Data Protection seminar

Agenda:
– Recognising Personal Data
– Data Sharing
– Overseas Transfers of Personal Data
– Electronic Marketing
– The New Data Protection Regulation
– Short case study
Recognising ‘Personal Data’
Before establishing if the Data Protection Act 1998 (Act) is engaged, you need to recognise what personal data is.
(1) Is the information ‘data’? Under s1(1) of the Act, ‘data’ falls into the following categories:
– automatically processed data, or data recorded with the intention that it should be processed automatically
– data forming part of a ‘relevant filing system’
– data forming part of an ‘accessible record’
– recorded information held by a public authority.
Recognising ‘Personal Data’ (2)
(2) Is the data ‘personal data’?
– Once you have established that the information is ‘data’, you need to establish whether it is ‘personal’ data.
– Defined in s1(1) of the Act as: “Data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.
– Note the two limbs ‘living’ and ‘individual’: information about a deceased person, or about a company rather than a person, is not personal data.
Recognising ‘Personal Data’ (3)
Examples of personal data include:
– addresses, telephone numbers, job titles and dates of birth
– expressions of opinion about an individual
– indications of the intentions of the data controller or any other person in respect of the individual.
Anonymised data is not personal data. However, data is only truly anonymised if the individual can no longer be identified from it, either alone or together with other information the data controller holds or is likely to obtain (limb (b) of the definition).
Data Sharing (1)
(1) What is ‘data sharing’?
– Disclosure of data by one or more organisations to a third party organisation, or sharing of data between different parts of an organisation.
– If the data sharing does not involve personal data, eg where only statistics that cannot identify anyone are being shared, then the Act does not apply.
Data Sharing (2)
(2) Data sharing has two legal components:
– Whether you can share personal data, eg lawfulness, powers etc.
– How to share personal data, eg securely, transparently etc.
Your legal status affects your ability to share information: it depends on whether you are a public sector body or a private/third sector one.
The public sector:
– (1) Identify the legislation that is relevant to your organisation: (a) express obligations; (b) express powers; (c) implied powers.
Data Sharing (3)
– (2) If there is no power to share data then the data must not be shared unless, for example, there is an overriding public interest in doing so.
– (3) The Freedom of Information Act 2000 gives anyone the right to request information held by a public authority, which must be disclosed unless an exemption applies, eg where disclosure would breach any of the data protection principles.
The private sector:
– Most private organisations have a general ability to share data so long as doing so does not breach the Data Protection Act or any other law.
Data Sharing (4)
(3) Sharing confidential personal data
– An obligation of confidence can be overridden if:
• consent is obtained
• it is in the public interest. Helen Maddock v Devon CC (2003): there was no breach of confidence when a council passed on concerns about the suitability of a woman to become a social worker to the university where she was training; it was considered a matter of public interest that unsuitable persons should not become social workers
• statutory requirements provide for it.
Data Sharing (5)
(4) Advice: apply the ICO’s Statutory Code of Practice on data sharing to help you collect and share personal data in a way that is fair, transparent and in line with the rights and expectations of the people whose information you are sharing, and consider the following:
– Whether you are obliged to share.
– Whether you have the power to share.
– Stick to any statutory limits.
– Confidentiality requirements before disclosure.
– Disclose the minimum that you need to disclose.
– Disclose in a secure manner.
– Whether you have to inform the data subject.
– Keep records of the disclosure.
– If you share data routinely, consider having a formal data sharing agreement in place.
Overseas Transfers of Personal Data
Due to the globalisation of trade, record amounts of customer and employee data now have to be transferred overseas from the UK.
Data Protection Act 1998, 8th Principle:
• “Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Overseas Transfers of Personal Data (2)
Four-step “good practice” approach. Consider:
– (1) whether there is a transfer of personal data to a third country
– (2) whether the third country ensures an adequate level of protection for the data
– (3) whether the parties have, or can put in place, adequate safeguards to protect the data
– (4) whether any of the other derogations from the 8th Principle apply.
Overseas Transfers of Personal Data (3)
(1) Is it a transfer? Two questions must be considered:
– (a) whether the country of the transferee of the personal data is outside the EEA;
– (b) whether the transmission in question actually amounts to a transfer.
What is a ‘transfer’? The key distinction is between transfer and mere transit: data that only passes through a non-EEA country on its way to an EEA destination, without being accessed or manipulated there, is not transferred to that country.
Overseas Transfers of Personal Data (4)
Examples from the ICO:
– (1) A company in the UK uses a centralised human resources system in the US, belonging to its parent company, to store information about its employees: TRANSFER.
– (2) Personal data is transferred from the UK to Germany via a server in Switzerland, which does not access or manipulate the information while it is in Switzerland: TRANSIT.
Overseas Transfers of Personal Data (5)
(2) Adequacy
– If there will be a transfer to a third country, you need to consider whether the third country ensures an adequate level of protection. A finding of adequacy is normally based on a Community finding or a positive outcome when applying the adequacy test.
– “Community finding”: where the European Commission makes a finding that a country outside the EEA has an adequate level of protection. A list of such countries can be found on the ICO website.
– “Adequacy test”: where there is no Community finding, the data exporter should assess the proposed transfer against the general adequacy criteria itself.
– If neither route establishes adequacy, adequate safeguards such as model clauses or Binding Corporate Rules can be put in place instead.
