Data Protection Act - Red alert, all areas!

In the second of two articles a top IT lawyer looks at the wide sweep of the Data Protection Act and analyses the effects on data security, transfers of data abroad and the rights of the individual.

Having examined what you need to do to get started with compliance and understood the importance of data protection notices (see first article), now let's take a closer look at the seventh and eighth principles of the Data Protection Act.

Security and data processors
The seventh principle requires that all data controllers put in place appropriate technical and organisational measures to safeguard personal data against unauthorised or unlawful processing or accidental loss, destruction or damage.

This on its own is not surprising. However, the interpretation section to this principle takes this requirement one step further by imposing upon all data controllers who use data processors certain additional obligations.

Data processors are defined in the new Act as any person (other than an employee of the data controller) who processes personal data on behalf of the data controller. This is a very broad definition made more so by the wide meaning of "processing" which covers every processing operation imaginable from collection to destruction.

A data processor is, therefore, anyone who does anything with or to personal data. For example, IT consultants, statutory auditors, pension administrators, external payroll providers, mailing houses and even other companies within a group are all potentially data processors.

The new Act requires that a contract in writing must be put in place between the data controller and each of his data processors. The contract must:

1. Require the data processor to comply with obligations equivalent to those of the seventh principle. In fact, a data controller must not use a data processor who is unable to provide sufficient guarantees in respect of the technical and organisational security measures it will take in respect of the processing.

2. Grant to the data controller the right to audit the data processor at any time (this will enable the data controller to ascertain whether the data processor is complying with its contractual obligations).

3. Specify that the data processor is to act only on instructions from the data controller.

It also makes sound commercial sense to ensure the contract specifies that under no circumstances will the data processor gain any rights in the personal data. The contract should also describe what is to happen upon termination (eg the return or destruction of the personal data).

Many organisations have for many years transacted business with their data processors in such a way that the initial contract (if there ever was one) has long expired, and the parties conduct their business on the basis of a course of dealings. There is no doubt that this is a contract. However, the new Act requires that contract to be in writing.

Companies with group structures will also be affected and have to put in place inter-group processor contracts. For example, where one company deals with payroll for all the others and another handles the company car scheme for the group's employees.

Transfers of data abroad
The other principle of the Act which will have a profound impact is the eighth principle.

The eighth principle provides that personal data must not be transferred to a country outside the EEA (comprising the 15 EU member states, Norway, Iceland and Liechtenstein) unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

It was quickly realised that the US did not provide such a level of protection and, for many organisations with business links to the States or with subsidiary or parent companies based there, this poses a very considerable problem.

Some of the difficulty has been removed from this area by the pragmatic approach adopted by the Commissioner. However, talks have now been satisfactorily concluded between the European Union and the US to try to put in place a Safe Harbours arrangement which will enable personal data to continue being transferred to the States.

The new Act does provide a number of exemptions from the requirement of the eighth principle. If a data controller can fall within one of these exemptions, he will be able to transfer personal data to anywhere in the world, irrespective of whether that country provides an adequate level of protection.

These exemptions are set out in Schedule 4 and the most relevant of these are:

  • that the data subject has consented to the transfer
  • that the transfer is necessary for the performance of or the entering into of a contract between the data controller and the data subject
  • that the transfer is necessary for the performance or conclusion of a contract between the data controller and another person (other than the data subject) but only where that contract is entered into at the request of (or is in the interests of) the data subject
  • that the transfer is necessary for the purposes of establishing, exercising or defending legal rights.

If your business is unable to benefit from any of the exemptions, it will still be able to transfer personal data outside the EEA if it complies with the eighth principle (ie ensures an adequate level of protection).

Where the transfer is to a data processor based, for example, in Asia where data capture is generally cheaper than in Europe, the transfer can go ahead if a suitably drafted processor contract (such as the one described above in relation to the seventh principle) is put in place beforehand.

