Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.
The apprenticeship, which received final approval in March, will help develop the skills of those working in the increasingly important fields of data protection and information governance.
With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non compliance.
This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.
Ibrahim Hasan, Director of Act Now, said:
“We are excited to be working Damar Training to help deliver this much needed apprenticeship. We are committed to developing the IG sector and encouraging a diverse range of entrants to the IG profession. We have looked at every aspect of the IG Apprenticeship standard to ensure the training materials equip budding IG officers with the knowledge and skills they need to implement the full range of IG legislation in a practical way.”
Damar’s managing director, Jonathan Bourne, added:
“We want apprenticeships to create real, long-term value for apprentices and organisations. It is vital therefore that we work with partners who really understand not only the technical detail but also the needs of employers.
Act Now Training are acknowledged as leaders in the field, having recently won the Information and Records Management Society (IRMS) Supplier of the Year award for the second consecutive year. I am delighted therefore that we are able to bring together their 20 years of deep sector expertise with Damar’s 40+ year record of delivering apprenticeship in business and professional services.”
This apprenticeship has already sparked significant interest, particularly among large public and private sector organisations and professional services firms. Damar has also assembled an employer reference group that is feeding into the design process in real time to ensure that the programme works for employers.
The employer reference group met for the first time on May 25. It included industry professionals across a variety of sectors including private and public health care, financial services, local and national government, education, IT and data consultancy, some of whom were part of the apprenticeship trailblazer group.
If your organisation is interested in the apprenticeship please get in touch with us to discuss further.
During the current coronavirus pandemic, the health and social care sector as well as the emergency services are all providing an amazing service to those who are in need of urgent medical treatment. This will almost always require the sharing of personal data between organisations.
Even during a pandemic, it is important to note that GDPR still applies to ensure individuals’ privacy is protected whilst vital services are provided. On 19th March 2020 the European Data Protection Board has issued a statement on the processing of personal data in the context of the COVID 19 in which it emphasised this point:
“Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way.
It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”
The first data protection principle in Article 5 (1) requires Data Controllers to process personal information “lawfully, fairly and in a transparent manner”. Processing personal data is only lawful if one or more of the six lawful bases listed in Article 6 (1) applies.
If a Data Controller processes personal data about a person’s health (which is a class of Special Category Data) then they must additionally identify one of the ten lawful bases set out in Article 9 (2). These are more detailed than those in Article 6, and are fleshed out further in Schedule 1 of the Data Protection Act 2018. However, there are some overlaps. For example ‘consent’ is a lawful basis in Article 6 (1)(a) and ‘explicit consent’ appears in Article 9(2)(a). Similarly ‘vital interests’ appears in both Articles 6 and 9, however there are differences between the two which we explore below.
Article 6 (1) (d) provides that the processing of personal data is lawful if the processing is necessary to protect the vital interests of the data subject or of another natural person. This raises three points for discussion.
What are vital interests?
When will processing be ‘necessary’?
When can it be used to protect the vital interests of ‘another natural person’?
GDPR Recital 46, specifically refers to processing for the monitoring of epidemics and it seems this lawful basis is intended to be used in situations such as the current pandemic. But what about other interests? Are they vital?
During a recent GDPR workshop one delegate asked whether a person’s financial interests could be classed as a ‘vital interest’ (after all, we all need money to live). The answer is no because the word ‘vital’ is interpreted very narrowly. Recital 46 refers to processing that is “necessary to protect an interest which is essential for the life of the data subject or that of another natural person”. The ICO’s interpretation of this is that this generally only applies where it is necessary to protect someone’s life.
Our Example. Sam becomes acutely ill at work and his employer phones the ambulance service. The employer gives the paramedics Sam’s name and address. The employer can rely on the vital interest’s lawful basis to share this information. If the paramedics need access to Sam’s health records,then the GP will be able to share them for the same reason but will additionally require an Article 9 lawful basis (see below).
However, in our view vital interests can also include situations where there is a risk of significant harm to life. Therefore if an elderly person is forced to self-isolate and depends upon a group of volunteers collecting their essential prescription medicines, then sharing that person’s name and address is arguably necessary to protect their vital interests.
The processing must be “necessary” in order to protect a person’s vital interests. The key question is whether a Data Controller can reasonably protect a person’s vital interests without the processing (sharing their personal data). If they can then the processing will not be necessary. If they cannot then it will be lawful. In the above example, if the employers refused to give the paramedics Sam’s name and address then this could potentially threaten their ability to offer him life-saving treatment. Therefore the sharing of Sam’s personal data is necessary to protect Sam’s vital interests.
Protecting the Vital Interests of Other Persons
Those familiar with the Data Protection Act 1998 will know that the lawful basis in Article 6 (1)(d) is very similar to the one listed in paragraph 4 of Schedule 2 of the 1998 Act. Unlike the old DPA, the GDPR extends this lawful basis to processing that is necessary to protect the vital interests of “another natural person.”However, Recital 46 cautions that “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis”.
Back to our example. When the paramedics take Sam away in the ambulance, they ask for the names of any employees she may have come into contact with because they are concerned for their health. Can the employer rely on Article 6 (1) (d) to share their names? The answer is no if the employer can find an alternative lawful basis such as consent.
Consequently, as the ICO notes, the processing of one individual’s personal data to protect the vital interests of another is likely to happen only rarely. The ICO gives an example of the processing of a parent’s personal data to protect the vital interests of their child.
What about processing of personal data to save the lives of many others, for instance in a pandemic situation? Recital 46 suggest that this lawful basis may be used to process personal data for this purpose. But it also states that this basis should only be used where processing cannot be based on another legal basis. This could include “legal obligation” or “official authority”.
Special Category Data
A Data Controller sharing health information (or any other Special Category Data) also needs to identify a lawful basis under Article 9 of GDPR. This allows processing if is “is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.”
This basis is more rigorous than its counterpart in Article 6. It permits the processing of Special Category Data if the processing is necessary to protect the vital interest of the data subject or of another natural person but only “where the data subject is physically or legal incapable of giving consent.” This clearly allows medical practitioners to share health data in emergency medical situations where a patient is unable to consent to it.
If a patient is fit and able (physically and mentally) of giving consent, then a Data Controller cannot rely on Article 9 (2)(c).
Example, a volunteer group has compiled a database of the names and addresses of residents who need their prescriptions collecting. They share these names and addresses with volunteers. The group has asked volunteers to log details of any residents who have COVID 19symptoms in order that they can take steps to protect the lives of the volunteers. The group can only process this information if the person with symptoms explicitly consents to their information being shared (and they understand exactly why their information is being shared). If they are physically able to consent (or refuse to give consent) then the group cannot rely on the vital interests condition.
Although the temptation may be to assume that sharing health data is permissible in the circumstances, the vital interests’ condition in Article 9 (2) (c) has its limits.
Volunteer groups may need to take steps to obtain consent from data subjects and be prepared to explain exactly why they want this information. Article 9 does provide further lawful conditions which may be relevant (Articles 9 (2) (h) and (I)). We will consider the use of these in a future blog post.
Many established charities and recently formed volunteer groups are also now providing essential support services for those members of the community who are at risk, or vulnerable or in need. In order to do this these services may need to share personal data about such people, and often about their health. Whilst this is laudable, they too must be mindful of the GDPR implications. Our recent blog post about Covid 19 volunteer groups goes into more detail.