Is Your Data Protected?

Over the last couple of years most organisations have been pre-occupied with one major issue – the Year 2000 and their IT systems. With so much emphasis being placed on this issue with concern over whether systems would operate and whether businesses would continue past December 1999, many organisations are not aware that a new piece of legislation has come into force, namely the Data Protection Act 1998.
The Y2K issues seem to have died down now, so this article aims to bring the issue of data protection to the front of your thinking. Most organisations are aware that legislation has existed since the introduction of the 1984 Data Protection Act. The 1998 Act redefines some of the major principles of the 1984 Act and extends both the responsibilities of organisations and the rights of individuals.

Holding data about individuals?

Then read on because this affects you.

What exactly is Data Protection?

The 1998 Act defines data as information which:

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose

  • is recorded with the intention that it should be processed by means of such equipment

  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system

  • does not fall within the above but forms part of an accessible record as defined by section 68 (of the Act)

By ‘protecting’ data we mean ensuring that personal data about an individual is processed in accordance with legal requirements in order to protect the rights of the individual. The 1984 and 1998 Acts define the particular legal requirements that are to be adhered to.


Significant features of the Data Protection Act 1998

For those of you who became experts in the 1984 Act, don’t think that this Act is the same. There are new definitions for the terms ‘data’, ‘personal data’ and ‘processing’ which will have the effect of substantially broadening data protection regulation in the UK; personal data will now include new types of data such as sounds and images.

Importantly, there is a definition of a ‘relevant data filing system’ (an expanded definition of personal data) to reflect the Directive’s requirement that personal data held in structured manual files be brought within the data protection regulatory scheme.

There are also changes in the following significant areas:

  • Updated Data Protection Principles.

  • New requirements for processing Personal Data.

  • New rights for Data Subjects.

  • New rules controlling the processing of sensitive personal data.

The Act is applicable to every organisation that holds or processes data about any individual or organisation. There are to be broad exemptions for data held exclusively for journalistic, artistic or literary purposes.

The Act creates a category of “Special Purposes” covering journalism, artistic and literary purposes. Only in this respect have the remedies available to data subjects been reduced. The 1984 Act made no concessions to, or special provisions for, the media; by comparison, the 1998 Act makes substantial exemptions in favour of those who obtain information with a view to publication in circumstances which would have been prohibited for other data controllers as being either unfair or unlawful obtaining or processing of personal data.

The Data Protection Registrar becomes the Data Protection Commissioner, and has somewhat extended powers to regulate data controllers, the new name for data users.

Data Subjects are given strengthened remedies, including a new right to prevent processing likely to cause them damage or distress, and a right not to be subjected to wholly automated decision making.

Registration is now called notification, and the Commissioner is given power to require information to be provided by Data Controllers: the lack of any such power under the 1984 Act has proved a constraint on the Registrar’s ability to enforce its provisions.

Those who, as data users under the 1984 Act, control the contents and use of personal data will find that, as data controllers under the Act, they have obligations which broadly match their current obligations as data users, but with extensions to personal data recorded or intended to be recorded as part of a personal data filing system.

Data Protection and Europe

The European Community’s Data Protection Directive, 95/46/EC, defines Data Privacy within the context of data relating to identified persons and seeks to ensure that the same basic rules are obeyed throughout the Single Market comprising the European Union. The Directive has been adopted by all Member States at governmental level, and all Member States entered into a legal obligation to implement its requirements in law by 24th October 1998.

The objective of the Directive is to promote the development of the Information Society with all its implications – both business and social – within the context of a European view of Data Privacy. This will allow the Information Society to develop in Europe in a fashion that is acceptable to its citizens, rather than allowing businesses to obtain a competitive edge at the expense of the rights of particular groups of citizens.

The Data Protection Act 1998 is designed to implement the requirements of the Directive in UK law. The requirements of the Directive only apply within the legal competence of the European Union. The government decided to introduce primary legislation in order to avoid the possibility of having two different Data Protection regimes within the UK according to whether the processing fell within or outside the EU’s legal competence. It is open to all EU countries to introduce stricter requirements than the Directive, but they cannot reduce the rights and requirements set in the Directive, except where specific exceptions are permitted. The definitions and requirements set out in the Directive are not optional, although the Directive provides a number of options that can be chosen by Member States.