This contract will ensure that the processing benefits from an adequate level of protection while in the hands of the data processor. The Commissioner is satisfied that this provides an adequate level of protection because the UK-based data controller will always be available for her to take enforcement action against if a breach occurs.

Manual filing systems
Any discussion of the new Act is not complete without mention of one of the most talked about changes, namely the inclusion of certain manual files within the scope of the new Act. Under the 1984 Act, the only personal data that fell within its provisions were data which were capable of being processed electronically (eg on computer). The new Act expands the definition of data considerably to include any data which constitute a "relevant filing system".

What is a relevant filing system has been hotly debated by both the Registrar and the government. There is still some uncertainty as to how it will be interpreted in practice.

However, one thing is very clear. Neither the European Directive (which the new Act implements) nor the new Act is intended to apply to all manual files which contain personal data. The only files that will be caught are those that fall within the definition of a relevant filing system.

If your manual files satisfy all of the following requirements, they will be caught by the new Act:

  • there must be a set of information relating to individuals
  • that set must be structured by reference to individuals or criteria relating to them (eg alphabetically, or by payroll number)
  • that set must also be structured in such a way that specific information relating to a particular individual is readily accessible.

For example, a personnel filing system will be a set if the business has more than one employee. When you look at the way the set is structured externally, you must be able to pull out a file relating to a particular employee. This will usually be the case if the set is arranged alphabetically.

When you pull out that particular file and you open it, the file must be structured internally so that specific information about that employee (eg his appraisals for the past five years) is readily accessible. If you have to search through the entire file, page by page, to find the information you are looking for, then it is highly unlikely that the file is structured in such a way that specific information is readily accessible.

Therefore, files which are both externally and internally highly structured will be caught.

However, for many businesses, whether or not their files are caught is academic because they have already taken a policy decision to treat these files as if they were subject to the new Act. This means complying with all the principles and giving employees access to their personal data. If you are one of those businesses, then there is no reason why you should not continue with your policy, even if your files are so obviously unstructured that they do not form a relevant filing system.

Rights of data subjects
The new Act contains some familiar and some new rights for data subjects. Without doubt, the most important of these is their right of access. This was a right which existed under the 1984 Act. However, it has been widened so that the right now extends to gaining access to archived and back-up data (which were previously exempt), as well as information about sources and disclosures of data and the logic behind any decision which is taken using solely automated means.

Other rights of data subjects include:

  • the right to prevent processing which is likely to cause damage or distress
  • the right to prevent processing for the purposes of direct marketing
  • the right to object to automated decision-taking where that decision is in respect of matters which may significantly affect the individual
  • the right of any person affected (not just data subjects) to claim compensation for damage (or damage and distress) in respect of any breach of the new Act, and
  • the right to apply to court for an order to rectify, block, erase and destroy inaccurate personal data.

These rights, coupled with the new Human Rights Act 1998 and the draft Freedom of Information Act 2000, will increase individuals' rights to privacy and respect for their personal data. They will also give them greater opportunities to access information about themselves and about your processing activities.

Information is fast becoming the currency of the future. The more you have, the better you will understand the market and your customers. The days when businesses could use personal data as they wished are long gone and the new Act is set to regulate their use even further. This does not mean that you have to stop what you are doing. It does mean that you have to review your processing and ensure that you can continue your activities.

The best way of doing this is to carry out an audit of your processing. This will determine what personal data you have, the purposes for the processing, your methods of collection and any third party recipients, including your data processors, and it will help you to put in place processes and procedures to enable you to comply with the new Act.

For example, you cannot hope to find a ground under Schedule 2 for all your processing operations if you are not aware of the scope of these. Equally, how do you know whether you need to find a condition under Schedule 3, if you have not investigated whether your business processes sensitive personal data? Many organisations which carry out audits are stunned by the extent and nature of their processing operations.

© Masons 2001

Shelagh Gaskill is a partner at international law firm Masons where she heads the Data Protection and Information Law team. She is also joint editor of Sweet & Maxwell's Encyclopedia of Data Protection.
