A recent news story grabbed the headlines when a supermarket security guard refused to announce a car registration number over the public-address system. He was asked to do so by an off-duty paramedic, concerned about two overheating children locked in the car on a hot day.
The security guard was adamant that doing so without consent would breach the data protection rights of the car owner under GDPR, and he also prevented colleagues from taking action.
It’s clear that this could not be the case; the GDPR is intended to protect an individual’s privacy, but not at the expense of the wellbeing of others. The announcement (data processing) could have been justified on the grounds of ‘vital interests’.
In its guidance on using ‘vital interests’ as the grounds for processing personal data, the Information Commissioner’s Office (ICO) states as the first point:
‘You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life.’
In this instance, the preservation of life equates to the protection of life. The second point states:
‘The processing must be necessary. If you can reasonably protect the person’s vital interests in another less obtrusive way, the basis will not apply.’
Arguably, the security guard or paramedic could have tried to smash the car window, but would that have been a reasonable and less obtrusive course of action? Perhaps not. Therefore, given there was no other expedient method of protecting the children, or otherwise contacting the car owner, this point would not have applied.
Considering the urgency of the situation, announcing the registration publicly would have been perfectly acceptable. Well-documented evidence from the USA, where an average of 30-40 children die in hot cars every year, shows that it can take as little as 15 minutes in an overheated car for a child to suffer life-threatening brain or kidney injuries.
Classification of personal data
Another question raised by this case is why a registration number should be classified as personal data as it does not name an individual. The Information Commissioner considered the question under the old Data Protection Act in 2009, and decided that registration numbers of vehicles owned by private individuals will be ‘personal data’ (as the owner can be identified from that number), but not when the vehicle is owned by a company. It is unclear whether the Information Commissioner would take the same view under the GDPR but, with the definition of ‘personal data’ being widened under the new legislation, it is likely the same decision would be made now.
This case highlights the fear factor of breaching the GDPR. To most, it is clear that a simple announcement in an emergency such as this would not lead to a breach, but there is a lack of understanding or guidance from companies to their employees on how to act in emergencies. Trusting your gut instinct and acting on common sense isn’t necessarily incompatible with the GDPR, but the dread of getting it wrong can result in the right action being taken too late. If you need to prepare guidance for your staff, or aren’t sure of when you can or can’t process data, get in touch and let BPE’s experts help you.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.