In the event of a legal challenge, the requirements of the Directive would take precedence over UK law, if that law has not adequately implemented the requirements of the Directive.

The Eight Principles

The 1998 Act incorporates Eight Data Protection Principles, as before, but the details and interpretation are different. A new Principle 8 is concerned with transfers of Personal Data outside the European Economic Area, while the first three Principles of the 1984 Act have been condensed into two.

First Principle

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

A - at least one of the conditions in Schedule 2 is met and

B - in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

In considering whether personal data are processed fairly, consideration must be given to the way in which they are obtained:

  • Was any person (from whom the data were obtained) deceived or misled about the purpose for which the data are to be processed?

  • Was the provider of the data authorised by law, or required to supply the data under an international obligation on the UK?

Where the data are provided by the data subject, the data controller must tell the data subject:

  • The identity of the data controller or his nominated representative.
  • The purpose for which the data are intended to be processed.
  • Anything else necessary to enable the processing to be fair.

If the personal data contain an identifier (e.g. NI or NHS number), which relates to an individual and similar identifiers are in general use, then lawful processing must obey the conditions that have been laid down for such a general identifier.

The Second Principle

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The purposes for which personal data are to be used can be specified in many ways. In particular, a notice to the data subject issued because of the first principle will satisfy the requirement. Equally, a notification to the Data Protection Commissioner will suffice.

Where the data are disclosed to a third party, the purposes for which that third party uses the data, must also be considered.

The Third Principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Ensuring that the personal data are adequate is normally straightforward, but care should be taken with default settings. Although default settings can substantially simplify the processing of data, it is vital that those using the systems properly record the information that is actually obtained, without either making assumptions because their ‘system’ requires a value in a field, or too rapidly accepting default values suggested by the system.

Maintaining relevance and avoiding the collection of excessive items of personal data is vital to the collection and processing of Personal Data, because collecting data on the basis that ‘it might be useful’ would contravene this Data Protection Principle. For example, asking for both a daytime and an evening telephone number is clearly irrelevant and excessive where the only telephone contact will be during the day and no emergency action may be required. The uncontrolled use of free-format fields completed by end users may breach this principle and is particularly dangerous.

The Fourth Principle

Personal data shall be accurate and, where necessary, kept up to date.

Data are inaccurate if they are incorrect or misleading as to any matter of fact.

It is not always possible to have accurate and up-to-date data. However, data controllers must make reasonable efforts to ensure the accuracy of the data. Furthermore, they must take appropriate steps to ensure that their data are kept up to date where this is necessary for the notified purposes of the processing. If the data subject notifies the data controller of his or her view that the data are inaccurate, the data must either be corrected or be marked to indicate the view of the data subject.

The Fifth Principle

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This is a straightforward requirement. The collection and storing of data is within the definition of processing, so the data protection principles apply for as long as personal data are kept. By ceasing to keep personal data, data controllers remove these obligations.

Erasing and destroying data are also within the definition of processing, so the protection continues until the data are no longer kept by the data controller.

The Sixth Principle

Personal data shall be processed in accordance with the rights of data subjects under this Act.

The data subject has the following rights under the Act:

  • A right of access to personal data.

  • A right to prevent processing likely to cause damage or distress.

  • A right to prevent processing for purposes of direct marketing.

  • Rights in relation to automated decision making including the right to have logic explained.

The Seventh Principle

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

When considering the level of security measures to be taken, the judgement must take into account the following:

  • The state of technological development in the field of data security.

  • The cost of implementing the proposed measures.

  • The harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage.

  • The nature of the data to be protected.

The data controller must ensure the reliability of the staff that have access to personal data. Where the data controller uses an external organisation, called a data processor, to process personal data, the seventh principle still applies. The data controller must use only those data processors that provide sufficient guarantees for the level of security of the data, and must take reasonable steps to ensure that the data processor complies with the security measures.

The Eighth Principle

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Act describes an ‘adequate level of protection’ as one that is adequate in all the circumstances of the case and having regard to:

  • The nature of the personal data.

