Feedback and performance review are routine parts of many employment relationships. So it’s surprising to find that they take us into obscure corners of data protection law. Regulators have been clear for more than a decade that an opinion about someone is personal data, but there has been much less exploration of the fact that it’s likely to be information about two people – the one who is the subject of the opinion and the opinion holder. And – arguably unlike the situation of social network “friends” – those two people have very different relationships to the same data: for one it may be no more than an impression, for the other it may have significant financial or reputational impact. Any processing of that data must deal with two sets of rights and responsibilities, which are inextricably entangled.
Entangled data present an immediate challenge to the normal triad of data protection safeguards: information, individual rights, and data controller accountability. GDPR Article 13 offers the data subject information and individual rights at the point where data are collected or observed. But the subject of an opinion isn’t involved in the collection of their personal data, so processes that assume the data subject is present won’t work. This makes the data controller’s exercise of accountability (for example ensuring compliance with the Article 5 Principles and an Article 6/9 legal basis) even more important.
Uncertain data protection requirements may matter less for traditional human feedback and review processes, which are also covered by a great deal of good practice guidance (e.g. from the Chartered Institute for Personnel and Development) and, ultimately, employment law. However a new trend for using data, rather than human sources, to generate “opinions” may require new thinking. For example, would it be acceptable to use student sentiment, attendance or performance data as part of staff reviews? It’s worth reviewing which GDPR sections might help us think about situations where the same personal data relates to two different people. Although the following uses review/feedback for illustration, the aim is to sketch a possible approach to entangled data in general.
The Article 5 Principles and Accountability are always a good starting point. The Art.5(1)(b) requirement for purposes to be explicit means those who provide information must know who else it may be linked to and, because Art.5(1)(a) requires fairness to both, that knowledge must not distort the providers’ own behaviour or relationship with the processes through which data are collected. This links to Art.5(1)(c): if introducing a second purpose affects the quality or meaning of the data, then it is doubtful whether it will still be “adequate and relevant” for either purpose. The Art.5(1)(d) requirement that data be “accurate” highlights a specific challenge for entangled data: what if an opinion is accurate in the holder’s mind but not the subject’s? Do the two sides (and processes) share, or need, the same definition of “accurate”? Some of the less familiar Individual Rights may help to resolve these situations, as discussed below.
Article 5(1)(a) requires that every action to process data must be covered by one of the Article 6 lawful bases. Where the same personal data relates to two different people those bases don’t have to be the same but, if they are not, then particular care will be needed to ensure that the right conditions and safeguards apply to all the relevant processing. For example, Jisc’s standard model for analytics uses the Legitimate Interests of the institution for finding patterns in observed behaviour. Those interests must not (by Art.6(1)(f)) be over-ridden by the “interests, fundamental rights and freedoms of the data subject”: where there are multiple data subjects, this means that every one’s interests, rights and freedoms (not just to privacy) must be considered. By contrast, using data for performance review is most likely to be justified as “necessary for the performance of [the employment] contract” (Art.6(1)(b)), which involves a different set of data protection and employment law safeguards.
If different lawful bases apply to the different data subjects, it’s likely that their processing will be for different purposes. Art.5(1)(b) permits multiple purposes, so long as they are “compatible”. Incompatible purposes can only be added with consent: a problem for entangled data because – even if their contexts permit valid consent – it must be obtained from both data subjects. Although Article 6(4) is most often used to assess compatibility when different purposes affect the same data subject, its factors for Purpose Compatibility should also be useful in assessing which data and purposes are compatible across different groups of data subjects. Highlighting links between processes, context of collection, nature of data, possible consequences, and safeguards suggests that compatibility is most likely when the two groups have a similar relationship with the data, and when the processing has similar levels of impact on both. Using data collected in an informal context from one group to influence formal consequences for the other is unlikely to be compatible. We should also beware of situations where the meaning and significance of the information change significantly when viewed from the two sides.
As mentioned above, the normal Individual Rights safeguards of information (Art.13) and subject access (Art.15) are less effective when the same personal data relates to multiple data subjects. Information cannot be provided at the point of collection if a data subject is not present; subject access rights of one data subject may need to be limited to protect the privacy and rights of the others (Art.15(4)). It may be more appropriate to use Article 14’s “Information to be provided when personal data have not been obtained from the data subject”, but Art.14(2)(f) highlights that disclosing “from which source the personal data originate” may, again, breach the privacy of the individual source. Normally these information and access rights combine to help data subjects, controllers and sources identify inaccurate data and correct it. If necessary, Article 16 gives the data subject a legal Right to Rectification. However, where entangled privacy rights and disputes about the meaning of “accurate” hinder this approach, it may be better to combine the Right of Rectification with the Article 18 Right to Restriction. Such a process would let a data subject contest the accuracy of personal data and exclude it from further processing until/unless its meaning can be agreed.
This review suggests that data protection law can guide appropriate use of multi-party entangled personal data, but that this may involve considering some less familiar sections and perspectives.
