Data Protection

Introduction to Data Protection Law in the UK (March 2010)
  • SCHEDULE 2 - CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA
    • 1. The data subject has given his consent to the processing.
    • 2. The processing is necessary (a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
    • 3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
    • 4. The processing is necessary in order to protect the vital interests of the data subject.
    • 5. The processing is necessary (a) for the administration of justice, (b) for the exercise of any functions conferred on any person by or under any enactment, (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
    • 6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. (2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
  • This is implemented in the Data Protection Act 1998 at paragraphs 4 and 5 of Schedule 4:
    • “4 (1) The transfer is necessary for reasons of substantial public interest. (2) The Secretary of State may by order specify: (a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and (b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
    • 5 The transfer: (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”

Data Protection: Presentation Transcript

  • Data Protection Update: Andrew Sharpe, 18 March 2010
  • DATA PROTECTION
    • Introduction
      • Laws
      • Definitions/jargon
    • Data Protection Principles
    • New Enforcement Powers
    • “Hot topics” and future for data protection
  • INTRODUCTION
    • LAW
    • Data Protection Act 1998
      • Data Protection Directive 95/46/EC
      • see Europa website for other national laws (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm)
      • “the Act is certainly a cumbersome and inelegant piece of legislation” (Morland J, Naomi Campbell v MGN Limited [2002] EWHC 499 (QB))
  • INTRODUCTION - Law
    • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
      • Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2004 (SI 2004/1039)
      • Privacy and Electronic Communications Directive 2002/58/EC
    • Durant -v- Financial Services Authority [2003] EWCA Civ 1746
  • INTRODUCTION - Definitions
    • Section 1(1) Data Protection Act 1998:
    • “data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
  • INTRODUCTION - Definitions
    • “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
    • “data” means information which is or is intended to be processed automatically (i.e. computerised) or forms part of a relevant filing system
  • INTRODUCTION - Definitions
    • “relevant filing system” means any set of information relating to individuals structured by reference to individuals or criteria relating to individuals in such a way that specific information relating to an individual is readily accessible
      • “on a par” with a computerised filing system
      • “temp test”
  • INTRODUCTION - Definitions
    • “personal data” means information relating to a living individual who can be identified from that data or from other information in the possession of the data controller
      • narrow interpretation
      • must be significantly biographical, have individual as its focus and affect an individual’s privacy (personal or professional)
  • INTRODUCTION - Definitions
    • “sensitive personal data” means personal data relating to race, politics, religious beliefs, physical or mental condition, sexual life, offences (allegations and sentence), membership of trade union
  • INTRODUCTION - Definitions
    • “processing data” means obtaining it, recording it, holding it, carrying out operations with respect to it, including:
      • alteration
      • retrieval
      • consultation
      • use
      • disclosure
      • erasure
  • INTRODUCTION - Definitions
    • Section 1(4) Data Protection Act 1998:
    • where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.
    • DATA CONTROLLER LIABLE FOR DATA PROCESSOR.
  • INTRODUCTION - DPA 1998 Exemptions
    • National security
    • Crime and taxation
    • Regulatory activities, usually statutory and usually designed to protect the public
    • Health, education, social work
    • Research, history and statistics
    • Disclosures required by law or made in connection with legal proceedings
  • DATA PROTECTION PRINCIPLES
    • Summary
    • Process fairly and lawfully
    • Obtain data only for one or more specified purposes
    • Data adequate, relevant and not excessive
    • Data accurate and kept up to date
    • Data not to be kept longer than necessary
    • Process in accordance with rights of data subject
    • Take appropriate security measures
    • No transfer of data outside EEA without adequate protection
    • Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless-
      • (a) at least one condition in Schedule 2 is met, and
      • (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  • First Principle
    • Personal data must be processed fairly and lawfully and … one of the conditions must be met
      • fair processing only if the data controller is identified to the data subject, together with the identity of any data protection representative, and the purpose(s) for which the data are intended to be processed are stated
      • conditions at Schedule 2 or 3 to DPA 1998
  • First Principle Conditions
    • Consent to processing is most used condition (explicit consent for sensitive personal data)
    • Can process personal data without consent in certain circumstances e.g.:
      • paragraph 6 of Schedule 2: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
  • DATA PROTECTION PRINCIPLES
    • Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    • Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
    • Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date.
    • Fifth Principle: Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes.
  • Fifth Principle
    • Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes
      • often misused as a justification for inappropriately deleting or not processing personal data, most famously by Humberside Police (information on Ian Huntley that had been deleted might have prevented the Soham murders)
