Would you know what to do if you received a request from the police to disclose data you were storing in respect of a customer or an employee? What if you were threatened with legal proceedings if you refused to comply with the request from a third party to provide, say, the contact details for an individual where that information was stored on your database?
Does the person responsible for answering these questions in your organisation know who she/he is, and the penalties for failure to comply with the Data Protection Act (“DPA”) and the related legislation?
The first thing you should do is to identify and appoint an appropriate individual to whom all such requests can be directed, usually your Data Protection Compliance Officer or Human Resources Director.
As your obligations under the DPA relate to “living individuals” capable of being “identified” from the data in your possession and in particular from your “processing” of that information (which term would include obtaining, recording, storing, dealing with, disclosing, disseminating, or transmitting), then you, as “Data Controller” (the person who determines the purpose for which the personal data is processed) must ensure that requests for information are dealt with promptly, fairly, consistently and in accordance with the DPA.
So can you simply rely on a blanket response that you will not provide “any” information in reply to any of the types of request described above, or that at least without the consent of the individual, no information will be provided? The short answer is no; it is necessary to exercise a measured judgement in each case depending upon the circumstances of the request. For example, it is recommended that, subject to certain exemptions, you should notify the individual that you will be releasing information about him/her to a third party before disclosure takes place. Commonly an employer may release information to the Police or HM Revenue & Customs or other government agencies, but subject always to the principal obligation of fair processing.
Do you have a policy on how certain data might be processed? Further, do you have the “explicit” consent of the individual for the disclosure of “sensitive personal data” (medical details, religious belief, sexual orientation, etc.)? You may in certain circumstances process sensitive personal data without the explicit consent of the individual concerned where it is substantially in the public interest and where it is “necessary”. This will require a consideration of the purpose for the processing of the data and the exercise of your judgement as to whether such processing is a proportionate means of achieving that purpose. Personal data should only be processed for a purpose consistent with that for which the data was obtained, unless you can elicit an additional explicit consent for the “new” purpose.
To assist you to discharge your obligations towards individuals, third parties and government agencies, and at the same time to act in the public interest, a Code of Practice has been issued which, while not itself legally enforceable, attempts to set standards of behaviour consistent with the DPA and other relevant legislation in this area of the law. What you should appreciate is that a breach of the code may also constitute a breach of the DPA and trigger enforcement action by the Data Protection Commissioner. Failure to heed such an enforcement notice will constitute a criminal offence.
Similarly, a failure in filing a notification of your data processing activities, or your unlawful obtaining or processing of personal data are also breaches of the Criminal Law. Offences under the DPA are punishable by a fine of up to £5,000 upon conviction in the Magistrates’ Court, but probably by an unlimited fine after indictment in the Crown Court. Furthermore, an individual could also mount a civil claim for compensation if he/she claims to have suffered damage or damage and distress as a result of any individual breach of the DPA.
However, it may well be that the greater practical spur towards achieving compliance will be for you and your organisation to avoid the attendant adverse publicity which often accompanies either the provision of or the failure to provide such data. The existence of a clear and considered policy will obviously enable you to contemplate either eventuality with a degree of confidence.
Ian Tranter is a Partner specialising in employment law at Manchester-based Pannone & Partners. He can be contacted on firstname.lastname@example.org or 0161 909 3000.