There are a small number of built-in exceptions from the right to be informed in the UK GDPR. The Data Protection Act 2018 (DPA 2018) also provides some other exemptions from this obligation. These are detailed below.
There is no automatic exception from the right to be informed just because the personal data is in the public domain. You should still provide privacy information to individuals, unless you can rely on a specific exception or exemption. Please see ‘What common issues might come up in practice?’ for more details.
The exceptions available in the UK GDPR depend on how you have obtained an individual’s personal data.
When you collect personal data directly from the individual it relates to, you do not need to provide them with privacy information if:
When you obtain personal data from a source other than the individual it relates to, you do not need to provide them with privacy information if:
Example
A local authority obtains information about an individual’s working hours and pay from their employer for the purposes of a benefit fraud investigation. The local authority decides that telling the individual about the collection of their personal data would seriously impair the progress of the investigation because the individual might destroy further evidence necessary to prove an offence. As such, the local authority documents its justification for this decision and does not provide the individual with any privacy information in this instance.
Example
An individual provides information to their social worker in confidence about a family member. If providing privacy information to that family member would result in a breach of confidence, the social worker is exempt from the requirement to provide the information.
Further reading – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 guidelines on Transparency, which have been endorsed by the EDPB.
Situations in which it is impossible to provide privacy information to individuals are few and far between. This is most likely to occur if you do not have any contact details for individuals and have no reasonable means to obtain them.
If you determine that providing privacy information to individuals is impossible, you must publish the privacy information (eg on your website), and you should carry out a DPIA. See ‘What else should we consider if we want to rely on an exception?’.
A public library is engaged in a project to collect, organise and archive information on defunct clubs and societies that operated in the local area over the past 100 years. Amongst other things, the records in question contain membership details including people’s titles and names, but not any address or contact information. It is impossible for the library to provide the individuals with any information about what it is doing because it does not have any contact details. As such, it publishes the relevant privacy information on its website. The library also carries out a DPIA and as a result it decides to publicise the project in a local newspaper in order to direct people to the privacy information on its website.
To rely on this exception, you must make (and document) an assessment of whether there is a proportionate balance between the effort involved for you to provide individuals with privacy information and the effect that your use of their personal data will have on them. The more significant the effect, the less likely you will be able to rely on this exception.
This is an exception to the general obligation of transparency, and should be treated as the exception, not the rule. You should not use it to routinely escape your obligations to inform individuals about your use of their data. If you want to rely on disproportionate effort, you need to be confident you can justify why contacting individuals is genuinely disproportionate in the particular circumstances.
The UK GDPR says (particularly if you use personal data for archiving or research purposes) you should take into account:
If you determine that providing privacy information to individuals does involve a disproportionate effort, you must still publish the privacy information (eg on your website), and you should carry out a DPIA. See ‘What else should we consider if we want to rely on an exception?’.
Example
At the start of each academic year, a school obtains the name and contact details of individuals when it collects emergency contact information from the parents or guardians of children that have enrolled that year. The school assesses that the effort involved for it to write to every emergency contact to provide them with privacy information is disproportionate in relation to the effect that the use of their personal data will have on them (contacting them in the event of an emergency). As such, the school does not actively provide privacy information to each emergency contact; however, it does publish information on the use of emergency contact details on its website. It also carries out a DPIA and decides that, to further mitigate any risks, it will put a policy in place to specify the strictly limited use of emergency contact details, and it places restrictions on its computer system so that only authorised members of staff have access to these details.
You need to consider the effect on the overall lawfulness, fairness and transparency of your processing, and whether you need to put in place additional safeguards.
Even if you are justified in relying on an exception, if you don’t actively provide an individual with privacy information this can cause ‘invisible processing’. The processing is ‘invisible’ because the individual won’t be aware that you are collecting and using their personal data.
Invisible processing results in a risk to the individual’s interests as they cannot exercise any control over your use of their data. In particular, they are unable to use their data protection rights if they are unaware of the processing. This is true even if the processing itself is unlikely to have any negative effect.
Given these risks, if you intend to rely on the exceptions for impossibility or disproportionate effort, you must still publish your privacy information, and you should carry out a DPIA. A DPIA will help you to assess and demonstrate whether you are taking a proportionate approach. It will help you consider how best to mitigate the impact on individuals’ ability to exercise their rights. It will also help you demonstrate how you comply with fairness and transparency requirements. For more details, read our guidance on data protection impact assessments.
You should also consider the impact on your lawful basis for processing. In particular, you may find it difficult to rely on legitimate interests if you process personal data in ways the individual does not reasonably expect and you do not provide privacy information. The UK GDPR is clear that the interests of the individual are more likely to override your interests in these circumstances. You would need to be confident that you have a compelling reason to justify the unexpected nature of the processing, and can mitigate the impact on individual rights. For more information, see our separate detailed guidance on legitimate interests and the impact of reasonable expectations.
In more detail – ICO guidance
The DPA 2018 provides several other potential exemptions from the right to be informed.
Depending on what you do with personal data, a number of these exemptions may be familiar to you, covering areas such as national security, crime and taxation, and legal proceedings. Others may be less familiar such as the exemption relating to the use of personal data for immigration control.
Please see our separate guidance on the exemptions for more details.