      • question of judgement for data controller
  • DATA PROTECTION PRINCIPLES
    • Sixth Principle: Personal data shall be processed in accordance with the rights of the data subject.
  • Sixth Principle
    • Personal data shall be processed in accordance with the rights of the data subject
      • data subject access rights
      • “stop” notices for damage or distress
      • “stop” notices for direct marketing
      • “stop” notices for automatic decision making processes
  • DATA PROTECTION PRINCIPLES
    • Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Seventh Principle: data processors/outsourcing
    • Express terms governing due diligence of data processors
      • where processing carried out by data processor on behalf of data controller, data controller must take reasonable steps to ensure compliance with technical and organisational measures
      • ensure data processor subject to contractual obligations AND include audit rights for at least Seventh Principle
  • DATA PROTECTION PRINCIPLES
    • Eighth Principle: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  • Eighth Principle
    • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
      • export always permitted where the data subject gives consent to the transfer
      • other transfers without consent possible (Schedule 4 of the DPA 1998)
  • Lawful Export of Data
    • Disclosure outside of the EEA
      • to third country approved by Commission (Art. 25(6)) (Argentina, Australia, Canada, Guernsey, Isle of Man, Jersey, Switzerland)
      • US Safe Harbor - http://www.export.gov/safeharbor/
      • Binding corporate rules (Art. 26(2))
      • Model Contracts (Art. 26(4))
  • Model Contracts
    • In standard form for use in following situations:
      • Controller to processor:
        • Commission Decision (2002/16/EC) of 27 December 2001
      • Controller to controller:
        • Commission Decision (2001/497/EC) of 15 June 2001
        • Commission Decision C(2004)5271 of 7 January 2005 (preferred)
  • Transfer of Data Agreements
    • New controller to processor approved agreement
      • effective date 15 May 2010
      • set out in 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)
  • Transfer of Data Agreements
      • available in Word (http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm)
      • introduces obligations on sub-processors
      • not yet formally adopted by Information Commissioner
  • ENFORCEMENT
    • Investigations
    • Enforcement Notice
    • Prosecution
    • Criminal Justice and Immigration Act 2008
    • Coroners and Justice Act 2009
  • Criminal Justice and Immigration Act 2008
    • introduces monetary penalties for breach of data protection principles (s.144)
      • amends Data Protection Act 1998 (new sections 55A – 55E)
      • maximum penalty set by Secretary of State
      • fining guidelines published by Information Commissioner’s Office (see www.ico.gov.uk)
    • only allowable for:
      • “serious contravention of [a data protection principle]”
      • “likely to cause substantial damage or substantial distress”
      • deliberate breaches or where controller knew or ought to have known that there was risk of contravention and that the contravention would be likely to cause substantial damage or substantial distress
  • Criminal Justice and Immigration Act 2008
    • secondary legislation being passed to bring into effect
    • no official announcement as to when it will be brought into effect
    • maximum penalty
      • £500,000
      • some lobbying, including from previous Information Commissioner, to be given OFT-style power (i.e. up to 10% annual turnover of offender)
    • secondary legislation indicates that the measures are to be brought into effect on 6 April 2010
  • Coroners and Justice Act 2009
    • Royal Assent on 12 November 2009
    • Part 8 – Data Protection Act amendments
      • assessment notices - will give Information Commissioner statutory audit powers over government departments and public authorities
      • data-sharing code – requires ICO to produce code for data sharing, to be approved by Secretary of State (and Parliament)
    • Some lobbying, including by previous IC, for assessment notice power to be for private as well as public sector
  • HOT TOPICS
    • Breach notification
  • Privacy and Electronic Communications Directive 2002/58/EC
    • Amended by Citizens’ Rights Directive 2009/135/EC
    • Amendments introduce breach notification requirements by electronic communications networks or services providers to national regulatory bodies and subscribers
    • Member States must implement by 18 June 2011
  • Breach Notification
    • some early discussion about widening measure to all data controllers, and including general public notification
      • Reding speech 23 October 2009
      • already more extensive breach notification in some member states (e.g. some federal states in Germany)
      • EU looking closely at mixed practice in USA, where majority of states have some kind of breach notification law
  • Andrew Sharpe, Charles Russell LLP
    • Tel: +44 (0)20 7203 5194 / +973 17 133219
    • Mobile: +44 (0)77 1307 9516 / +973 39 035451
    • Email: [email_address]
    • http://www.linkedin.com/in/andrewsharpe
    • CRITique at http://charlesrussell.wordpress.com
    • andrewjsharpe / TMT_Lawyer
    • Offices in: London, Oxford, Cambridge, Cheltenham, Guildford, Geneva (Switzerland), Manama (Bahrain)
    • This information has been prepared as a general guide only and does not constitute advice on any specific matter. We recommend that you seek professional advice before taking action. No liability can be accepted by us for any action taken or not taken as a result of this information.
    • Charles Russell LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is regulated by the Solicitors Regulation Authority. Any reference to a partner in relation to Charles Russell LLP is to a member of Charles Russell LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners, is available for inspection at the registered office, 5 Fleet Place, London EC4M 7RD.
    www.charlesrussell.co.uk / www.charlesrussell.bh