Data Protection Act - The fast route to compliance

In the first of two articles on how to make sure you are not caught out by the Data Protection Act, a top IT lawyer points the way ahead as the 24 October compliance deadline looms.

The Data Protection Act 1998 applies to all organisations from 24 October 2001. Every business processes some kind of personal data. This will include data about customers, business contacts and employees.

Ignore data protection at your peril. Information is the lifeblood of every business. If your information flows are threatened, your business is threatened too. It does not take very much to comply with the new Act right from the start and put in place processes and procedures to help your business become and remain compliant.

It is, however, a costly and time-consuming effort to fix things once they have gone wrong. Many businesses have found, to their cost, that a database full of valuable personal data is rendered valueless because those data were unfairly or unlawfully obtained.

Starting point for compliance
Under the new Act the first thing you must consider is whether you have a right to process personal data at all. The first data protection principle contains an absolute prohibition on the processing of all personal data unless that processing can be justified under one of six conditions set out in Schedule 2.

These conditions have been drafted in such a way that they should cover most processing operations. However, if you cannot find a condition that justifies your particular processing, then you will not be able to continue with it under the new Act.

You can process personal data if your processing is covered by one or more of the grounds set out in Schedule 2:

1. The data subject (ie the person who is the subject of the personal data) has consented.

2. It is necessary for the entering into or performance of a contract with the data subject.

3. It is necessary for compliance with any legal obligation to which you are subject (other than one imposed by contract).

4. The processing is necessary to protect the vital interests of the data subject (where vital means a matter of life or death).

5. It is necessary for compliance with any statutory duty.

6. It is necessary for the purpose of your legitimate interests, except where the processing is unwarranted because it prejudices the rights of the data subject.

You can use this last ground to carry out your own marketing so long as you do not disclose the information to anybody else. You do not need consent to mail your own marketing material to people.

If your processing falls within any of the above conditions, you can continue to process personal data under the new Act.

Sensitive personal data
The new Act also introduces a special category of personal data which it refers to as sensitive personal data. These data are exhaustively defined as information relating to:

  • the racial or ethnic origin of the data subject
  • political opinions
  • religious beliefs
  • trade union membership
  • physical or mental health or condition
  • sexual life
  • the commission or alleged commission by the data subject of any offence, or any court proceedings or sentences in respect of any offence.

If you process any of the above sensitive personal data, you must in addition to finding a condition under Schedule 2, find another condition under Schedule 3.

Schedule 3, together with a Statutory Instrument which has recently been published and is available from the Home Office website, lays down the conditions relevant for the processing of sensitive personal data.

The most useful conditions in Schedule 3 for most organisations are described below. You can process personal data if:

  • the data subject has given his or her explicit consent
  • the processing is necessary in respect of rights or obligations conferred or imposed by law in connection with employment
  • the processing is necessary to protect the vital interest of the data subject or another person in cases where consent cannot be given or has been unreasonably withheld
  • the processing is carried out by non-profit making bodies
  • the information contained in the personal data has been made public by the data subject
  • the processing is necessary for the purposes of establishing, exercising or defending legal rights or for any legal proceedings
  • the processing is necessary for the administration of justice, by or under any enactment or for government departments
  • the processing of racial or ethnic origin is necessary for the monitoring of equality of opportunity.

There are two additional conditions which are specifically for the benefit of the insurance or pensions industries. The first allows processing of health information about members of a policyholder's or member's family (eg spouse, siblings) where their consent cannot reasonably be obtained by the insurer or pensions trustees.

The second allows the continued processing of sensitive personal data for the purpose of insurance business or occupational pensions if the insurer or pensions trustee was already processing those data before 24 October 1998. If this is the case, the insurer can continue the processing without having to obtain the data subjects' explicit consent.

Data protection notices
The requirement to justify all processing under Schedule 2 and, where appropriate, Schedule 3 is fundamental to the new Act. However, your obligations under the first data protection principle do not stop there. In addition, a data controller (ie the person who determines the purposes for which and the manner in which personal data are processed) is also obliged to give data subjects certain information describing the processing. This information is usually given in the form of a data protection notice or privacy statement.

The giving of data protection notices is an essential part of the new Act. Your processing will not be fair unless you give these notices to the right people at the right time. Failure to do so may compromise the collection and subsequent processing of personal data. Many companies have come unstuck in this area and found themselves, a year or two later, unable to use vast amounts of data which had been unfairly collected. Getting the notices right is the key to success under the new Act.

