Date of publication: November 2016
In the UK, the Data Protection Act 1998 (the “Act”) regulates the use of personal data.
The Act applies to the “processing” of “personal data”, and as such affects most businesses operating in the UK that hold information about individuals (such as employees or customers).
It is important that businesses comply with the Act, as a failure to do so can result in both criminal and civil liability.
The Act is complex and imposes a large number of obligations on those who process personal data. This publication highlights the key issues, roles and responsibilities under the Act.
PLEASE NOTE THAT THE NEW GENERAL DATA PROTECTION REGULATION COMES INTO FORCE ON 25 MAY 2018 AND WILL AFFECT YOUR DATA PROTECTION OBLIGATIONS. PLEASE SEE OUR QUICK GUIDE ON THIS SUBJECT.
“Personal data” is information which relates to living individuals (“data subjects”) who can be identified from that data. Examples of personal data include information relating to an individual’s name, address, telephone number and other similar details.
A “data controller” is defined as the person/s who determines the purposes and manner in which any personal data is processed. This includes individuals, organisations and other corporate and unincorporated bodies.
A “data processor” means any person (other than an employee of the data controller) who processes data on behalf of a data controller but does not make any independent determination of the purposes or manner in which personal data is, or will be, processed.
The Act broadly defines “processing” data as obtaining, recording, holding, using, disclosing or erasing data which in practice encompasses almost any activity relating to the use of data, including storing on remote servers for cloud computing purposes.
There are more restrictive conditions relating to the treatment of “sensitive personal data”. Sensitive personal data includes, but is not limited to, information relating to an individual’s race, health, sexual history, religious beliefs, salary details, political opinions, criminal records and other information of a “sensitive” nature.
Before any data can be processed, the data controller (not the data processor) must notify the UK regulator, the Information Commissioner’s Office (ICO), of certain information, unless they are exempt. Information provided to the ICO during registration is publicly accessible on an online register via the ICO website www.ico.gov.uk. Failure by a data controller to notify is a criminal offence.
There are 8 principles under the Data Protection Act 1998 as follows:
Below is a short examination of some of the key principles that data controllers must observe at all times:
The processing of data will not be fair where the data subject has been pressured into giving personal data, or misled/misinformed about the use of their data. Data controllers therefore need to either obtain the consent of the data subject before processing the personal data (which is strongly recommended) or demonstrate that:
The processing of sensitive personal data must fulfil further criteria under the first principle, which includes:
This principle requires data controllers to put procedures in place to ensure that data is destroyed or deleted where it is no longer necessary for the purpose for which it was collected. For example, data which is collected for a specific campaign should be destroyed once the campaign is concluded.
The Act does not provide specific time limits for the retention of data, and thus the responsibility lies with individual organisations to determine what is “necessary” in the circumstances.
The Act confers rights on data subjects, which must be observed by data controllers and processors, the key ones of which are as follows:
Any personal data that is processed must be protected or encrypted with adequate methods to ensure that the data is secure and safe from damage. This principle poses particular issues in relation to portable devices which store data and personal information, because they can easily be lost or stolen. The ICO recommends that laptops or other such devices are protected by approved encryption software.
The Act prevents the transfer of data to a country or territory outside of the EEA unless that country or territory ensures a level of protection of the rights of data subjects equivalent to that provided in the UK.
Putting personal data on a website will often lead to a transfer outside of the EEA occurring, as a transfer will take place wherever the website is hosted on overseas servers.
The European Commission has decided that certain countries outside the EEA have an adequate level of protection for personal data. As at the date of this publication, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
If a country has not been approved as adequate by the European Commission, it is still possible to send personal data to that country if, in the particular circumstances, the data controller is satisfied that there is an adequate level of protection.
There are various methods of a company satisfying this requirement - they may:
In connection only with transfers of personal data to the United States, US organisations may self-certify their compliance with EU standards of data processing within their business activities by signing up to the Privacy Shield program, which was adopted by the European Commission on 12 July 2016 following the invalidation of the previous Safe Harbor Framework.
A prescribed application process must be undertaken to self-certify under Privacy Shield and there are ongoing compliance obligations and fees payable.
In practice, the ICO has confirmed that it is always preferable to ensure adequate protection of data is in place rather than rely on an exemption where data is being transferred, particularly as data subject consent is unlikely to remain valid for long periods of time.
With the advent of cloud-based computing, infrastructure, platform and software services are often wholly operated using servers in remote data warehouses accessible to users via an internet browser or remote access software.
Although this provides various positives such as flexibility of access, reduction of costs for IT resources, and environmental benefits, there is a risk that data is split and stored in multiple countries at any given time, including those outside of the EU.
Any businesses which operate using cloud-based remote third party services should consider putting in place controller-processor agreements based upon the Model Contract Clauses to govern the flow of data between the parties and ensure that there are private contractual rights to enforce the observance of EU data protection standards.
The Act imposes various obligations on organisations who hold personal information and affects the vast majority of our clients.
Should you have any questions or require further information about the requirements and obligations under the Act, please contact Ben Robson of our Corporate & Commercial Team using the details below.
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.
Copyright © 2013 - Oury Clark.