With GDPR coming into force on 25 May, now is the time to check whether the conditions on your premises licence comply with the new rules on data protection.
Whilst GDPR recognises that conditions on a premises licence are a legal requirement, and therefore the capture and storage of data can be justified on this ground, there is still plenty of scope for the wording of those conditions to require a licence holder or data controller to act illegally when it comes to handling data belonging to customers, staff and others.
Under GDPR, individuals have rights in relation to any personal data of theirs that you hold. In addition, the person or company responsible for capturing the data has a duty to those individuals in relation to holding and using their personal data. This can cause conflict where the condition requires actions to be taken that would breach the rights of the individuals.
The examples below are not legal advice in relation to whether specific licence conditions breach or are potentially in breach of GDPR. They are simply intended to highlight the potential difficulties in reconciling GDPR with you licence obligations.
Premises licences more often than not contain CCTV conditions. The wording of these conditions is often the standard wording insisted upon by police licensing officers to give them as much right to view and download CCTV as possible.
CCTV footage captures personal data and therefore the duties to the individuals caught on camera, be they customers, staff or passers-by, apply.
The problems usually arise in relation to whom CCTV can be provided, what should be provided and the obligations of the person handing over the CCTV footage. Many licensing conditions stipulate that licensees should provide CCTV images to the police “on request”; however, the disclosure should be necessary for investigating or preventing a crime or apprehending or prosecuting an offender. As such the police must be able to justify their requests for CCTV images to be disclosed to them before they are handed over. Worse, conditions can require CCTV footage to be provided to officers other than police officers on request. Handing over CCTV to comply with such a condition is almost certainly a breach of GDPR.
Conditions relating to body-worn cameras often appear within premises licence CCTV conditions, especially for clubs, and often subject to the same conditions in relation to storage and handing over to various parties as regular CCTV. Body worn cameras can capture an awful lot of data not relevant to a crime or investigation, so there are more chances for capturing incidental personal data. If the images are uploaded to the premises CCTV, then it will be the responsibility of the premises to safeguard that information. Extra care therefore is required to ensure that personal data for unrelated bystanders is not disclosed accidentally or without justification. As such, handing over body cam footage immediately on request, without considering what is being handed over and for what purpose- including blurring images of incidental bystanders- is likely to be a breach.
In all cases where CCTV is to be handed over, then the data controller must ensure they know to whom the footage is going, where it will be held and agree a requirement for returning or destroying the footage once it has been used for the identified purpose.
The central philosophy behind GDPR is that a data processor must have a lawful basis for processing data. To comply, processing must be ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis for doing so.
One lawful basis for processing personal data is a legal obligation created by condition. You should be able to identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation to rely on this lawful basis for processing. As such, going further than the condition requires in terms of storage or use of data would require a separate and independent justification.
If 'legal obligation' is your lawful basis you should document it. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
Taking personal data via club/ ID scan needs to be explained to customers at the time the information is taken, whether by notice or in person. This explanation must include the right of the individual to see what information is being held and what will be done with their data in future.
However, you must not process information in a way that goes further than is necessary. As such, requirements in conditions to hand over personal information 'on request' without it being made by a police officer in the investigation of an offence would probably breach GDPR, although not doing so would breach the condition of your premises licence.
There are a number of other conditions that might appear on a licence that may have data protection implications. For instance:
In each case, whether there is a potential breach of GDPR would depend on what was done with the data and in particular if the person who provides the personal information has consented to it being used as required by that condition.
Some premises licence summaries still show more personal detail than simply the name of the DPS. It is a legal requirement to display this document in public, but there is a potential breach if other personal details are included, especially address or date of birth. In this case, you would be better redacting this information and keeping an un-redacted copy of the summary with the licence to show officers if asked.
Ideally, get the conditions amended to resolve any conflict. The reality is that the law in relation to data protection is changing dramatically and therefore conditions should change to reflect this.
If in doubt, you might want to consider a 'catch-all' condition stating that where any request made or action required by condition is considered by the data controller of the premises to breach data protection legislation, then the data protection legislation supersedes the condition. It might be that the authority would want to see a written explanation as to why the request/condition cannot be complied with, but in providing that, you will be undertaking your general duty of care in handling personal data of customers and others on your premises.
Breaches of data protection carry potentially huge financial penalties. Fines of up to 20 million Euros or 4% of a company's global turnover can be levied for the most serious breaches.
Breaches of conditions upon conviction can carry unlimited fines and up to 6 months in prison. However, there would need to be a public interest in prosecuting. Non-compliance with those parts of a condition obviously in breach of data protection legislation, especially where the rest of the condition is complied with, is unlikely to be in the public interest.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.