an identifier includes a ‘name, an identification number, location data, or an online identifier’6. The list is not exhaustive, and these are only examples. While identification numbers featured in the previous Directive (and can be expected to increase with the greater use of ‘pseudonymisation’7), ‘location data’ and ‘online identifiers’, such as Internet Protocol (‘IP’) addresses (of computer devices owned by individuals) or those which enable the profiling of individuals from their use of websites, bring the language into the 21st century; and reflect the rapid advances in technology since the DPA 1998.

‘Factors’: these are more personal ways of identifying a person8. The majority were present in the previous Directive (although again not referred to in the DPA 1998), namely those concerning a person’s identity in:

‘physical’ terms (eg their appearance, or health);

‘physiological’ terms (eg organisms in their body);

‘mental’ terms (eg their intellectual capacity; or mental health);

‘economic’ terms (eg their employment, or standard of living);

‘cultural’ terms (eg their ethnic or national background); or

‘social’ terms (eg their class, or their family background).

Some of these factors are likely to overlap.

3.6 To this list, the GDPR adds:

‘genetic’ factors (eg a person’s DNA)9; and

a further type, ‘biometric’ data, which is introduced in Article 9 (see para 3.12 below).

Meaning of ‘relating to’

3.7 The second part of the test of personal data is that the information has to relate to the living individual. The information will not be the personal data of an individual if, while it enables them to be identified, it is not in some sense about them.

Example:

William is aged 92. He is housebound, and lives in a 12th floor flat in the northern part of Notown. There are only three male housebound users of the council’s home care service who are aged over 90 in that area. Before the council’s home care service was reduced last year, his carer called every day; now she calls only twice a week. Although the information (in a council report) in the first extract below describes something which affects William as one of the users of the service, it is a statement about the service in general, rather than specifically about William. He would probably be identifiable from this description, at least to his family, as well as to the council itself and individual staff, but the information does not relate to him, because it is not about him, as opposed to being about the service; and so is not his personal data:

‘There are about 250 users of Notown’s carers’ service in the northern area of the authority, for whom the service has been reduced. This includes housebound users in high-rise flats in the most elderly age-group (90 upwards), and the council needs to pay especial attention to their needs.’

Contrast this with:

‘William’s service has been reduced to twice a week, along with most of the other 250 users in the northern area of the authority’.

The second statement relates to William, and the reduction in service that he has suffered; while also conveying that the service in general has been reduced, and how many others have been affected.

The second statement is, therefore, William’s personal data.

3.8 With that caveat, the Information Commissioner has long advised in the UK that there are many ways in which information can relate to an individual, and that a broad approach should be adopted10. Her current guidance can be seen as grouping the likely factors into three categories: the content of the information; the purpose of the processing; or, whether there is likely to be an impact on the individual. The factors underlying these groupings are as follows. Information is likely to relate to an individual if it:

is obviously about them;

is linked to them;

is being processed to inform or influence actions or decisions affecting them;

is of biographical significance about them;

focuses or concentrates on that individual; or

has the potential to have an impact on that individual.

Six ways of ‘relating to’ an individual

1. Beryl’s medical record is ‘obviously about’ her.

2. Fred is in a post for which the salary band is £20–£25,000 pa. When the salary information is ‘linked’ to his post, it relates to him.

3. Gina has made a complaint, which has been investigated and will be considered at a meeting this afternoon. As well as her original complaint, the papers which will be used at the meeting to ‘inform or influence’ the decision relate to her.

4. Indira works in Human Resources. The record of her attendance at the meeting in example (3) above is ‘biographical’ about her (in a minor, but sufficient, way), since it records what she was doing at that time.

5. The record that the Human Resources department attended 72 meetings last year about complaints (such as the one in example (3)) is not Indira’s personal data, even though she was one of the HR staff whose attendances contributed to the total, because it does not ‘focus’ on her. In contrast, the record at (4) focusses on her attendance specifically.

6. A record of the fuel consumption of two identical delivery vans, which were recently purchased by Getit There Deliveries Ltd, shows that Stan used more fuel for the equivalent distance than Frieda. As a result, the manager asks Stan to drive more carefully; and indicates that he will be watching the fuel costs of his van to ensure that they are not excessive. The record of the fuel consumption has had an ‘impact’ on Stan (influencing him to drive more carefully), and that information relates to him.

3.9 As these examples show, information can often ‘relate to’ an identifiable individual, and thus become personal data about that person, where there is a dynamic relationship between a set of circumstances and the individual, which the information describes; or, because of the effect on that person, described in the information.

‘Special category’ (formerly ‘sensitive’) personal data

3.10 The DPA 1998 contained a category of what in the UK were called ‘sensitive’ personal data which required to be given additional protection. The term now adopted in the UK, ‘special categories’ of personal data, was in the 1995 Directive11. It reappears in Article 9.1 of the GDPR, with some changes of scope, and has been adopted with minor variations in the UK legislation12.

3.11 ‘Special category’ personal data are either:

data revealing:

racial or ethnic origin;

political opinions;

religious or philosophical beliefs; or

trade union membership;

or data of the following types:

genetic data;

biometric data for the purpose of uniquely identifying a person;

data concerning health;

data concerning a living individual’s sex life or sexual orientation13.

3.12 The terms ‘genetic’ and ‘biometric’ data have been added to the category, as compared with the previous list of ‘sensitive data’14. Personal data consisting of information as to the commission or alleged commission by a person of an offence, or as to any proceedings for an offence, or their outcome (‘disposal’) or any resulting sentence, have been omitted from the definition of special category data and now fall under the Law Enforcement directive (see Chapter 17 below).

3.13 The starting point for the processing of special category data is that it is formally prohibited; although a significant number of exemptions then permit processing where the circumstances apply that are described in the exemption. It is, therefore, vital to be clear as to the basis on which such data are being processed. The UK legislation adds to the list of exemptions in the GDPR (as permitted by the Regulation) in DPA 2018, s 10 and Sch 1, Pts 1–215. The grounds or lawful bases of processing in the UK are set out at Chapter 5 below.

Processing

3.14 ‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means. This can include: collecting, recording, organising, structuring, storing, adapting or altering data. It also encompasses the retrieval, consultation, use, disclosure, alignment (ie with other data); or, combination, restriction, erasure or destruction of the data. Disclosure includes transmitting or disseminating the data, or otherwise making the data available16. Within these categories, the breadth of activities which count as the ‘processing’ of data has not changed with the introduction of the GDPR/DPA 2018. In effect, as the ICO has said previously, any activity relating to personal data is ‘processing’ (including merely holding the information).

3.15 Apart from the layout, the definition of ‘processing’ in the DPA 2018 differs from that in the ‘pre-Brexit’ GDPR only in omitting the words ‘whether or not by automated means’; which has no practical effect on the meaning. The scope (‘pre-Brexit’) of the UK definition covers17:

processing covered by the GDPR;

processing added to the UK regime as the ‘applied GDPR’18;

processing for law enforcement purposes by crime-fighting agencies (under Part 3 of the Act)19;

processing for security or intelligence purposes (under Part 4 of the Act).

Post-Brexit, the GDPR and ‘applied GDPR’ are merged. In legislative terms, Article 2 of the ‘UK GDPR’ (which defines its material scope) is amended to include processing outside the scope of EU law before exit day, or processing on activities under the common foreign and security policy (so that they are effectively moved from the DPA 2018, s 21, to the GDPR, Article 2; as are the exclusions of personal or household processing, and processing for the law enforcement (Part 3) or intelligence services purposes (Part 4)). Article 2 is also redrafted to apply to ‘automated or structured processing’, which is defined as processing wholly or partly by automated means, or processing by other means which forms part of a filing system, or is intended to do so (Article 2(5)).

Controllers and processors

3.16 A ‘controller’ (formerly called a ‘data controller’ in the UK) means the natural or legal person, public authority, agency or other body who or which, alone or jointly with others, determines the ‘purposes’ and the ‘means’ of the processing20. The controller is the legal person who determines why the data are being processed, and how they are to be processed. If a person working with personal data has discretion to decide how, or why, the data are processed, they should be regarded as a controller. There may be more than one controller for a given piece of information (eg if two or more controllers hold the data jointly; or, if the data have been ‘shared’ between them – see Chapter 10 on ‘Data Sharing’).

3.17 The definition is varied in the UK in the following respects in relation to general data processing:

(a) Where the processing is under the GDPR, and takes place only for purposes required by an enactment, and by means required in the enactment, the controller is the legal person on whom or which the obligation falls to carry out the processing21. See example (a) below;

(b) Each government department is treated as a separate controller from any other government department;

(c) The controllers of the Royal Household, the Duchy of Lancaster (a part of the government), and the Duchy of Cornwall (held by the Prince of Wales) are specified officials22;

(d) Government departments, or the office holders in (c) above (as distinct from individual employees), are immune from prosecution from certain (although not the main) data protection offences under the GDPR and DPA 201823; and

(e) The controllers in respect of the House of Commons and House of Lords are specified officials, with certain exemptions from prosecution similar to those above24.

Example (a): statutory controller:

Lisa runs an MOT testing centre in Glasgow. She is required by statutory regulations for [an imaginary] new-style MOT to record the name and address of the vehicle owner when she tests their car; and to enter those details electronically onto the MOT certificate. The regulations lay down how the names and addresses are to be recorded. Although Lisa has no discretion over how she records the personal data, she is treated as a controller for that purpose, because she has the statutory responsibility to carry out the processing.

3.18 The obligations of controllers and processors differ. Establishing whether an organisation is a controller or a processor is often fundamental to understanding the relationships, and respective obligations, between one organisation and another. In relation to a given piece of information, a legal person can be a controller for one type of processing of the data, and a processor for another type of processing of the same data. For example, if Controller A contributes information to a ‘data sharing’ arrangement with Controllers B–D, but also carries out some routine processing operations on some of the shared data on behalf of its partners – such as keeping the information up to date, or inputting new data – it will be a controller in relation to the operation as a whole; but a processor for these latter activities. In such a case, it will be necessary to identify in the sharing arrangement which role applies to which operation, in order to determine who is responsible for carrying it out; and which organisation bears what level of accountability if there is a data breach.

3.19 A ‘processor’ (formerly called a ‘data processor’ in the UK) is a living individual or legal person, public authority, agency, or other body who or which ‘processes’ personal data on behalf of the controller. If, for example, an organisation contracts out the paying of its salaries, or the disposal of its confidential waste (including personal data), the legal persons providing those services will be processors. Other examples may include information technology (‘IT’) service providers, or ‘Cloud’ service providers. Processors have acquired new responsibilities under the GDPR which mean that they have to take on a greater role alongside controllers (eg to assist in the event of a data breach). The fundamental distinction between the two remains, however, that the controller may exercise some discretion or judgement over how they undertake a piece of processing; whereas a processor is obliged to carry out an operation determined by the controller.

New obligations on processors, and contracting between controllers and processors

3.20 Under the DPA 1998, it was the responsibility of the data controller to specify (by contract or agreement) what the data processor had to do in relation to security25. In addition, under that Act, the data controller bore the whole responsibility for any breach of the Act’s requirements. The position under the GDPR is more balanced as to responsibilities. The need for a detailed contract or agreement remains; and is extended beyond security with a specific series of requirements as to its components. The DPA 2018 does not alter these requirements under the GDPR.

3.21 Under Articles 28–30 of the GDPR, controllers are obliged to use only processors who (or which) provide sufficient guarantees as to how they will: implement the GDPR’s requirements in relation to their processing for the controller; and, ensure the protection of the data subject’s rights (Article 28(1)). The guarantees should cover the expert knowledge, reliability and resources necessary to implement the required technical and organisational measures, including for security (see Recital 81)26.

3.22 A contract (or other legal agreement) has to be made that is binding on the processor, in relation to the controller, and which sets out:

the subject-matter and duration of the processing;

its nature and purpose;

the type of the personal data to be processed;

the categories of data subjects which will be involved; and

the obligations and rights of the controller (Article 28(3)).

3.23 When drawing this up, the parties should take into account the specific tasks and responsibilities of the processor, the type of processing to be carried out, and the risks involved to the rights and freedoms of the data subject. In other words, the contract or agreement should be specific and detailed, and an organisation should be able to show how it has taken these elements into account.

3.24 It follows that a key responsibility of staff handling (or advising on) data processing matters for a controller is to ensure that the controller identifies and keeps abreast of its processing operations; and that it has in place effective contracts, or other enforceable agreements, covering all such arrangements. Similarly, a key responsibility of a processor (or those advising a processor) is to ensure that it is in a position to understand, and to meet, these contractual or other legal obligations placed on it.

Contracts/agreements

3.25 Under the terms of the contract/agreement, a processor is not to engage another processor without the prior written authorisation of the controller. This can be given generally, or reserved for agreement in each specific case. If there is a general authorisation, the controller is to be informed of any additions or replacements, and to have an opportunity to object (Article 28(2)). The second processor is to acquire the same obligations, by contract or other legally enforceable agreement, as applied to the first processor; and the first processor is to remain responsible to the controller for performing any obligations which the second processor fails to perform (Article 28(4)). The contract or agreement has to commit the processor to observing these conditions (Article 28(3)(d)).

3.26 The contract/agreement is to stipulate the following27:

(i) that the processor will process the personal data only on ‘documented instructions’ from the controller (including with regard to any transfers of personal data to a third country or to an international organisation28), unless the activity by the processor is one required by EU member state law (or, post-Brexit, by domestic law). In the latter case, the processor is to inform the controller before undertaking the processing, unless prevented by law from doing so on ‘important grounds of public interest’. In other words, other than exceptionally, the controller must have given the processor detailed written instructions as to the processing before it can be carried out; including as to any transfers to other jurisdictions (which includes servers located, for example, in the USA);

(ii) that the processor will ensure that those authorised to do the processing have committed themselves to confidentiality, or are under a statutory obligation of confidentiality. The processor thus takes on responsibility for vetting their staff, and for obliging them to give personal undertakings that they will handle the personal data to be processed for the controller confidentially. This would not apply if those staff were already subject to such an obligation under statute;

(iii) that the processor will take all measures required of them under the security requirements of the GDPR29. In practice, however, the Article leaves the controller and processor to negotiate what level of security is appropriate, and who is to meet which requirement. The controller needs always to have in mind, however, that it has the responsibility for securing sufficient guarantees from the processor (Article 28(1)); and for agreeing appropriate terms with the processor as to the latter’s responsibilities (Article 28(3));

(iv) that the processor will take appropriate technical and organisational measures, so far as possible, to fulfil the controller’s obligations to respond to the rights of data subjects as laid down in Articles 12–23 of the Regulation (eg the rights of access, and to rectification, erasure, or the restriction of processing). The processor’s obligation is limited, however, by the caveat that it should take into account the ‘nature of the processing’. This appears likely to mean that it is restricted by the scope and type of the information being processed for the controller; so that the processor would not be obliged to exceed boundaries related to them in rendering assistance to the controller with individual rights. This seems to leave much scope for disagreement. Controllers would be well-advised to negotiate these terms closely;

(v) that the processor will assist the controller with the appropriate security measures; with the notification of data breaches to the ICO and to individuals (where required under Articles 33–34); and, with the controller’s obligations in relation to data protection impact assessments (in Articles 34–36). Again, these requirements on the processor are limited by taking into account the ‘nature of the processing’, and also ‘the information available to the processor’ – see the comment above;

(vi) that after the end of the processing service, the processor will delete or return all personal data to the controller (at the choice of the controller); and will delete existing copies, unless required by EU or member state law to store the personal data; and

(vii) that the processor will make available to the controller all information to demonstrate their compliance with the obligations in Article 28. The processor is also to allow audits and inspections by the controller, or another person ‘mandated’ by the controller; and to contribute to them.

3.27 As an alternative to creating an individual contract, there is also an option to base the contract or agreement referred to above wholly or partly on standard clauses produced by the EU Commission, or by the ICO after Brexit; including where these form part of a certificate granted to the controller or processor30.

3.28 Processors become liable to financial penalties under the GDPR31. If a processor infringes the GDPR by ‘determining the purposes and means of processing’, it will be considered to be a controller in respect of that processing (Article 28(10)). This would, however, not affect its status for the purposes of any liability it may have, in its capacity as a processor.

3.29 Processors have similar recording obligations to those of controllers32. They are to maintain a record of all categories of their processing activities, containing the names and contact details of the controller, any other processors, the categories of processing, any transfers of personal data to a third country outside the EU and, where possible, a general description of their security measures. Post-Brexit, processors are obliged to implement security measures appropriate to the risks, in cases where Article 32 of the UK GDPR does not apply33.

Restriction of processing

3.30 The restriction of processing means that personal data are required to be marked and stored, and may otherwise only be processed:

with the consent of the data subject;

for the establishment, exercise or defence of legal claims, or for the protection of the rights of another individual or legal person; or

for reasons of ‘important public interest’ (defined pre-Brexit, in relation to the EU or a member state)34.

3.31 Restriction arises at the instance of the data subject in certain circumstances; such as, for a temporary period, if he or she contests the accuracy of the data (see paras 8.26–8.33).

Profiling

3.32 ‘Profiling’ means any form of automated processing of personal data which consists of using the data to evaluate aspects of that person’s activities or preferences; ie the tracking of individuals’ personal data, usually of their online activities, to build up a picture of their preferences or characteristics. It may be used, for example, to analyse or predict a person’s performance at work, economic situation, health, personal preferences (eg as to products), interests, reliability, behaviour, location or movements35.

3.33 Profiling is likely to include activities such as:

the use of ‘cookies’ to track customers’ or users’ preferences, analysed through their browsing of an organisation’s website;

the electronic tracking of individuals’ location or movements through their mobile telephone;

the collection of financial information about individuals in order to assess their credit-worthiness;

the measuring of information about the work performance of members of an organisation’s staff by its Human Resources department.

Pseudonymisation

3.34 ‘Pseudonymisation’ (a new term in the GDPR) means ascribing an identity to an individual (such as a customer or reference number), and keeping the ‘key’ to the new identity separate and in a safe location; so that only the creator of the identifier has access to it. As a result, processing of the individual’s personal data takes place in a way that the data can no longer be attributed to the specific data subject without the use of the key. Pseudonymising data is seen as a way of encouraging the wider use and sharing of personal data, while increasing its security. Unlike anonymised information, where no individual is identifiable, the data subject remains identifiable to the holder of the key. As a result, the information concerned remains the personal data of the individual36.
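The following is an added worked example, not text or code from this chapter or from any regulator, showing what the definition above looks like in practice: direct identifiers are replaced by a keyed reference number, the secret key and the lookup table are held apart from the working data set (here assumed to live in a separate key store; in a real system that would be a key vault or a separate controller), and only the key holder can attribute a record back to a person. The customer records, the choice of HMAC-SHA256 as the pseudonym function, and the use of the e-mail address as the linking identifier are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical people; not real data).
CUSTOMER_RECORDS = [
    {"name": "Kieran Smith", "email": "kieran@example.invalid", "purchase": 42.50},
    {"name": "Beryl Jones", "email": "beryl@example.invalid", "purchase": 19.99},
    {"name": "Kieran Smith", "email": "kieran@example.invalid", "purchase": 7.25},
]

# Fields that directly identify the person and must not appear in the shared set.
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic, keyed pseudonym (HMAC-SHA256, hex, truncated to 16 chars).

    Without the key the pseudonym can be neither reversed nor recomputed from a
    guessed e-mail address, which is why a plain (unkeyed) hash would not do.
    """
    mac = hmac.new(key, identifier.strip().lower().encode("utf-8"), hashlib.sha256)
    return "P-" + mac.hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split the data into (working set, key-holder lookup table).

    The lookup table plays the role of the 'key' in the GDPR sense: it is the
    only thing that links a pseudonym back to a named person and is to be stored
    separately from the working set (assumed here to be a separate key store).
    """
    lookup = {}
    working_set = []
    for rec in records:
        pid = make_pseudonym(key, rec["email"])  # e-mail chosen as the linking identifier
        lookup[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        attributes = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working_set.append({"subject": pid, **attributes})
    return working_set, lookup


def spend_per_subject(working_set):
    """Analysis that a recipient can run on the working set alone.

    The pseudonym still links records of the same person, so the recipient
    learns per-person totals without learning who the person is; the data
    remain personal data precisely because that link survives.
    """
    totals = {}
    for rec in working_set:
        totals[rec["subject"]] = totals.get(rec["subject"], 0.0) + rec["purchase"]
    return totals


def reidentify(working_set, lookup):
    """What only the holder of the lookup table can do: restore the identifiers."""
    restored = []
    for rec in working_set:
        attributes = {k: v for k, v in rec.items() if k != "subject"}
        restored.append({**lookup[rec["subject"]], **attributes})
    return restored


if __name__ == "__main__":
    # The secret key is generated once and kept with the lookup table, apart from the data.
    key = secrets.token_bytes(32)
    shared, key_holder_table = pseudonymise(CUSTOMER_RECORDS, key)
    print("Working set released to the analyst:", shared)
    print("Per-subject spend (no names needed):", spend_per_subject(shared))
    print("Key holder re-identifying:", reidentify(shared, key_holder_table))
```

The two halves must be kept apart in practice: if the lookup table (or the key, from which pseudonyms can be recomputed for any known e-mail address) sits next to the working set, the exercise offers no protection at all. Note also that pseudonymisation does not shrink the working set's attribute columns; if those attributes are themselves rare enough to single someone out (the earlier examples in this chapter), the recipient may still be able to identify the person indirectly.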

Filing system

3.35 Recital 15 explains that, in order to avoid the protection of the GDPR being circumvented, it should be ‘technologically neutral’, and should apply to both processing by automated means, and to manual processing where the data are contained (or intended to be) in a filing system. The pre-Brexit GDPR has thus applied to processing of personal data wholly or partly by automated means, and to processing other than by automated means of personal data which form part of a ‘filing system’, or are intended to form part of a filing system37. Post-Brexit, the definition in the UK of ‘automated or structured processing’ is worded slightly differently, as described at para 3.15 above.

3.36The DPA 2018 slightly alters the wording. A ‘filing system’ is any ‘structured set of personal data’ which are ‘accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis’38. Under the DPA 1998, there was much debate about the extent of what the Act defined in the UK as a (paper-based) ‘relevant filing system’, or as to the degree to which such a system had to be organised in order for its contents to count as ‘data’ (and therefore potentially to be personal data). In the private sector, paper records were covered by the 1998 Act only if they fell within such a filing system; were destined to be input into an electronic system; or, exceptionally, if they formed part of certain types of paper files such as health records. In the public sector, the position was more complex because ‘unstructured manual data’ (essentially loose or unfiled papers, which fell outside these categories) were also covered by the 1998 Act; although only limited individual rights applied to them. The 2018 Act effectively maintains these distinctions39. It arguably extends the scope of filing systems, thereby expanding the range of paper records covered by them. The definition makes clear that it treats systems which have the same function, but which are sited within different parts of an organisation, or dispersed geographically within it, as a single filing system.

3.37There appears still to be some doubt, however, over the precise extent of a ‘structured set of personal data’ in relation to information held on paper. The reference to personal data that are ‘accessible according to specific criteria’40 must certainly, as before, include files that are organised by name and then by subject matter (eg an HR file for ‘Kieran Smith’, sub-divided by subjects such as leave records); or, files that are organised by subject matter (eg ‘Leave Records’, or ‘Pay statements’), with a sub-divider or a separate file for a name (‘K. Smith’) under each category. In the Commissioner’s initial overview guidance on the GDPR, the new definition was considered, at that time, to be broad enough to include ‘chronologically ordered sets of manual records containing personal data’ (eg all the paper correspondence and documents relating to ‘Kieran Smith’ in one file, provided they were kept in date order). This advice no longer appears on the ICO’s website, however, as at the date of writing. According to Recital 15, moreover, files or sets of files which ‘are not structured according to specific criteria’ fall outside the GDPR; including any cover pages in such papers. (Example: on this basis, a loose box or bundle of papers, provided that they were not intended to be organised into a filing system, would still be excluded).

Greater clarity would be helpful in guidance, therefore, in order to delineate any extent to which the GDPR/Act do now apply to a greater proportion of paper records than previously. The basic position remains, however, that paper in a filing system is potentially part of personal data in both the public and private sectors, by virtue of the GDPR; while loose papers are brought under the regime for the public sector only (and with only limited individual rights attaching to them) by the DPA 2018 (and, post-Brexit, by Article 2(1A) of the UK GDPR). The manual unstructured processing of personal data is brought within the scope of the UK regime before Brexit by DPA 2018, s 21(2). That provision is repealed after Brexit by the DPPEC Regulations, but the Regulations transfer the inclusion of manual unstructured processing from the Act to the UK GDPR, under Articles 2(1A) and 2(5)(b). The obligations on public authority controllers are, however, quite limited. Provisions listed in DPA 2018, s 24(2), do not apply to such data. As a result, only one of the data protection principles (principle (d), on accuracy) applies to manual data. Requirements such as those concerning: lawful bases (Articles 6 and 9); Privacy Notices (Articles 13 and 14); data portability (Article 20); the right to object (Article 21); or, international transfers (Articles 44–49; including, after Brexit, those based on adequacy regulations or standard clauses), do not apply to manual data. There is also only a limited right of access (see paras 7.46–7.49). The DPPEC Regulations do not alter this position in substance after Brexit.

Recipient

3.38‘Recipients’ have to be declared in a number of circumstances; eg in access requests, or privacy notices41. A ‘recipient’ is simply a natural or legal person, including a public authority, agency or other body, to whom or which personal data are disclosed, whether or not they are also a ‘third party’. A ‘third party’ is a natural or legal person who is not the controller, processor, data subject, or another person who is authorised to process the data under the direct authority of the controller or processor. There is a distinction, however, in that public authorities which receive personal data ‘in the framework of a particular inquiry’, and in accordance with EU or member state law (or post-Brexit, in accordance with domestic law), are not classed as recipients. In a case of that kind, their processing of the information has only to comply with the relevant data protection rules for that type of processing42.

Example: inquiries

If a public authority is obliged to examine a health and safety issue, and gathers evidence for its inquiry, it will not be a ‘recipient’ in that context. It would not, therefore, be necessary for another controller, which disclosed evidence to them for the purposes of that inquiry, to declare them to be a ‘recipient’ – eg in the context of an access request by a data subject whose personal data had been disclosed.

Consent

3.39‘Consent’ is given specific features under the GDPR, and is significantly upgraded in relation to what needs to be demonstrated. It was an uncertain basis for processing an individual’s personal data under the DPA 1998, which did not define it. Article 4(11) of the GDPR supplies a robust definition of the consent of the data subject, as: any ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’43 The consent needs, therefore, to be a statement or other clear type of action, showing agreement to the specific processing concerned. It also needs to be informed (ie the data subject should be aware at least of the identity of the controller, and the intended purposes of the processing; but see also para 3.47).

3.40Recital 32 clarifies that consent can still be given orally, as well as in written form. It may include ‘ticking a box’ on a website, or another statement which clearly indicates the ‘data subject’s acceptance of the proposed processing of his or her personal data’, as constituting consent. Silence, pre-ticked boxes or mere inactivity by the data subject, on the other hand, do not constitute consent.

3.41A consent should cover all the types of processing carried out for the same purpose or purposes; requiring the controller to make the extent of processing for a particular purpose clear to the data subject in advance. Where there are a number of purposes, the consent should cover them all. If consent is sought by electronic means, the request should be ‘clear, concise and not unnecessarily disruptive to the use of the service for which it is provided’44.

3.42Article 7 adds further conditions before consent can be used as a lawful basis on which to process an individual’s personal data. [Emphases have been added]:

the controller has to be able to demonstrate that the data subject has consented45. So the controller needs to have a record of the consent (or possibly some means by which to oblige the data subject to confirm it). For this reason, for an oral consent, a record should be made by the controller;

if the consent was given in writing, and the declaration in which it appeared also concerned other matters, the request for the consent should be presented in a manner ‘clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’46. It should also not contain unfair terms47. So, if the consent was sought and recorded on a pre-prepared form (whether on paper or online), the section, box or other area containing the request, and the place for the data subject’s agreement, need to have been separate from any other part of the agreement. The text of the consent needs to be set out clearly and in straightforward language;

the individual must have the right to withdraw his or her consent at any time (and to be informed of this right before giving consent). The withdrawal is to be as easy as the giving of the consent (emphasising its weakness as a basis for processing, from the controller’s point of view). Recital 42 states that consent is not freely given if the data subject has ‘no genuine or free choice’; or if they are unable to refuse, or later to withdraw, their consent ‘without detriment’. If consent is withdrawn, however, this does not affect the lawfulness of the processing prior to the withdrawal48;

when assessing whether consent has been freely given, the ‘utmost account’ is to be taken of whether (amongst other factors) the performance of a contract, including the provision of a service, has been made conditional on the giving of consent to processing of personal data that is not necessary to the performance of that contract49. So the consent needs to be closely focussed on what is integral to the contract’s purpose; and may not be valid to the extent that it exceeds those boundaries. The Commissioner, in her detailed guidance on consent, refers to ‘avoiding making consent a condition of a contract’. Guidelines from the Article 29/EDPB Working Party referred to the need for ‘special caution’ on this point. In general terms, any element of inappropriate pressure on the data subject would render consent invalid. While it will almost always be better to use the contractual lawful basis, rather than consent, in cases involving contractual transactions (see para 5.9 below), the language of the Article does not go this far; the issue in Article 7(4) being whether the terms for which consent is sought are necessary to the contract.

Example: performance of contract made conditional on unnecessary consent

An internet service provider makes the provision of its services conditional on acceptance of terms that allow it to make various uses of the personal data collected which are not necessary to the operation of the contract. These include passing the individual’s data to certain of the advertisers using its site. These wider uses will benefit the provider financially, and probably form part of its planned revenue stream from the contract. They are not, however, necessary to whether the internet service can be provided to the individual. They should form one or more options to which the individual can opt in if they choose. The consent to the wider terms will not be a lawful basis of the processing. The provision of the service itself should be made on the lawful basis that it is necessary to the provision of the contract; not on the basis of consent.

3.43Recital 43 expands the latter theme. Consent will not form a lawful basis for processing where there is a ‘clear imbalance’ between the controller and data subject. An example is given of a controller which is a public authority: the Recital says that it will be ‘unlikely’ that the consent was freely given in all the circumstances. At face value, however, this is too broad. It should, it is suggested, be taken to refer to instances: where a public authority has a right to require information from a data subject; where it has an obligation to provide a service, or to enforce a rule, in relation to that individual; or, where it is exercising authority over the individual or placing a requirement on him or her. It should not be understood, it is suggested, that public authorities are intrinsically unable to rely on consent where they are providing a product or service on a discretionary, rather than an obligatory, basis in relation to a particular individual (ie where there is no imbalance; or where any imbalance is not relevant to the case).

3.44The Recital states also that consent is to be presumed not to be freely given, even where it is appropriate in an individual case, if it does not allow separate consent to be given to different processing operations (ie if the processing in issue cannot be separated from other proposed processing, so that each type of processing can be made subject to a separate consent).

3.45The ICO makes clear in her detailed guidance that consent remains most likely to be the appropriate lawful basis only where no other such basis applies. In other words, it should be seen as a last resort.

3.46The ICO has advised that consents reached under the DPA 1998 need not be reviewed if they conform to the higher threshold required by the GDPR; but should be reviewed if they do not do so. Otherwise, an alternative lawful basis should be sought.

3.47The former Article 29 Working Party (now the European Data Protection Board or EDPB) produced guidelines on consent, updated in April 201850. For consent to be informed, the purpose, type of data, existence of the right to withdraw, information about any use of the data for decisions based on solely automated processing, or possible risks from any transfers to third countries without an adequacy decision (and appropriate safeguards), should be added to the points referred to in para 3.39. The guidance also stresses the importance of clear language when seeking consent.

3.48See also Chapter 5, at paras 5.4–5.8 on consent.

Consent – the health service

3.49The National Health Service has developed its own language and scheme for the management of health care data about individuals in data protection terms; known as the ‘Caldicott principles’. This system gives significant prominence to the concept of ‘consent’; although this has a range of meanings in healthcare, in terms of such processing, which go beyond the scope of this book. It should be understood that the GDPR and the DPA 2018 apply to processing in the healthcare sector as much as any other area. In the author’s view, the systems adopted by the NHS dovetail the data protection principles with the general reliance in the provision of healthcare on the patient’s ‘consent’ in a wider sense, including as to treatment, and this may be confusing in some cases.

Child’s consent

3.50Article 8 concerns the age at which children may give their consent (independently of their parents) to the provision to them of ‘information society services’51. Article 8 sets the (pre-Brexit) default age at 16 years; but allows member states to set lower age limits in each country, where they are based on consent, down to a minimum of 13 years.

3.51The UK has chosen 13 years as the minimum age52. Services offered to children below that age must (if consent is the lawful basis) receive the consent of the holder of parental responsibility: otherwise, the processing of the personal data of a child below that age (and thus the provision to them of the service) will only be lawful in data protection terms if another lawful basis applies. The controller is to make reasonable efforts to verify a parental consent, ‘taking into consideration available technology’ (Article 8(2)).

3.52Pre-Brexit, section 9(b) of the DPA 2018 excludes preventive or counselling services offered online from the definition; the effect being to exempt them altogether from the requirement for parental consent where such services are offered online. Post-Brexit, this provision is moved to Article 8(4) of the UK GDPR.

Personal data breach

3.53A ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data which are being transmitted, stored, or otherwise processed (see GDPR, Article 4(12)). The breach can be accidental or ‘unlawful’ (in effect, deliberate or negligent). The limitation of the term to a security breach should be noted. This contrasts with wider risks to (for example) the ‘rights and freedoms of natural persons’, with which Data Protection Impact Assessments are also concerned (GDPR, Article 35(1)). The controller will often have to notify a data breach to the ICO (see GDPR, Article 33 and Chapter 15).

Biometric data

3.54‘Biometric data’ means personal data resulting from ‘specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person’ which allow or confirm that person’s unique identification, such as facial images or ‘dactyloscopic data’53. The former include, in the current level of technology, iris recognition data. The latter refer to fingerprints. The key characteristic, of current and future technologies, is that the processing allows the person to be identified uniquely; which can be demonstrated on a scientific basis.

Data concerning health

3.55This means personal data concerning a person’s physical or mental health; but also information about the provision of health care services which reveals information about that individual’s health status54. The course of care of a living individual will thus fall within information concerning his or her health. As under the DPA 1998, data about the health of a deceased person prior to their death, or about the course of their care, are no longer their personal data55. Such information is often treated, however, as forming the personal data also of surviving close relatives.

Main establishment and representatives

3.56Pre-Brexit, the GDPR introduced the concept of a ‘main establishment’ in the EU, for organisations which have more than one establishment56 within the Union’s area. Pre-Brexit, or within the EU as a whole, the location of the main establishment will determine with which national regulator (or ‘supervisory authority’) the controller may deal on behalf of the organisation as a whole. Where a controller has an ‘establishment’ in more than one EU member state, the place where it conducts its central administration will be its main establishment, unless decisions on the purposes and means of processing are taken in another establishment which has the power to have them implemented (in which case, the latter will be its main establishment). Where a processor has establishments in more than one EU member state, its place of central administration within the EU, or (if none) the establishment where its main processing activities take place (in the context of the activities of the establishment) will be its main establishment57. The definition of a ‘main establishment’ is removed from the UK GDPR, however, along with the concepts of ‘cross-border processing’ and a ‘lead supervisory authority’, after Brexit58. This change means the removal of UK organisations from participation in the ‘one-stop-shop’, whereby controllers or processors carrying out processing which affects individuals in more than one EU (or European Economic Area) state, or having an establishment in more than one such state, usually need deal only with one regulatory authority (eg over data breaches).

3.57Pre-Brexit, or within the remainder of the EU after Brexit, a controller or processor based outside the EU will have to appoint a ‘representative’ to act on its behalf, and to deal with the supervisory authorities in the member states in which individuals to whom it offers goods and services, or whose behaviour is monitored by them, are located. Post-Brexit, the same requirements apply to a controller outside the UK offering goods and services, or monitoring behaviour, within the UK, which must designate a representative in the UK under Article 27(1) of the UK GDPR (with limited exceptions for processing under the former ‘applied GDPR’ – see UK GDPR, Articles 3(2) and 3(2A)). This requirement does not apply to public authorities; nor to controllers or processors where the processing is only occasional, does not involve processing of special category data (or criminal convictions and offences data under Article 1059) on a large scale, and is unlikely to result in a risk to the rights and freedoms (such as the privacy) of individuals (taking into account factors such as the nature and purposes of the processing)60.

Data Protection by Design, and Data Protection by Default

3.58Controllers are required under the GDPR, both when deciding on a means of processing and when carrying it out, to ‘design in’ data protection considerations; both from the outset, and when the processing is carried out. (The DPA 2018 does not amend these Articles of the GDPR). The controller is expected to adopt internal policies, and to implement measures, to do this. Relevant measures include:

‘pseudonymisation’ of data in order to increase its security;

adoption of ‘data minimisation’ principles in order to reduce the amount of data processed to only that necessary for the purpose;

‘transparency’ with regard to why and how they process data;

enabling the individual to monitor how his or her data are being processed (eg through a secure website portal);

creating and improving security features61.

3.59This is not an absolute standard. Much of it overlaps with other data processing requirements, enabling them to be seen as elements of an overall objective. Controllers are expected to take into account the ‘state of the art’ at the time of their consideration of what data protection by design requires of them. They may also take into account the cost of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of any risks to the privacy of individuals. The controller needs, therefore, to decide in advance what the standard of pseudonymisation, and the other factors, require of it; to implement that decision (recording that it has done so); and to review its decisions from time to time.

3.60Linked to this, and overlapping both with it and with other individual requirements, is the requirement for data protection ‘by default’; effectively, that the use of individuals’ personal data is to be minimised as a default position62. The provision obliges controllers, again by appropriate technical and organisational measures, to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This principle applies to the amount collected, the extent of processing, the period of storage, and the data’s accessibility during that period. The measures taken are to ensure that, by default, personal data are not made accessible without the ‘individual’s intervention’ (eg their agreement) to an ‘indefinite number of natural persons’. Thus, other than exceptionally where the individual wishes it, general unrestricted access to the personal data of an individual is not to be permitted.
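The ‘by default’ requirement in para 3.60, and the data minimisation measure listed in para 3.58, translate into a simple engineering pattern: a record is never handed out whole, a caller must name a registered purpose, each purpose allows only the fields necessary for it and carries a storage period, and an unstated or unknown purpose yields nothing. The Python below is an added illustration, not the book’s or any regulator’s own; the purpose register, field names, retention periods and sample record are all constructed for the example.

```python
"""Data protection by default as a purpose-based allow-list (illustrative example).

Default position: deny. A field is exposed only if a registered purpose needs
it and the purpose's storage period has not run out.
"""
from datetime import date, timedelta

# Constructed purpose register. Which fields each purpose needs, and for how
# long the data may be kept for it, are assumptions made for this example.
PURPOSES = {
    "payroll": {"fields": {"staff_id", "bank_account", "salary"}, "retain_days": 6 * 365},
    "directory": {"fields": {"name", "work_email"}, "retain_days": 30},
}

# Constructed sample record (an HR record for a fictional employee).
RECORD = {
    "staff_id": "E-1001",
    "name": "Kieran Smith",
    "work_email": "k.smith@example.invalid",
    "home_address": "1 Sample Street",
    "bank_account": "00-00-00 12345678",
    "salary": 30000,
    "collected_on": "2024-01-15",  # ISO date the data were obtained
}


class PurposeError(ValueError):
    """Raised when access is refused: no valid purpose, or retention expired."""


def _as_date(value) -> date:
    """Accept a date or an ISO-8601 string; default to today when None."""
    if value is None:
        return date.today()
    return date.fromisoformat(value) if isinstance(value, str) else value


def minimised_view(record: dict, purpose: str = None, today=None) -> dict:
    """Return only the fields the named purpose needs, or refuse.

    Calling with no purpose is the 'default' case and is refused: nothing is
    accessible unless a specific, registered purpose is stated.
    """
    if purpose not in PURPOSES:
        raise PurposeError(f"no registered purpose: {purpose!r}")
    policy = PURPOSES[purpose]
    expiry = _as_date(record["collected_on"]) + timedelta(days=policy["retain_days"])
    if _as_date(today) > expiry:
        raise PurposeError(f"storage period for {purpose!r} expired on {expiry}")
    return {k: v for k, v in record.items() if k in policy["fields"]}


def access_denied(record: dict, purpose: str = None, today=None) -> bool:
    """True if minimised_view would refuse; convenient for checks and tests."""
    try:
        minimised_view(record, purpose, today)
    except PurposeError:
        return True
    return False


def fields_never_needed(record: dict) -> list:
    """Fields held in the record that no registered purpose requires: candidates
    for not collecting at all under the data minimisation principle."""
    needed = set().union(*(p["fields"] for p in PURPOSES.values()))
    return sorted(k for k in record if k not in needed and k != "collected_on")


if __name__ == "__main__":
    print("directory view:", minimised_view(RECORD, "directory", today="2024-02-01"))
    print("held but never needed:", fields_never_needed(RECORD))
    print("no purpose stated -> denied:", access_denied(RECORD))
```

The `fields_never_needed` check is the minimisation half of the pattern: a field that no purpose can ever expose is one the controller has no reason to collect. The retention check is what keeps ‘the period of storage’ inside the default as well.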

3.61Certification can be used as a partial means of showing compliance with either concept, where a mechanism has been approved under powers in Article 42. In practice, this will apply in the future when such certification mechanisms (eg by industry bodies) are available to show good practice, and where national approval mechanisms have been devised and set up. These will involve the United Kingdom Accreditation Service (‘UKAS’), as well as the ICO63.

Territorial scope of the GDPR

3.62The EU-wide GDPR claims extensive territorial application. It specifies that it applies to processing of personal data ‘in the context of the activities of an establishment’ (see para 3.64) of a controller or processor in the Union, regardless of whether or not the processing takes place in the Union. It also applies to processing of the personal data of data subjects who are in the EU, by a controller or processor who is not established in the Union, where the processing activities are related to:

(a)the offering of goods and services to data subjects in the EU, (irrespective of whether a payment is required); or

(b)the monitoring of their behaviour so far as it takes place in the Union64.

Prior to Brexit, DPA 2018, s 207, repeats the pattern of scope of the GDPR, but related to the UK rather than the EU, and to data subjects in the UK.

3.63A controller or processor is ‘established’ in the European Union (or the UK) if there is an ‘effective and real exercise of activity through stable arrangements’ by it. The legal forms of those arrangements, such as whether the controller or processor has a branch, or a subsidiary which has separate legal personality, in that country do not determine whether or not that body is an establishment65.

3.64In Google Spain66, the original case on the ‘right to be forgotten’, the European Court gave a very broad interpretation to an ‘establishment’ under the Directive. The question was whether an establishment in Spain was processing personal data in the context of the activities of its parent company in the United States, when the processing concerned by the parent company was separate from the processing being undertaken by Google Spain. The Court said that the Directive did not require the processing to be carried out by the establishment in Spain, where it was carried out in the context of the activities of the establishment. The subsidiary in that case was intended to promote and sell advertising space offered by the search engine. Thus the activities of a parent company and its subsidiary will be linked if the purpose of the subsidiary is to make the parent company profitable.

3.65The Court confirmed this approach in Weltimmo67, where it said that the presence of only one representative in a country could, in certain circumstances, be enough to constitute a stable arrangement in that country; where he or she acted with a ‘sufficient degree of stability’ through using local equipment to provide the service. The concept of ‘establishment’ in the Directive included ‘any real and effective activity – even a minimal one – exercised through stable arrangements’.

3.66The EU-wide GDPR thus claims to apply to:

Organisations established in the EU which are processing personal data in the EU (eg a French clothing company, processing personal data in Poland because its processor is located there).

Organisations established in the EU which are processing data outside the EU (eg a French company processing personal data in Sierra Leone, because its processor is located there).

Organisations outside the EU, offering goods and services to individuals in the EU (eg a Chinese company, offering cars for sale in Europe; especially if they can be ordered in an EU language and paid for in an EU currency).

Organisations outside the EU which are monitoring the internet activity of individuals taking place within the EU (eg an American company which monitors the use of its social media services by individuals in Italy).

Territorial scope of the UK provisions after Brexit

3.67As indicated above (para 3.62), the pattern of the scope of the DPA 2018 before Brexit has mirrored the GDPR’s provision across Europe as a whole, in a UK context68. Thereafter the territorial application of the Act is governed by amendments to the DPA 2018, s 207, and to UK GDPR, Article 3, made by the DPPEC Regulations69. These are similarly modelled on the same pattern as in the GDPR, but adapted so that the Act and the UK GDPR apply in the following circumstances:

(a)To the processing of personal data in the context of the activities of an establishment of a controller or processor in the UK, whether or not the processing takes place in the UK;

(b)To the processing of the personal data of data subjects in the UK, which is carried out in the context of activities of a controller or processor not established in the UK where the processing activities are related to:

the offering of goods or services to data subjects in the UK, whether or not for payment; or

the monitoring of data subjects’ behaviour in the UK.

The latter category (b) applies, however, only to ‘relevant’ processing. This excludes processing which, before exit day: falls outside the scope of EU law; was in the course of an activity which, before exit day, was part of common foreign and security policy activities; or, was manual unstructured processing by an FOI public authority. In other words, if data in this category fall within the former ‘applied GDPR,’ those data are excluded from the territorial application of the UK regime to a controller or processor not established in the UK. Where the processing is of one of the types to which Part 2 of the Act does not apply (law enforcement processing under Part 3, or intelligence services processing under Part 4), the Act applies only to processing in the context of the activities of a controller or processor in the UK (irrespective of whether the processing takes place in the UK). As before, the UK GDPR also applies to the processing of personal data by a controller established in a place where UK domestic law applies by virtue of public international law (eg in a UK embassy)70.

3.68Although not an exclusive list, the following have an establishment in the UK (in relation to processing to which the GDPR applies):

An individual who is ordinarily resident in the UK;

A body incorporated under the law of the UK, or a part of the UK;

A partnership or other unincorporated association formed under the law of the UK or a part of the UK;

A person not falling under any of the above, who maintains, and carries on activities through, an office, branch, agency or other ‘stable arrangements’ in the UK71.

3.69The UK government, in guidance issued in December 2018 concerned with cross-border flows of data in the event of the UK leaving the EU without a withdrawal agreement, indicated that regulations under the EU (Withdrawal) Act 2018 were expected early in 2019, to maintain the extra-territorial scope of the UK data protection framework; and also to oblige non-UK controllers who are subject to that framework to appoint representatives in the UK, if they are processing UK personal data on a large scale72. These regulations were subsequently enacted as the DPPEC Regulations 2019.