Blake Lapthorn's In-House Lawyer and Decision Maker's forum - 12 September 2013
In-house lawyer and
decision makers’ forum
Data Protection Breakfast
Thursday, 12 September 2013
Introduction and Welcome
Data Protection seminar
Recognising personal data and anonymisation
Overseas transfers of personal data and the cloud
Electronic marketing and cookies
Apps, social media and BYOD
The new Data Protection Regulation
Short case studies
Recognising ‘Personal Data’
Why is this relevant?
The Data Protection Act 1998 (Act) will not be engaged if
you are not processing personal data
What is personal data?
First, establish if the information is ‘data’. There are four
categories of data:
– Automatically processed data or data recorded with the
intention that it will be so processed
– Data forming part of a ‘relevant filing system’
– Data forming part of an ‘accessible record’
– Data recorded by a public authority
Recognising Personal Data (2)
Secondly, establish if the data is ‘personal data’:
– Defined in s1 (1) of the Act as:
“Data which relate to a living individual who can be identified:
(a) from those data; or
(b) from those data and other information which is in the
possession of, or is likely to come into the possession of, the
– “Living Individual”
Recognising ‘Personal Data’ (3)
Examples of personal data include:
– Addresses, telephone numbers, job titles and dates of birth
– Expressions of opinions about an individual
– Indications of the intentions of the data controller or any
other person in respect of the individual.
Sensitive personal data
Anonymised data is not personal data…
Recognising ‘Personal Data’ (4)
Why are we talking about anonymised data?
Release of anonymised data can have:
– Commercial benefit
– Public benefit
– Academic research benefits
DPA does not apply to the anonymised data but DOES
apply to processing the source data to anonymise it
What is it?
Anonymised data is data that does not relate to any
individual and is unlikely to allow any individual to be
identified through its combination with other data at the
point of transfer to another party
Generally applied to large datasets rather than
pseudonymising individual pieces of information
How do we go about creating it?
Wide number of anonymisation techniques
Consent generally not required
Document your process – aim for transparency
Must address risk of re-identification
Have an on-going governance structure
Public authorities need to remember:
Application of FOIA
What happens if re-identification happens?
You will become a data controller
ICO likely to take enforcement action against
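The slides say an anonymisation process "must address risk of re-identification" and be documented. One concrete way to do that for a tabular release is a k-anonymity check: count how many records share each combination of quasi-identifiers (fields that are not names or IDs but could be matched against data a recipient already holds), and treat any combination shared by very few records as a re-identification candidate. The following is an added example written for this page, not material from the seminar; the dataset, the field names and the chosen threshold are constructed, and the generalisation and suppression steps are illustrative, not the ICO's recommended process.

```python
"""Re-identification risk check for a proposed anonymised release.

Added example (not from the seminar slides). Quasi-identifiers are the
fields that are not direct identifiers but could be combined with other
data to single someone out. The check computes k-anonymity: the smallest
number of records sharing one combination of quasi-identifier values.
A record that is unique on those fields (k = 1) is a re-identification
candidate and the release should be reworked before it leaves the org.
"""
from collections import Counter

# Constructed sample: names and membership numbers already removed.
RECORDS = [
    {"age": 34, "postcode": "SO23 8", "sex": "F", "condition": "asthma"},
    {"age": 36, "postcode": "SO23 8", "sex": "F", "condition": "none"},
    {"age": 52, "postcode": "SO14 2", "sex": "M", "condition": "diabetes"},
    {"age": 58, "postcode": "SO14 2", "sex": "M", "condition": "none"},
    {"age": 23, "postcode": "PO1 3", "sex": "M", "condition": "none"},
    {"age": 31, "postcode": "SO23 8", "sex": "M", "condition": "asthma"},
]
QUASI_IDENTIFIERS = ("age", "postcode", "sex")  # assumed for this sample


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest equivalence-class size: the dataset is k-anonymous for this k."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def risky_classes(records, quasi_identifiers, k):
    """Quasi-identifier combinations shared by fewer than k records."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(key for key, n in classes.items() if n < k)


def generalise(records, age_band=10, postcode_chars=4):
    """One common anonymisation step: band ages and truncate postcodes.
    Returns new dicts; the source records are left untouched."""
    out = []
    for r in records:
        low = (r["age"] // age_band) * age_band
        g = dict(r)
        g["age"] = f"{low}-{low + age_band - 1}"
        g["postcode"] = r["postcode"][:postcode_chars].strip()
        out.append(g)
    return out


def suppress_below_k(records, quasi_identifiers, k):
    """Drop records whose combination is still shared by fewer than k others."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records
            if classes[tuple(r[q] for q in quasi_identifiers)] >= k]


def release_report(records, quasi_identifiers, k_required):
    """Summary that can be filed alongside the release decision (documenting
    the process, as the slides recommend)."""
    k = k_anonymity(records, quasi_identifiers)
    return {
        "k": k,
        "meets_threshold": k >= k_required,
        "risky": risky_classes(records, quasi_identifiers, k_required),
    }


if __name__ == "__main__":
    print(release_report(RECORDS, QUASI_IDENTIFIERS, 2))
    generalised = generalise(RECORDS)
    print(release_report(generalised, QUASI_IDENTIFIERS, 2))
    print(release_report(suppress_below_k(generalised, QUASI_IDENTIFIERS, 2),
                         QUASI_IDENTIFIERS, 2))
```

Run against the sample, the raw records are all unique (k = 1); banding ages and truncating postcodes still leaves two unique combinations, and only after suppressing those does the release reach k = 2. That is the point of re-running the check after every step rather than assuming one technique is enough. k-anonymity is a floor, not a guarantee: it says nothing about what can be inferred when everyone in a class shares the same sensitive value, so it is one input to the governance process the slides describe, not a substitute for it.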
Overseas Transfers of Personal Data
Due to the continued globalisation of trade and ever
increasingly connected world, record amounts of customer
and employee data now are transferred overseas from the
Growth in cloud computing has also had a large impact
(often unknown to those who utilise its benefits)
As usual, the Act has something to say - 8th Principle:
“Personal data shall not be transferred to a country or territory
outside the European Economic Area (EEA) unless that country or
territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal
Is there a transfer? Two questions to consider:
1. Is the country of the transferee of personal data outside the EEA?
2. Does the transmission in question actually amount to a transfer?
What is a ‘transfer’? Transfer or Transit?
Examples from ICO:
– (1) A company in the UK uses a centralised human resources system
in the US belonging to its parent company to store information about
its employees – TRANSFER
– (2) Personal data is transferred from the UK to Germany via a server
in Switzerland, which does not access or manipulate the information
while it is in Switzerland – TRANSIT
Overseas Transfers of Personal Data (2)
A five step “good practice” approach should be considered:
1. Is there a transfer of personal data to a third country?
2. Is the transfer necessary?
3. Does the third country ensure an adequate level of
protection to data being transferred?
4. Consider whether the parties have, or can put in place,
adequate safeguards to protect the data
5. Consider if any of the other derogations to the 8th principle
Overseas Transfers of Personal Data (3)
If there will be a transfer to a third country, you need to
consider whether the third country ensures an adequate
level of protection.
Finding of adequacy normally based on a Community
finding or a positive outcome when applying the adequacy
– “Community finding”: where the European Commission makes
a finding that a country outside the EEA has an adequate
level of protection. A list can be found on the ICO website.
– “Adequacy test”: where there is no Commission finding, a
data exporter can assess the general adequacy itself.
Overseas Transfers of Personal Data (4)
You can use model contractual clauses to transfer data
which have been approved by the European Commission
Various sets available – controller to controller and
controller to processor
Binding Corporate Rules
Only available to multinational corporations looking to
transfer data around world
One data protection authority takes the lead and
coordinates input from others
Overseas Transfers of Personal Data (5)
What is the cloud?
The provision of a range of IT technologies and service models
on demand via a network usually delivered via the internet:
– Software as a service
– Platform as a service
– Infrastructure as a service
Generally provided by a third party or parties hosting resources
and data across a number of servers and/or for a number of
Causes a lot of concern from a data protection perspective as:
– the servers are often based overseas outside of the EEA
– there can be difficulty working out who is responsible for what
– data can be stored across a number of servers on a
continually changing basis
The Cloud (2)
If you are the data controller using a cloud provisioned
You must check where any data is going to be stored and, if not in the
EEA, ensure that you meet one or more of the conditions required
before data can be transferred outside of the EEA
You will be responsible for assessing risks, informing data subjects,
putting written controls in place, monitoring, protecting and retrieving
Not easy when dealing with cloud providers and commonly you will also
be offered standard terms that are non-negotiable
A checklist for data protection compliance by cloud clients and cloud
providers has been issued by the ICO – see Guidance on the use of cloud
computing (2012). Consider also a privacy impact assessment before
moving to the cloud.
See also ICO Personal Information Online Code of Practice (July 2012)
To collect and use personal data for email and SMS
marketing (“electronic marketing”) there are certain steps
you should follow at the time you collect it and when you
send out messages
Collect and process the personal data fairly
Comply with the Privacy and Electronic Communications
Regulations 2003 (PECR) (as amended). In particular you
– Obtain prior consent – you cannot send unsolicited electronic
marketing messages unless you have the individual’s prior consent
to do so. This strict ‘opt-in’ rule is only relaxed if three exemption
criteria are satisfied.
– Identify the sender, nature of communication etc (see E-Commerce
Regs 2002, Regs 7 & 8) and give details of how to
revoke consent/opt out.
– You have obtained the individual’s details as part of
the sale or negotiations for sale of a product or service
to that person;
– The marketing material concerns only a similar
product or service; and
– The individual must have simple means of refusing
unsolicited marketing at the time their details are
collected and, if they do not opt-out, you must give a
simple way of doing so in every future message e.g.
Electronic Marketing (2)
– Recommend marketing campaigns are always
– Be very careful if using bought-in email lists.
– Explain clearly what a person’s details will be used for
when collecting data through an appropriate privacy
policy and seek opt-in consent when data collected.
– Provide a simple way for them to opt-out of marketing
– Have a system in place to deal with complaints.
Electronic Marketing (3)
What are they?
– From 2011 under the amended PECR you now need to (i) tell
users about them and (ii) obtain “consent” before setting most
types of cookies.
– Only set strictly necessary cookies without consent.
– But what is meant by consent?
Opt-in? e.g. pop up – “For this site to work correctly…we need
to store a small file (called a cookie) on your computer….If you
click on “OK” below we will store cookies and you can continue
using this site with full functionality….For more information read
Implied? e.g. pop up - “We have placed cookies on your
computer to help make this website better. You can change
your cookie settings at any time. Otherwise we’ll assume you’re
OK to continue.” (ICO website)
– ICO Guidance (May 2012 and onwards)
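The slides draw the line between strictly necessary cookies, which may be set without consent, and everything else, which may only be set once consent is in place. Whatever consent model is chosen, the enforcement point is the code that emits Set-Cookie, so the gate belongs there rather than only in the banner. The following is an added example for this page, not code from the seminar or the ICO; the cookie names, categories and the consent cookie's format are constructed, and it takes the opt-in approach (no consent recorded means no non-essential cookies).

```python
"""Consent-gated cookie setting, added example (not from the seminar).

A response may set a strictly necessary cookie at any time. Cookies in
any other category are emitted only when the visitor's recorded consent
covers that category. The consent record is itself a strictly necessary
cookie; its name and the "cat1|cat2" value format are assumptions made
for this example.
"""
from http.cookies import SimpleCookie

STRICTLY_NECESSARY = "necessary"
CONSENT_COOKIE = "cookie_consent"  # constructed name, not a standard

# Category of each cookie the site wants to set (constructed inventory).
# Anything not listed here is never set, so a new cookie has to be
# classified before it can reach a browser.
COOKIE_CATEGORIES = {
    "session_id": STRICTLY_NECESSARY,
    CONSENT_COOKIE: STRICTLY_NECESSARY,
    "_analytics_id": "analytics",
    "ad_profile": "advertising",
}


def parse_consent(cookie_header):
    """Categories the visitor has opted into, read from the request's Cookie
    header. No consent cookie means no consent (empty set)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if CONSENT_COOKIE not in jar:
        return set()
    return {c for c in jar[CONSENT_COOKIE].value.split("|") if c}


def permitted(name, consented):
    """True if this cookie may be set given the consented categories."""
    category = COOKIE_CATEGORIES.get(name)
    if category is None:
        return False  # unclassified cookies are never set
    return category == STRICTLY_NECESSARY or category in consented


def build_set_cookie_headers(wanted, consented):
    """Set-Cookie header values for the permitted subset of `wanted`
    (a dict of cookie name -> value), with Secure/HttpOnly/Path set."""
    headers = []
    for name, value in wanted.items():
        if not permitted(name, consented):
            continue
        jar = SimpleCookie()
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["secure"] = True
        jar[name]["httponly"] = True
        headers.append(jar[name].OutputString())
    return headers


def record_consent(categories):
    """Set-Cookie value that stores the categories the visitor accepted.
    Only categories the site actually uses are recorded."""
    known = {c for c in COOKIE_CATEGORIES.values() if c != STRICTLY_NECESSARY}
    chosen = "|".join(sorted(set(categories) & known))
    return build_set_cookie_headers({CONSENT_COOKIE: chosen}, set())[0]


if __name__ == "__main__":
    wanted = {"session_id": "s1", "_analytics_id": "a1", "ad_profile": "p1"}
    # First visit, nothing recorded: only the session cookie goes out.
    print(build_set_cookie_headers(wanted, parse_consent(None)))
    # Visitor accepts analytics only; later requests carry that record.
    print(record_consent(["analytics"]))
    print(build_set_cookie_headers(wanted, parse_consent("cookie_consent=analytics")))
```

The inventory dict doubles as the documentation the slides ask for ("tell users about them"): every cookie the site sets has a stated category, and one that has not been classified is refused rather than set by default.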
BYOD – “bring your own device”
– Lots of legal issues (case study explores some of these not
just data protection)
– From a data protection perspective security is the biggest
issue – 7th Principle (and other principles too).
What happens if a device is lost, hacked or stolen?
Steps taken must relate to risks e.g. is sensitive personal
data available for access or storage on a “BYOD”
– Prevent unauthorised access (e.g. password on device,
encryption on device, lock out/delete data if too many
failed attempts, separate business from personal data)
– Encrypt data in transit
– Right to monitor and automatically delete data
– Employees leave
Apps, Social Media and BYOD
ICO Guidance on BYOD (March 2013)
– Carry out an internal assessment leading to implementing
BYOD policy (include an acceptable use policy and also a
social media policy if BYOD policy leads to increased use
of social media by employees)
– Need to cross refer to Employment Practices Code (e.g. re
monitoring and acceptable use policy)
Apps, Social Media and BYOD (2)
Social Media – social networking and online forums
– Growth in organisations setting up own blogs/social media
web pages/online forums
Customer reviews/feedback
School/university alumni/ae events
Charity fund-raising and volunteer sites
– If you are processing personal data for non-domestic
purposes then you will be subject to the DPA and won’t
benefit from domestic purposes (s 36) exemption
Apps, Social Media and BYOD (3)
– Need to assess in particular
Who is data controller
Ensure data accurate (4th Principle)
“Solicitors from Hell” case
– ICO Guidance (May 2013)
– Have accurate acceptable use policy
– Be clear how complaints dealt with
Apps, Social Media and BYOD (4)
– Collect personal data (location, stored data, sensor data…)
– Process personal data
– EU’s Article 29 Working Party issued opinion WP 202 on
apps on smart devices (27 February 2013). If you are
developing or using Apps in your business you must address
the privacy issues.
Apps, Social Media and BYOD (5)
– Key privacy issues highlighted by EU
Lack of transparency on types of processing
Lack of meaningful (i.e. free and informed) consent
Poor security measures
Disregard of any purpose limitation and lack of data
minimisation (e.g. “market research” that doesn’t relate to
App at all)
– Take away: ensure privacy issues are addressed in App
Apps for children raise specific issues
Apps, Social Media and BYOD (6)
The New Data Protection Regulation
On 25 January 2012, the European Commission published a
proposal for a new EU Regulation. This will repeal the existing
1995 EU Data Protection Directive. In the UK this will mean all
or part of the DPA 1998 (tbd by Parliament) will be superseded
by a directly effective Regulation.
The European Commission has called for:
– An effective new data protection framework
– Clear, effective rights for individuals
– Clear responsibility and accountability
– Obligations to be focussed on processing that poses genuine risks
to individuals or societies
– Data protection authorities that are independent, with a clearer role
– Higher fines
– Stronger data subject rights including “right to be forgotten”
– Consent (specific Article on this e.g. placing burden of proof
on data controller where consent relied on)
– More responsibility on data controllers (including those
outside the EU) including requiring data protection officers in
organisations and obligation to notify the regulator if a data
breach and then potentially tell data subjects too
The New Data Protection Regulation (2)
The Regulation should essentially be a harmonised EU
The draft Regulation will need to be approved by EU
member states and ratified by the European Parliament.
Originally to be adopted in 2014 and in effect in 2016.
But delay in legislative process due to contentious nature
of the Regulation.
The New Data Protection Regulation (3)
Note: other recent and proposed EU laws
– Regulation 611/2013 on the notification of personal data
breaches (not general - only applies to ISPs/telcos – in
force from 29 August 2013 and see also amended PECRs)
– Proposed Network and Information Security Directive
(February 2013) (potentially applies to a wide range of
companies and organisations in energy, transport, banking
and finance, health care plus e-commerce platforms, social
networks, search engines, cloud services, application
stores, payment gateways plus “public administrations”) –
obligations to guarantee security appropriate to the risk and
to tell regulator about cyber security incidents
The New Data Protection Regulation (4)
Case Study (1) (Recognising Personal Data)
A potential member of a gym meets with a sales manager
of a local gym to discuss membership options. The sales
manager asks the prospective member for certain
information (name, address, age) and records these
details manually on a ‘new membership application form’.
These details will subsequently be added to the gym’s
Is this data? Does it matter if the information is never added to the
Case Study (2) (Overseas Transfer of
UK Gadgets is one of the leading suppliers of gadgets in the
UK. It has recently been bought out by a US multinational, US
As part of its new reporting obligations, UK Gadgets has been asked to
send copies of all of its employee records to a third party cloud provider
(CloudCo) based in the US appointed by US Gadget’s head office in
New York to manage the multinational’s global HR database. The UK
Co will have direct access to the cloud service through web browser
and password access. In due course it will also upload updated data
direct to CloudCo. The UK data will be available for access and
processing by both the UK and US parent.
The HR director is a little concerned that if he does this, he could be in
breach of the DPA, but head office is adamant that they must be sent.
What are his options?
NB: This case study assumes that the other Data Protection principles have
been complied with and that the data does not consist of 'sensitive' personal
data where consent to transfer may need to be obtained.
Case Study (3) (Electronic Marketing)
Please tick here if you do not want us to contact you by
electronic means (e-mail or SMS) with information about
goods and services which we feel may be of interest to
Is this acceptable?
Case Study (4) (Apps/BYOD/Social Media)
After considerable internal debate amongst the IT director,
HR director and head of sales and marketing at Way
Ahead law firm, the Board decide to allow legal staff to
utilise their own smart phones and tablets for work
What should Way Ahead do to minimise risks?