Data Protection for Credit Unions
First Compliance have a depth of experience with Credit Unions and deliver ‘scale appropriate’ advice to minimise risk relating to GDPR and your data protection obligations.
Our services for Credit Unions fall into one of three categories
- Data protection advisory; expert support for the in-house representative, and practical advice on all data protection related areas for Credit Unions.
- Data protection services; gap analysis, policy and process documentation, process re-engineering, compliance monitoring, incident support, risk assessments, impact assessments.
- Outsourced DPO services; including outsourced Data Protection Officer DPO services or Representation.
“We have found them easy to deal with …. have a range of legal, technical and Credit Union experience that means they understand the risks associated with data protection for credit unions …. a robust process which is appropriate for the scale and nature of Unity Credit Union and I would recommend Paul to others who need support with Data Protection.”
Pat Owens, CEO Unity Credit Union
Nominations – remaining lawful in the context of GDPR
There has been much time spent debating the impact of GDPR upon Nominees, and in particular the requirement relating to the obtaining and the provision of access to nominee information. We provide a concise analysis and recommend a 4 point plan to minimise the exposure to a Credit Union.
What are the data protection issues with nominations
The key considerations relating to the lawful processing of nominee data are as follows;
- Obligation to inform Subjects of personal data obtained indirectly.
- Denial of access to nominees on foot of an access request.
- Providing members access to their nominee details.
We have examined the management of obligations relating to Nominees in the context of the Credit Union Acts, the Succession Acts, the exceptions to disclosure provided for under GDPR and Irish legislation. None of these provide particularly ideal justification to administer nominees in the manner commonly used today.
Actions to mitigate against risk
Considering this position and the almost universal position of Credit Unions to continue to manage nominations in the same manner, we suggest that you consider the following actions to demonstrate due consideration of the rights of the Subject (the nominee) and to protect the interests of the Credit Union should they become the test case in this regard.
Actions to protect the position of the Credit Union include;
- Document an operational risk assessment with a particular focus on the three elements listed above.
- List the safeguards that have been put in place.
- Implement a standard notice relating to Nominees that is to be included in all Access Request responses.
- Re-format the nomination form to bring it into line with the requirements for a document that is subject to the Succession Acts (the requirements for a will).
Retention of nominee data
Article 21.5 of the Credit Union Acts state that each Credit Union shall keep a record; (a) of the names of all persons nominated by it’s members under subsection (1) and such other details as will positively identify the nominees; and (b) of all revocations or variations (if any) of nominations under that subsection. We suggest consideration of the following process to satisfy these requirements and balance them with your data protection considerations;
- Record nominees in a format suggested in point 4 above.
- Create a separate form for Revocation. It should confirm the wish of the member to revoke the previous nomination and the date that that nomination was issued in the first instance. Signed and dated.
- In the event of a member wishing to appoint new nominee(s); retain a copy of all revocations and of the current nominee form only. i.e. no personal data relating to previous nominees.
- ‘Variations’ are to be attached to the current nomination.
A hard Brexit – key actions for CUs
The UK may be outside of the EU in the near future and this will require safeguards to be put in place by organisations in Ireland before they transfer personal data to the UK, including Northern Ireland. We summarise your legal obligations and the simple actions required to ensure that your Credit Union is not exposed.
Transfer to countries outside of the EU requires one of the following;
- An Adequacy Rulingby the EU. This ruling judges the third state’s data protection as adequate for the processing of EU personal data without additional action e.g. Switzerland or New Zealand.
- Appropriate Safeguards, these include among other things
- An EU standard data protection clause between the organisations.
- Binding corporate rules.
- Approved codes of conduct.
- Failing the above in specific casesrelying on consent from the subject, or the performance of a contract with the Subject.
The awarding of an Adequacy Ruling to the UK in the event of a no deal Brexit is not a given. The enactment of legislation granting powerful surveillance and retention powers to UK policing authorities in 2016 has already been judged as inconsistent with EU regulation and may prevent a full adequacy ruling.
Note, The UK has already stated that it is permitting personal data to flow freely from the UK to the EU.
Advance planning that is likely to minimise exposure to the Credit Union in the event of a hard Brexit includes;
- Assess your IT systems and ensure that you are not transferring personal data to the UK (e-mail, operating systems, analysis systems, insurance, storage of voice or cctv).
- Where a written instruction has not been already received, write to all members who have requested their documents to be sent to the UK to confirm that instruction in writing.
- Amend your membership agreements to state that instructions to transfer data outside of the state are considered an expansion of their agreement with the Credit Union. This is not strictly necessary, however, it is a measure that is likely to provide additional clarity and confirm that any instruction is part of a contract (membership agreement) rather than consent. This will reduce the likelihood of an action against the Credit Union.