Where the information has been collected directly from the data subject, the form of notice to be given is known as the article 10 notice (this name is derived from the article of the EU directive on data protection which describes the list of information which has to be given in the notice). Where the information is collected not directly from the data subject but from a third party, the data controller must still give the data subject the data protection notice, and in this case it is known as the article 11 notice.

The type of information that must be given is prescribed. However, previous data protection case law and guidance notes issued by the Data Protection Commissioner have added several layers to these notices. It is now, therefore, rather more complicated to get these right. The following is a checklist of the kind of information your notice should contain:

  • the full legal name of the data controller (eg the legal name of the company)
  • the purposes for the processing, including all non-obvious purposes (eg credit checking, host mailing, marketing by telephone, fax or e-mail, analysing transactional data)
  • any disclosures to third parties (eg other companies within the group, other carefully selected third parties)
  • the purposes for which those third parties will use the personal data
  • methods of contact for marketing purposes (eg telephone, e-mail, SMS, fax or mail)
  • an opt-out of your own marketing and that of third parties.

One thing should be made absolutely clear: giving a notice is not the same as obtaining consent. If you need to obtain consent in order to justify your processing (for example under Schedules 2 and 3), then you must draft your notice so that it contains consent wording and you must ensure the data subject indicates that he or she consents by giving you some positive indication.

You may need to obtain explicit consent if you are processing sensitive personal data about your employees or if you intend to transfer personal data relating to your customers to countries outside the European Economic Area (EEA).

If the data protection notice (with the consent wording) is included on an application form or website registration page or other page which must be completed and returned to the data controller by the individual, this is the most effective way of obtaining that individual's explicit consent to the processing.

In essence there is little difference between consent and explicit consent. The new Act does not give any guidance on this point, although it requires consent in Schedule 2 and explicit consent in Schedule 3. The general view is that the courts will recognise consent when they see it and that the best way of obtaining explicit consent is to make sure that you inform the individual fully and frankly of everything that you intend to do with his or her sensitive personal data and what those data consist of (eg medical information, criminal convictions etc).

Consent requires a positive action on the part of the individual. For example, a registration page which contains a data protection notice either immediately above or beside the accept/reject button is a good way of obtaining both consent and explicit consent to the terms of that notice: the individual completes the page, sees the notice, clicks the accept button and returns the form to the data controller.

There can be no clearer indication of consent to the terms of the notice than this. If the individual does not agree with those terms, he or she is always free to go elsewhere.

Data protection and marketing
The issue of marketing must also be dealt with in the data protection notice. There is little doubt that the use of personal data for marketing purposes is fundamental to every business. The new Act gives individuals the absolute right to opt out of having their personal data processed for marketing purposes.

This was the practice under the old Data Protection Act 1984 (the "1984 Act"), but be warned that you will be under a legal requirement to comply with any opt-out. Failure to comply will be a breach of the new Act and could expose your business to enforcement action by the Commissioner and a claim for compensation from the data subject.

It is not just the new Act that you must be aware of where marketing is concerned. The Telecommunications (Data Protection and Privacy) Regulations 1999 have had a substantial impact in respect of the use of telephone and fax for direct marketing purposes. The Distance Selling Directive and the E-Communications Directive will have a similar effect on marketing by e-mail.

Many data controllers use the telephone to encourage business and many of these businesses are now finding that they can no longer do so unless they have first screened their telephone lists against the Telephone Preference Service (TPS).

That includes their customer lists as well as their prospect lists. Even so, it is still not lawful to call people, unless they have previously been given a notice to say that they will be called for marketing purposes, and they have not objected.

What is not commonly known is that if a person's telephone number was obtained in circumstances where they consented to receiving marketing telephone calls, then those calls can continue even if that person subsequently registers with the TPS.

The data protection notice is a way in which you obtain a person's consent to being marketed by telephone. That is why it is crucial to include the appropriate wording to cover this situation. Even if you are not telemarketing or SMS marketing at present you may wish to do so in the future. You should draft the notice so that it covers all your business' processing needs for the next five years.

The requirements of the first data protection principle have been considered above in some detail, because that is the most crucial of all the principles. However, there are seven more principles and each imposes upon data controllers certain obligations in respect of the processing of personal data. None of these can be ignored and, in particular, you need to be aware of the seventh and eighth principles which are covered in the next article.

©Masons 2001

Shelagh Gaskill is a partner at international law firm Masons where she heads the Data Protection and Information Law team. She is also joint editor of Sweet & Maxwell's Encyclopedia of Data Protection.