All year we all work hard to make sure we end up on the Nice List, and avoid that dreaded lump of coal at the end of our bed. But what about Santa himself? Would the very list he proudly holds earn him a lump of coal from the ICO?

This year has been littered with high profile data breaches, from the Electoral Commission, to the Police Service of Northern Ireland. These breaches, and the potential fines from the Information Commissioners Office (ICO) that they might incur, have made us all pay a little more attention to personal data, what it is, and how to hold it securely.

For a little festive magic, let’s examine Santa’s infamous List, and have a think about if this would be personal data, and if it is, if Santa is acting appropriately to process and safeguard this data.

Personal Data

Personal data is any information relating to a particular living person, which can be used to identify the person, whether directly or indirectly. If the data contains the person’s name, or any other identifiable item, such as a nickname, or employee number, this would be personal data.

From this, it should be very clear that Santa’s big list of everyone’s names, and all the naughty or nice things they have done this year, would be personal data.

If a person made a Data Subject Access Request (DSAR) to Santa, for all of the personal data he holds about them, he would have to disclose any letters you have sent him over the years, and his List. However, as with all DSARs, Santa would have to be careful not to disclose anyone else’s personal data. As everyone on the list would be identifiable by their name, he would have to ensure that he redacted all information about everyone else, which would be third party data. The person making the DSAR would only be entitled to see their own name, and naughty or nice status.

Principles of Data Protection

Now we know Santa’s list contains personal data, we have to think about whether he has authority to hold this data under the UK General Data Protection Regulation (UK GDPR).

There are seven key principles set out in the UK GDPR, that Santa, as a controller of personal data, should have considered in order to ensure he has a right to process this data, and that he does so securely.

Lawfulness, fairness and transparency

To process personal data, Santa must have a lawful basis for collecting and using the data. These include consent, contract, legal obligation, vital interests, public task, and legitimate interests. For jolly St Nick, he would likely rely on public task, as the processing is necessary for him to perform his official function.

Santa must also ensure that he uses this information in a fair way, not in a way that is unduly detrimental. It might be that labelling the population as naughty or nice depending on his own personal measure of morality, and giving presents or coal in light of this, could be considered unfair, and that would be an interesting debate for the ICO to consider.

Finally, Santa must be clear, open and transparent with people about how their personal data will be used. For most businesses, that means a Privacy Notice like our Data Protection team can help prepare. Here, Santa is almost certainly in breach, as it is not sufficient to rely on the public having an expected level of general knowledge of how data is used. Controllers need to explain this properly to anyone whose data they process in clear and simple language.

Purpose limitation

Next, Santa needs to be clear about the purpose that he is processing this information for, and stick to this original purpose. In this case the purpose is clear, to decide what to give the person. However, like with transparency above, Santa needs to make sure people know exactly why he is processing their data if he wants to be compliant. He also cannot deviate from this original purpose, to for example, decide which particularly nice person to let ride in his sleigh. If he does decide to update the purpose, this should be communicated to all those affected and in his privacy notice!

Data minimisation

To fulfil this principle, a controller must ensure that the data they are processing is adequate, relevant, and limited only to what is necessary. In this case, the information about what someone has done with their year is sufficient for Santa to determine who is naughty and nice, and relevant for the purpose, and no more than needed for that purpose.

Accuracy

For this principle, Santa needs to take all reasonable steps to ensure that the personal data that he processes is not incorrect or misleading. As he is relying on this data for his purpose, he needs to ensure that it is kept up to date. Any naughtiness on Christmas Eve needs to be added to the tally to make sure the right people get the right gifts.

Santa will have to consider how he collects this information, and make sure there are procedures in place to keep this up to date and to correct any errors as soon as they are noticed.

Storage Limitation

Individuals have a right to erasure of their personal data if it is no longer needed for the stated purpose. This means, that for Santa, he needs to think about, and justify how long he holds the List year by year. This will depend on his purposes for this data. So, for example, does the naughty/nice tally across your entire life, or is it decided year on year. If it is year on year, there is no legitimate purpose for Santa to keep the list from one year to another. However, if it stacks, maybe Santa needs the previous years’ lists to determine future lists. If so, it will be very important that these are held securely, and should periodically review if he still needs to retain this.

Santa should also have a policy in place setting out the standard retention periods for this, and might seek legal assistance to prepare this.

Security

Santa needs to take a risk based approach to security and ensure that the protections he puts in place are proportionate to the risk. As his list contains the personal data of every person spanning various countries (which may also include some sensitive personal data), it is clearly very high risk. Data breaches can come from hacking, but also from human error.

Some useful security measures that Santa should consider include, password protecting the list if it is held electronically, investing in cyber security programmes, and training his elves on data processing and security, particularly if they also work remotely.

Accountability

Finally, the controller is ultimately responsible for their compliance with these principles and UK GDPR law. Santa must be able to demonstrate his compliance through appropriate records and measures.

With all of this in mind, it seems that Santa has a few holes in his Data Protection compliance that he will need to address, or he risks jingling all the way to a large ICO fine.

If you find yourselves in a similar Santa situation, please do reach out to our data protection team.

Seasons Greetings to one and all!