From 25 May 2018 attorneys and deputies should prepare for the General Data Protection Regulations, 2016/679 EU (GDPR). These provisions are now likely to affect more attorneys/deputies than previously.
Most attorneys/deputies do not fall within the Data Protection Act 1998 (DPA) as they retain the donor/P's personal data in their heads or they use the donor/P's bank account to manage finances. This is changing as we become more conscious of accuracy, privacy and storing information.
If an attorney/deputy stores identifiable (Article 4(1)) or pseudonymised data (Article 4(5)) in a relevant filing system they may be subject to the GDPR. Attorney/deputies should consider, do they:
- Retain the donor/P's personal information on a computer or organised paper filing system?
- Send/receive emails containing personal donor/P data?
- Store the donor/P's personal details, including care assessments, records or financial information, on their computer or organised filing system?
- Disclose the donor/P's personal data to local authorities or GPs?
If the answer is yes to any of these, the attorney/deputy could be subject to the GDPR as a data controller.
Section 1 DPA directs that individuals (alone or jointly) holding personal data electronically (s.1(1)(b) DPA) or using a relevant filing system (s.1(1)(c) DPA) are seen as data controllers (s.1 DPA) and subject to the provisions of the DPA and GDPR.
This is more likely to include attorney/deputies who are professionals, charge for their services, manage complex decisions or are business LPA attorneys. It could still include attorney/deputies who store the donor/P's personal details on a computer or in an ordered filing system. It is unlawful to act as a data controller and hold personal data without being registered with the Information Commissioner’s Office (ICO). The ICO has an evaluation test to determine eligibility.
One of the most significant GDPR changes is consent. Consent to data storage or disclosure is now an active process for specific purposes (Article 6(1)(a) GDPR) and no longer a general consent to use, store or disclose personal data. An assumption cannot be made that a data subject consents merely because they have not responded. The donor’s consent (Sch 2(1) DPA) should be freely given with them clearly affirming this (Article 4(11) GDPR). Their consent can be withdrawn at any time (Article 7(3) GDPR), with the data controller being able to demonstrate this (para. (42) GDPR).
The act of consent is both time and issue specific (s.2(1) MCA) and is continuous (see s.3(1) MCA), with the donor required to make an active choice. To consent, the donor should understand the nature of the data to be collected and the specific legitimate purpose (Article 5(1)(b)) and that they can withdraw this consent. Data controllers are also required to ensure data is ‘processed lawfully, fairly and in a transparent manner’ (Article 5(1)(a) GDPR).
If the donor/P lacks sufficient capacity to consent to data storage or disclosure, or to withdraw their consent, the decision is made by their attorney/deputy, provided it is in the donor/P's best interests (s.4 MCA). Section 4(4) MCA also directs that, as far as is reasonably practicable, the donor/P is to be encouraged to participate or improve their ability to participate in the decision, e.g. consenting or withdrawing consent.
Acting as a data controller
Attorney/deputies subject to the GDPR acquire a dual role, being both data controllers and attorney/deputies. Here a conflict of interest may arise with the attorney/deputy effectively approaching themselves to consent (as data controllers) on behalf of the donor/P. In such circumstances attorneys would be required to consider how they can minimise risks or possible discrimination, especially regarding vulnerable adults (para. (75) GDPR). They may wish to consider advocacy support for the donor/P to avoid potential conflict issues arising.
Attorney/deputies should conduct an audit identifying data held by third parties and its accuracy as they are now responsible for the ongoing consent on behalf of a vulnerable adult. They should also consider if data held by themselves or third parties should be amended or deleted (Article 17(1) GDPR). Where emails contain personal data, attorney/deputies should send these using encryption (Article 6(4)(e) GDPR).
Attorney/deputies as data controllers are likely to receive requests for personal data disclosure. If the donor has sufficient capacity, refer the request to them.
If not, the MCA Code of Practice chapter 16 directs attorney/deputies to consider, ‘Does the person have the capacity to agree [consent to] that information can be disclosed?’. This places an obligation on the attorney/deputy to engage with s.4 MCA regarding making best interests decisions on behalf of someone lacking capacity.
Any disclosure request must be made in the donor/P's best interests. The attorney/deputy here acts as both data controller and attorney/deputy and should be able to justify why (as either data controller or attorney/deputy) they disclosed personal data or declined access.
Lasting powers of attorney function as complete documents, including any instructions or guidance. If these clauses are onerous or place the attorney into compromising situations, these can destabilise a lasting power of attorney.
Instruction clauses which provide consent to or decline access to personal data should be avoided as these may breach the GDPR consent provisions. They may also limit the nature of active and free consent under Article 4(11) GDPR.
Clauses which direct what might be in the donor's best interests regarding consent should also be avoided, as these may breach s.4 MCA. Guidance to attorneys can be provided via a memorandum of wishes.
The new GDPR provisions provide a significant development regarding personal data and protection of a vulnerable adult’s privacy. Solicitors should draw to the attorney/deputies' attention their obligations under the GDPR. They should also encourage them to undertake the ICO’s registration test. Further guidance can be provided via chapters 7 and 16 of the MCA Code of Practice regarding attorney responsibilities.
Craig Ward is also the author of Lasting Powers of Attorney: A Practical Guide, 3rd edition, available from The Law Society bookshop.