A recent legal settlement against the Home Office has highlighted the importance of having a clear, defined purpose for processing data which is transparently communicated to data subjects.

The case

The case saw a complainant, who was a victim of county lines trafficking, share sensitive and confidential information with the Salvation Army for the purpose of receiving care services. Those services are provided by the Salvation Army to victims under a Victim Care Contract (VCC) with the Home Office. The complainant alleged that confidential information supplied to the Salvation Army solely for the purpose of receiving care services was unlawfully shared with the Home Office via a central database and contained legally privileged information relating to her separate legal claim against the Home Office.

Having reached a settlement, the Home Office has been keen to emphasise that no finding was made against it and that no compensation was paid in relation to any data breach. The trafficking authority, the Single Competent Authority management board, has however stated that there was “minimal guidance” on data processing by the Salvation Army under the VCC.

The Home Office has since provided the Salvation Army with revised guidelines, intended to prevent the inappropriate disclosure of information to government officials and ensure consent is provided where necessary. The complainant’s legally privileged information was deleted, and the complainant also received a £5,000 settlement fee. The Salvation Army does not appear to have been involved in the dispute and resulting settlement.

What can organisations learn from this case?

The data protection principles sit at the core of compliance requirements under our data protection regime. Transparency, data minimisation and purpose limitation are three of the seven core principles.

  1. Transparency

Data controllers are obligated to be clear and transparent with data subjects about the personal data they collect, use, or otherwise process. Effective transparency will ensure data subjects are fully informed from the outset of the relationship how their data is used by an organisation, including third-party recipients and the purposes/lawful bases for use. We recommend that data processors make clear where they act on behalf of a third party, and identify that third party, especially where they are the first point of contact for any data subject.

  2. Data Minimisation

During any audit, data controllers should ask whether the data they hold is necessary for the purpose. Limited coverage on the above case suggests that information was being collected which was irrelevant to the victim’s claim for trafficking. If the data is unnecessary to achieve the purposes, it is an unnecessary additional liability (as well as storage expense!).

  3. Purpose Limitation

The purpose limitation principle requires data controllers to be clear about purposes from the outset. It also states that personal data may only be used for a new purpose if this is compatible with the original purpose, if consent is obtained, or if there is a clear obligation or function set out in law.

Final thoughts

While we cannot suggest that the Home Office were at fault or in breach of the principles (as no such finding has been made in this regard), we can highlight the importance of the principles and likely outcomes where those principles are not met.

We recommend that public bodies and organisations serving those bodies scrutinise their data processing practices, agreements and guidance to ensure they are a) fit for purpose and b) reflect real-life practices under the arrangement. Does the data processing agreement marry up to the data actually collected? Is there a training requirement for those collecting personal/confidential information? Is there a limitation as to what can be shared? Are the data controller/data processor roles correct in practice?

Risk assessments should also be performed where data processing activities could pose a risk to individual data subjects, such as determining access rights to databases.

For any questions or concerns about your business’s activities relating to data protection please don’t hesitate to contact Stephens Scown’s data protection team.