Through the Privacy Looking Glass: Profiling by UK councils in the performance of their tasks
Locations
Background: There have been recent reports of increased use of profiling tools by public sector organisations to target services more effectively to those in need, in particular in the context of the coronavirus crisis.
These profiling activities may involve the use of existing stores of mainly consumer data compiled by third party data companies and/or the use of sophisticated analytics tools to process existing public authority data-sets.
While there is no doubt that a move towards data-driven solutions can provide a myriad of potential benefits, there are inevitable privacy risks. Nevertheless, as principles-based legislation, the GDPR and related UK Data Protection Act 2018 are designed to be flexible enough to be applied to increasingly sophisticated analytics scenarios.
Purpose Limitation: Much will turn on whether public authorities and/or their data partners can comply with the purpose limitation principle.
In the absence of specific consent, public authorities are likely to need to consider the compatibility of the processing with the original purpose for which they collected the data. Such analysis will involve looking at factors such as the reasonable expectations of individuals, any link with the original purposes and the consequences of the intended further processing.
For data sourced from existing consumer data stores, given the entirely different consumer context in which the data was originally collected, it may be difficult to argue that the disclosure to public authorities for the relevant purposes are compatible with original processing purposes.
In the absence of compatibility, public authorities and their data partners would generally need to consider seeking individuals' consent to the new purpose, unless they can point to a clear legal provision requiring or allowing the new processing in the public interest, e.g. a new public authority function.
In any event, if the data was originally collected on the basis of consent, it is likely that a fresh consent will be required. Public authorities would also need to make sure that they update their privacy notice to ensure transparency.
Legal Basis: Another consideration is whether there is an appropriate legal basis for the profiling. Since, very often, specific and informed consent is unlikely to be an option in respect of existing stores of data, public authorities may seek to rely on the ground that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the public authority. Key to this analysis is a consideration of "necessity" and whether there is a less intrusive way of performing such task/exercising such authority.
Special Category Data: Any processing of special category data, including any inferences about physical or mental health or the processing of information about membership of a racial/ethnic minority will need to comply with a condition for processing special category data. One possible option to consider under the Data Protection Act 2018 is whether the processing is necessary for reasons of substantial public interest, e.g. safeguarding the economic well-being of certain individuals. Reliance on such ground would require an appropriate policy to be put in place.
Transparency: Key to fair and lawful processing is whether there been a sufficiently clear and concise explanation of how the relevant personal data will be used, in particular taking into consideration that some of the personal data may relate to vulnerable individuals. This point poses a specific challenge to public authorities to the extent that they are using data contained in existing consumer data stores compiled by third parties. In such circumstances, public authorities may need to look at whether they could rely on an exemption to the requirement to provide a privacy notice directly to the relevant individuals, e.g. if doing so is likely to render impossible or seriously impair the achievement of the objectives of the processing. Even then, public authorities would need to consider having a publicly-available privacy notice that meets the necessary transparency standards.
Automated decision-making: Another consideration arises from the rules relating to decision-making that is based solely on automated processing and which has a legal or similarly significant effect.
Is there likely to be decision-making?: If solely automated profiling activity is used to inform whether to allocate resources/assistance to a particular individual, then clearly the answer is yes.
Is the decision-making based solely on automated profiling? It would seem possible that algorithmic outcome could prevail without any real human consideration of the relevant issues (it would not be enough to avoid the requirements of the GDPR in relation to automated decision-making if the public authority simply "inserts" a staff member into the process but gives them no real decision-making power).
Is the relevant decision making likely to have a legal or similarly significant effect on an individual? Assuming the decision-making is of a nature indicated above, then the answer is likely to be yes. Again, in the absence of explicit consent or an argument that the decision-making is necessary for entering into, or performing a contract with the individual, public authorities are likely to need to be able to point to a clear legal provision which permits such automated decision-making. A description of the logic involved should also be included in the relevant privacy notice.
Other considerations: Of course, the above issues are just part of the story. Public authorities would also need to address data minimisation requirements and to ensure the security and accuracy of data used in analytics tools, as well as overall fairness of processing, e.g. taking steps to avoid bias in algorithmic decision-making. Linked to the accuracy point is the "age "of the data-set, which in turn ties into whether the public authority/third party data partners have sensible retention policies in place. And of course, individuals' rights to deletion, access, restriction, objection and data portability must be respected.
Conclusion:
The current coronavirus crisis has emphasized the importance and benefits of understanding data and being able to use it in a way that benefits society as a whole. Our current legislative regime does not necessarily stand in the way of these benefits being achieved but imposes robust standards for ensuring that the processing of the personal data of individuals is done in a way that respects individuals' fundamental rights and freedoms.
A phased return to work is taking place in different sectors. Fieldfisher is committed to supporting you through the transition and beyond. We continue to be available to our clients either remotely or in person, with your business as usual matters, as well as for C-19 support. Please review our Covid-19 hub for updates and get in touch if you require further information.