Introduction to Data Protection Law in the UK (March 2010)

Speaker notes
• SCHEDULE 2 - CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA
  1. The data subject has given his consent to the processing.
  2. The processing is necessary-
     (a) for the performance of a contract to which the data subject is a party, or
     (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
  3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  4. The processing is necessary in order to protect the vital interests of the data subject.
  5. The processing is necessary-
     (a) for the administration of justice,
     (b) for the exercise of any functions conferred on any person by or under any enactment,
     (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
     (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
  6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
     (2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
• This is implemented in the Data Protection Act 1998 at paragraphs 4 and 5 of Schedule 4:
  “4 (1) The transfer is necessary for reasons of substantial public interest.
  (2) The Secretary of State may by order specify:
     (a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and
     (b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
  5 The transfer:
     (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
     (b) is necessary for the purpose of obtaining legal advice, or
     (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
1. COMPETITION & REGULATORY GROUP
Charles Russell LLP, 5 Fleet Place, London EC4M 7RD, www.charlesrussell.co.uk
Charles Russell LLP, Floor 31, World Trade Centre West Tower, Is Al Kabeer Avenue, PO Box 31249, Manama, Kingdom of Bahrain, www.charlesrussell.bh
Data Protection Update
Andrew Sharpe
18 March 2010

2. DATA PROTECTION
• Introduction
  – Laws
  – Definitions/jargon
• Data Protection Principles
• New Enforcement Powers
• “Hot topics” and future for data protection

3. INTRODUCTION - LAW
• Data Protection Act 1998
  – Data Protection Directive 95/46/EC
  – see Europa website for other national laws (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm)
  – “the Act is certainly a cumbersome and inelegant piece of legislation” (Morland J, Naomi Campbell v MGN Limited [2002] EWHC 499 (QB))

4. INTRODUCTION - Law
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
  – Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2004 (SI 2004/1039)
  – Privacy and Electronic Communications Directive 2002/58/EC
• Durant -v- Financial Services Authority [2003] EWCA Civ 1746

5. INTRODUCTION - Definitions
Section 1(1) Data Protection Act 1998:
• “data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

6. INTRODUCTION - Definitions
• “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
• “data” means information which is or is intended to be processed automatically (i.e. computerised) or forms part of a relevant filing system

7. INTRODUCTION - Definitions
• “relevant filing system” means any set of information relating to individuals structured by reference to individuals or criteria relating to individuals in such a way that specific information relating to an individual is readily accessible
  – “on a par” with a computerised filing system
  – “temp test”

8. INTRODUCTION - Definitions
• “personal data” means information relating to a living individual who can be identified from that data or from other information in the possession of the data controller
  – narrow interpretation – must be significantly biographical, have the individual as its focus and affect an individual’s privacy (personal or professional)

9. INTRODUCTION - Definitions
• “sensitive personal data” means personal data relating to race, politics, religious beliefs, physical or mental condition, sexual life, offences (allegations and sentence), membership of a trade union

10. INTRODUCTION - Definitions
• “processing data” means obtaining it, recording it, holding it, carrying out operations with respect to it, including:
  – alteration
  – retrieval
  – consultation
  – use
  – disclosure
  – erasure

11. INTRODUCTION - Definitions
Section 1(4) Data Protection Act 1998:
• where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.
DATA CONTROLLER LIABLE FOR DATA PROCESSOR.

12. INTRODUCTION - DPA 1998 Exemptions
• National security
• Crime and taxation
• Regulatory activities, usually statutory and usually designed to protect the public
• Health, education, social work
• Research, history and statistics
• Disclosures required by law or made in connection with legal proceedings

13. DATA PROTECTION PRINCIPLES - Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data subject
7. Take appropriate security measures
8. No transfer of data outside EEA without adequate protection
First Principle: Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one condition in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

14. First Principle
• Personal data must be processed fairly and lawfully and … one of the conditions must be met
  – fair processing only if data controller is identified to data subject, together with identity of any data protection representative, and purpose(s) for which data are intended to be processed is stated
  – conditions at Schedule 2 or 3 to DPA 1998

15. First Principle Conditions
• Consent to processing is the most used condition (explicit consent for sensitive personal data)
• Can process personal data without consent in certain circumstances, e.g.:
  – paragraph 6 of Schedule 2: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

16. DATA PROTECTION PRINCIPLES - Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data subject
7. Take appropriate security measures
8. No transfer of data outside EEA without adequate protection
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date.
Fifth Principle: Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes.

17. Fifth Principle
• Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes
  – often misused as a reason not to process personal data inappropriately, most famously by Humberside Police (deleted information on Ian Huntley may have prevented Soham murders)
  – question of judgement for data controller

18. DATA PROTECTION PRINCIPLES - Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data subject
7. Take appropriate security measures
8. No transfer of data outside EEA without adequate protection
Sixth Principle: Personal data shall be processed in accordance with the rights of the data subject.

