In the first of two articles on how to make sure you are not caught
out by the Data Protection Act, a top IT lawyer points the way
ahead as the 24 October compliance deadline looms.
The Data Protection Act 1998 applies to all organisations from 24
October 2001. Every business processes some kind of personal data.
This will include data about customers, business contacts and
employees.
Ignore data protection at your peril. Information is the lifeblood
of every business. If your information flows are threatened, your
business is threatened too. It does not take very much to comply
with the new Act right from the start and put in place processes
and procedures to help your business become and remain compliant.
It is, however, a costly and time-consuming effort to fix things
once they have gone wrong. Many businesses have found, to their
cost, that a database full of valuable personal data is rendered
valueless because those data were unfairly or unlawfully
obtained.
Starting point for compliance
Under the new
Act the first thing you must consider is whether you have a right
to process personal data at all. The first data protection
principle contains an absolute prohibition on the processing of all
personal data unless that processing can be justified under one of
six conditions set out in Schedule 2.
These conditions have been drafted in such a way that they should
cover most processing operations. However, if you cannot find a
condition that justifies your particular processing, then you will
not be able to continue with it under the new Act.
You can process personal data if your processing is covered by one
or more of the grounds set out in Schedule 2:
1. The data subject (ie the person who is the subject of the
personal data) has consented.
2. It is necessary for the entering into or performance of a
contract with the data subject.
3. It is necessary for compliance with any legal obligation to
which you are subject (other than one imposed by contract).
4. The processing is necessary to protect the vital interests of
the data subject (where vital means a matter of life or
death).
5. It is necessary for compliance with any statutory duty.
6. It is necessary for the purpose of your legitimate interests,
except where the processing is unwarranted because it prejudices
the rights of the data subject.
You can use this last ground to carry out your own marketing so
long as you do not disclose the information to anybody else. You do
not need consent to mail your own marketing material to people.
If your processing falls within any of the above conditions, you
can continue to process personal data under the new Act.
Sensitive personal data
The new Act also
introduces a special category of personal data which it refers to
as sensitive personal data. These data are exhaustively defined as
information relating to:
- the racial or ethnic origin of the data subject
- political opinions
- religious beliefs
- trade union membership
- physical or mental health or condition
- sexual life
- the commission or alleged commission by the data subject of any
offence, or any court proceedings or sentences in respect of any
offence.
If you process any of the above sensitive personal data, you must
in addition to finding a condition under Schedule 2, find another
condition under Schedule 3.
Schedule 3, together with a Statutory Instrument which has recently
been published and is available from the Home Office website, lays
down the conditions relevant for the processing of sensitive
personal data.
The most useful conditions in Schedule 3 for most organisations are
described below. You can process personal data if:
- the data subject has given his or her explicit consent
- the processing is necessary in respect of rights or obligations
conferred or imposed by law in connection with employment
- the processing is necessary to protect the vital interest of
the data subject or another person in cases where consent cannot be
given or has been unreasonably withheld
- the processing is carried out by a non-profit-making body
- the information contained in the personal data has been made
public by the data subject
- the processing is necessary for the purposes of establishing,
exercising or defending legal rights or for any legal
proceedings
- the processing is necessary for the administration of justice,
by or under any enactment or for government departments
- the processing of racial or ethnic origin is necessary for the
monitoring of equality of opportunity.
There are two additional conditions which are specifically for the
benefit of the insurance or pensions industries. The first allows
processing of health information about members of a policyholder's
or member's family (eg spouse, siblings) where their consent cannot
reasonably be obtained by the insurer or pensions trustees.
The second allows the continued processing of sensitive personal
data for the purpose of insurance business or occupational pensions
if the insurer or pensions trustee was already processing those
data before 24 October 1998. If this is the case, the insurer can
continue the processing without having to obtain the data subjects'
explicit consent.
Data protection notices
The requirement to justify all processing under Schedule 2 and,
where appropriate, Schedule 3 is fundamental to the new Act.
However, your obligations under the first data protection principle
do not stop there. In addition, a data controller (ie the person
who determines the purposes for which and the manner in which
personal data are processed) is also obliged to give data subjects
certain information describing the processing. This information is
usually given in the form of a data protection notice or privacy
statement.
The giving of data protection notices is an essential part of the
new Act. Your processing will not be fair unless you give these
notices to the right people at the right time. Failure to do so may
compromise the collection and subsequent processing of personal
data. Many companies have come unstuck in this area and found
themselves, a year or two later, unable to use vast amounts of data
which had been unfairly collected. Getting the notices right is the
key to success under the new Act.
