As is quite commonplace these days, the internet has thrown up some wonderful Christmas memes to brighten our days as we head towards the festive season, but one might be spreading a little fake news in disguise.
A witty, but incorrect, reworking of a classic Christmas song has been calling into question Father Christmas’ data protection policy.
“He’s making a list,
“He’s checking it twice,
“He’s gonna find out who’s naughty or nice,
“Santa Claus is in contravention of Article 4 of the General Data Protection Regulation (EU) 2016/679.”
Funny, yes, but it’s our opinion that, as the ‘Naughty or Nice’ list is essential for Father Christmas to do his job (after all, he doesn’t want to miss giving presents to those good children who deserve them), he’s within the code.
Although he will need to make sure the list is deleted and refreshed every year. Especially with those naughty children who have been working hard to turn their lives around and have a ‘right to be forgotten’.
The meme has also got the ICO thinking about other festive data protection myths, with Deputy Commissioner for Policy, Steve Woods, tackling them head on in a recent blog.
Here’s what Steve had to say…
You can’t contact parents to tell them what stall they will be running at the school Xmas Fayre because you don’t have their express consent
This actually happened to a member of staff at the ICO and is one of many myths which have at their source the common miscomprehension about consent.
In short, you don’t always need consent to comply with GDPR – it is not the only lawful basis on which you can use someone’s personal information. For example, in this case, the school or PTA had a legitimate interest in being able to contact parents and volunteers.
Churches cannot ask for Christmas prayers for named parishioners who are ill or sick, because their health data is protected
This is another case caused by confusion surrounding the need for consent.
The new laws exist to give people more rights and freedoms, not to act as a barrier to small community groups. If this is something that the parishioner concerned might reasonably expect and welcome and the church can justify processing their health data, then it is unlikely to be breaching the law.
Children can’t write public letters to Santa as their parents’ permission will be needed
This is a case which came up in Germany recently, where children would traditionally post their letters to Santa on a tree in the town of Roth. The town council – which granted children’s wishes such as visiting the fire station or having the Mayor come to their school – halted the practice because parents’ permission was needed under GDPR.
While the GDPR does give special status to the data of children, a simple form including both the child’s letter and a parent’s signature eventually solved the problem. Again, it is all about proportionality, balance and reasonable expectations.
You can’t give a delivery driver directions to someone else’s home
Difficult as it might be to believe, we were asked this question after a local shopkeeper was apparently told that giving a parcel delivery driver directions on how to reach a house in the village breaches the GDPR.
The GDPR doesn’t prevent you from giving out directions. If it sounds too far-fetched to be true, then it probably is.
GDPR means you can’t get a refund if you buy something online as a ‘guest’ rather than a ‘registered user’ and it turns out to be faulty.
This was suggested in a recent news article. GDPR has no detrimental effect whatsoever on your rights under consumer protection legislation.
Christmas cards are banned if you don’t have the recipients’ consent
No, GDPR doesn’t ban Christmas cards, even in a corporate context. If you are sending Christmas cards to friends, family, neighbours etc. you don’t need their consent.
If you’re sending corporate Christmas cards, you need to be more careful and consider whether it contains direct marketing – especially if it is addressed to an individual. In particular, if sending a corporate Christmas greeting electronically, e.g. by email, then be sure to comply with the Privacy and Electronic Communication Regulation (PECR) rules on electronic marketing.
Politicians and schools who run Christmas card design contests for children now face excessive regulation
No, they don’t, despite what some media reports may claim. They are asked to observe basic data protection principles, for example relating to security and data minimisation, which they should have been – and most likely will have been – observing for years under the previous legal regime.
Parents can’t film or take pictures of their child’s Nativity play
This old chestnut was also a common misconception under the previous Data Protection Act 1998 and is an example of where some organisations routinely but incorrectly cite data protection laws as a reason for not doing something.
Schools may have their own reasons for preferring parents don’t photograph or record performances – for example, child safeguarding issues or commercial considerations – but as long as the filming or photography is for your own personal purposes, then there is nothing in data protection laws past or present which prevents this.
Protecting your data at Christmas
Away from the myths, many people will be buying ‘Internet of Things’ devices for their homes this Christmas, or smart toys and devices which process personal data for their children. The ICO has published advice for parents and for retailers on this topic.
They also have a wide range of more general data protection advice and tools for organisations, while members of the public can read more about their rights here.
So, there you have it from the ICO themselves. If you do see any of these myths being shared you can point them to this blog or Steve’s and set the record straight.
But there’s just one thing left to say, and that’s “Merry Christmas and a Happy New Year” from all of us at PRIVACY HELPER.