In the second of two articles a top IT lawyer looks at the wide
sweep of the Data Protection Act and analyses the effects on data
security, transfers of data abroad and the rights of the
individual.
Having examined what you need to do to get started with compliance
and understood the importance of data protection notices (see first
article), now let's take a closer look at the seventh and eighth
principles of the Data Protection Act.
Security and data processors
The seventh principle requires that all data controllers put in place
appropriate technical and organisational measures to safeguard
personal data against unauthorised or unlawful processing or
accidental loss, destruction or damage.
This on its own is not surprising. However, the interpretation
section to this principle takes this requirement one step further
by imposing upon all data controllers who use data processors
certain additional obligations.
Data processors are defined in the new Act as any person (other
than an employee of the data controller) who processes personal
data on behalf of the data controller. This is a very broad
definition made more so by the wide meaning of "processing" which
covers every processing operation imaginable from collection to
destruction.
A data processor is, therefore, any one who does anything with or
to personal data. For example, IT consultants, statutory auditors,
pension administrators, external payroll providers, mailing houses
and even other companies within a group, are all potentially data
processors.
The new Act requires that a contract in writing must be put in place between
the data controller and each of his data processors. The contract
must:
1. Require the data processor to comply with obligations equivalent
to those of the seventh principle. In fact, a data controller must
not use a data processor who is unable to provide sufficient
guarantees in respect of the technical and organisational security
measures it will take in respect of the processing.
2. Grant to the data controller the right to audit the data
processor at any time (this will enable the data controller to
ascertain whether the data processor is complying with its
contractual obligations).
3. Specify that the data processor is to act only on instructions
from the data controller.
It also makes sound commercial sense to ensure the contract
specifies that under no circumstances will the data processor gain
any rights in the personal data. The contract should also describe
what is to happen upon termination (eg the return or destruction of
the personal data).
Many organisations have for many years transacted business with
their data processors in such a way that the initial contract (if
there ever was one) has long expired, and the parties conduct their
business on the basis of a course of dealings. There is no doubt
that this is a contract. However, the new Act requires that
contract to be in writing.
Companies with group structures will also be affected and have to
put in place inter-group processor contracts. For example, where
one company deals with payroll for all the others and another
handles the company car scheme for the group's employees.
Transfers of data abroad
The other principle of the Act which will have a profound impact is
the eighth principle.
The eighth principle provides that personal data must not be
transferred to a country outside the EEA (comprising the 15 EU
member states, Norway, Iceland and Liechtenstein) unless that
country ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal
data.
It was quickly realised that the US did not provide such a level of
protection and, for many organisations with business links to the
States or with subsidiary or parent companies based there, this
poses a very considerable problem.
Some of the difficulty has been removed from this area by the
pragmatic approach adopted by the Commissioner. However, talks have
now been satisfactorily concluded between the European Union and
the US to try to put in place a Safe Harbours arrangement which
will enable personal data to continue being transferred to the
States.
The new Act does provide a number of exemptions from the
requirement of the eighth principle. If a data controller can fall
within one of these exemptions, he will be able to transfer
personal data to anywhere in the world, irrespective of whether
that country provides an adequate level of protection.
These exemptions are set out in Schedule 4 and the most relevant of
these are:
- that the data subject has consented to the transfer
- that the transfer is necessary for the performance of or the
entering into of a contract between the data controller and the
data subject
- that the transfer is necessary for the performance or
conclusion of a contract between the data controller and another
person (other than the data subject) but only where that contract
is entered into at the request of (or is in the interests of) the
data subject
- that the transfer is necessary for the purposes of
establishing, exercising or defending legal rights.
If your business is unable to benefit from any of the exemptions,
it will still be able to transfer personal data outside the EEA if
it complies with the eighth principle (ie ensures an adequate level
of protection).
Where the transfer is to a data processor based, for example, in
Asia where data capture is generally cheaper than in Europe, the
transfer can go ahead if a suitably drafted processor contract
(such as the one described above in relation to the seventh
principle) is put in place beforehand.
