
Not for Profits & Sensitive Data

Interesting question, Keith. Before I make a stab at answering it, it is prudent for me to put the obligatory disclaimer and health warning on this, as we don't have a contractual relationship, so the answer below should be taken as my personal opinion, not binding legal advice. If you want that, please check with your own legal advisors. It is also worth pointing out that my comments on the recording were based on current Irish legislation, and there are subtle differences in how the EU regulations are applied across Member States.

In order to answer the question we must think back to the underlying history in Europe behind Data Protection legislation. Apparently we have had issues in the past with the use and abuse of personal data about people, particularly sensitive data. Ultimately, in order to ensure and preserve transparency, organisations gathering and processing personal data are, subject to some exemptions and exceptions, required to publish the fact of their processing so that we can all see who is recording what about whom.

The UK ICO's guidance on Exemptions can be found here. It is a very well put together flow-chart type document which gives some clear advice. In the section on exemptions for NfPs it states that the organisation can claim an exemption if:

"Your processing is only for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it".

So, if your NfP is only capturing information for the purposes of maintaining membership databases and administrative supports you are exempt from registration.

However, the specific scenario you raise has an interesting niggle which is that part of the personal data being processed. This is a grey area based on my reading of the various guidance documents from the UK's Information Commissioner. 

The key question as to whether the exemption for NfPs extends to the sensitive data in this case really boils down to whether the information is absolutely necessary for the exempt purpose (in this case managing memberships). I would suggest pondering on that point and then giving the ICO's Notification Helpline a call to check with the ultimate authority, but if after your consideration of the purposes to which the information is being put you feel that it isn't absolutely necessary, then notification would be a prudent step.

Daragh O Brien (CMIAIDQ, FICS)
Taoiseach
Castlebridge Associates
