12 Data Protection, Data Capture and Privacy Policy
Licensing Objective: Preventing gambling from being associated with crime and disorder.
12.1 Introduction
12.1.1
This section looks at various aspects of Data Protection and areas within the Protection of Freedoms Act (POFA) that impact on the bingo premises environment.
12.1.2
The section is not exhaustive within these areas, but there are several additional references where a more comprehensive level of information can be found.
12.1.3
One key document to read is The Guide to Data Protection produced by the Information Commissioner’s Office (ICO) which can be viewed along with other reference guides by using the links at the end of this section.
12.2 Data Protection Act
12.2.1
General Data Protection Regulations (“GDPR”) and established a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to expect their personal details to be kept private. The legislation itself is complex and can be interpreted in different ways; however, it is underpinned by a set of common-sense principles. If you make sure you handle personal data in line with the spirit of these principles, then you will go a long way towards ensuring that you comply with the letter of the law.
12.2.2
The Act applies to a particular activity – processing personal data – rather than to particular people, or organisations. So, if you “process personal data”, then you must comply with the Act and, in particular, you must handle the personal data in accordance with the data protection principles. Broadly, however, if you collect or hold information about an identifiable living individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of the Data Protection Act is therefore very wide as it applies to just about everything you might do with individuals’ personal details.
12.2.3
Schedule 1 to the Data Protection Act lists the data protection principles in the following terms.
12.3 The Data Protection Principles
(a) Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’).
In practice, this is self-evident: organisations need to make sure their data collection practices don’t break the law and that they are not hiding anything from data subjects. To remain lawful, you need to understand the law and the rules for data collection. To remain transparent with data subjects, you should state in your privacy policy the type of data you collect and the reason you are collecting it.
(b) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’).
In practice, organisations should collect personal data only for a specific purpose, clearly state what that purpose is, and collect data only for as long as necessary to complete that purpose. Processing for archiving purposes in the public interest or for scientific, historical or statistical purposes is given more freedom.
(c) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
This means that organisations must process only the personal data that they need to achieve its legitimate purposes. Doing so has two major benefits: in the event of a data breach, the unauthorised individual will have access to only a limited amount of data, and data minimisation makes it easier to keep data accurate and up to date.
(d) Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
The accuracy of personal data is integral to data protection. The law requires that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
(e) Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’).
In practice, it means organisations need to retain personal data for only as long as necessary for legitimate purposes. For some businesses, this will be as long as the individual remains a customer, though the data may be kept thereafter for as long as the business has on ongoing legal reason or potential legal risk in relation to that data.
(f) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The law does not detail any required measures but generally it is important to follow industry standards and stay up to date with practices and tools.
12.4 Questions Relating to Data Protection
Do I need to notify the Information Commissioner?
12.4.1
If your organisation processes personal data on a substantial scale, you usually have to notify the Information Commissioner about this. Failure to notify is a criminal offence.
12.4.2
Notification is how an organisation informs the Information Commissioner about its processing of personal data. The Information Commissioner is required to maintain a register and they use these details to make an entry in the register describing the processing. The register is available to the public for inspection on their website http://ico.org.uk/.
12.4.3
The main purpose of notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know (or be able to find out) who is processing personal data, plus other details about the processing (such as why it is being carried out).
12.4.4
Notification serves the interests of individuals by helping them understand how organisations process personal data.
12.4.5
However, it is not intended (nor practical) that the register should contain very detailed information about an organisation’s processing. The aim is to keep the content general, with enough detail to give an overall picture of the processing. You only need to give more detail to satisfy specific statutory requirements or if there is particular sensitivity.
12.4.6
The Act provides an exemption from notification for some organisations. The exemption is available for:
a) organisations that process personal data only for:
- staff administration (including payroll);
- advertising, marketing and public relations (in connection with their own business activity); and
- accounts and records;
b) some not-for-profit organisations;
c) organisations that process personal data only for maintaining a public register;
d) organisations that do not process personal information on computer; and
e) individuals who process personal data only for domestic purposes
Do I have to reply to a subject access request?
12.4.7
Yes, unless an exemption applies. One of the main rights which the Act gives to individuals is the right of access to their personal data. An individual may send you a “subject access request” requiring you to tell them whether you are processing their personal data and, if so, to provide them with a copy and with certain other information.
12.4.8
In most cases, you must respond to a valid subject access request within 30 calendar days of receiving it. However, you do not have to grant subject access in respect of personal data to which an exemption applies. An exemption might apply because of the special circumstances in which you are processing or because of the nature of the data.
What should I do if an individual complains about what I am doing with their personal data?
12.4.9
You should carefully consider such a complaint. It is good practice to provide a reasoned response to all complaints and, depending what the complaint is about, the Data Protection Act may require you to do so. The Act may also require you to stop, or change, what you are doing with an individual’s personal data following a complaint. In particular, you might have to:
a) correct or delete information about an individual which is inaccurate;
b) stop processing their personal data for direct marketing; or
c) stop processing their data completely or in a particular way (depending upon the circumstances).