Breaches – When should a Credit Union report
Breaches are one of the critical events most feared by any organisation. Where the personal data involved includes financial data it can become an emotive issue for Members and result in regulatory intervention. There are specific processes and actions that will minimise exposure and we summarise them below
Understanding the process & high level actions
This is a well understood process, however there is often a nervousness when individuals need to apply it in practice. You can find a fully documented breach process here. The three basic steps (in this order) are to;
- Take action to minimise/correct exposure or risk to the Subject.
- Assess the risk to understand if the DPC or Subjects need to be informed.
- Document the actions taken.
A breach related to the loss of control over personal data only, and needs to be reported when it poses a risk to the rights and freedoms of the Subjects. A breach can include
- A cyber breach.
- Accidentally providing the personal data of one member to another.
- The loss of a laptop, mobile phone or other device containing personal data.
- Sending an e-mail to the wrong person.
- Using data for an unlawful purpose. This is often non-intentional, however is a breach. e.g. cctv, excessive voice recording, the use of proof of identity or other contact details for a purpose other than for what it was obtained for.
The most effective way to prevent or these incidents is through the implementation of good process and staff training.
How to manage breaches with ease
The main reasons why breaches cause real stress to a business are because of their infrequent occurrence and the treat of having to report to the regulator. We would suggest the following actions to most organisations to ensure that they are confident in their steps to react to a breach;
- Have an individual (not necessarily a DPO) appointed to be knowledgeable of the process and to take ownership.
- Have all staff trained to react immediately and to report internally. There is a 72 hour timeline on reporting obligations.
- Know when to report. Have a simple risk analysis prepared in advance. Reporting is normally advisable except where the data is encrypted or has been transferred to a trusted party. note; Reporting a breach is normally advisable and there is no penalty if the breach is withdrawn or reclassified at a later stage. The Data Protection Commission DPC currently encourages reporting.
- Be aware that the DPC is focused on delivering good outcomes, and provide advice to you if need be. They are good to engage with not likely to impose punitive conditions upon a CU unless they are warranted.
- Know when you need help. These may include;
- IT support.
- Professional advice relating to reporting obligations.
- Risk mitigation actions.
- Train staff; Training to create a culture of data protection is the one of the most effective ways to avoid and to react to breaches.
We do not wish to underplay the significance of a data breach, simply to emphasise that good preparation and a cool head in the event of a breach are likely to protect the Credit Union from reputational or regulatory harm.
Subject Access Requests – The key elements for ‘street wise’ management of Access Requests
Many Access Requests are as a result of grievances by members or by staff and these events are often a key indicator of another underlying issue or a possible legal action. There are 5 clear actions that every CU needs to implement to assure good process and ensure that it avoids some of the hurdles that could result in litigation of regulatory actions.
There are many standard parts of the legislation relating to Subject Access Requests(SAR) that are commonly understood within the CU community like the 30 day timeline, the exceptions to the requirement to disclose, and how to respond to Subjects legitimately. We provide a complete process document here for free. This paper focuses on how to remain ‘street wise’ while managing Subject Access Requests.
The 5 key ‘street wise’ elements to avoid unintentional harm to the CU are;
Recognise a request
Valid and legitimate requests may be served electronically, on paper or by word of mouth. Particular attention needs to be taken to;
- Recognise a request. GDPR has enabled SARs to be served orally and all members of staff need to be aware that if a member requests access to their personal data that this has a legal implication. Where a member of staff is not certain if they have been served with a SAR it is essential that the data protection representative is informed and can decide on a course of action.
- Recognise if this is a request for ‘information’ of for ‘access’. There are separate requirements in law for each of these situations and a false interpretation of the request could expose the CU to unnecessarily effort or to liabilities.
De-escalate a request at an early point
Our experience is that Controllers often assume that a request is for full disclosure of information. We typically recommend that the CU communicates with the Subject at an early stage and ask the Subject what they are looking for. This will typically reduce the amount of data required and provide an opportunity to understand the context of the SAR. This simple action will often de-escalate a situation and enable the CU to address the core motivation behind the request.
The importance of Identity
Having identified a request, this is perhaps the most important action to avoid a reputation-damaging breach. Personal Data must be requested and released to the Subject only, and if the request is made by a third party representing the Subject, this must be verified explicitly. Be thorough. If the CU fails on this count and solicitors become involved at a later stage it will cause real harm.
Many organisations accept the bona fide of a request from a solicitor on a subject’s behalf, and the regulator has indicated likewise, however it is prudent to always seek validation.
