Author Peter Goodman

Date 14 September 2006

The Data Protection Act 1998 (DPA) has been in force for some time and the vast majority of people have heard of it. But, as a business, do you know what your obligations are? Any “personal data” that is “processed” or “controlled” by you will, as a rule of thumb, come within the scope of the DPA. So what does “processing”, “controlling” and “personal data” mean?

The term “data” means information which is predominantly “processed” by means of automated equipment, such as a computer, but extends to manual records. Data is “personal data” if it relates to a living person who can be identified from the data (the “data subject”) and is in the possession of the “data controller”, or is likely to come within the possession of the “data controller”.

A “data controller” is someone (including a company) who decides how and for what purpose personal data is to be processed. A person or company can be a data controller if the data to be processed is held by a third party (this is relevant where one company might outsource a function such as payroll to another firm). A “data processor” is any person (other than employees of the data controller), who processes the data on behalf of the data controller.

The scope of information which qualifies as “data” is wide ranging and the information does not have to be confidential. Names, addresses, dates of birth and job titles are all data. A client database contains data. “Sensitive data” includes information regarding a person’s race, health, criminal record and religious beliefs. Sensitive data is subject to further controls which are discussed below.

The term “processing” is widely defined and encompasses activities such as recording, holding, using, obtaining or removing data. “Controlling” data means the determination of the purpose and manner in which data is held or processed. The DPA sets out a number of principles which must be adhered to by data controllers and data processors:

  • All data must be processed lawfully and fairly
  • Data must be accurate
  • Data must only be gathered for the specified lawful purpose and not processed in a way that will conflict with that purpose
  • The data that is held should be adequate for the purpose and should not exceed what is necessary for the data controller’s needs
  • Data must only be kept for as long as necessary
  • Adequate security measures should be in place to protect data
  • Data should always be processed in line with the rights of data subjects
  • If data is to be transferred outside the EEA, the destination country must provide adequate protection for the rights of data subjects in relation to the processing of their personal data.

Consent

It is not necessary to obtain the consent of data subjects prior to processing their personal data. However, a data subject does need to give explicit consent for the processing of any sensitive data. Processing of sensitive data will only be deemed to be lawful and fair if at least one of the following conditions is met:

  • The processing is necessary because of the data controller’s duties under the law
  • The processing is done by a not for profit organisation
  • The processing is of data deliberately made public by the data subject
  • The processing is in relation to legal proceedings
  • Processing is necessary to protect the vital interests of the data subject provided that consent cannot be given or cannot reasonably be attained
  • Processing is equal opportunity monitoring
  • The processing is being done by healthcare professionals for medical reasons.

Firstly, all data controllers should notify the Information Commissioner’s Office (ICO) before processing any data. Failure to notify is a criminal offence. Notification is quick and inexpensive, so compliance with this requirement should not be a problem.

What will take some time to prepare and maintain are regular data audits to ensure compliance with the data protection principles outlined above. Data controllers may have to deal with requests made by data subjects to disclose information they hold about them.

The Information Commissioner

The Information Commissioner is in charge of ensuring compliance with the DPA and individuals may contact the ICO if they are worried that their personal data is being misused. The ICO website has a considerable amount of information and guidance on notification, complaints and compliance.

You can also contact your solicitor to discuss compliance and handling requests made by data subjects regarding their personal and sensitive data.

This article is only intended to provide a brief overview of data protection law as applicable in the UK. If you have any questions or would like advice please contact Peter Goodman on 01727 798090 or by email at peter.goodman@salaw.com.

© SA Law 2006
Every care is taken in the preparation of our articles. However, no responsibility is accepted as being owed to any person or organisation that acts on the basis of information contained within them. You should obtain specific advice in respect of individual cases.