Teki Akuetteh Falconer

Principles of data protection

We have for some time now been focusing on understanding the principles of data protection as espoused under Section 17 of the Data Protection Act, 2012 (Act 843). In the last article, I explained how a data controller could obtain lawful consent in compliance with the Act. Today, permit me to delve further into consent and some of the confusing concepts under Section 20(1) such as ‘legitimate interest’ and ‘necessary’.

In practice, abiding by the general rule of prior consent may be difficult, expensive and in some circumstances utterly impossible, given the requirements that prior consent must be clear, affirmative, freely given, etc. This is why the law provides the legitimate interest and necessity window, which allows processing to be justified when the prior consent of an individual cannot be obtained.

The ‘legitimate interest’ condition essentially accommodates a data controller or third party processing personal data without the prior consent of a data subject. However, it has been observed that some data controllers try to hide under this ‘legitimate interest requirement’ to avoid obtaining prior consent. It is a trend that has led to regulators all over the world calling for stringent proof of legitimate interest by data controllers and third parties. Where data controllers decide to use the legitimate interest window they will be required to demonstrate compliance to the regulator in the following manner.

Data controller

A data controller can process personal data without prior consent ‘to protect a legitimate interest of the data subject’ - Section 20(1)(c). The data controller is required under this provision to demonstrate that the processing is necessary to protect an interest which is essential for the life of the data subject and should only be activated where the processing cannot be justified on any other legal basis. An example would be a life and death situation where an individual’s medical history is disclosed to a hospital’s emergency department after a serious road accident where the individual’s consent cannot be given or is being withheld.

The ‘legitimate interest’ ground can also be activated to serve other important grounds of public interest, such as the processing of personal data for humanitarian purposes. This would include the monitoring of epidemics (such as an Ebola or cholera outbreak) and their spread, or humanitarian emergencies – especially in situations of natural and man-made disasters.

Requirements for processing data

In processing personal data for the legitimate interest of the data controller or third party, a data controller is required to first establish the need for itself or the interested third party. This need may, for instance, be to enable data controllers or third parties to protect their financial interests. An example would be where a finance company is unable to locate a customer who has stopped making payments under a hire-purchase agreement. If the customer has moved house without notifying the finance company of his new address, the finance company may engage a debt collection agency to find the customer and seek repayment of the debt. So although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – i.e. to recover the debt.

Once ‘need’ has been established, the second requirement is to balance the interest of the data controller or third party against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because it has prejudicial effects on the rights and freedoms or legitimate interests of the individual. The data controller or third party’s legitimate interests need not be in harmony with those of the data subject; however, where there is a serious disparity between competing interests, the data subject’s interest supersedes. In the earlier example, the interest of the customer will differ from that of the finance company, since it will be in the interest of the customer to evade paying his outstanding debt.

However, this will be a clear situation where passing his personal data to a debt collection agency will supersede the interest of the customer, as the customer is seeking to take advantage of the data controller or third party by going into hiding. This requirement helps protect the data controller or third party by ensuring that data subjects do not use the requirement for consent as a basis to infringe on their legitimate interests, and vice versa.

The third and final requirement after establishing ‘need’ and ‘balancing interests’ is to ensure that the processing is fair and lawful and complies with all the data protection principles. Continuing the above example, the finance company must ensure that the personal data it passes to the debt collection agency is accurate (in terms of the known details of the customer’s identity); that it is up to date (in terms of the amount outstanding and the customer’s last known address); that it is not excessive and will be adequately secured. The agency should only get as much personal data as is relevant or necessary for the purpose of finding the customer and recovering the debt.

In determining whether processing is “necessary” without prior consent, data controllers are required to establish that they would not be able to use other reasonable means to process the personal data (such as seeking prior consent or establishing legitimate interest). Thus, processing under the condition of necessity must be for specified purposes only.

Data controllers will not be compliant where the processing is deemed ‘necessary’ only because the data controller has decided to operate their business in a particular way. This condition will be met in a situation where an employer processes personal data about its employees because it is necessary to do so in connection with their individual contracts of employment and to comply with the employer’s legal obligations.

However, if the employer decides to outsource its HR functions to an overseas company and transfers the employees’ data to that company, that action will not be necessary. Since it will not be “necessary” to transfer the data overseas for processing, the employer would instead have to rely on consent, or on the legitimate interest condition, to process its employees’ personal data in that manner.

Understanding the concepts of ‘legitimate interest’ and ‘necessary’ is critical to the compliant obtaining of prior consent and the justification of processing under Section 20 of the Act. As a result of the subjective nature of proving these concepts, data controllers must seek appropriate expertise in order to establish their personal data collection processes – especially in the area of obtaining prior consent.

The writer is an ICT Law & Data Protection Specialist @ Nsiah Akuetteh & Co., Ghana. She is the first Executive Director of the Data Protection Commission of Ghana.