Overseas Transfers of Personal Data (6)
(3) Model clauses and Binding Corporate Rules
– Model clauses: standard contractual clauses approved by the European Commission, entered into between the data exporter and the data importer, which contractually bind the importer to protect the data adequately.
– Binding Corporate Rules: binding internal rules, approved by the ICO, which allow a multinational group to transfer personal data to its group companies outside the EEA.
Failure to comply with the 8th Principle: enforcement
– Fine: a monetary penalty of up to £500,000 imposed by the ICO
– Directors and officers of companies which have committed offences may also be liable to prosecution
– Civil proceedings.
Topical issues: cloud computing has raised concerns with regard to the storage of personal data by cloud service providers on servers outside the EEA. A checklist for data protection compliance by cloud clients and cloud providers has been issued.
Electronic Marketing
To collect and use personal data (eg to send out marketing material) there are certain steps you should follow at the time you collect it.
In addition to the Data Protection Act, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) apply to certain marketing activities. PECR impose two rules regarding unsolicited email marketing. You must:
– Rule 1: provide certain information (your name/organisation name, what you will use the information for, and a valid address to which opt-out requests can be sent); AND
– Rule 2: obtain consent. You cannot send unsolicited email marketing messages unless you have the individual’s prior consent to do so. This strict ‘opt-in’ rule is relaxed (the so-called ‘soft opt-in’) if three exemption criteria are satisfied: the contact details were obtained in the course of a sale, or negotiations for a sale, of a product or service to that person; the marketing is for your own similar products or services only; and a simple means of refusing marketing was offered when the details were collected and is offered in every subsequent message.
Electronic Marketing (2)
You must not send unsolicited electronic marketing to any individual or company who has asked you not to contact them, or who has registered with an opt-out or preference service.
Electronic Marketing (3)
What is prior consent?
– Explicit ‘opt-in’ consent: “I consent to you sending me marketing information about your products by email from time to time. [ ] Please tick box”.
– Consent may be any positive action, eg sending an email or subscribing to a service. There must be some form of positive action by the individual, and the individual must know that they are agreeing to receive marketing and by a specified means of communication. A pre-ticked box that the individual merely fails to untick involves no positive action.
Electronic Marketing (4)
An individual can opt out at any time under the Act (s11, the right to prevent processing for the purposes of direct marketing). Any opt-out request must be actioned, and a list of all individuals who have opted out (a suppression list) must be kept.
The prior-consent rule does not apply to marketing sent to corporate subscribers such as limited companies, although you must still identify yourself, provide an opt-out address, and stop if they ask you to.
Electronic Marketing (5)
Glossary of terms:
– “Electronic mail”: includes emails, texts, picture and video messages.
– “Individuals”: includes individuals as well as sole traders and unincorporated partnerships.
– “Unsolicited”: something that is not invited.
Additional regulators/bodies such as the Advertising Standards Authority and the Direct Marketing Association should be considered.
Electronic Marketing (6)
If you wish to carry on using the “opt-out” method but you want it to amount to prior consent, you must do three things:
– Draw attention to the fact that you are collecting mobile numbers and email addresses for marketing.
– Use a consent statement.
– Provide an ‘opt-out’ facility.
Electronic Marketing (7)
Advice:
– Marketing campaigns should always be permission-based.
– Explain clearly what a person’s details will be used for.
– Provide a simple way for them to opt out of marketing messages.
– Have a system in place to deal with complaints.
The New Data Protection Regulation
On 25 January 2012, the European Commission published a proposal for a new Regulation (the draft General Data Protection Regulation).
The European Commission has called for:
– an effective new data protection framework
– clear, effective rights for individuals
– clear responsibility and accountability
– obligations to be focussed on processing that poses genuine risks to individuals or societies
– data protection authorities that are independent and with a clearer role.
The New Data Protection Regulation (2)
Potential changes:
– Higher fines
– Stronger data subject rights
– Tighter conditions for valid consent
– More responsibility on data controllers.
The New Data Protection Regulation (3)
The Regulation would essentially be a harmonised EU regime: unlike the current Directive, a Regulation applies directly in every member state without national implementing legislation.
The draft Regulation will need to be approved by the EU member states (in the Council) and by the European Parliament. It could take up to 2 years before the Regulation is adopted.
Case Study (1) (Recognising Personal Data)
A potential member of a gym meets with a sales manager of a local gym to discuss membership options. The sales manager asks the prospective member for certain information (name, address, age) and records these details manually on a ‘new membership application form’. These details will subsequently be added to the gym’s computer system.
Is this data?
Case Study (2) (Overseas Transfer of Data)
UK Gadgets is one of the leading suppliers of gadgets in the UK. It has recently been bought out by a US multinational, US Gadgets.
As part of its new reporting obligations, UK Gadgets has been asked to send copies of all of its employee records to US Gadgets’ head office in New York.
However, compliance with this request may be difficult, as it is one of the main principles of the Data Protection Act that personal data should not be transferred outside the EEA unless the data will be adequately protected.
The commercial director is a little concerned that if he sends these he could be in breach of Principle 8, but head office is adamant that they must be sent.
Case Study (2) (Overseas Transfer of Data) (continued)
What are his options?
NB: This case study assumes that the other Data Protection principles have been complied with, and that the data does not consist of sensitive personal data, where consent to transfer may need to be obtained.
Case Study (3) (Electronic Marketing)
“Please tick here if you do not want us to contact you by electronic means (e-mail or SMS) with information about goods and services which we feel may be of interest to you.”
Is this acceptable?