IMI - Data Protection and Privacy Notices
To help Member States comply with data protection rules, the European Commission have issued a recommendation on the exchange of data via the IMI system (PDF). Much of this recommendation outlines the parameters for using IMI and covers good practice which is already observed in the UK. However, there are a couple of actions which competent authorities, including local authorities, need to consider:
Informing service providers - privacy notices
The Commission recommend that competent authorities tell service providers that their personal data may be exchanged with other authorities via IMI and advise them of their rights of access. Although it is up to each competent authority to decide how to convey this information, a simple solution would be to include something in a privacy notice.
A privacy notice is a statement that individuals are given when information is collected about them. Most, if not all, authorities already publish a privacy notice on their website. We therefore recommend authorities add some text to their existing notices to inform service providers about the exchange of information via IMI.
It is up to each authority to decide what to include in their privacy notices, but there are some important points you should reflect:
- IMI is a web-based portal developed by the European Commission. It enables messages and information to be exchanged between authorities in a secure environment, and complies with data protection rules.
- Competent authorities will use the system to exchange information on service providers who are in scope of the Services Directive. Authorities must have good reason to request information, and provide justification when submitting a request.
- Only competent authorities involved in a request for information can see the personal details of a service provider.
- All personal data is automatically deleted from the system six months after the closure of a request.
- UK competent authorities are obliged to notify service providers if they supply sensitive data about them, such as that relating to disciplinary action or criminal sanctions, to other authorities.
Your privacy policy should already include information about rights of access and contact details. If it does not, or if you do not currently have a privacy policy, you might find it useful to consult the Privacy notices code of practice (PDF) published by the Information Commissioner’s Office (ICO), which gives further guidance on what a good privacy policy should include.
Amending your ICO notification
All UK bodies that process personal data should already be registered with the ICO. As exchanging information via IMI will be a new use of personal data for most competent authorities, you should amend your notification entry with the ICO to reflect this. Please see their website for simple instructions on how to do this.