In the second of our blog series, we explore how the Europe-wide General Data Protection Regulation (GDPR) will affect an individual’s consent to an organisation holding their personal data from May 2018. (Last week, we looked at what constitutes personal data – i.e. information on an individual, which allows them to be identified).
GDPR Personal Data
The GDPR refers to ‘consent’ and ‘explicit consent’, although both have to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. Under the GDPR, this consent requires clear affirmative action by the individual. So, pre-ticked boxes on forms or assumed consent are not sufficient. You must explain your organisation’s legitimate interests in holding such data. Consent must also be verifiable, so organisations will have to hold records as to how and when consent was given. But individuals have a right to withdraw this consent at any time. Many organisations will need to improve their data storage systems to prove they have individual consent – and to note when this consent has been withdrawn.
The GDPR contains new provisions to enhance protection of children’s personal data. If you target online services at children, you will need to obtain consent from a parent or guardian to store the child’s data. This protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles. The exception to gaining parental or guardian consent would be in relation to preventative or counselling services offered directly to a child. Find out about our work to store and digitise children’s medical records for Cambridgeshire Community Services NHS Trust below.
In September 2015, CAS was approached by Cambridgeshire Community Services NHS Trust to undertake a project to relocate and digitise over 20,000 confidential client health care files. The Trust took the decision to improve their systems dramatically by moving to a new storage facility and at the same, time took the opportunity to digitise the files. Working closely with senior stakeholders within the Trust, CAS proposed to enable increased effectiveness of record keeping and retrieval through secure storage, creating digital versions of documents and providing online access to live files through CAS-Cloud. Read the full story here.
Right to erasure
One particular area which is changing under the GDPR is the right to erasure. The principle behind this so-called ‘right to be forgotten’ is to enable an individual to request the deletion or removal of personal data when there is no compelling reason for continuing to hold it. This right is not absolute; there must be specific circumstances for an individual to be able to request the erasure. For example, when the individual withdraws consent, or if the personal data was unlawfully stored in the first place. Under the current legislation, the right to erasure is limited to instances which cause unwarranted and substantial damage or distress to the individual. But, under the GDPR this threshold is removed. However, there are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request. For instance, if you need to hold it for public health purposes in the public interest, or to exercise or defend legal claims.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), has published detailed, practical guidance for UK organisations on consent under the GDPR. It’s holding a consultation about this guidance, which is open until 31st March. So, why not read the guidance and have your say about whether the ICO is providing the right level of detail about these important changes. You can take part here: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
Our next blog on the GDPR will focus on accountability and governance for data protection. We’ll explore the importance of ensuring everyone in your organisation understands the need to protect the information which you hold.
And in the meantime, if you’ve got any questions about how CAS can help you meet your data protection responsibilities, from live file storage or document archiving through to IT equipment disposal, give one of the CAS team a call today.
For a free, no obligation quote please contact our specialist team
About Clarks CAS
CAS provides comprehensive and secure document digitisation, information storage and facilities management services. For more than 20 years CAS have worked with NHS Trusts, Financial Services providers, and corporate and private clients. Our head office is just four miles from the City of London, supported by our advanced storage centres across the UK. CAS has an impressive array of International certifications (ISOs), which prove our compliance with the strictest national, European and international laws. They also demonstrate our commitment to provide innovative systems on security, confidentiality and quality control in keeping your files safe and well managed.