It’s now nearly half a year since the General Data Protection Regulation (GDPR) came into force, and two and a half years since it was first announced. While more and more organisations are becoming better informed about the regulation, some misconceptions persist, to the detriment not only of those who act on misguided information, but also of the people whose data they handle. This article clarifies two of the most damaging misconceptions for public authorities such as higher education institutions.
No, ‘consent’ is not a cure-all, and should be avoided as the legal basis for processing
To the great annoyance of a general public plagued by consent notices, many misinformed businesses and organisations are still under the impression that the only way personal data can be processed is by obtaining consent.
If personal data is collected or handled for the purpose of fulfilling a task or providing a service that the person has asked you to carry out (e.g. providing education and assessment), this is, very reasonably, in itself considered a lawful ground for processing, and does not require consent.
For the private sector, consent may be used as a means to collect and use data for purposes other than what the person asked for, or for purposes reasonably related to what was asked (e.g. if an email provider wants to sell its customers’ personal data to a political campaigning agency, informed consent may allow it to do so). As a fundamental human rights law, GDPR requires that consent be given freely and unconditionally. The person giving consent must also have the right to withdraw it at any time.
Public authorities will need to take special care to prove that consent was freely given, especially consent given by a student to an education institution, because of the power imbalance in that relationship (the same goes for consent given in an employer/employee context). This will be a difficult task, as the existence of a power imbalance is seen as invalidating free consent by default. Furthermore, public authorities are restricted from using ‘Legitimate Interest’ as a ground for processing. Coupled with the fact that consent can be withdrawn at any time, an institution will generally be better off establishing its lawful ground for processing by showing that the data is needed to fulfil a requested task or service, as mentioned earlier, or, in the context of research, by showing that it is needed in the public interest.
All requests for the right of erasure must be responded to, but not necessarily accepted
For any institution, if a person asks to have their personal data erased, the first action to be taken is to verify the identity of that person. The second important step is to check whether national law requires that data to be kept for a specified period (e.g. for tax purposes), or whether it is needed in connection with a legal proceeding.
Another ground for an institution to reject the request is that the personal data is still required in order to provide in full the goods and services requested by that person. So a current student signed up to a course cannot have their personal data erased if that data is needed to provide the course and its assessment to the student.
There are also grounds for exemption for archiving purposes in the public interest, where deletion of the data would seriously impair the objectives of scientific, historical or statistical research, or where the personal data was collected in the exercise of official authority vested in the institution.
Regardless of whether there are grounds to accept or reject a request, the institution is required to give a response ‘without undue delay’ (and within a month).
Check your national laws and consult with your DPO
The GDPR allows each member state to define derogations for public authorities and for several of its clauses. Many factors will affect the action required for compliance, so each instance must be assessed case by case. As most EU member states have mandated that public authorities appoint a Data Protection Officer (DPO), do take advantage of this resource and consult them with any questions you may have.
Disclaimer: This article contains general information only. Nothing in this article constitutes legal advice. Consult a suitably qualified lawyer or DPO on any specific problem or matter relating to GDPR.
Written by Miho Tanaka Gumpp
Miho will facilitate a Knowledge Exchange on GDPR First Lessons Learnt during OEB on Thursday, Dec 6 from 16:30 – 17:30.