The Data Protection Act 2018 (DPA 2018) requires anyone ‘processing’ personal data to have a lawful basis for doing so. Processing, in relation to personal data, means:
“any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction)”
For the purposes of this article, we want to focus on the ‘collection’ aspect. We often see cases where the client has provided either brief or full details relating to another person, usually a spouse or partner etc., yet where that other person was not present at the fact find meeting and there is no evidence that he or she has seen the firm’s privacy notice and accepted whatever lawful basis the firm relies upon for processing data.
That may seem harmless, but, strictly, it is problematic.
When you collect personal data from the individual it relates to, Article 13 of the GDPR says that you must provide them with privacy information:
“…at the time when personal data are obtained…”
However, there is an acknowledgement that sometimes this will fail, in which case article 14 comes into play.
When you obtain personal data from a source other than the individual it relates to, Article 14 of the GDPR says you must provide them with privacy information:
“…within a reasonable period after obtaining the personal data, but at the latest within one month…”
So this is a backstop solution to the situation where information, however brief, is obtained about an individual who is not directly present at the meeting. However, ICO guidance states that, while there is a maximum of a month to remedy the situation, this period will be shorter, as soon as possible, where:
- your use of the data is likely to be unexpected or unwelcome;
- your use of the data is likely to have a significant effect on individuals; or
- you have obtained special categories of personal data or criminal conviction and offence data.
As mentioned, this is a not uncommon situation and most advice firms will have experienced this on occasion. Even where advice is clearly being provided to one party, it is often appropriate to have some information about a partner as that might influence the advice. While there is the possibility to remedy the data protection position in relation to that other person retrospectively, it is vastly preferable to pre-empt the problem by ensuring that the pre-meeting confirmation/pack includes mention of the need for both parties to see the privacy notice and agree to its terms – or not.
In the, to be hoped probably unlikely, event that the other party objects/does not agree to the terms of the privacy notice, then NO information should be obtained and advisers need to consider how the absence of that information affects their ability to create a suitable solution. In some cases it will be sufficient to warn in the fact find and the suitability report that such information is not known and could have had a bearing on the advice. In other cases, it could be that the absence of partner information would render the adviser in a position where no personal recommendation should be provided as per COBS 9.2.6:
If a firm does not obtain the necessary information to assess suitability, it must not make a personal recommendation to the client or take a decision to trade for him.
A word about children
You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
In the UK, if you are relying on consent as your lawful basis for processing, only children aged 13 or over are able to provide their own consent. For children under this age you need to get consent from whoever holds parental responsibility for the child.
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.
An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.