GDPR: Trustees & PRs
'GDPR' is the EU's General Data Protection Regulation, which has been in force in the UK for just over two years.
It requires anyone who holds personal information that can identify another natural, living person to comply with data protection rules, unless they are exempt, e.g. only acting in a ‘purely household or personal capacity’. Until recently, the scope of this exemption and the application of the wider rules has been unclear in relation to trusts and estates.
It is not certain that any official guidance specifically for trustees and personal representatives of deceased estates will be forthcoming from the Information Commissioner’s Office (ICO). Meanwhile, some guidance has recently emerged from the Society of Trust and Estate Practitioners (STEP) for non-charitable trusts/estates under English law. The ICO has not officially endorsed STEP’s interpretation, but has given qualified support to their views. Further guidance may be issued, but the key points to be clarified so far are:
Unpaid trustees and PRs who are not acting in a professional capacity should be able to rely on the ‘purely household or personal’ exemption. Claiming expenses does not count as payment for these purposes. This exemption should therefore take unpaid, lay trustees and PRs outside the regulations and should also exempt professionals acting without pay outside of their firms (e.g. if acting for family and friends). Where there is a mixture of exempt and professional trustees/PRs, all GDPR responsibilities fall on the professionals. Trustees and PRs who are not exempt are ‘data controllers’ and have separate obligations for each trust or estate they act for. Trustees or PRs who, or whose firms, also advise the trust/estate in a professional capacity have separate obligations in relation to those professional roles.
Lawful grounds for processing
Trustees and PRs who are not exempt must have a legitimate purpose to ‘process’ personal information (i.e. collect, share, use and store it, whether on a computer or on paper). Most trustees and PRs will hold personal data on the basis that it is necessary to fulfil their duties and to comply with other areas of the law. Any sensitive information (e.g. about a person’s race, politics, religion, health or sexual orientation) is likely to be held by trustees and PRs in order to establish beneficiaries’ rights.
It is standard practice for organisations to provide ‘privacy notices’ explaining why the information is held, how long it will be kept, what it is used for, who it will be shared with and the person’s rights in relation to it. However, trustees and PRs holding information provided by a third party, such as a settlor of a trust, should not need to provide notices as a matter of course to all beneficiaries, as there is an exemption where the general law already protects their interests and governs their rights to information. Trustees and PRs should, however, provide privacy information where they collect information directly from the person concerned.
Individuals can request access to their information but are not entitled to disclosure of information which would adversely affect the rights and freedoms of others, including the rights of trustees and PRs. As such, disclosure may be refused in relation to information that is protected under trust law.
Please contact us if you require help with GDPR compliance.