Where the information has been collected directly from the data
subject, the form of notice to be given is known as the article 10
notice (this name is derived from the article of the EU directive
on data protection which describes the list of information which
has to be given in the notice). Where the information is collected
not directly from the data subject but from a third party, the data
controller must still give the data subject the data protection
notice, and in this case it is known as the article 11 notice.
The type of information that must be given is prescribed. However,
previous data protection case law and guidance notes issued by the
Data Protection Commissioner have added several layers to these
notices. It is now, therefore, rather more complicated to get these
right. The following is a checklist of the kind of information your
notice should contain:
- the full legal name of the data controller (eg the legal name
of the company)
- the purposes for the processing, including all non-obvious
purposes (eg credit checking, host mailing, marketing by telephone,
fax or e-mail, analysing transactional data)
- any disclosures to third parties (eg other companies within the
group, other carefully selected third parties)
- the purposes for which those third parties will use the
personal data
- methods of contact for marketing purposes (eg telephone,
e-mail, SMS, fax or mail)
- an opt-out of your own marketing and that of third
parties.
One thing should be made absolutely clear: giving a notice is not
the same as obtaining consent. If you need to obtain consent in
order to justify your processing (for example under Schedules 2 and
3), then you must draft your notice so that it contains consent
wording and you must ensure the data subject indicates that he or
she consents by giving you some positive indication.
You may need to obtain explicit consent if you are processing
sensitive personal data about your employees or if you intend to
transfer personal data relating to your customers to countries
outside the European Economic Area (EEA).
If the data protection notice (with the consent wording) is
included on an application form or website registration page or
other page which must be completed and returned to the data
controller by the individual, this is the most effective way of
obtaining that individual's explicit consent to the
processing.
In essence there is little difference between consent and explicit
consent. The new Act does not give any guidance on this point,
although it requires consent in Schedule 2 and explicit consent in
Schedule 3. The general view is that the courts will recognise
consent when they see it and that the best way of obtaining
explicit consent is to make sure that you inform the individual
fully and frankly of everything that you intend to do with his or
her sensitive personal data and what those data consist of (eg
medical information, criminal convictions etc).
Consent requires a positive action on the part of the individual.
For example, a registration page which contains a data protection
notice either immediately above or beside the accept/reject button
is a good way of obtaining both consent and explicit consent to the
terms of that notice: the individual completes the page, sees the
notice, clicks the accept button and returns the form to the data
controller.
There can be no clearer indication of consent to the terms of the
notice than this. If the individual does not agree with those
terms, he or she is always free to go elsewhere.
Data protection and marketing
The issue of marketing must also be dealt with in the data
protection notice. There is little doubt that the use of personal
data for marketing purposes is fundamental to every business. The
new Act gives individuals the absolute right to opt out of having
their personal data processed for marketing purposes.
This was the practice under the old Data Protection Act 1984 (the
"1984 Act"), but be warned that you will be under a legal
requirement to comply with any opt-out. Failure to comply will be a
breach of the new Act and could expose your business to enforcement
action by the Commissioner and a claim for compensation from the
data subject.
It is not just the new Act that you must be aware of where
marketing is concerned. The Telecommunications (Data Protection and
Privacy) Regulations 1999 have had a substantial impact in respect
of the use of telephone and fax for direct marketing purposes. The
Distance Selling Directive and the E-Communications Directive will
have a similar effect on marketing by e-mail.
Many data controllers use the telephone to encourage business and
many of these businesses are now finding that they can no longer do
so unless they have first screened their telephone lists against
the Telephone Preference Service (TPS).
That includes their customer lists as well as their prospect lists.
Even so, it is still not lawful to call people, unless they have
previously been given a notice to say that they will be called for
marketing purposes, and they have not objected.
What is not commonly known is that if a person's telephone number
was obtained in circumstances where they consented to receiving
marketing telephone calls, then those calls can continue even if
that person subsequently registers with the TPS.
The data protection notice is a way in which you obtain a person's
consent to being marketed by telephone. That is why it is crucial
to include the appropriate wording to cover this situation. Even if
you are not telemarketing or SMS marketing at present you may wish
to do so in the future. You should draft the notice so that it
covers all your business' processing needs for the next five
years.
The requirements of the first data protection principle have been
considered above in some detail, because that is the most crucial
of all the principles. However, there are seven more principles and
each imposes upon data controllers certain obligations in respect
of the processing of personal data. None of these can be ignored
and, in particular, you need to be aware of the seventh and eighth
principles which are covered in the next article.
©Masons 2001
Shelagh Gaskill is a partner at international
law firm Masons where she heads the Data Protection and Information
Law team. She is also joint editor of Sweet & Maxwell's
Encyclopedia of Data Protection.