Data Protection Information Sheet, Summer 2009
Technological advances over the last twenty years have increased the ease with which data can be stored, manipulated, disseminated and transmitted. This has led to legislative changes to control the way information is handled and improve the protections afforded to individuals regarding personal information held about them. The Data Protection Act 1998 (“the Act”) provides a framework to ensure that personal information is handled properly and protects individuals by imposing obligations on the “processing” of “personal data” by “data controllers” and “data processors”.
What is Personal Data?
“Personal data” in this context means data relating to living individuals (referred to as “data subjects”) who can be identified from that data, or from that data and other information in the possession of the data controller. This will include not only names, addresses, and dates of birth, but also telephone numbers, e-mail addresses and job titles, for example.
Are you a Data Controller?
The data controller is the person or business which determines the purposes for which, and the manner in which, personal information is to be “processed”.
What does it mean to “process” data?
The term “processing” is very widely defined and includes obtaining, recording, storing, using, disclosing or erasing data. Ultimately, it is likely to cover most activities carried out involving personal data.
Eight Data Protection Principles
The Act contains eight “Data Protection Principles”. These specify that personal data must:
- be processed fairly and lawfully
The data subject must be informed of the data controller’s identity and the purposes for which the information will be processed. In practice, this should be provided as early on as possible, for example at the start of a telephone call or in the footer of the initial landing page of a website. The data controller also needs to ensure that the data subject has consented to the processing or that one of the other processing conditions in the Act is fulfilled. However, if the information being processed is “sensitive personal data” (for example, indicating the racial or ethnic origin, political opinion, religious beliefs, health, sexual life or past convictions of a data subject), then explicit consent must be given.
- be obtained for specified and lawful purposes
The data subject must be aware of the purpose for which the data was collected at the time of collection. Data controllers should review these purposes and notify data subjects if they change.
- be adequate, relevant and not excessive
In practice, this means that existing data should be kept under review by the data controller and that only data which is necessary for the specified and lawful purposes should be retained.
- be accurate and kept up to date
Data controllers are generally required to update all databases.
- not be kept any longer than necessary
There is no specific guidance on this, but data controllers will need to consider data subjects’ expectations, storage issues, and statutory limitation periods in respect of potential claims. Data controllers should formulate a retention policy and ensure all staff members apply it.
- be processed in accordance with the rights of the data subject
Data controllers should note that a data subject is entitled to receive information relating to whether his or her personal data is being processed, a description of the personal data being processed, the purposes for which it is being processed, and the persons to whom it may be disclosed. In addition, any individual making such a request (otherwise referred to as a ‘data subject access request’) should be provided with copies of the information promptly and in any event within 40 days of receipt of the request.
- be stored securely
This is a particular problem where data is collected over the internet. There have been several high-profile security breaches in the recent past. In the event of a breach, the Information Commissioner (the body which deals with breaches of the Act and takes enforcement action) is likely to treat an organisation far more harshly if it does not process data securely.
- not be transferred to any other country outside the European Economic Area without adequate protection
The question of what constitutes ‘adequate protection’ is a complicated one. However, a data controller may make an assessment of adequacy by taking into account a number of factors. In addition, there are certain derogations from the eighth principle which might apply, notably US organisations which adhere to the “Safe Harbour” rules or sign up to specific contractual undertakings.
What does this mean for you?
Data protection laws are of great significance to businesses in the UK. Businesses need to pay close attention to the processing of personal data of their employees, and to the monitoring of employees’ e-mail and internet usage. Data protection policies should provide the necessary information to staff and customers, and businesses should seek the appropriate consents from employees and customers. They should also consider policies for retention of employee and customer data.
If you are involved in carrying out commercial transactions, there will almost certainly be processing of personal data in the course of, for example, share or business sales, joint ventures and service agreements. If you carry out any direct marketing, you should be aware of the relevant rules, codes and guidance that have been issued to promote good practice in relation to direct marketing activities.
Companies which are part of a larger group with an overseas presence must ensure that personal data is not circulated around the group in breach of the eighth data protection principle (see above).
Companies should be vigilant in ensuring that adequate data protection policies which comply with the eight principles are in place in their workplace. All businesses have a legal obligation to notify the Information Commissioner about their processing of personal data, including the kinds of information they process, and the purposes for which the information is used. These details are then placed by the Information Commissioner on a public register. The current notification fee is £35, and a failure to notify can result in a fine of up to £5,000.
If you are involved in any processing or controlling of personal data, you need to ensure that you are fully compliant with your obligations under the Act. As well as exposure to reputational risks, non-compliant businesses risk substantial monetary penalties or even criminal sanctions.
Laytons has an experienced Data Protection team which advises on the creation of policies, responding to and enforcing data subject access requests and all aspects of corporate data protection compliance. We also provide a full auditing service.
For further advice or more information, speak to your usual Laytons contact or contact:
Contact Esther Gunaratnam: email firstname.lastname@example.org
Contact Ben Crichton: email email@example.com
Contact Paul Caddy: email firstname.lastname@example.org
This Guide is a general guide only to what is a very complex area; action should be taken only after specific advice has been sought. © Laytons Solicitors London 2009.