  • The country where the data came from and where it is to go.

  • The purposes for which and period during which the data are intended to be processed.

  • The law in force in the destination country, its international obligations and any relevant codes of conduct or other rules which are enforceable in that country.

  • Any security measure taken in respect of the data in the destination country.

The Eighth Principle does not apply where:

  • The data subject has given his consent to the transfer.

  • The transfer is necessary under a contract between the data subject and the data controller, or at the request of the data subject with a view to his entering into a contract with the data controller.

  • The transfer is necessary under a contract or the conclusion of a contract between the data controller and a person other than the data subject which was entered into at the request of the data subject, or is in the interests of the data subject.

  • The transfer is necessary for reasons of substantial public interest as may be defined in regulations.

  • The transfer is necessary for, or in connection with, any legal proceedings (including prospective legal proceedings), is necessary for obtaining legal advice, or is necessary for establishing, exercising or defending legal rights.

  • The transfer is necessary in order to protect the vital interests of the data subject.

  • The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.

  • The terms of the transfer are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.

  • The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

Notification and penalties

If you are already covered by an existing registration, you will probably not need to re-register (notify) until the existing data protection registration reaches the end of its normal life, which in most cases is three years from the date of registration. It is advisable, however, to clarify this and to check existing registrations.

If any of your systems are not covered by an existing registration, you may need to notify the Data Protection Commissioner. Registration is now called ‘notification’. All data controllers are required to notify their use of personal data unless such a use is granted an exemption.

Anyone not complying can be prosecuted under either Act of Parliament depending upon the date and decisions by the Secretary of State in respect of the implementation of the 1998 Act and the repeal of the 1984 Act.

The penalties for a breach of the law are generally sufficiently large that no organisation could expect to withstand wilful non-compliance. The Act imposes requirements on both companies and staff in their processing of Personal Data and individuals can be prosecuted for non-compliance.

Directors and managers of corporate bodies have specific liability in this context. Any challenge to an individual or company could lead to action by the Commissioner, which could put those individuals or that company’s activities at risk. The Commissioner has greater powers than the previous Registrar and will be able to obtain information from organisations through an Information Notice, which was not previously possible. Enforcement of the principles will be achieved by the Data Protection Commissioner issuing enforcement notices, a breach of which will be a criminal offence.

Rights of a Data Subject

The data subject has a number of rights under the 1998 Data Protection Act, some of which did not exist under the previous legislation. The data subject now has the right:

  • To be informed about the use made of his/her personal data.

  • To be provided with a copy of his/her record.

  • To be informed on demand about the purpose of processing, the source and the recipients, or classes of recipients, of the data.

  • To object where substantial damage or distress may be caused.

  • To object where personal data are used for direct marketing.

  • To be informed on demand of the logic used in purely automatic decisions using his/her personal data.

  • To have data corrected, erased or blocked where appropriate.

  • To have previous recipients of corrected, erased or blocked data informed.

You must tell the data subject when you collect the data from him/her:

  • The name of the data controller and the name of the data controller’s representative (if any).

  • The purposes for the data.

  • Any other relevant information, such as intended recipients of the information.

If you don’t have dealings with the data subjects directly, you should still attempt to get in touch with them and let them know.

You must be prepared to cease processing if the data subject has a valid reason to complain about what you are doing but, in any case, the data subject has an absolute right to demand that you cease processing for direct marketing purposes.

Except under limited circumstances, you should not rely entirely on automatic decisions affecting the data subject. If there are any such decisions, you must be prepared to explain the logic behind them. You should also be prepared to revise these decisions or make them by some other means using a human being.

Act Now!

Just as with the Y2K issue, the advice is: don’t just sit back and think that you are not affected. The legislation applies to all organisations and individuals, whatever their structure and purpose. It covers the public and the private sector: businesses and not-for-profit organisations, limited companies, partnerships, unincorporated bodies, and the self-employed. The only exception is that it does not cover data held purely for domestic and personal purposes.

Useful services and other info...

If you haven’t already done so, check your registration and ensure that you are in compliance. If in doubt contact your auditors, consultants or the Data Protection Commissioner.