GDPR briefing

Mar 20, 2020

By Michael McLaughlin, HACT Social Insight Lead in Scotland

In light of the current coronavirus pandemic affecting communities across the world, questions have been raised around the sharing of personal details, in particular of those in need of support.

Whilst we are all at risk of contracting Covid-19, we have seen on platforms such as Mutual Aid UK, various volunteer groups who have mobilised to support those within their communities who are more vulnerable and in greater need.

It may be useful to look at the General Data Protection Regulations (GDPR) and the implications of this on groups and organisations in the field of community investment. In terms of using and storing the data passed on by local people themselves to this end, this is likely to be covered by one of the following legal basis for processing;

  • Consent
  • Contractual
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interests

However, when it comes to data sharing with other agencies who are carrying out or coordinating services to those vulnerable members either self-isolating or in need of further support within communities, it may be prudent to be slightly more formal in approach. This will help weigh up the relevant processing basis against the interests of rights and freedom of the people in need of support in these challenging times.

Avoid sharing any unnecessary, especially sensitive or confidential personal information (termed as special category data by ICO), and where possible, setting up a data sharing agreement with partner agencies would help reinforce information management processes. Template data sharing agreements can be found in the ICO Data Sharing Code of Conduct which also provides detailed guidance on the topic.

It is also worth carrying out a data protection impact assessment (downloadable here) before you begin any new or amended project that may involve processing personal data on a larger scale. This will help identify and mitigate against the data protection risks of any programme of work. Please also not that the ICO is not looking to take regulatory actions against any organisation for a slight dip in standards.

All of the organisations HACT works with through the Centre for Excellence in Community Investment carry out their work with the best interests of their community members and residents at heart. Current GDPR guidelines should prove no barrier to this. By documenting what data they are sharing, how this will be shared, and for what reasons, you will protect yourselves against any needless worry, allowing organisations to continue providing the excellent support they have planned.

Please feel free to contact Michael McLaughlin on who can discuss any of this in more detail or point you in the direction of appropriate online resources.

News & views