Dossiers, profiles and the data protection conundrum
‘We have a file on you…’ It sounds sinister. Like something from a spy movie.
Nonetheless, there are many reasons why organisations create and retain profiles on individuals. Recently, this hitherto unremarkable topic took centre stage via the ‘Farage-gate’ de-banking affair. Suffice it to say the fallout for NatWest and its private banking arm, Coutts, has been disastrous. We also know Nigel Farage won’t be the only person on whom banks have compiled profiles. Nor are banks the only businesses to do so.
I’m not going to dwell too much on Nigel Farage or NatWest’s handling of his case. As a data protection practitioner what interests me are the inherent difficulties around creating compliant dossiers or profiles for legitimate business purposes.
Some organisations may have been blissfully unaware of the risks around ‘business intelligence’ or ‘due diligence’ profiling (until Farage-gate, that is). Others may decide the business benefits of the information they’re holding on individuals outweigh the potential risk.
Here’s a list of just some of the reasons businesses may choose to enhance the records held on individuals or create new records.
- Business pitches: In preparing a business pitch, it seems logical to research potential customers or partners. Consider corporate hospitality, for example – do they support Arsenal or enjoy horse racing? These might be the little details that seal the deal.
- Employment: For many roles, it would seem perverse to NOT perform basic due diligence on a candidate. Indeed, some organisations might be criticised for not doing so.
- Donations: Charities, academic institutions and research bodies might receive a donation and want to know if it might be reputationally damaging to accept. Or they may research high-profile figures and/or philanthropists to see if they’re a good fit to approach to support their cause.
- The personal touch: A client or customer shares sensitive information about themselves in everyday conversation. Their partner is unwell, for example. Do you want to keep a record, so you remember to ask after them the next time you speak? Or they might mention it’s their birthday – shall we keep a note so you can send flowers next year? My local Indian restaurant always sent my husband a birthday card, which he was always delighted to receive (although it might have had something to do with the complimentary samosas).
- Activists & risk management: You may be aware of individuals who seek to disrupt your business activities for political or environmental reasons. In fact, you might argue you’ve an obligation to establish the risk for employee welfare and safety purposes.
- Complainers: You might wish to alert your contact centre staff to customers who are prolific / abusive and / or vexatious complainants.
- Social media commentators: You learn of people prone to unfairly badmouthing your business on Twitter / ‘X’, Facebook or online forums. You might choose to monitor their output for rebuttal purposes (incidentally, most major political parties do this via ‘rebuttal units’).
There are endless scenarios why it makes good business sense to add information to a record you hold, or to create specific profiles about people. Clearly, the more sensitive the information, the more risk involved should the record be exposed – especially if you haven’t been open about what you’re doing.
The data protection conundrum
There’s something of a Catch-22 here. One of the core principles of data protection law is that the handling of personal data must be lawful, fair and transparent.
Lawful basis
To be lawful, you firstly shouldn’t do anything obviously illegal. Secondly, you require a lawful basis for the purpose for which you’re using personal data. There are six to choose from:
- Contract: You may be able to rely on contract if it’s necessary to gather this information for the purposes of a contractual relationship with the individual, or to take steps before entering into a contract with them. Banking is a good example: a bank needs certain information before it can open an account for you (although the anti-money-laundering checks themselves sit more naturally under legal obligation, below).
- Public interest (‘public task’): You may be able to argue your actions are necessary for a task carried out in the public interest or in the exercise of official authority. The risk here is conflating your interests with the public’s! The threshold is pretty specific: this basis is mainly for public authorities and bodies carrying out official functions, and a private business will rarely be able to rely on it.
- Legal obligation: You may have a statutory or sector-specific obligation to gather and hold certain information (banking, again, is a prime example, with its regulatory rules around money laundering).
- Vital interests: This would only apply in an emergency; a life and death type situation.
- Consent: You could ask the individual for their specific, informed and unambiguous consent. (Hmmm, perhaps not … although in some parts of the world consenting to intrusive pre-employment screening is a prerequisite of recruitment processes.)
- Legitimate interests: You could balance your business interests against the interests, rights and freedoms of the individual.
As you can see, at the first hurdle organisations may struggle to squeeze what they’re doing into a lawful basis. A quick glance might even suggest swathes of business intelligence and due diligence practices may technically be unlawful.
Many will have regulatory reasons that may fall under Legal Obligation or Legitimate Interests. Is your business or organisation one of them?
Legitimate Interests is often the lawful basis businesses choose, but would the balancing test of your business interests against the interests, rights and freedoms of the individual really stand up to scrutiny? Perhaps not, if they have no idea you’re doing it. Which brings me neatly on to transparency…
Transparency
Data protection law tells us we should be open and upfront about what we do. Alongside this, people have a fundamental right to be informed about how we collect and use their personal information.
Your privacy notice (aka Privacy Policy) should cover the purposes you use personal data for. It may say something like; ‘We create profiles to better understand our customers and improve the service we provide’. It may clearly state you conduct ‘wealth screening’ or collect data indirectly from openly available sources.
But is it really that transparent? And has this privacy notice been brought to people’s attention, not camouflaged using acres of small print? Probably not, if the dossiers or profiles you’re creating aren’t related to people you enjoy an existing relationship with.
So, at this second hurdle, organisations may fail to meet transparency requirements.
Data collected indirectly
Arguably one of the most widely ignored aspects of data protection law (especially in this context) is the requirement to inform people and provide privacy information when we’ve collected their data indirectly, i.e. from another organisation or from openly available sources.
This should be done ‘within a reasonable period after obtaining the personal data, but at the latest within one month’. If the personal information’s going to be used for a communication with the individual, it should be done ‘at the latest at the time of the first communication’.
There are some exceptions, such as where the individual already has the information, where providing it would involve disproportionate effort, or where the personal information must remain confidential subject to an obligation of professional secrecy.
In practice, individuals will often be blissfully unaware that dossiers and profiles have been created about them, until things go wrong.
What are the risks?
The two main ways in which data protection risks could materialise are a Data Subject Access Request (as the Nigel Farage case demonstrates) or a data breach.
Businesses should ask themselves – what would your response to a Data Subject Access Request (DSAR) look like? When gathering and keeping additional information about people, you need to consider the repercussions should you be required to disclose this information to the individual themselves. How likely is the individual to submit a request for a copy of their personal data? And if they do, how damaging could it be?
Even if a DSAR feels highly unlikely, what would be the potential impact should this information be disclosed in a data breach?
How can you mitigate the risks?
Imagine your lawful basis is tenuous and people are unaware you’re holding a dossier or profile on them. Nonetheless, you still feel there’s a genuine business necessity. What can you do?
I know at this point some people in my world might begin clutching their pearls, but, with a seriously practical head on, we can reduce the risk by following the other data protection principles:
- Only gather and retain what you really need and can justify. Be proportionate – as the Farage case shows, do you really need all the information you’ve garnered when researching someone?
- Delete it promptly when you no longer need it.
- Store it securely and limit access to only those who need it.
- Make a record of your decisions. It’s much easier down the line to argue necessity if you’ve made a proper record at the time.
Don’t share material unless absolutely necessary and be mindful of the sensitivity of the details you’re keeping. If you feel it’s necessary to offer a view on someone’s opinions or politics – that becomes their personal data too. I can think of several reasons why that might be an entirely reasonable thing to do. Conversely, I can think of many reasons why it might not be!
So what do you think now? Are your dossiers or profiles really necessary and justifiable? Make sure you’re ready to defend your actions to individuals, the ICO or ultimately to the courts.
As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.