GDPR: Retaining and Providing Personal Data to PSA
As many providers within the phone-paid services industry will already be aware, the law surrounding data protection will change shortly. The General Data Protection Regulation (EU) 2016/679 (GDPR) is due to come into effect on 25th May 2018. In addition, the UK Data Protection Bill [HL] 2017-19 (DP Bill), which is currently progressing through Parliament, will supplement the GDPR and update the UK’s data protection laws.
This Notice sets out our current expectations around the retention and provision of personal data to the PSA arising from specific rules in the PSA Code of Practice (the Code) and directions for information made by the PSA under the Code. These rules and directions for information require providers to provide, or be able to provide, information to PSA, which may include ‘personal data’.
We believe that the new data protection laws will not affect a provider’s ability to retain and provide PSA with personal data when requested under the Code. Our current view is that all consumer data should be retained for a minimum of two years from collection. However, this Notice outlines our intention to consult on proposed new expectations, including in relation to retention of specific types of data, to be issued as formal Guidance. We expect to consult during the early part of summer 2018.
PSA’s current expectations
Disclosure of personal data
Where we use the Code (as approved by Ofcom under the Communications Act 2003) to direct providers to supply information, they are able to provide us with personal data under the exemption from non-disclosure set out at section 35(1) of the Data Protection Act 1998 (DPA 1998). The text of the exemption is as follows:
Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
We note that the ‘non-disclosure provisions’ do not include additional conditions that are required under Schedule 2 of the DPA 1998. However, in our view the condition set out at paragraph 3 of Schedule 2 will be satisfied for the purposes of disclosure. This states that:
The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
Our view therefore is that providers have a clear legal basis for disclosing the personal data to the PSA when requested to do so under the Code.
Providers should note that for sensitive personal data (as defined in s2 DPA 1998) explicit consent of the data subject is required before this data can be provided to PSA. In such circumstances, we would expect providers to ensure that they make all reasonable efforts to obtain consent from the consumer, where the data is required by a direction or a Code provision.
We are aware that in some situations a Level 2 provider may not be in possession of personal data that would be of regulatory benefit to PSA. For example, we understand that where operator billing/charge to bill is the payment mechanic used to bill a consumer of a phone-paid service, the Level 2 provider is normally not provided with the consumer’s MSISDN. In such a scenario, we note that the Level 2 provider would normally only be provided with an identifier. As a result, we will normally direct the Level 1 provider to provide us with the required MSISDN data in these circumstances.
Retention of personal data
As mentioned above, s35(1) exempts providers from the non-disclosure provisions. Therefore, as with disclosure our view is that providers are able to retain documents for any period specifically directed by PSA under the Code or required under PSA Code rules. This removes the need for providers to be concerned about retention periods. The Code currently requires providers to maintain various records that are likely to include personal data through the following provisions:
• Proof of Consent to Charge – paragraph 2.3.3
• Proof of Consent to Market – paragraph 2.4.2
• Evidence of Complaint Handling – paragraph 2.6.6
• Evidence of Due Diligence on clients – paragraph 3.3.1
We currently consider that such data should be retained for a minimum period of two years from the point at which it is collected, which ensures that it is available for regulatory purposes, as required, for a reasonable period. This period allows PSA to consider and, where necessary, investigate and address any compliance issues identified through consumer enquiries or PSA monitoring. It also ensures that PSA is able to maintain fairness and proportionality when considering deadlines for responses to PSA correspondence.
The GDPR and DP Bill
Disclosure of personal data
We believe that providers will continue to be able to provide personal data to PSA under the new data protection laws, where such data is required through a direction under the Code or by specific Code rules. Article 6(1)(c) of the GDPR states that processing (including storage) will be lawful if:
Processing is necessary for compliance with a legal obligation to which the controller is subject.
In terms of further requirements of the first and other principles under the GDPR, paragraph 5(2) of Schedule 2 of the DP Bill provides an exemption for data controllers in relation to disclosure of personal data where this is done as a result of an enactment. The relevant enactment for providers of phone-paid services is the Communications Act 2003 under which the Code is approved and enforced.
In relation to special categories of personal data (referred to as ‘sensitive personal data’ under the DPA 1998), our view is that this remains unchanged under the new data protection laws: the explicit consent of data subjects will be required before such data can be provided to PSA. Again, in such circumstances, we would expect providers to ensure that they make all reasonable efforts to obtain such consent from the consumer where such data is required by a direction or a Code provision.
