GDPR Considerations For Handling Vulnerable Customer Personal Data
With the FCA’s Vulnerability Consultation, in addition to recent media focus on mental health, it’s clear that firms are taking this as an opportunity to review their vulnerability processes. In fact, the drive is not limited to financial services, OFCOM is also taking steps in relation to vulnerability.
This presents an opportunity for firms to re-think the way they see vulnerability, from a rather linear approach to a focus on the impact that firms can have. By linear approach, what I mean is something along the lines of:
Agents pro-actively attempt to identify vulnerability, or listen where customers inform them
Agents follow TEXAS to record the special category data in line with consent
Where consent is provided the firm will look to identify solutions which may assist the customer, such as a payment holiday, change in communication or, in high risk cases, cancelling outstanding debt
A New Way of Working
We can do better; we can think of vulnerability differently.
Firstly, we can look to take preventative measures aimed at avoiding vulnerability becoming a concern in the first place. This is what the FCA are getting at when they ask us to look at potential vulnerability (see their recent Vulnerability Consultation). Ideally, we can use data or information direct from the customer to understand their capability, resilience, life events causing stress and health concerns. This data can be scored to understand how potentially vulnerable the customer is. Firms will be able to use this scoring to identify the underlying factor which could cause vulnerability, for example, where low capability is the driving factor the customer can be provided with additional support, care and simplified information. Equally, where a life event has occurred, firms can offer to provide breathing space to help prevent escalating potential vulnerability.
Importantly we do need to recognise that with the preventative measures, we may sometimes be successful but other times we may not. Put simply, if you look at the list of indicators of vulnerability (relationship break-up, addiction, etc.) how many can we actually help the customer to avoid? We can contribute towards avoidance for some people, but we can’t ensure it. The focus, therefore, also needs to be on what you can do to help those who are vulnerable.
Where actual vulnerability has occurred, firms do need to be able to detect this, agents are an important line of defence, but other data should be used as well. The level of data you have will depend on the type of firm you are. Banks, for example, can build an unbelievable picture of a customer’s life through the payments they are making (i.e. to funeral companies, solicitors, etc.) whereas other firms may be relying on identifying payment trends.
The best firms will then have a discussion with the customer and try to understand the underlying causes of the vulnerability. Is it health, financial capability, resilience, life events or a mixture of those? You can see on the diagram below that where more than one of the four broad causes of vulnerability are present, the higher the number of causes the higher the risk.
Once firms risk assess the customer they can then look at the possible steps to assist, with greater assistance given to higher risk customers. Typically you might categorise customers by the impact that vulnerability has on them, such as the list below:
unable to meet basic needs
cannot use product/service
can’t access product/service
unable to protect interests
achieving same outcomes
Looking at the above list, I’m sure you can see how you can actually help the customers with their situation. It’s easier to assist when you look at impact rather than the label of the vulnerability. This ability is the next phase for agents.
The above is great but it does need to be met with GDPR compliance.
It’s evident that firms are also still trying to find the right way to handle vulnerable customer data, where it meets the standard of “special category data”, in line with GDPR requirements. Admittedly this is not an easy solution to find.
On the one hand we want to be processing the data to enable us to fully understand the customer’s circumstances and to offer the best possible solutions as is expected of us from the FCA’s Occasional Paper No.8 and the recent Vulnerability Consultation.
Conversely, we are concerned that processing the data may be in breach of GDPR. In short, GDPR requires you to have a basis for processing special category data under both Article 6 and 9. Typically firms in our industry will have a basis under Article 6, such as for the performance of the contract, but Article 9 requires an additional basis.
Traditionally we have relied upon explicit consent, which is fine where the customer is capable of providing consent, comfortable and it is actually possible for the controller to obtain consent. If it is not possible to obtain consent firms may be placed in a difficult position, they need to decide whether to break the law in order to do the right thing for customers, or do they?
Article 9 of GDPR does provide further circumstances where a controller can process such data, consent is only one of Article 9, paragraph 2a-j, there are nine other reasons.
The one I will focus on is the “public interest” basis which enables member states to declare certain circumstances to be in the public interest. Equally Article 9, paragraph 4 provides for member states to create additional reasons to process health data. This is exactly that the UK Parliament has done in Part 2 Schedule 1 of the Data Protection Act 2018.
The Data Protection Act 2018 gives controllers the ability to process health data where the following conditions are met:
(a) the customer cannot give consent, or
(b) where the controller cannot be able to obtain consent, or
(c) where obtaining consent would prejudice the provision of protection to that customer, and where
(d) a customer at ‘economic risk’ is defined in relation to individuals who cannot protect their economic well-being due to their physical or mental injury, illness or disability.
In other words, firms can process health data, without consent, where consent cannot be obtained for the reasons listed above and you would process it to ensure the economic well-being of the customer. In practice, this is quite difficult to put into place.
Putting Vulnerability & GDPR into Practice
I have heard of some controllers reading Article 9 of GDPR and deciding to rely upon public interest in Article 9 of GDPR for all special category data they may want to process. I think this is the wrong approach for the following reasons:
To process the data based on public interest you need supporting UK legislation, which means firms must find a basis within the 2018 Act which Parliament has listed under Part 2, Sch 1. For most of those reading this article this would mean meeting the economic well-being requirements as listed above. What is certain, is that never considering whether to obtain consent through applying a ‘catch all’ solution would not meet this requirement.
Some firms may be deciding to process the data under public interest rather than consent as it removes the customers ability to withdraw consent (i.e. use their “right to be forgotten”. This is completely the wrong motivation for choosing this basis and is unlikely to stand up to scrutiny.
So, to comply with the 2018 Act firms should first consider whether it is possible to obtain consent. Where it is possible to do so, consent should be the default. Where firms determine that consent is not possible, or would prejudice the assistance they are aiming to give to the customer then they should process the data under ‘economic well-being’. Consent should not be sought in this circumstance but the data subject must be made aware that the firm is processing their health data.
Do remember that the European Data Protection Board Guidance on Consent says that once you have asked for consent and the data subject refuses you cannot then choose to process the data anyway, even where another basis may apply. This means once you have asked for consent, you are stuck with it and the customers right to refuse / withdraw the information.
I do recognise that the above is difficult to put into practice as we are likely to be asking front line agents to make a judgment and decide whether to ask for consent or not. It will likely mean upskilling a section of your team to enable this approach to be used.
RB Compliance and Chris Fitch of the Money Advice Trust are in the process of creating new guidance on the above issue on behalf of MALG – we are really keen to understand your views. In the coming weeks we will be issuing a questionnaire, if you would like to participate please send your email address to: firstname.lastname@example.org. Also feel free to let us know your initial thoughts!