What's PID? Some kind of hybrid of personally-identifiable information and personal data? As with many things in privacy, this question crosses over into other areas of law, in this case taxation and employment. What country are you based in? It largely depends on whether the company "providing" theRead more
What’s PID? Some kind of hybrid of personally-identifiable information and personal data?
As with many things in privacy, this question crosses over into other areas of law, in this case taxation and employment. What country are you based in?
It largely depends on whether the company “providing” the staff is providing a service to your organisation, in which these clinicians are simply employees of the service provider; or an agency providing temporary workers to your organisation, for you to direct and control. I will assume the latter.
Good question, I don't have much experience with carrier relationships but it is certainly possible to have a mix of roles among your supply chain, and it primarily depends on whether the supplier takes it upon themselves to determine the purposes and means of processing the consignor/consignee dataRead more
Good question, I don’t have much experience with carrier relationships but it is certainly possible to have a mix of roles among your supply chain, and it primarily depends on whether the supplier takes it upon themselves to determine the purposes and means of processing the consignor/consignee data you might provide to them. This affects your privacy notices and risk assessments more than anything else, and in practice you’re not likely to choose a carrier based on their data protection stance alone. A robust vendor risk management process would be my preferred approach.
I think you're right. Are you in the UK? S. 122(5) of the Data Protection Act 2018 incidentally defines direct marketing: “direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals This does not concern itself withRead more
I think you’re right. Are you in the UK? S. 122(5) of the Data Protection Act 2018 incidentally defines direct marketing:
“direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals
This does not concern itself with whose marketing, or whose product is being marketed.
Art. 21(2) [UK] GDPR provides for the explicit right to object to processing for direct marketing purposes, and Art. 21(4) requires you to inform of the right at the latest when first using the contact details, but this might already have been done, and you wouldn’t necessarily have to keep drawing attention to opt-outs, which differs from email direct marketing where you need unsubscribe/opt-out text in every message.
Definitely a number of risks you would have to consider - firstly, you would be processing for a new purpose. Is that covered by the privacy notice given to the individuals concerned upon first collecting/receiving their data? If not, you would need to consider Art. 13(3) or 14(4) [UK] GDPR as appliRead more
Definitely a number of risks you would have to consider – firstly, you would be processing for a new purpose. Is that covered by the privacy notice given to the individuals concerned upon first collecting/receiving their data? If not, you would need to consider Art. 13(3) or 14(4) [UK] GDPR as applicable and provide new privacy information prior to further processing. Presumably this would be based on legitimate interests so there would be an unqualified right to object and you would need to put in place a mechanism for registering and respecting those objections.
In my view, this would also constitute ‘profiling’, since FB/Google/LinkedIn will be creating a profile of your audience in order to build the lookalike audience (I had to look this up, here’s an article: https://www.ppchero.com/tips-for-building-good-facebook-lookalike-audiences/ ) but I don’t know that the paid ads would be considered direct marketing if they are merely targeted advertisements.
I think the ICO guidance is very clear in this that you need active cookie opt-in for google analytics. But seeing today's article in the Telegraph and the stance of several other EU regulators e.g. Spain and Italy, I see it will probably change soon. Our problem was more the people not interactingRead more
I think the ICO guidance is very clear in this that you need active cookie opt-in for google analytics. But seeing today’s article in the Telegraph and the stance of several other EU regulators e.g. Spain and Italy, I see it will probably change soon.
Our problem was more the people not interacting with the cookie banner than rejecting the cookies. We followed the ICO guidance on cookie walls and made it a bit more uncomfortable for users if they did not interact with the cookie banner at all and that raised the acceptance rate to over 70%. The marketing team was happy with that.
With Google Consent Mode, you can manage Google Analytics, cookies and GDPR user consent. If users don’t give their consent to statistics cookies, Google Consent Mode makes sure that you still get aggregated and non-identifying insights into your website’s performance, such as Timestamps, User agents, Referrers, Other basic measurements for modelling
Hi, I'm not sure if this is any help at all but I've just come across an article on the ico website on consent and capacity: The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent. Generally, you can assume thRead more
Hi, I’m not sure if this is any help at all but I’ve just come across an article on the ico website on consent and capacity:
The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent. Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables your intended audience to be fully informed. It may be that you do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, a third party with the legal right to make decisions on their behalf (eg under a Power of Attorney) can give consent.
Outsourcing of clinicians from a Third Party
BlueBottle
What's PID? Some kind of hybrid of personally-identifiable information and personal data? As with many things in privacy, this question crosses over into other areas of law, in this case taxation and employment. What country are you based in? It largely depends on whether the company "providing" theRead more
What’s PID? Some kind of hybrid of personally-identifiable information and personal data?
As with many things in privacy, this question crosses over into other areas of law, in this case taxation and employment. What country are you based in?
It largely depends on whether the company “providing” the staff is providing a service to your organisation, in which these clinicians are simply employees of the service provider; or an agency providing temporary workers to your organisation, for you to direct and control. I will assume the latter.