Our position in relation to issuing directions to the most appropriate person in the value chain remains the same under the new data protection laws.
Retention of personal data
We have been approached by a number of providers asking for retention periods for various data required by the Code and for the purposes of PSA enquiries and investigations (or other regulatory benefit). We understand that definitive retention periods for specific types of data would be helpful to providers looking to ensure compliance with their obligations under the new data protection laws.
Given the differing impacts that laying down specific retention periods may have on various providers, we intend to issue a consultation on proposed Guidance in this area. Such Guidance should assist providers in complying with their information obligations under the new laws. Such obligations include ensuring consumers are made aware at the outset that their personal data is also being processed (including being stored) for PSA’s regulatory purposes, the period for which their data will be stored, and that PSA may be a recipient of such data.
The proposed Guidance will cover data required under the Code and appropriate retention periods for such data. The proposed Guidance will also include retention periods for related or other data that are likely to be of regulatory benefit to the PSA particularly during an enquiry or investigation and therefore may be the subject of a direction under the Code. This will include:
• Promotional Material, including all versions of online promotion, and data on when and where they were placed – section 2.2
• Proof of Consent to Charge or Market, including but not limited to specific data about user purchase history and behaviour, and/or handsets or other devices – paras 2.3.3 and 2.4.2
• Evidence of Complaint Handling, including any correspondence with a consumer, or records of communication with a consumer, and records of the outcomes of any enquiry or complaint – section 2.6
• Evidence of Due Diligence, including Know-Your-Client checks, and ongoing records of risk assessment and testing – paragraph 3.3.1
Confidential non-personal data
Providers will be aware that the GDPR and DP Bill only relate to personal data. Such data is distinct from non-personal data which is confidential. Paragraph 1.6 of the Code covers confidential information supplied to PSA, whether as part of an investigation or otherwise. It makes clear that such data will be kept in confidence and not divulged to any third party without consent or existence of a Code or other lawful basis, except where we need to share such data with law enforcement agencies. This will remain the case when the GDPR and DP Bill come into effect.
07 June 2018: Addendum
Providing personal data at the enquiry stage
Further to the above industry notice published on 26 March 2018, the PSA has recently received a few queries concerning the provision of personal data to the PSA, where the information has been requested by the PSA at preliminary enquiry stage, rather than under the formal powers in the PSA Code of Practice (“the Code”).
As providers will be aware, where concerns have been raised about a service by either consumer contacts or by monitoring of a service, the PSA will in the first instance make preliminary enquiries of the provider. This approach is in line with regulatory best practice and is consistent with the principles of both fairness and proportionality.
Change in PSA’s lawful basis from “consent” to “public task”
Under the Data Protection Act 1998, the PSA obtained consent from consumers to process their personal data. This consent included the passing of consumers’ details to providers to enable PSA to make preliminary enquiries and investigate where appropriate. The consent also covered the obtaining of information about the consumer from providers.
Under the GDPR, which came into effect on 25 May 2018, the PSA now processes such data on the basis that it is necessary for the performance of a task in the public interest (Article 6(1)(e)). The PSA therefore no longer relies on the consent of individual consumers when processing their personal data. The PSA’s new basis for processing personal data has been clearly stated in its privacy notice, which makes clear that personal data will be used to process consumers’ complaints (under the public task lawful basis), including the carrying out of enquiries. Consumers are also informed that the PSA may need to obtain information about them from their mobile network, as well as the provider of the service and intermediaries. Complainants who contacted the PSA prior to this new approach have also been informed of the new legal basis for processing their personal data. Consumers will therefore be aware, and very likely have an expectation, that their data will be processed by providers as part of the PSA’s preliminary enquiries.
“Legitimate interests” basis for providing personal data at the enquiry stage
Some providers have recently queried whether consumer consent will be required for them to pass that consumer’s personal data to the PSA in response to a preliminary enquiry. In our considered view, the most appropriate legal basis for providers to process such data is that it is in the legitimate interests of the provider and/or their consumers (Article 6(1)(f)).
