
Changing the lawful basis for processing personal data to help vulnerable customers

By Ashley Avery, Kristina Holt, Joe Bryon-Edmond
19 Jun 2025 | 5 minute read
Consent is often seen as the only lawful basis for processing personal data, but it is not always the correct or best option. From a practical perspective, it can be challenging to obtain consent from some individuals. Vulnerable customers in particular may not understand that the data is needed to help them, and will therefore be less willing for their data to be shared.
A good example is processing personal data for the purposes of maintaining a Priority Services Register ("PSR"). The concept of a PSR is for the benefit of vulnerable individuals. However, it is often vulnerable individuals from whom organisations will struggle most to get consent because, for example, they do not fully understand the implications of not providing their consent. The ICO has recently alluded to these issues when it comes to relying on consent for processing personal data in accordance with PSR and similar obligations and initiatives.
There are alternative options which can aid organisations in complying with such obligations and initiatives to help vulnerable customers, so that those customers receive the benefits that they are entitled to. However, any decision to change a lawful basis for processing personal data, particularly sensitive personal data (such as health related data), should not be taken lightly. Equally, regardless of the indications given by the ICO in respect of such changes to lawful bases for processing, an organisation should still ensure that any decision is recorded properly.
What the ICO has said
In the context of PSR, the ICO held a consultation earlier this year with a number of stakeholders from the energy industry, wherein the ICO expressly noted the issues with relying solely on consent for the sharing of personal data where organisations are adhering to their obligations to maintain a PSR. Notably, the ICO stated that it considers that it is in the "substantial public interest" for vulnerable individuals (i.e. those who should be listed on a PSR) to receive the additional support and priority assistance that being on the PSR provides.
On that basis, the ICO indicated that Articles 6(1)(f) (legitimate interests) and 9(2)(g) (substantial public interest) would be deemed suitable lawful bases for sharing data collected for the purposes of a PSR.
It is important to note that in this consultation the ICO was focussed primarily on organisations sharing personal data which is collected for the purposes of a PSR. However, we consider that similar arguments could be applied to the collection and processing of personal data for the purposes of helping vulnerable customers in a number of ways, including establishing and maintaining a PSR, and would likely extend to other industries and similar responsibilities that organisations may have in relation to vulnerable individuals.
The alternative lawful bases
As alluded to by the ICO, suitable alternative lawful bases for processing personal data to support vulnerable customers include Article 6(1)(f) legitimate interests and Article 9(2)(g) substantial public interest. In some circumstances there may be legal obligations relating to treating vulnerable customers fairly that imply the need to collect and process personal data, and Article 6(1)(c) legal obligation could be an appropriate legal basis in those circumstances.
In relation to legitimate interests, the balancing exercise might look as follows. On the one hand, it is in the interests of the organisation establishing the PSR to collect the necessary personal data, on the basis that it allows the organisation to provide better support to its most vulnerable customers (as well as comply with any obligations it may have placed on it in terms of the PSR). On the other hand, it is in the interests of the vulnerable individual to be on the PSR in order to receive the services which could, in certain circumstances, be lifesaving.
Processing of special category data also needs to be considered, as this includes, for example, health data and therefore has relevance in relation to vulnerability. As noted by the ICO as part of the consultation, there is a substantial public interest in vulnerable individuals receiving additional customer support and priority assistance in cases of utility outages or significant issues. In order to rely on Article 9(2)(g), a condition under Schedule 1, Part 2 of the Data Protection Act 2018 must also be complied with. For example, paragraph 18, Part 2 of Schedule 1 might be applicable in the circumstances, for the protection of the "physical, mental or emotional well-being of an individual" who is "aged under 18 or aged 18 or over and at risk". There are other possible conditions under Article 9 (such as vital interest of data subject) and Schedule 1 (such as para 17 (related to providing advice) and para 19 (related to safeguarding economic well-being)) that might apply depending on the facts.
The risks of changing lawful bases
It is important to note that, whilst changing the lawful basis for processing is not prohibited, it must be undertaken with due care and attention, and the rights and freedoms of the relevant individuals need to be carefully considered – particularly in this case where it involves vulnerable individuals and special category data.
In some circumstances, it is possible that individuals have purposefully withheld their consent to being added to the PSR, as opposed to simply not understanding, and therefore may consider it to be contrary to their rights under the UK GDPR that their personal data be processed without their consent. This could lead to complaints being raised with the ICO and, subsequent to this, the ICO conducting an investigation into the issue.
There are also broader publicity concerns, particularly if any individuals were to misconstrue the intent behind the change – potentially leading to reputational issues.
Important considerations
There are two key points to bear in mind, which the ICO stressed, when any organisation is considering changing its lawful basis:
- Be transparent about the lawful basis being relied upon.
- Ensure individuals are afforded their Article 21 right to object to such processing (e.g. where relying on legitimate interests).
There are some additional considerations which should factor into any decision to change lawful bases for processing personal data, including carrying out a data protection impact assessment, particularly where special category personal data is being dealt with. Where relying on substantial public interest (Article 9(2)(g)) for the purposes of processing special category personal data, the Data Protection Act makes it clear that the organisation must have in place an Appropriate Policy document.
Finally, thought should be given to whether or not the relevant individuals should be notified of the change in lawful basis and, if so, what approach is taken by the organisation in notifying them. This decision will likely be based on the circumstances of the change, and therefore would need to be judged on a case-by-case basis.