What does “fair processing” mean?
12.4.10
The first data protection principle requires you to process personal data lawfully and fairly. Ensuring fairness in everything you do with people’s personal details is, in the Information Commissions Office (ICO) view, central to complying with your duties under the Data Protection Act. In practice, it means that you must:
a) have legitimate reasons for collecting and using the personal data;
b) not use the data in ways that have unjustified adverse effects on the individuals concerned;
c) be open and honest about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
d) handle people’s personal data only in ways they would reasonably expect; and
e) make sure you do not do anything unlawful with the data.
12.4.11
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
Can I use personal data for a new purpose or disclose it to a third party?
12.4.12
It depends. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will likely be able to use their personal data for the new purpose if it is fair to do so.
12.4.13
As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers
an easy way to opt out. If you intend to make a significant change to what you do with personal data, you will usually need to get your customers’ consent.
12.4.14
Individuals should generally be able to choose whether or not their personal data is disclosed to another organisation, unless one of the Act’s specific exemptions applies (such as where the disclosure is necessary to carry out a contract with the individual). If you did not make your intention to disclose information to a third party absolutely clear at the outset, at a time when the individual could choose not to proceed, then you will usually need to get the individual’s consent before making such disclosures.
Must I encrypt all the information I store on computer?
12.4.15
Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction. Encryption might be a part of your information security arrangements – for example, in respect of confidential personal data stored on laptops or portable storage devices.
On the other hand, you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose. Even where you do encrypt personal data, you will probably need to take additional steps to comply with the Act’s information security requirements.
What should I do if I lose personal data?
12.4.16
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including:
a) a recovery plan, including damage limitation;
b) assessing the risks associated with the breach;
c) informing the appropriate people and organisations that the breach has occurred; and
d) reviewing your response and updating your information security.
12.5 The Role of the Information Commissioner’s Office
12.5.1
The Information Commissioner is the UK’s independent authority who upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner has responsibilities in respect of freedom of information as well as data protection.
12.6 What Does the ICO do?
12.6.1
The Data Protection Act makes the Information Commissioner responsible for:
a) promoting good practice in handling personal data, and giving advice and guidance on data protection;
b) keeping a register of organisations that are required to notify him about their information-processing activities;
c) helping to resolve disputes by deciding whether it is likely or unlikely that an organisation has complied with the Act when processing personal data;
d) taking action to enforce compliance with the Act where appropriate; and
e) bringing prosecutions for offences committed under the Act (except in Scotland, where the Procurator Fiscal brings prosecutions).
12.7 What is an Enforcement Notice?
12.7.1
If the ICO consider it appropriate to do so, they may serve an enforcement notice if the Information Commissioner is satisfied that an organisation has failed (or is failing) to comply with any of the data protection principles. In deciding whether to do this, they have to consider whether the failure to comply has caused, or is likely to cause, damage or distress to anyone.
12.8 Does the ICO Have Powers of Audit and Inspection?
12.8.1
The ICO have the power to conduct an assessment or “audit” of an organisation’s processing of personal data in order to establish whether that processing follows good practice. Following an audit they will inform the organisation of our conclusions.
12.9 Can the ICO Impose Penalties for breaching the Act?
12.9.1
The Information Commissioner has a statutory power to impose a financial penalty on an organisation if they are satisfied that:
a) there has been a serious breach of one or more of the data protection principles by the organisation; and
b) the breach was likely to cause substantial damage or distress.
12.9.2
The power to impose a financial penalty only applies if:
a) the breach was deliberate; or
b) the organisation knew (or should have known) that there was a risk of a breach which was likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.
12.9.3
The Information Commissioner will take account of the circumstances of each case when he decides the amount of any financial penalty. The maximum penalty under the GDPR is €20 million or 4% of annual global turnover. For more on financial penalties, see the “Information Commissioner’s guidance about the issue of monetary penalties” on their website.
12.10 Samples from Bingo Companies
12.10.1
Bingo Companies should state their data capture and processing terms within a suitable Privacy Policy, which must be separate to (and agreed separately from) their commercial Terms and Conditions. The Privacy Policy should include how the company will manage the customer’s personal data and the level of privacy a customer can expect. Samples of various provisions for these policies are set out below.
12.10.2 Buzz Group Ltd – Privacy Policy
(Please see Resources Centre)
12.10.3 Park Resorts Policy and Procedures Data Capture policy
(Please see Resources Centre)
12.11 Protection of Freedoms Act and Using CCTV
12.11.1
When using, or intending to use surveillance systems including CCTV and the storing of information, organisations will need to consider their obligations in relation to:
a) Freedom of Information Act 2000 (FOIA)
b) Protection of Freedom Act (POFA)
c) The Human Rights Act 1998 (HRA)
d) Data Protection Act 199
And ideally be familiar with:
e) The ‘Surveillance Camera Code of Practice’
f) ‘In the Picture: A data Protection Code of Practice for Surveillance Cameras and Personal Information’ a guidance document from the ICO.
g) The Employment practices code (ICO)
h) Data Protection – The Employment Practices Code supplementary guidance (ICO)
i) CCTV Strategy for Scotland (The Scottish Government)
j) Privacy Notices Code of Practice (ICO)
k) Data Sharing Code of Practice (ICO)
Key areas relevant to the reference documents above are detailed within this section and a list of the websites and the links to the relevant documents are included at the end of this section.
