The EU General Data Protection Regulation magnifies the data privacy obligations of deputies and attorneys in relation to donors and people lacking mental capacity. Craig Ward provides a guide to the new requirements
From 25 May 2018, attorneys and deputies are subject to the General Data Protection Regulation (EU 2016/679) (GDPR) and the Data Protection Act 2018 (DPA 2018). These revised provisions are likely to affect more attorneys and deputies than the previous regime.
Most attorneys and deputies do not fall within the GDPR / DPA 2018 regime, as they retain the donor / P’s personal data in their heads or they use the donor / P’s bank account to manage finances. This is changing as we become more conscious of the accuracy, privacy and storage of personal information.
If an attorney or deputy stores identifiable (as defined in article 4(1) of the GDPR) or pseudonymised data (article 4(5)) in a filing system (article 4(6)), they may be subject to the GDPR.
Attorneys and deputies should ask themselves the following questions:
- Do they store the donor / P’s personal data, including care assessments or financial information, on a computer or in a filing system?
- Do they ever send and receive emails containing the donor / P’s personal data?
- Do they ever disclose the donor / P’s personal data to local authorities (LAs) or GPs?
If the answer to any of these is ‘yes’, they could be subject to the GDPR as a data controller.
Section 3 of the DPA 2018 directs that individuals holding personal data (section 3(4)) or using a filing system (section 3(7)) are seen as data controllers (section 6) and subject to the GDPR. This is more likely to include attorneys / deputies who are professionals (ie solicitors), who charge for their services, who regularly make complex decisions, or who are appointed under a business lasting power of attorney (LPA). It could still include attorneys / deputies who store the donor / P’s personal details on a computer or in a filing system.
It is unlawful to act as a data controller and hold personal data without being registered with the Information Commissioner’s Office (ICO). The ICO has a self-assessment checklist to determine eligibility.
Consent by the data subject to data storage or disclosure is now an active process for specific purposes (article 6(1)(a) of the GDPR), and no longer a general consent to use, store or disclose personal data. An assumption cannot be made that a data subject consents merely by not having responded to a request from those holding their data. The donor’s consent should be freely given, with them clearly affirming this (article 4(11)). Their consent can be withdrawn at any time (article 7(3)), with the data controller being able to demonstrate this free choice of withdrawal (paragraph (42) of the GDPR).
The act of consent is both time- and issue-specific (section 2(1) of the Mental Capacity Act 2005 (MCA 2005)) and continuous (section 3(1) of the MCA 2005), with the donor making an active choice (article 6 of the GDPR). To consent, the donor should understand the nature of the data to be collected and the specific, legitimate purpose (article 5(1)(b)). Data controllers are required to ensure data is ‘processed lawfully, fairly and in a transparent manner’ (article 5(1)(a)).
Requests for consent to data retention should be provided in writing, accompanied by reasons why the data is being held and how it will be used. The consent request should be in plain English, clearly distinguish the consent from other matters (article 7) and be freely given (article 4(11)). The data subject should be informed at the time that they may withdraw their consent at any time.
Where the donor / P lacks sufficient capacity to consent to data storage, disclosure or to withdraw their consent, this is made via their attorney / deputy, providing it is in their best interests (section 4 of the MCA 2005). Section 4(4) also directs, as far as is reasonably practicable, that the donor / P be encouraged to participate in the decision to give or withdraw consent.
Where the consent relates to special category data (which the GDPR specifies as more sensitive data that needs more protection), article 9(2)(a) of the GDPR provides that a data subject may give consent to data processing for a specific purpose. The solicitor would need to identify what this specific purpose is to the client.
If the nature of this purpose were to change, fresh consent would be required from the client. Where this special category data relates to a third party, consent should be obtained from that data subject.
If consent is withdrawn, data may no longer be used after that date.
The solicitor’s obligations
Lawful data processing may also be claimed where an obligation arises.
Article 6(1)(c) of the GDPR states that ‘processing is necessary for compliance with a legal obligation to which the controller is subject’. An obligation is imposed on solicitors by section 50(1) of the Solicitors Act 1974, which says: ‘Any person duly admitted as a solicitor shall be an officer of the Senior Courts.’ This obligation manifests itself as a requirement in the SRA Handbook to provide accurate and appropriate legal advice. Article 9(2)(b) of the GDPR qualifies this obligation, stating that ‘processing is necessary for the purposes of carrying out the obligations… in the field of… social protection law…’. Social protection is defined as risks to health, protecting vulnerable groups, promoting an individual’s wellbeing (section 1 of the Care Act 2014), and protecting and making decisions for individuals lacking capacity (section 1 of the MCA 2005).
As a solicitor is an officer of the court and obliged to provide suitable legal advice, this obligation may be claimed to fulfil lawful data processing.
Attorney / deputy as data controller
Attorneys / deputies subject to the GDPR acquire a dual responsibility, being both data controllers and attorneys / deputies. A conflict of interest may arise here, with the attorney / deputy effectively approaching themselves to consent on behalf of the donor / P. In such circumstances, the attorney / deputy would be required to consider how they can minimise risks to the data subject’s rights and freedoms and eliminate discrimination and processing breaches regarding vulnerable adults (paragraph (75) of the GDPR). They may wish to consider advocacy support for the donor / P to avoid potential conflict issues. If an LA is appointed as deputy, it should consider if an advocate would be appropriate (article 34 of the GDPR and section 67 of the Care Act 2014) to protect P’s interests and reduce a conflict of interest risk, as the LA is acting as both deputy and data controller.
