Events, exclusion lists, and the UK GDPR
If you run an event, there is - sadly - a strong chance that you've had to deal with inappropriate behaviour.
More and more events have adopted a code of conduct, to set out standards of acceptable (or unacceptable) behaviour. Breaches might lead to a warning, to ejection from an event, or to a ban on future attendance. Sufficiently egregious conduct outside an event may also lead to an exclusion, to protect the event's staff or attendees.
This blogpost looks at the UK GDPR responsibilities of an organisation which has banned one or more people from future attendance at an event, and wants to keep a list of excluded people for administration purposes.
(As always, this blogpost is not legal advice for any specific situation.)
Does the UK GDPR apply to exclusion lists?
The UK GDPR applies to the processing of personal data which falls within its material and territorial scope.
For the sake of this blogpost, I am working on the basis that the UK GDPR's territorial scope is met.
In other words, let us assume that the event is being run by an organisation established in the United Kingdom or by a group of friends in the UK, and that the event is targeted to people in the UK.
In terms of material scope, the UK GDPR applies to "the automated or structured processing of personal data".
An electronic list
An organisation storing its exclusion list on a computer, or loading it into a booking system to reject applications automatically, engages in automated processing. The UK GDPR applies.
A paper list
If the organisation keeps its list on a piece of paper, this storage is not automated processing.
In terms of "structured processing", the UK GDPR defines this as:
processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system
The UK GDPR's definition of "filing system" (a structured set of personal data accessible according to specific criteria) does not take you very far on its own. Case law sets out a four stage test:
- are the files a “structured set of personal data”?
- are the data accessible according to specific criteria?
- are those criteria “related to individuals”?
- do the specific criteria enable the data to be easily ... retrieved?
If you have just one sheet of paper, and you add the name of an excluded person to the bottom of the list, there is scope for an argument that you do not have a filing system.
However, I would be hesitant to put too much weight on that argument. The cases on this point turned on thousands of files, and on how easily a temporary worker could find and extract any given individual's data; where the data exist on a single page, someone could easily skim through it and find the entry they were looking for, so the "easily retrieved" limb is probably satisfied.
(If you are an FOI public authority, you are still in scope of the UK GDPR even if you engage in manual unstructured processing of personal data.)
A memorised list
If, for smaller events, one of the organisers keeps the list in their head, the UK GDPR will not apply.
However, clearly, this approach does not scale, and brings with it challenges of "institutional memory": if the person who knows the list is no longer available, this approach has no value as a safeguarding tool.
Obligations if the UK GDPR applies
If an organisation is considering an exclusion list, it is already running an event, so - hopefully - it is already considering the implications of the UK GDPR for its other processing: operating a website or a marketing list, collecting payments and processing tickets, or controlling event/venue access. (If the UK GDPR has not been considered at all, perhaps this will be a prompt to remedy that.)
In other words, the application of the UK GDPR to the exclusion list should not be something wholly new, but rather an extension of something to which the organisation has already given thought.
I am not setting out here an exhaustive list of things an organisation would need to cover, but key themes when considering an exclusion list include:
- identifying a lawful basis for operating an exclusion list.
- transparency, and ensuring that data subjects are aware of their inclusion on the exclusion list.
- accuracy: how will the organisation ensure that it puts only the correct people on its list? Does it have, and record, sufficient information to identify only the intended person?
- keeping the personal data for no longer than is necessary.
- data minimisation: keeping the least amount of personal data necessary.
Lawful basis for an exclusion list
The UK GDPR sets out six lawful bases which can justify the processing of personal data. None has priority over the others - an organisation just needs to find one which fits the bill.
Compliance with a legal obligation
If an organisation owes a duty of care to its staff or attendees, and a failure to exclude someone would breach the standard of care, the organisation may be able to demonstrate that the processing inherent in operating the exclusion list was necessary for compliance with a legal obligation to which the controller is subject.
I am not aware of anything authoritative on this point, so relying on this as your argument is not without risk.
Legitimate interests
An organisation may also be in a position to demonstrate that the exclusion of people who pose a threat to staff or attendees is in its (and its staff's, and attendees') legitimate interests.
To rely on this, the organisation would need to consider the interests of the excluded people, and be able to show that its interests (or those of its staff or attendees) were not outweighed by the interests of the excluded people.
The ICO has produced extensive guidance on legitimate interests.
My feeling is that legitimate interests is, on balance, likely to be the most realistic route.
However, legitimate interests is not without its problems, because a data subject has the right to object to processing carried out on that basis. They would need to give reasons specific to their particular situation, and you would then need to show that you have compelling legitimate grounds for the processing which override their interests, rights and freedoms; if you cannot, the processing of their data must stop.
Vital interests
In the most extreme situations, it may be justifiable to rely on the protection of vital interests. For example, if the exclusion is necessary to prevent a genuine and severe threat to someone's life.
This basis is extremely limited, and so relying on it is, again, not without risk.
Transparency
The UK GDPR has extensive requirements relating to transparency.
At a high level, an organisation needs to explain to data subjects what personal data it is processing about them and why, and give them information about that processing (including their rights in respect of it).
The ICO has a useful checklist.
An organisation may decide to provide general information as part of its broader transparency information, or as part of its code of conduct.
It may also decide that, at the point at which it enforces its code of conduct, it needs to notify the excluded person of the consequences of their actions, and that they will be included on the exclusion list.
Where an organisation justifies exclusion for a reason other than a breach of its code of conduct - for example, for behaviour outside the confines of the event - it may be harder to fulfil the requirement of transparency without notifying the excluded person directly.
(See below for discussion of withholding transparency in certain situations.)
Deciding what to record: adequacy, accuracy, and data minimisation
When deciding what information to record on the list, there are two main principles at play:
- data must be adequate: you need to keep enough for your activity.
- data must be limited to what is necessary in relation to the purposes for which they are processed: you cannot keep more than you need.
This can be a hard circle to square, as you must neither keep too much, nor too little, personal data.
An organisation would need to think about what it needs to record, and what it can safely leave out.
Just a name is unlikely to be enough
Recording just someone's name may be too little. Unless the name is very uncommon, you risk not knowing exactly which individual is excluded, and you could end up incorrectly excluding others who share the name.
The inclusion of sufficient additional identifying information, to ensure that the intended person (and only the intended person) is excluded, is likely to be not just justifiable, but necessary.
The duration of the exclusion
If an organisation has decided to exclude someone for a period, recording that period on the list is likely to be sensible.
The organisation should ensure it is clear when that period started or, if the end of the exclusion depends on some other trigger event (e.g. that they are excluded for the next four events, rather than a period of time), what that trigger is.
The reason why someone was excluded
Recording why someone was excluded may be useful, in terms of being able to justify in future why someone is on the list.
Without it, demonstrating that your processing is fair may be challenging.
Conversely, recording too much information about why someone is on the list can bring its own problems.
- if you record the identity of the complainant(s), you must take their data protection rights into account too. The list may also be considerably more sensitive, and demand greater security protections, if it includes this information, especially if there is a genuine concern about the possibility of reprisal against a complainant.
- if the reason why someone is on the list is because of an actual, alleged, or suspected criminal offence, recording that will trigger the parts of the UK data protection framework dealing with criminal convictions and offences.
Recording actual, alleged, or suspected criminal offences
In addition to the normal data protection rules, the organisation's processing must also satisfy one of the conditions in Schedule 1, Data Protection Act 2018, and may also require an additional formality, an "appropriate policy document".
These requirements may not be insurmountable, but they are additional things to cover off, to ensure that your processing is carried out consistently with the law.
It might be preferable to avoid references to criminal offences where possible, and to record instead, for example, "credible allegations of consent violation" or "repeated breaches of the code of conduct". Bear in mind, though, that if the conduct being described is itself an offence, describing it in other words does not necessarily take the record outside those rules.
Limiting access to the reasons why someone was excluded
If an organisation decides to record the reason why someone has been excluded, it should exercise restraint over who has access to that information, and limit access to those who need to know.
For example, someone may need to have access to the list because their role requires them to process ticket purchases or requests to attend, to ensure that tickets are not made available to someone who has been excluded. It is unlikely that this person needs to know why someone was excluded - to do their job, it is enough for them to know that that person is on the list.
Keeping personal data for no longer than is necessary
If someone is excluded for a limited period, or for a certain number of events, there will come a time when their exclusion is over.
The organisation should consider what records it keeps after that point. Will it retain historic records of someone's exclusion, or, once the exclusion period is finished, will it "wipe the slate clean"?
If the organisation decides to retain records of historic exclusions, it must be capable of satisfying the UK GDPR's requirements in respect of that ongoing retention.
If it cannot do that, it would struggle to demonstrate that retaining someone's exclusion history was consistent with the UK GDPR.
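The four points above (enough identifying data to avoid name collisions, a clearly recorded exclusion period or trigger, need-to-know access to the reason, and purging once the exclusion ends) translate directly into the design of the register itself. The following is an added example, not code from the original post: a minimal in-memory exclusion register in Python, with constructed sample records (not real people), two assumed roles ("ticketing" and "safeguarding"), and email as the assumed second identifier alongside the name.

```python
"""Added example of an exclusion register shaped by the data protection
points in the text: adequacy, data minimisation, need-to-know and retention.
Hypothetical design; the roles, field names and sample records are assumed."""
from dataclasses import asdict, dataclass, replace
from datetime import date
from typing import Optional

# Roles assumed for this example: who may see which fields.
TICKETING = "ticketing"        # needs only "is this applicant excluded?"
SAFEGUARDING = "safeguarding"  # may see why, and for how long

# Constructed reference dates used by the usage below.
TODAY = date(2025, 4, 1)
AFTER_JULY = date(2025, 7, 1)


def _norm(s: str) -> str:
    """Normalise names/emails so case and stray whitespace do not cause a
    false non-match (or a false match) at ticket-check time."""
    return " ".join(s.split()).casefold()


@dataclass(frozen=True)
class Exclusion:
    record_id: str
    full_name: str
    email: str                              # second identifier: a bare name is not enough
    excluded_from: date                     # when the period started
    until: Optional[date] = None            # date-bounded exclusion, inclusive
    events_remaining: Optional[int] = None  # count-bounded ("the next N events")
    reason: str = ""                        # restricted to the SAFEGUARDING role

    def is_active(self, today: date) -> bool:
        """Active unless the date has passed or the event count is used up.
        Both bounds None means an open-ended exclusion."""
        if self.until is not None and today > self.until:
            return False
        if self.events_remaining is not None and self.events_remaining <= 0:
            return False
        return True


class ExclusionRegister:
    def __init__(self) -> None:
        self._records: dict[str, Exclusion] = {}

    def add(self, rec: Exclusion) -> None:
        # Adequacy check: refuse records that identify someone by name only.
        if not rec.email.strip():
            raise ValueError("record needs an identifier beyond a name")
        self._records[rec.record_id] = rec

    def is_excluded(self, full_name: str, email: str, today: date) -> bool:
        """Ticketing check: match on name AND email, active records only."""
        n, e = _norm(full_name), _norm(email)
        return any(
            _norm(r.full_name) == n and _norm(r.email) == e and r.is_active(today)
            for r in self._records.values()
        )

    def view(self, role: str, today: date) -> list[dict]:
        """Need-to-know projection: ticketing never sees the reason field."""
        active = [r for r in self._records.values() if r.is_active(today)]
        if role == TICKETING:
            return [{"record_id": r.record_id, "full_name": r.full_name,
                     "email": r.email} for r in active]
        if role == SAFEGUARDING:
            return [asdict(r) for r in active]
        raise PermissionError(f"role {role!r} may not read the register")

    def event_held(self) -> None:
        """Count one event against every count-bounded exclusion."""
        for rid, r in self._records.items():
            if r.events_remaining is not None and r.events_remaining > 0:
                self._records[rid] = replace(r, events_remaining=r.events_remaining - 1)

    def purge_expired(self, today: date) -> list[str]:
        """Retention: drop records whose exclusion has ended ('wipe the slate
        clean'). Returns the ids removed so the purge can be logged."""
        gone = [rid for rid, r in self._records.items() if not r.is_active(today)]
        for rid in gone:
            del self._records[rid]
        return gone


def build_sample_register() -> ExclusionRegister:
    """Constructed sample data for the example (not real people)."""
    reg = ExclusionRegister()
    reg.add(Exclusion("x1", "Pat Smith", "pat.smith@example.org",
                      date(2025, 3, 1), events_remaining=2,
                      reason="repeated breaches of the code of conduct"))
    reg.add(Exclusion("x2", "Alex Jones", "alex@example.net",
                      date(2025, 1, 15), until=date(2025, 6, 30),
                      reason="ejected from the January event"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    # A different Pat Smith is not caught, because the email does not match.
    print(reg.is_excluded("Pat Smith", "someone.else@example.org", TODAY))
    print(reg.view(TICKETING, TODAY))
    reg.event_held(); reg.event_held()
    print(reg.purge_expired(TODAY))
```

The role check here is a projection over an in-memory dict, which is enough to show the principle; in a real booking system the same separation would be enforced by database permissions or separate tables, so that ticketing staff cannot read the reason column at all rather than merely not being shown it. Keeping the purge as a function that returns what it removed also gives you the record the accountability principle asks for.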
Derogations from compliance for e.g. concerns about staff or attendee welfare
Although the UK GDPR is focussed on protecting the data protection rights of data subjects - in this case, the people whose data are included on an exclusion list - data subjects may not be the only people in need of safeguarding.
In particular, if someone is excluded from an event because of the risk they pose to a particular person or group of people (e.g. staff or other attendees), an organisation may, understandably, want to consider the well-being of that person / those people, in addition to considering the data protection rights of the people on the list.
For example, an organisation may have concerns about transparency, if it considers that explaining to an excluded person that they have been excluded, would pose a significant risk to staff or attendees.
In practice, this is unlikely to apply where someone has been ejected from an event, as they will be aware of what has happened, even if not the full detail. But where someone is excluded for conduct outside the event, they may be unaware that they are excluded.
Exemptions and the Data Protection Act 2018
The Data Protection Act 2018 contains a number of exemptions, on which the organisation might rely to justify derogating from one or more of the requirements of the UK GDPR.
The organisation bears the burden of demonstrating that an exemption applies.
Given the general duty of accountability, it would be sensible for an organisation to keep a record of why it has declined to comply with one or more of the UK GDPR's requirements (such as transparency), if it decides that that is the appropriate thing to do.
If compliance would be likely to prejudice the prevention of crime
One of those exemptions permits an organisation to derogate from most (but not all) of the requirements of the UK GDPR, if compliance with that requirement would be likely to prejudice the prevention of crime.
If, for example, being transparent to the excluded person brings with it a realistic risk of the commission of a crime - such as harassment, or an assault - then the organisation is likely to be able to justify withholding that information.
The exemption applies only insofar as compliance with the requirement would be likely to prejudice the prevention of crime (or one of the other matters listed in the exemption). It is therefore limited, which is consistent with the idea that the exemption restricts the rights of the affected data subject.
For each requirement of the GDPR that the organisation intends to restrict on this basis, the organisation must be able to demonstrate the realistic risk of prejudice to the prevention of crime. It is not enough if the concern relates to something which is not a crime. This is going to require documentation.
But the fact that the exemption is limited does not mean it does not exist, and it may be available in the most serious of cases.
Sharing an exclusion list or receiving someone else's exclusion list
An organisation may be tempted - or requested - to share its list.
For example, a new event might want to know who has been excluded from similar events, so that they can also exclude them.
Sharing a list
Data protection law does not prohibit sharing personal data, but the sharing organisation should give careful consideration before it does so, to ensure that, if it does share its list, it does so in a manner which is consistent with the UK GDPR.
In other words, while sharing is not prohibited, the organisation still needs to demonstrate compliance with the UK GDPR.
This consideration will cover the usual range of UK GDPR requirements, including:
- has the organisation told the affected people that it might share the list with others?
- does it have a lawful basis for the sharing? What is its legal justification for doing it?
- is sharing the list consistent with the purpose for which it was created?
- what governance or controls should it put in place, to avoid misuse of the list?
There is no express legal requirement for a data sharing agreement, although the ICO considers it to be good practice. Indeed, it has relied on the absence of a data sharing agreement as part of the basis for fining an organisation for its data sharing activities.
(In addition to GDPR-related considerations, there are other risks which could arise from sharing a list, particularly if the information contained within it is inaccurate or disputed.)
Receiving a list
If an organisation is on the receiving end of another organisation's list, it will want to go through a very similar assessment, to ensure that it can process it lawfully.
One of the major concerns for a recipient is likely to be around accuracy of the received data. How comfortable is it that the information on the list is accurate? Can the sharing organisation explain why someone is on the list, and evidence that?