The World Employment Confederation provided feedback on the agency worker triangular relationship here: https://edpb.europa.eu/sites/default/files/webform/public_consultation_reply/wec_input_consultation_edpb_controller_processor_final.pdf
EDPB Guidelines 07/2020 adopted this year incorporate a reference to agency workers: https://edpb.europa.eu/system/files/2021-07/eppb_guidelines_202007_controllerprocessor_final_en.pdf
See lessHow do you get your training content?
Atis
We created everything ourselves. But I've seen OneTrust training and it seems good. You can also look at https://www.itgovernance.co.uk/gdpr-training.
We created everything ourselves. But I’ve seen OneTrust training and it seems good. You can also look at https://www.itgovernance.co.uk/gdpr-training.
See lessDelivery service companies – Data controller or processor?5262
BlueBottle
Good question, I don't have much experience with carrier relationships but it is certainly possible to have a mix of roles among your supply chain, and it primarily depends on whether the supplier takes it upon themselves to determine the purposes and means of processing the consignor/consignee dataRead more
Good question, I don’t have much experience with carrier relationships but it is certainly possible to have a mix of roles among your supply chain, and it primarily depends on whether the supplier takes it upon themselves to determine the purposes and means of processing the consignor/consignee data you might provide to them. This affects your privacy notices and risk assessments more than anything else, and in practice you’re not likely to choose a carrier based on their data protection stance alone. A robust vendor risk management process would be my preferred approach.
See lessIs Is the promotion to staff by post of a staff benefit that is available from a specific third party supplier marketing?
BlueBottle
I think you're right. Are you in the UK? S. 122(5) of the Data Protection Act 2018 incidentally defines direct marketing: “direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals This does not concern itself withRead more
I think you’re right. Are you in the UK? S. 122(5) of the Data Protection Act 2018 incidentally defines direct marketing:
“direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals
This does not concern itself with whose marketing, or whose product is being marketed.
Art. 21(2) [UK] GDPR provides for the explicit right to object to processing for direct marketing purposes, and Art. 21(4) requires you to inform of the right at the latest when first using the contact details, but this might already have been done, and you wouldn’t necessarily have to keep drawing attention to opt-outs, which differs from email direct marketing where you need unsubscribe/opt-out text in every message.
See lessUsing Contact data for look-a-like audiences in Google Ads
BlueBottle
Definitely a number of risks you would have to consider - firstly, you would be processing for a new purpose. Is that covered by the privacy notice given to the individuals concerned upon first collecting/receiving their data? If not, you would need to consider Art. 13(3) or 14(4) [UK] GDPR as appliRead more
Definitely a number of risks you would have to consider – firstly, you would be processing for a new purpose. Is that covered by the privacy notice given to the individuals concerned upon first collecting/receiving their data? If not, you would need to consider Art. 13(3) or 14(4) [UK] GDPR as applicable and provide new privacy information prior to further processing. Presumably this would be based on legitimate interests so there would be an unqualified right to object and you would need to put in place a mechanism for registering and respecting those objections.
In my view, this would also constitute ‘profiling’, since FB/Google/LinkedIn will be creating a profile of your audience in order to build the lookalike audience (I had to look this up, here’s an article: https://www.ppchero.com/tips-for-building-good-facebook-lookalike-audiences/ ) but I don’t know that the paid ads would be considered direct marketing if they are merely targeted advertisements.
See lessWhat’s your stance on Google Analytics? Have you found any good options?
Yorkie82
I think the ICO guidance is very clear in this that you need active cookie opt-in for google analytics. But seeing today's article in the Telegraph and the stance of several other EU regulators e.g. Spain and Italy, I see it will probably change soon. Our problem was more the people not interactingRead more
I think the ICO guidance is very clear in this that you need active cookie opt-in for google analytics. But seeing today’s article in the Telegraph and the stance of several other EU regulators e.g. Spain and Italy, I see it will probably change soon.
See lessOur problem was more the people not interacting with the cookie banner than rejecting the cookies. We followed the ICO guidance on cookie walls and made it a bit more uncomfortable for users if they did not interact with the cookie banner at all and that raised the acceptance rate to over 70%. The marketing team was happy with that.
With Google Consent Mode, you can manage Google Analytics, cookies and GDPR user consent. If users don’t give their consent to statistics cookies, Google Consent Mode makes sure that you still get aggregated and non-identifying insights into your website’s performance, such as Timestamps, User agents, Referrers, Other basic measurements for modelling
Capacity and Consent
Liz
Hi, I'm not sure if this is any help at all but I've just come across an article on the ico website on consent and capacity: The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent. Generally, you can assume thRead more
Hi, I’m not sure if this is any help at all but I’ve just come across an article on the ico website on consent and capacity:
The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent. Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables your intended audience to be fully informed. It may be that you do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, a third party with the legal right to make decisions on their behalf (eg under a Power of Attorney) can give consent.
Heres the link: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/#what8
See less