Additionally, scammers have been known to go to some length to impersonate a Subject to access data. If the CU falls for this trap and releases personal data, this will be a data Breach. A scam of this nature is normally with a view to extortion, and the mere association with this type of activity can cause severe reputational damage to a CU.
Follow a documented process
All elements of the SAR process need to be administered effectively. A well written process will guide the CU and demonstrate data protection preparedness to the regulator in the event of regulatory action. A full SAR process document is available free here from First Compliance.
It is also sensible to have a well constructed Privacy Notice that fulfils many of the other requirements relating to notifications to a Subject in the event of a SAR. This will avoid an inadvertent failure to comply with the specific requirements of a SAR response as detailed in law.
Understand what has to be disclosed
The CU has an obligation to store personal data in a lawful manner and that includes both the capacity to keep it safe and to organise personal data in a manner that enables access or deletion in a manner that is consistent with it’s purpose. Many CUs also have historical systems (often on paper of microfiche) that cause further difficulty. These formats need to be catalogued.
In any event, the CU needs to make reasonable effort to retrieve such data and to be aware of the exceptions to disclosure. There are any exceptions to disclosure and perhaps the most discussed (nominations aside) is the release of data relating to employees in the course of their work. Precedent has been set in the French and Irish courts that suggests that an organisation does not need to release data that is exclusively related to the fulfilment of a work function unless it is in some manner personal to the Subject.
Particular care also needs to be take not to release third party personal data. We recommend a thorough review of data to be released, typically by a person who is not the person that has compiled the data, to redact all third party data. This simple action inevitably results in a safer process.
Similar information relating to Access Requests by State Authorities (Garda, CAB and etc.) can be seen here.
State Authority (Garda, CAB and etc.) Access Requests – How to avoid embarrassment in court
State Authority Access Requests SAAR are a relatively common occurrence for Credit Unions, with a request for cctv footage being the most common. This is typically on foot of investigation of a potentially illegal act and the information that you provide is evidence. If this case goes to court you will be called to validate that this data was obtained legitimately by you and by the authorities.
It is important to stick to a formal SAAR process and never to take a shortcut. Acknowledging that you took that shortcut is likely to the event that causes real embarrassment in court. In the event of key information having been obtained unlawfully it will destabilise a case and in many instances cause a judge halt the proceedings. This may subsequently result in the CU being paused for an unlawful release of personal data.
The key elements of the good management of State Authority Access Requests are;
- State authorities can ONLY request data on the basis of a law. Make sure that this is quoted and recorded by the CU before any release
- Always be mindful that this could end in court with you as a witness. Solicitors will always examine the legality of the obtaining of key data. This has the potential for a judge to dismiss a case.
- Be prepared and follow the process tightly. A full SAAR process document is available here at no cost from First Compliance.
- Document the request and the formal identity of those making the request. A template report is included in the documentation form First Compliance.
- Unless it is an emergency, taking time to get the process and information right is time well spent. In this environment information that takes time but is accurate is infinitely more valuable than information that is fast but potentially compromised
- Apply a good measure of common sense. It is never the intention of a Credit Union to frustrate authorities, simply to make sure that process is not compromised.
These simple actions will help the CU to avoid a potentially embarrassing release of data and enable you to manage these events with confidence.
A risk based approach to Data Protection – how to keep it simple
Data Protection regulation is often implemented in Credit Unions in a manner that could be considered over engineered. While in many aspects this is necessary, particularly because of the nature of the business of a Credit Union, GDPR provides for many aspects of compliance to be proportionate to the scale and nature of the Controller. This enables CUs to make risk based decisions relating to implementation. We are examining operational risk in this context.
Credit Unions a needs to take a ‘call’ on may items that require judgement. These items are considered in good faith in the interest of both the Members and the CU, however may be open to regulatory challenge. Issues that may require a judgement call include;
- the acceptance of ID from a person who may not have a passport or driving license,
- managing vulnerable persons in the context of the Assisted Decision Making Acts,
- live monitoring of cctv in certain circumstances
- the obtaining of and access to Nomination data or,
- the retention of withdrawn loans information.
The Credit Union needs to document the rationale and considerations that lead to these decisions and demonstrate that risks to the rights and freedoms of the Subjects were considered. We recommend the maintenance of an Operation Risk Record ORR that documents each of these decisions and delivers
- A description of the issue
- The decision taken
- The safeguards put in place to protect the Subjects,
- The effect of not taking this decision
- A risk analysis of the impact on the Member and the CU
This enables the CU to make reasoned decisions relating to the delivery of service and demonstrate a structured process to manage operational risk.
Once implemented, this process is easy to maintain, enables the CU to systematically manage data protection related operational risks, and to defend it’s position in the event of an action by the regulator.