This guide is based on UK law. It was last updated in February 2008.
Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights were revised and superseded by the Data Protection Act 1998 which came into force on 1st March 2000. This Guide explains what you should know about data protection under the Data Protection Act 1998 ('the Act').
When does data protection law apply?
Data protection law applies whenever a data controller processes personal data. These words are given special meanings by the Act.
A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. In other words, you will be a data controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a data controller is an employer.
Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Act as 'data subjects'.
The Act applies when personal data is processed or is to be processed by a computer, or is recorded or to be recorded in a structured manual filing system. There are other types of system covered by the Act, but these are the most common.
Whether or not manual files are covered by the Act is not always an easy question to answer. To be covered:
- there must be a set of information relating to individuals,
- which is structured either by reference to individuals or by criteria relating to individuals,
- in such a way that specific information relating to particular individuals is readily accessible. If your manual files fall within this definition, you will have to comply with the Act.
The term 'processing' covers virtually any use which can be made of personal data, from collecting the data, storing it and using it to destroying it.
What are the obligations?
The data protection principles
In order to comply with the Act, a data controller must comply with the following eight principles:
- The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
- Data should be obtained only for specified and lawful purposes.
- Data should be adequate, relevant and not excessive.
- Data should be accurate and, where necessary, kept up to date.
- Data should not be kept longer than is necessary for the purposes for which it is processed.
- Data should be processed in accordance with the rights of the data subject under the Act.
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Other requirements for data controllers
Under the first data protection principle, a data controller must justify its processing of personal data under one of the following conditions:
- the data subject has given his consent to the processing;
- the processing is necessary for the performance of a contract or the entering into of a contract to which the data subject is a party;
- the processing is necessary for compliance with any legal obligation to which the data controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject;
- the processing is necessary for the administration of justice; or
- the processing is necessary for the purposes of legitimate interests pursued by the data controller provided such processing does not harm the rights and freedoms or legitimate interests of data subjects.
The data controller must also register with the Information Commissioner ('the Commissioner').
Sensitive personal data
Where the data controller intends to process sensitive personal data, there are further conditions. Sensitive personal data consists of information relating to the racial or ethnic origin of a data subject, his political opinions, religious beliefs, trade union membership, sexual life, physical or mental health or condition, or criminal offences or record. Of these further conditions, the most useful to most businesses will be:
- where the data subject has given his explicit consent;
- where the processing is required for the purposes of complying with employment law;
- where it is necessary to establish, exercise or defend legal rights.
If none of the conditions can be met, processing cannot legally continue.
Purposes of processing
Data subjects must be given information about the purposes of the processing. This information is generally provided in the form of a data protection notice, which can be given in application forms, terms and conditions, by telephone or on a website. The information to be set out in a data protection notice must include a description of:
- details of the data controller;
- the purposes for the processing, including any non-obvious purposes (e.g. cross-mailing, host mailing);
- details of any recipients of the personal data (e.g. other companies within the group) and their purposes;
- an opt-out / opt-in to marketing, as appropriate;
- a description of the methods to be used for contacting individuals for marketing purposes (e.g. telephone, fax, SMS, email and/or mail); and
- any other information that is necessary to make the processing fair (e.g. whether it is obligatory to provide all the information requested or whether provision of some of that information is optional).
By using an appropriately worded data protection notice, an online business can ensure that there is consent from visitors to its web site to allow the business to build a valuable contacts database and market its services to the visitors.
Data controllers must put in place adequate technical and organisational measures to safeguard personal data which they are processing from destruction, adequate loss, unauthorised access or disclosure. This would include, for example, using a secure server when payments are made online.
Furthermore, all data controllers must put in place processing contracts with their 'data processors'. A data processor is a third party appointed by the data controller to process personal data on its behalf, although it will still be the data controller who ultimately decides what happens to the data. These processing contracts must be in writing and must set out what the data processor may or may not do with the personal data, including what security measures should be taken to safeguard the data. Data controllers should reserve for themselves the right to audit data processors to ensure compliance with the contract.
To give a practical example, if a website collects e-mail addresses, this could constitute personal data – so the data controller not only has to register with the Commissioner but ensure that security be put in place to guard against hacking. If the website is actually hosted by a third party on behalf of the data controller, then the data controller will have to contractually oblige that third party to put the relevant security in place. Of course, the data controller will also have to comply with other principles.
Transfer of data overseas
If personal data is disclosed or made available to a person overseas, that is considered a transfer for the purposes of the eighth data protection principle above. In the context of the internet, if the information is placed on a website without specific consent from the individual, this may be in breach of the Act since the data can be accessed in countries with less stringent data protection laws.
Rights of individuals
Data controllers must give the following rights to data subjects:
- the right of access to his or her personal data;
- the right to object to certain processing causing substantial damage or distress;
- the right to object to automated decision taking; and
- the right to object to direct marketing.
The most important of these rights is the right to access personal data. An individual may request access to all personal data of which he or she is the subject and which is being processed by the data controller. The data controller may require the data subject to pay a maximum fee of £10, to make the request in writing and to provide enough information to identify and verify the identity of the data subject making the request. There are exemptions from these access rules in certain limited circumstances.
Another right which will be of importance to any organisation which markets to individuals, is the right given to data subjects to object to direct marketing. There are no exemptions to this right.
What are the consequences of non-compliance?
Compliance should not be taken lightly as the new Act has more teeth than its predecessor, the Data Protection Act 1984. The Commissioner has been given extensive powers of enforcement which rival those of the VAT man. Data controllers could, for example, find these new powers used against them by disgruntled employees or customers, who contact the Commissioner to complain that there has been a breach of the rules.
The Commissioner can now serve a data controller with an 'information notice' requiring the data controller to provide certain information within set time limits. Failure to comply with such notice, or providing deliberately false information, is a criminal offence. If the Commissioner concludes that there has been a breach of the Act, she may then serve a data controller with an 'enforcement notice'. This could force a data controller to cease processing personal data, or cease processing data in a particular way. Failure to comply with an enforcement notice is a criminal offence.
Criminal liability does not lie just with the data controller. It is possible for officers of a company, such as its directors or managers, to be personally criminally liable if the offence has been committed with their consent, connivance or neglect. Employees may also incur criminal liability in certain limited circumstances if they disclose or obtain personal data without authority of the data subjectcontroller.
Although the commission of a criminal offence under the Act will not result in a prison sentence, it will result in fines which, depending on the circumstances, may be of an unlimited amount. In addition the introduction of custodial sentences under the Act is being considered by Parliament. It is also increasingly the case that industry regulators are looking at matters of data security which are similar to those addressed by the Act.
However, the fines are unlikely to be the reason why most data controllers will want to comply. Few data controllers will be able to continue with business as usual if they are prevented from processing personal data as a result of an enforcement notice and no data controller will want the bad publicity which is attached to the unfair processing of personal data.
The increasing use of information technology and the internet ensures that data protection remains one of the most important and relevant laws that online businesses are required to comply with. The internet is all about the transfer of information. Not only is the internet used to disseminate information, but also to collect it. Organisations must look now at how they collect, store and use personal data and ask themselves whether they comply with the Act. This may involve amending employment and marketing practices in addition to internal training.