Protection of Freedom Act (“POFA”)
12.11.2
Unlike the Data Protection Act, the POFA applies only to England and Wales and therefore is not applicable to the rest of the UK. The Scottish Government has produced its own CCTV Strategy for Scotland (See Resources Centre):
12.11.3
The POFA in particular has an important role in regulating surveillance systems, creating the role of the Surveillance Camera Commissioner, which the Information Commissioner has a memorandum of understanding with to ensure effective cooperation. The Surveillance Camera Commissioner is charged with promoting good practice regarding surveillance cameras and to encourage compliance with the POFA code.
12.11.4
The POFA code is also an important document to refer to when your issue is not a data protection one. It provides advice and guidance on issues such as operational requirements, technical standards and the effectiveness of the systems available. The 12 guiding principles are the key component of the POFA code and these are referenced throughout the ICO code.
12.12 The 12 Guiding Principles of the Surveillance Camera Code of Practice
The Development or use of Surveillance Camera Systems
1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
The use or processing of images or other information obtained by virtue of such systems
5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
12.13 The Employment Practices Code Supplementary Guidance
A link to this document is shown at the end of this section.
12.13.1
Guidance for the Employment Practices Code falls in to 4 areas:
a) Recruitment and Selection
b) Employment Records
c) Monitoring at Work
d) Information About Workers Health
Item ‘c’ is more relevant to the operational side whereas items a, b and d are more personnel related.
Monitoring at Work is then separated in to 5 areas:
a) Emails
b) Internet access
c) Video and Audio Monitoring
d) Covert Monitoring
e) Key Points and Actions
Three of these areas which are highlighted are particularly relevant in a bingo premises.
12.13.2 Video and Audio monitoring
An impact assessment of video and/or audio monitoring should be completed and the following should be considered.
a) Can video and audio monitoring be targeted at areas of particular risk, for example where there is a risk to safety or security?
b) Can monitoring be confined to areas where workers’ expectations of privacy will in any case be low, for example areas to which the public have access?
c) Can video and audio capability be treated separately?
d) Will the employer be in a position to meet its obligations to provide subject access to and, to the extent that it might be necessary, remove information identifying third parties from audio and video recordings?
12.13.3 Covert Monitoring
a) Covert monitoring should not normally be considered. It will be rare for covert monitoring of workers to be justified. It should therefore only be used in exceptional circumstances
b) Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete.
c) Deploy covert monitoring only as part of a specific investigation and cease once the investigation has been completed.
d) Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
- If embarking on covert monitoring with audio or video equipment, ensure that this is not used in places such as toilets or private offices.
- There may be exceptions to this in cases of suspicion of serious crime but there should be an intention to involve the police.
e) Ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice. Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.
12.13.4 Key Points and Actions
a) In a covert monitoring exercise, limit the number of people involved in the investigation.
b) Prior to the investigation, set up clear rules limiting the disclosure and access to information obtained
12.14 Ensuring Effective Administration
The use of CCTV comes with the legal responsibility and effective administration.
12.14.1
Establishing a clear basis for the processing of any personal information is essential, and the handling of information relating to individuals collected from surveillance systems is no different. It is important that you establish who has responsibility for the control of this information, for example, deciding what is to be recorded, how the information should be used and to whom it may be disclosed. If you are the organisation that makes these decisions, then you are the data controller and you are legally responsible for compliance with the DPA.
12.14.2
You will also need clear procedures to determine how you use the system in practice.
12.14.3
Have you identified clearly defined and specific purposes for the use of information, and have these been communicated to those who operate the system?
12.14.4
Are there clearly documented procedures, based on the code, for how information should be handled in practice? This could include guidance on disclosures and how to keep a record of these. Have these been given to the appropriate people?
12.14.5
Has responsibility for ensuring that procedures are followed been allocated to an appropriate named individual? They should ensure that standards are set, procedures are put in place to meet these standards, and that the system complies with this code and legal obligations, such as an individual’s right of access.
12.14.6
Are proactive checks or audits carried out on a regular basis to ensure that procedures are being complied with? This can be done either by you as the system operator, or a third party.
12.14.7
You should regularly review whether the use of surveillance systems continues to be justified. It is necessary to renew your notification with the ICO annually, so this would be an appropriate time to consider the ongoing use of such systems.
12.15 Checklist for Users of Limited CCTV Systems Monitoring Small Retail and Business Premises
A useful checklist to run through if you are installing CCTV is included in Appendix A.
12.16 Website Links (See Resource Centre)
Appendix A
Checklist for users of limited CCTV systems monitoring small retail and business premises