This contract will ensure that the processing benefits from an
adequate level of protection while in the hands of the data
processor. The Commissioner is satisfied that this provides an
adequate level of protection because the UK-based data controller
will always be available for her to take enforcement action against
if a breach occurs.
Manual filing systems
Any discussion of the new Act is not complete without mention of one
of the most talked
about changes, namely the inclusion of certain manual files within
the scope of the new Act. Under the 1984 Act, the only personal
data that fell within its provisions were data which were capable
of being processed electronically (eg on computer). The new Act
expands the definition of data considerably to include any data
which constitute a "relevant filing system".
What is a relevant filing system has been hotly debated by both the
Registrar and the government. There is still some uncertainty as to
how it will be interpreted in practice.
However, one thing is very clear. Neither the European Directive
(which the new Act implements), nor the new Act are intended to
apply to all manual files which contain personal data. The only
files that will be caught are those that fall within the definition
of a relevant filing system.
If your manual files satisfy all of the following requirements,
they will be caught by the new Act:
- there must be a set of information relating to
individuals
- that set must be structured by reference to individuals or
criteria relating to them (eg alphabetically, or by payroll
number)
- that set must also be structured in such a way that specific
information relating to a particular individual is readily
accessible.
For example, a personnel filing system will be a set if the
business has more than one employee. When you look at the way the
set is structured externally, you must be able to pull out a file
relating to a particular employee. This will usually be the case if
the set is arranged alphabetically.
When you pull out that particular file and you open it, the file
must be structured internally so that specific information about
that employee (eg his appraisals for the past five years) is
readily accessible. If you have to search through the entire file,
page by page, to find the information you are looking for, then it
is highly unlikely that the file is structured in such a way that
specific information is readily accessible.
Therefore, files which are both externally and internally highly
structured will be caught.
However, for many businesses, whether or not their files are caught
is academic because they have already taken a policy decision to
treat these files as if they were subject to the new Act. This
means complying with all the principles and giving employees access
to their personal data. If you are one of those businesses, then
there is no reason why you should not continue with your policy,
even if your files are so obviously unstructured that they do not
form a relevant filing system.
Rights of data subjects
The new Act contains some familiar and some new rights for data
subjects. Without doubt, the most important of these is their right
of access. This was a right which existed under the 1984 Act.
However, it has been widened so that the right now extends to
gaining access to archived and back-up data (which were previously
exempt), as well as information about sources and disclosures of
data and the logic behind any decision which is taken using solely
automated means.
Other rights of data subjects include:
- the right to prevent processing which is likely to cause damage
or distress
- the right to prevent processing for the purposes of direct
marketing
- the right to object to automated decision-taking where that
decision is in respect of matters which may significantly affect
the individual
- the right of any person affected (not just data subjects) to
claim compensation for damage (or damage and distress) in respect
of any breach of the new Act, and
- the right to apply to court for an order to rectify, block,
erase and destroy inaccurate personal data.
These rights, coupled with the new Human Rights Act 1998 and the
draft Freedom of Information Act 2000, will increase individuals'
rights to privacy and respect for their personal data. They will also
give individuals greater opportunities to access information about
themselves and about your processing activities.
Information is fast becoming the currency of the future. The more
you have, the better you will understand the market and your
customers. The days when businesses could use personal data as they
wished are long gone and the new Act is set to regulate their use
even further. This does not mean that you have to stop what you are
doing. It does mean that you have to review your processing and
ensure that you can continue your activities.
The best way of doing this is to carry out an audit of your
processing. This will determine what personal data you have, the
purposes for the processing, your methods of collection and any third
party recipients (including your data processors), and it will help
you to put in place processes and procedures to enable you to
comply with the new Act.
For example, you cannot hope to find a ground under Schedule 2 for
all your processing operations if you are not aware of the scope of
these. Equally, how do you know whether you need to find a
condition under Schedule 3, if you have not investigated whether
your business processes sensitive personal data? Many organisations
which carry out audits are stunned by the extent and nature of
their processing operations.
© Masons 2001
Shelagh Gaskill is a partner at international
law firm Masons where she heads the Data Protection and Information
Law team. She is also joint editor of Sweet & Maxwell's
Encyclopedia of Data Protection.