The first thing an attorney / deputy should do once they have identified themselves as a data controller is to apply the principles of article 5 of the GDPR, paragraph (1)(a) in particular, which requires that data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
To comply with article 5, attorneys / deputies should conduct an audit to identify relevant data held by the donor and third parties, check its accuracy, and consider if a review similar to a data protection impact assessment (DPIA) should be conducted, as they are now responsible for ongoing consent on behalf of a vulnerable adult. Although DPIAs are principally aimed at new technologies, they do require data controllers to consider the ‘high risk to the rights and freedoms of natural persons’ (article 35(1)). Article 35(7) sets out the procedure for conducting a DPIA. This should include identifying how conflicts of interest are to be managed and how best interests (under section 4 of the MCA 2005) are going to be applied.
They should also consider if data held by themselves or third parties should be amended or deleted (article 17(1)).
A data controller is obliged to provide data subjects with specific information under article 13 of the GDPR. It would be appropriate for attorneys and deputies as data controllers to review article 13, especially paragraph (1)(c), which states that this information should include ‘the purposes of the processing for which the personal data are intended as well as the legal basis for the processing’.
Attorneys / deputies should send any emails containing personal data using encryption (article 6(4)(e)).
Differences between LPAs
A difference exists between the lawful processing of the data in a donor’s LPA for property and financial affairs, and in an LPA for health and welfare. Financial information is held subject to article 6 of the GDPR, health and welfare data subject to article 9.
When making decisions where the donor lacks capacity, decision-makers should be able to justify these as being compliant with making a best-interests decision and the lawfulness of processing that data type (articles 6 and 9 of the GDPR). They should also have regard for section 1(6) of the MCA 2005 (achieving purposes in other ways) and article 5(1)(c) of the GDPR concerning how the processing should be relevant and limited to what is necessary in relation to the purposes for which they are processing.
LPAs function as complete documents (this includes any instructions or guidance). If any clauses are onerous or place the attorney in a compromising situation, they can destabilise the LPA itself.
Instruction clauses which provide consent or decline access to personal data should be avoided, as these may breach the GDPR’s consent provisions. They may also limit the nature of active and free consent under article 4(11). Clauses which direct what might be in the donor’s best interests regarding consent should also be avoided, as these may breach section 4 of the MCA 2005. Guidance to attorneys can be provided via a memorandum of wishes.
Attorneys / deputies as data controllers are likely to receive requests for data disclosure. If the donor has sufficient capacity, refer the request to them.
If not, chapter 16 of the MCA Code of Practice directs attorneys / deputies to consider whether ‘the person has the capacity to agree [consent to] that information can be disclosed?’. This places an obligation on the attorney / deputy to engage with section 4 of the MCA 2005 regarding making best-interests decisions on behalf of someone lacking capacity.
Any disclosure request must be made in the donor / P’s best interests. The attorney / deputy should be able to justify why (as either data controller or attorney / deputy) they disclosed data or declined access.
The following should be considered regarding disclosure:
- How was the data subject given the opportunity to decline disclosure?
- How was their capacity assessed and recorded regarding their consent to disclose?
- What kind of support was offered (including advocacy)?
- What was the justification given by the person requesting disclosure?
- Does the LPA contain a clause regarding disclosure?
- If disclosure was not made, how would this affect the data subject?
Managing sole or joint attorney conflicts of interest
If a sole or joint attorney is appointed, a clause may be included in the preference box identifying a third party to annually review the attorney / data controller’s actions. This can assist in managing conflict of interest risks. For example: ‘I wish [ABC] to annually review this lasting power of attorney and consider the actions of the attorney[s] who may also be acting as [a] data controller[s].’
Complaints and breaches
Complaints may arise against attorneys / deputies, for example under article 4(12) of the GDPR (personal data breaches). Data subjects may complain under section 165 of the DPA 2018 or article 13(2) of the GDPR. The difficulty is that the attorney / deputy as data controller would be in effect complaining to themselves, often about an issue they may have been party to!
A failure to act appropriately regarding the interests of a vulnerable adult lacking capacity may result in a complaint to the ICO (see, for example, article 12(4) of the GDPR). Equally, where the data controller fails to notify the ICO of a data breach (article 33), that data controller as an attorney / deputy could be said to be no longer acting in the best interests of the donor / P, and an abuse may have arisen. In such circumstances, a safeguarding procedure could be instigated by the LA and/or a complaint made to the Office of the Public Guardian (section 22(3)(b) of the MCA 2005) or the Court of Protection (section 16(8) of the MCA 2005).
The new GDPR provisions mark a significant development in the law regarding personal data and the protection of a vulnerable adult’s privacy. Solicitors should draw the attorney / deputy’s attention to their obligations under the GDPR. They should also encourage them to undertake the ICO’s self-assessment test. Further guidance can be found in chapters 7 and 16 of the MCA Code of Practice regarding an attorney’s responsibilities.