In this article I address one aspect of the first data processing standard, the duty to process personal data fairly, and what this actually means from a practical point of view. The main action to take away from this article is that, as the entity responsible for the collection of personal data, you need to ensure that you send privacy notices to all persons whose personal data you collect, whether directly or through a marketing firm you have contracted to act on your behalf. Failure to do so can attract financial penalties.
Section 22(4)(c) of the Jamaican Data Protection Act, which is very similar to the European General Data Protection Regulation, requires that:
Whether the personal data has been obtained directly from the data subject or not, the company that is responsible for the collection of that personal data shall provide the data subject with the following information, generally referred to as a privacy notice:
- the identity and the contact details of the controller;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients of the personal data, if any;
- the period for which the personal data will be stored.
One implication of this, translated into normal language, is that marketing companies, PR/marketing departments or even charities that develop lists of persons from directories, social media platforms or other such public sources have a duty to inform the persons whose data they are collecting. These persons, referred to as data subjects in the Data Protection Act, are to be informed of the fact that their personal data is being collected, along with the other information outlined above. Failure to inform the data subject will put you in breach of the Data Protection Act, notwithstanding that this information was collected from the public domain.
The well-known company Monsanto recently received a fine of 400,000 euros for contracting PR firms that did just that: collect personal data of persons for the purposes of PR and marketing. In the Monsanto situation, public relations firms, at the behest of Monsanto, collected from public sources the personal data of some 200 persons consisting of French and European political figures and members of civil society, including journalists, environmental activists, scientists and farmers, who could influence the debate or public opinion on the renewal of the authorization of glyphosate (a major substance in one of the company's best known products, RoundUp weedkiller) in Europe.
The personal data being collected and maintained contained information such as the organization the individual is attached to, the position held, the work address, the work landline number, the mobile phone number, the work e-mail address, events attended or organized by the individual, people they worked with, contacts with representatives of Monsanto and, in some cases, the Twitter account, for each of these individuals.
The French supervisory authority received complaints from data subjects whose data was collected and stored by these PR firms, indicating that they had not been informed of the existence of this processing of their personal data. The checks carried out by the French supervisory authority revealed that this list had been compiled and was maintained on behalf of Monsanto by several companies specializing in public relations and lobbying, as part of a major lobbying campaign.
In its defense, Monsanto claimed that the obligation to inform the data subjects was on the public relations company that compiled and maintained the list and, in any event, the persons would have had little interest in being informed insofar as the data in question was public and they would reasonably expect that their data would be processed in this manner. The French supervisory authority found that it was Monsanto that contracted the PR firms and, in contracting the public relations company for the reason described, it was Monsanto that dictated the purpose and means of processing to the PR company. In addition to finding that it was the responsibility of Monsanto to advise data subjects of the fact of processing, the supervisory authority also found that the contracts used to engage the PR firms did not include the specifications required by the GDPR. The specifications required by the GDPR are similar to those of the Jamaican Data Protection Act, which states that where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must ensure that the processing is carried out under a contract which is evidenced in writing, and under which the data processor is to act only on instructions from the data controller. For these contraventions Monsanto was fined €400,000.
It should strike the discerning reader that there was no form of "data breach" or allegation of lack of information security, nor was there any form of unlawful access to the personal data. This was simply a case where a company contracted a third-party PR firm, that PR firm collected information on behalf of the principal company, there was a failure to notify the data subjects of the fact of the collection of their data, and the contract did not contain the required terms. Leaders of companies need to quickly disabuse themselves of the idea that data protection is something that IT alone can deal with or lead on, or something that legal alone can deal with. Of the eight data processing standards, only one speaks about information security controls.
The Data Protection Act establishes an entire framework that must be implemented, maintained, monitored and regularly improved upon. It will require new skill sets that do not rest squarely with your existing IT security service provider or legal service provider. There now remains one year, three months and one day before the expiration of the transition period of two years provided by the Data Protection Act. Identifying all the personal data you or your service providers are processing, and ensuring that it is being done in accordance with the first part of the first data processing standard, is one of several activities that have to be completed in the next 15 months. It is only through ownership and assertive leadership from the top that an organization can hope to comply with the Data Protection Act. The first step is to sensitize yourself and your team as to what needs to happen, and then get help from a company with the requisite skill sets and relevant experience in this domain.
Chukwuemeka Cameron is an Attorney with a Master's in IT and Management. He is a privacy practitioner, a trained Data Protection Officer, a certified ISO 27701 lead implementer and the founder of Design Privacy, a firm that helps companies comply with privacy laws. Feedback can be sent to [email protected].