GDPR: Retaining and Providing Personal Data to PSA
26 March 2018
As many providers within the phone-paid services industry will already be aware, the law surrounding data protection will change shortly. The General Data Protection Regulation (EU) 2016/276 (GDPR) is due to come into effect on 25th May 2018. In addition, the UK Data Protection Bill [HL] 2017-19 (DP Bill) – which is currently progressing through Parliament – will supplement the GDPR and update the UK’s data protection laws.
This Notice sets out our current expectations around the retention and provision of personal data to the PSA arising from specific rules in the PSA Code of Practice (the Code) and directions for information made by the PSA under the Code. These rules and directions for information require providers to provide, or be able to provide, information to PSA, which may include ‘personal data’.
We believe that the new data protection laws will not affect a provider’s ability to retain and provide PSA with personal data when requested under the Code. Our current view is that all consumer data should be retained for a minimum of two years from collection. However, this Notice outlines our intention to consult on proposed new expectations, including in relation to retention of specific types of data, to be issued as formal Guidance. We expect to consult during the early part of summer 2018.
PSA’s current expectations
Disclosure of personal data
Where we use the Code (as approved by Ofcom under the Communications Act 2003) to direct providers to supply information, they are able to provide us with personal data under the exemption from non-disclosure set out at section 35(1) of the Data Protection Act 1998 (DPA 1998). The text of the exemption is as follows:
Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
We note that the ‘non-disclosure provisions’[1] do not include additional conditions[2] that are required under Schedule 2 of the DPA 1998. However, in our view the condition set out at paragraph 3 of Schedule 2 will be satisfied for the purposes of disclosure. This states that:
The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
Our view therefore is that providers have a clear legal basis for disclosing the personal data to the PSA when requested to do so under the Code.
Providers should note that for sensitive personal data (as defined in s2 DPA 1998) explicit consent of the data subject is required before this data can be provided to PSA. In such circumstances, we would expect providers to ensure that they make all reasonable efforts to obtain consent from the consumer, where the data is required by a direction or a Code provision.
We are aware that in some situations a Level 2 provider may not be in possession of personal data that would be of regulatory benefit to PSA. For example, we understand that where operator billing/charge to bill is the payment mechanic used to bill a consumer of a phone-paid service, the Level 2 provider is normally not provided with the consumer’s MSISDN. In such a scenario, we note that the Level 2 provider would normally only be provided with an identifier. As a result, we will normally direct the Level 1 provider to provide us with the required MSISDN data in these circumstances.
Retention of personal data
As mentioned above, s35(1) exempts providers from the non-disclosure provisions. Therefore, as with disclosure, our view is that providers are able to retain documents for any period specifically directed by PSA under the Code or required under PSA Code rules. This removes the need for providers to be concerned about retention periods. The Code currently requires providers to maintain various records that are likely to include personal data through the following provisions:
• Proof of Consent to Charge – paragraph 2.3.3
• Proof of Consent to Market – paragraph 2.4.2
• Evidence of Complaint Handling – paragraph 2.6.6
• Evidence of Due Diligence on clients – paragraph 3.3.1
We currently consider that such data should be retained for a minimum period of two years from the point at which it is collected, which ensures that it is available for regulatory purposes, as required, for a reasonable period. This period allows PSA to consider and, where necessary, investigate and address any compliance issues identified through consumer enquiries or PSA monitoring. It also ensures that PSA is able to maintain fairness and proportionality when considering deadlines for responses to PSA correspondence.
The GDPR and DP Bill
Disclosure of personal data
We believe that providers will continue to be able to provide personal data to PSA under the new data protection laws, where such data is required through a direction under the Code or by specific Code rules. Article 6(1)(c) of the GDPR states that processing (including storage) will be lawful if:
Processing is necessary for compliance with a legal obligation to which the controller is subject.
In terms of further requirements of the first and other principles under the GDPR, paragraph 5(2) of Schedule 2 of the DP Bill provides an exemption for data controllers in relation to disclosure of personal data where this is done as a result of an enactment. The relevant enactment for providers of phone-paid services is the Communications Act 2003 under which the Code is approved and enforced.
In relation to special categories of personal data (referred to as ‘sensitive personal data’ under the DPA 1998), our view is that this remains unchanged under the new data protection laws: The explicit consent of data subjects will be required before such data can be provided to PSA. Again, in such circumstances, we would expect providers to ensure that they make all reasonable efforts to obtain such consent from the consumer where such data is required by a direction or a Code provision.
Our position in relation to issuing directions to the most appropriate person in the value chain remains the same under the new data protection laws.
Retention of personal data
We have been approached by a number of providers asking for retention periods for various data required by the Code and for the purposes of PSA enquiries and investigations (or other regulatory benefit). We understand that definitive retention periods for specific types of data would be helpful to providers looking to ensure compliance with their obligations under the new data protection laws.
Given the differing impacts that laying down specific retention periods may have on various providers, we intend to issue a consultation on proposed Guidance in this area. Such Guidance should assist providers in complying with their information obligations under the new laws. Such obligations include ensuring consumers are made aware at the outset that their personal data is also being processed (including being stored) for PSA’s regulatory purposes, the period for which their data will be stored, and that PSA may be a recipient of such data.
The proposed Guidance will cover data required under the Code and appropriate retention periods for such data. The proposed Guidance will also include retention periods for related or other data that are likely to be of regulatory benefit to the PSA particularly during an enquiry or investigation and therefore may be the subject of a direction under the Code. This will include:
• Promotional Material, including all versions of online promotion, and data on when and where they were placed – section 2.2
• Proof of Consent to Charge or Market, including but not limited to specific data about user purchase history and behaviour, and/or handsets or other devices – paras 2.3.3 and 2.4.2
• Evidence of Complaint Handling, including any correspondence with a consumer, or records of communication with a consumer, and records of the outcomes of any enquiry or complaint – section 2.6
• Evidence of Due Diligence, including Know-Your-Client checks, and ongoing records of risk assessment and testing – para 3.3.1
Confidential non-personal data
Providers will be aware that the GDPR and DP Bill only relate to personal data. Such data is distinct from non-personal data which is confidential. Paragraph 1.6 of the Code covers confidential information supplied to PSA, whether as part of an investigation or otherwise. It makes clear that such data will be kept in confidence and not divulged to any third party without consent or existence of a Code or other lawful basis, except where we need to share such data with law enforcement agencies. This will remain the case when the GDPR and DP Bill come into effect.
[1] The ‘non-disclosure’ provisions are essentially the first five data protection principles (except for the conditions required in the first principle) and sections 10 and 14 of the DPA 1998, to the extent that they are relevant to the intended disclosure. The principles can be found here.
[2] The additional conditions relating to the first principle can be found here.