The legitimate interests of consumers will be served by the processing taking place, as the processing would form part of a timely regulatory process which seeks to address matters raised in consumer complaints to PSA. As stated above, consumers are likely to expect processing of their personal data to enable such matters to be addressed. In circumstances where another person has made a complaint on behalf of the user of the service or the bill payer, there remains a clear benefit to them in a regulatory process that looks to safeguard their interests by gaining an understanding of consumers’ experiences of a particular service and deciding how best to address any issues identified from such experiences.
The legitimate interests of providers will be served as the PSA’s preliminary enquiries help it to determine whether concerns raised by consumers or through monitoring can be addressed without the need for any formal action. This approach also enables providers to respond to initial concerns before any determination is made and accords with key legal and regulatory principles of fairness and proportionality.
Our view is that providers can confidently rely on the legitimate interests basis for disclosing personal data to the PSA in response to preliminary enquiries.
Reliance on “Legitimate Interests”
An additional benefit for providers relying upon the legitimate interests basis for processing is that there is no need for the provider to seek the consent of individual consumers or bill payers, or to require evidence of consumer consent from the PSA. This is because where another legal basis for processing such as legitimate interests is used by a provider, it is no longer necessary for consent to be obtained.
Where providers do rely on the legitimate interests basis they should make sure that this is clearly set out in their privacy and fair processing notices so that all consumers are made aware that their data may be shared with the PSA, either in the course of its preliminary enquiries on the basis of legitimate interests (of the consumers and the provider), or during formal investigations on the basis of a legal obligation to which the provider is subject.
Special categories of personal data
Providers should be aware that the legitimate interests basis is not available for special categories of personal data (formerly referred to as sensitive personal data). These include a person’s race, political opinions, religious beliefs, health data and sex life or orientation. The PSA does not normally need special category data to carry out its regulatory tasks, including the making of preliminary enquiries and taking enforcement action. Should there be a specific need for special category data to be provided to the PSA, one of the legal bases set out in Article 9(2) of the GDPR (and any condition that applies by virtue of section 10 of the new Data Protection Act 2018) will need to be satisfied. In such circumstances explicit consent will be the most likely basis.
Information not supplied at the enquiry stage
Providers should note that where they do not rely on the legitimate interests basis and as a result do not respond to informal enquiries on the basis of a lack of consumer consent, the PSA may (on a case by case basis and in line with the Supporting Procedures) commence a formal investigation in order to carry out its regulatory function and meet its obligations under the Code and Supporting Procedures.
20 March 2019: Addendum
The United Kingdom is due to leave the European Union (EU) on 29 March 2019 or at a later date if agreed with the EU. In the event of a no-deal Brexit the UK will be regarded as a third country for the purposes of personal data transfers as soon as it has left.
The effect of this is that personal data transfers to the UK from a provider established in a European Economic Area (EEA) country will no longer be permitted unless either the EU has made an adequacy decision in respect of the UK (which is not expected at the point of exit), or one of the appropriate safeguards or derogations are in place or apply. Transfers from the UK to an EEA country will remain unaffected as the UK government has confirmed that UK businesses or organisations will continue to be able to send personal data from the UK to the EEA and third countries deemed adequate by the EU at the point of exit. More information on this can be found here.
However, in the event of a no-deal Brexit EEA based providers will require a legal basis under which they are able to transfer personal data to the PSA under the GDPR. The PSA will expect such providers to ensure that they can continue providing any information (including personal data) requested by the PSA, including seeking the explicit consent of data subjects where necessary. More information on permitted derogations for specific situations can be found here.
If explicit consent is being relied upon we would also expect such providers to act promptly to ensure that such consent is obtained without delay. A failure to act expeditiously (irrespective of the legal basis relied upon) or at all may be regarded as a breach of the PSA Code of Practice.
In relation to the lawful basis for disclosing personal data to PSA, which must still be satisfied, we consider that the legitimate interests basis will continue to be the appropriate one for EEA and UK providers alike to rely on. However, where EEA providers rely on explicit consent for the transfer of personal data to the UK, they may also choose to rely on consent as the lawful basis for the disclosure.
1 The ‘non-disclosure’ provisions are essentially the first five data protection principles (except for the conditions required in the first principle) and sections 10 and 14 of the DPA 1998, to the extent that they are relevant to the intended disclosure. The principles can be found here.
2 The additional conditions relating to the first principle can be found here.