19. Sixth Principle
• Personal data shall be processed in accordance with the rights of the data subject
  – data subject access rights
  – “stop” notices for damage or distress
  – “stop” notices for direct marketing
  – “stop” notices for automatic decision making processes

20. DATA PROTECTION PRINCIPLES - Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data subject
7. Take appropriate security measures
8. No transfer of data outside EEA without adequate protection
Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to personal data.

21. Seventh Principle: data processors/outsourcing
• Express terms governing due diligence of data processors
  – where processing is carried out by a data processor on behalf of a data controller, the data controller must take reasonable steps to ensure compliance with technical and organisational measures
  – ensure data processor subject to contractual obligations AND include audit rights for at least the Seventh Principle

22. DATA PROTECTION PRINCIPLES - Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data subject
7. Take appropriate security measures
8. No transfer of data outside EEA without adequate protection
Eighth Principle: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

23. Eighth Principle
• Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
  – export always permitted where data subject gives consent to transfer
  – other transfers without consent possible (Schedule 4 of the DPA 1998)

24. Lawful Export of Data
• Disclosure outside of the EEA
  – to third country approved by Commission (Art. 25(6)) (Argentina, Australia, Canada, Guernsey, Isle of Man, Jersey, Switzerland)
  – US Safe Harbor - http://www.export.gov/safeharbor/
  – Binding corporate rules (Art. 26(2))
  – Model Contracts (Art. 26(4))

25. Model Contracts
• In standard form for use in the following situations:
  – Controller to processor:
    • Commission Decision (2002/16/EC) of 27 December 2001
  – Controller to controller:
    • Commission Decision (2001/497/EC) of 15 June 2001
    • Commission Decision C(2004)5271 of 7 January 2005 (preferred)

26. Transfer of Data Agreements
• New controller to processor approved agreement
  – effective date 15 May 2010
  – set out in 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)

27. Transfer of Data Agreements
  – available in Word (http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm)
  – introduces obligations on sub-processors
  – not yet formally adopted by Information Commissioner

28. ENFORCEMENT
• Investigations
• Enforcement Notice
• Prosecution
• Criminal Justice and Immigration Act 2008
• Coroners and Justice Act 2009

29. Criminal Justice and Immigration Act 2008
• introduces monetary penalties for breach of data protection principles (s.144)
  – amends Data Protection Act 1998 (new sections 55A – 55E)
  – maximum penalty set by Secretary of State
  – fining guidelines published by Information Commissioner’s Office (see www.ico.gov.uk)
• only allowable for:
  – “serious contravention of [a data protection principle]”
  – “likely to cause substantial damage or substantial distress”
  – deliberate breaches or where controller knew or ought to have known that there was risk of contravention and that the contravention would be likely to cause substantial damage or substantial

30. Criminal Justice and Immigration Act 2008
• secondary legislation being passed to bring into effect
• no official announcement as to when it will be brought into effect
• maximum penalty – £500,000
  – some lobbying, including from previous Information Commissioner, to be given OFT-style power (i.e. up to 10% annual turnover of offender)
• it appears from the secondary legislation that the measures will be brought into effect on 6 April 2010

31. Coroners and Justice Act 2009
• Royal Assent on 12 November 2009
• Part 8 – Data Protection Act amendments
  – assessment notices - will give Information Commissioner statutory audit powers over government departments and public authorities
  – data-sharing code – requires ICO to produce code for data sharing, to be approved by Secretary of State (and Parliament)
• Some lobbying, including by previous IC, for assessment notice power to cover the private as well as the public sector

32. HOT TOPICS
• Breach notification

33. Privacy and Electronic Communications Directive 2002/58/EC
• Amended by Citizens’ Rights Directive 2009/135/EC
• Amendments introduce breach notification requirements by electronic communications networks or services providers to national regulatory bodies and subscribers
• Member States must implement by 18 June 2011

34. Breach Notification
• some early discussion about widening the measure to all data controllers, and including general public notification
  – Reding speech 23 October 2009
  – already more extensive breach notification in some member states (e.g. some federal states in Germany)
  – EU looking closely at mixed practice in USA, where the majority of states have some kind of breach notification law

35. Andrew Sharpe
Charles Russell LLP
Tel: + 44 (0) 20 7203 5194 / +973 17 133219
Mobile: + 44 (0) 77 1307 9516 / +973 39 035451
Email: andrew.sharpe@charlesrussell.co.uk
andrewjsharpe TMT_Lawyer
http://www.linkedin.com/in/andrewsharpe
CRITique at http://charlesrussell.wordpress.com

36. Offices in: London, Oxford, Cambridge, Cheltenham, Guildford, Geneva (Switzerland), Manama (Bahrain)
This information has been prepared as a general guide only and does not constitute advice on any specific matter. We recommend that you seek professional advice before taking action. No liability can be accepted by us for any action taken or not taken as a result of this information. Charles Russell LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is regulated by the Solicitors Regulation Authority. Any reference to a partner in relation to Charles Russell LLP is to a member of Charles Russell LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners is available for inspection at the registered office, 5 Fleet Place, London EC4M 7RD.
www.charlesrussell.co.uk www.charlesrussell.bh