
GateHub and mental health


nonce


GateHub has recently registered with the UK ICO:

https://ico.org.uk/ESDWebPages/Entry/ZA198432

 

On this page GateHub says they also process information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs of a similar nature
  • trade union membership

Why does GateHub need to process mental health details (and other classes of sensitive information)? How do they collect information about mental health?


15 minutes ago, tomxcs said:

Probably just boilerplate.

I doubt it is boilerplate. A data controller must clearly say why it needs personal data and how it plans to process it (this applies to all countries in the EU - EU directive 95/46).

UK Data Protection Act says:

Quote

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Interpretation:

Quote

be clear from the outset about why you are collecting personal data and what you intend to do with it;

 

Edited by T8493

Probably just boilerplate.

It might be due to KYC and AML. Thinking if they ping a country for records and said country wasn't too fussy about what they release?

Ex: If they do background checks some jurisdictions hold police responses to mental illnesses as an encounter.


56 minutes ago, Mercury said:

It might be due to KYC and AML. Thinking if they ping a country for records and said country wasn't too fussy about what they release?

Ex: If they do background checks some jurisdictions hold police responses to mental illnesses as an encounter.

I'm not sure they can reasonably process mental health details in such situations. They probably must just delete or anonymize such information.

Processing sensitive information is allowed only under very specific conditions:

Quote

 

However, if the information is sensitive personal data, at least one of several other conditions must also be met before the processing can comply with the first data protection principle. These other conditions are as follows.

  • The individual whom the sensitive personal data is about has given explicit consent to the processing.
  • The processing is necessary so that you can comply with employment law.
  • The processing is necessary to protect the vital interests of:
    • the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
    • another person (in a case where the individual’s consent has been unreasonably withheld)
  • The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
  • The individual has deliberately made the information public.
  • The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
  • The processing is necessary for administering justice, or for exercising statutory or governmental functions.
  • The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

 

 

The consent must be explicit. I'm not very familiar with the UK Data Protection law but this often (usually) implies prior written (and specific) consent (which GateHub doesn't have).

About consent:

Quote

This suggests that the individual’s consent should be absolutely clear. It should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made.

 

Of course, I'm assuming that no other UK law demands collecting mental health details....

Edited by T8493

30 minutes ago, T8493 said:

I'm not sure they can reasonably process mental health details in such situations. They probably must just delete or anonymize such information.

Processing sensitive information is allowed only under very specific conditions:

GateHub may not keep such information, but don't they still have to state they might be receiving such data? These regulations are a mess.


4 minutes ago, Mercury said:

GateHub may not keep such information, but don't they still have to state they might be receiving such data? These regulations are a mess.

If they receive such data, then the other party must have the consent of the GateHub customer OR the other party must be legally obliged (by law) to give GateHub such data - at least in the EU.

EU Data Protection Directive is quite clear.

If their intention was to cover the case when they erroneously receive sensitive personal data from other sources, then why didn't they include all possible classes of sensitive personal data? Why did they include only 4 classes? This doesn't make sense to me.

 

 

Quote

 

Sensitive personal data means personal data consisting of information as to -

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

 

 


I have no idea then.

I was recalling that here (Canada) there were cases of citizens being denied entry into the US over years-old reports linked to mental health (ex: suicide prevention by a police officer), that were shared in a data dump exchange. It only affected some people based largely on how their local law enforcement gathered/filed and stored the data. I thought that if they are doing KYC/AML on users outside the EU that their local law enforcement might turn over all legal notices.

I believe that the EU is the only region where the right to personal privacy is deemed a human right? And that this is overruled in cases of national security? So it might be linked to that... I mean, mental health, race, religion does sound like a national security profile...

 


10 minutes ago, Mercury said:

 

I believe that the EU is the only region where the right to personal privacy is deemed a human right? And that this is overruled in cases of national security? So it might be linked to that... I mean, mental health, race, religion does sound like a national security profile...

 

The UK just left us ... 


I think this information is related to job interviews. The registration lists "to support and manage our staff" as one of the purposes.


9 hours ago, T8493 said:

I doubt it is boilerplate. A data controller must clearly say why it needs personal data and how it plans to process it (this applies to all countries in the EU - EU directive 95/46).

My point being that they may occasionally have to deal with this sensitive info (gets passed to them during KYC/AML, see it for employee background checks, etc.) but I have to doubt that GateHub cares about the health information or union membership of its customers. It's a standard, cover-your-ass legal disclaimer that I'd bet just about any other organization that collects and processes data on their customers or employees must make.

Edited by Guest

8 minutes ago, tomxcs said:

My point being that they may occasionally have to deal with this sensitive info (gets passed to them during KYC/AML, see it for employee background checks, etc.) but I have to doubt that GateHub cares about the health information or union membership of its customers. It's very much a standard, cover-your-ass legal statement that I'd bet just about any other organization that collects and processes data on their customers or employees must make.

Probably.

But there is one catch. Their wording mentions only 4 classes of sensitive personal information. But they can clearly come in contact with other classes of personal information which are not mentioned. 

EDIT: But all this guessing is somewhat pointless, because GateHub - as a data controller - must provide an unambiguous explanation of how they process personal info anyway.

 

Edited by T8493
