Data Protection Act

Notes

  • EC Directive on Privacy and Electronic Communications 2002
    • The EC Directive on Privacy and Electronic Communications 2002 was brought into force in the UK on 11 December 2003 under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the Regulations”).
    • The Regulations set out requirements for EU Member States to introduce new laws regulating the use of: unsolicited commercial communications, which includes spam; cookies; location and traffic data; and publicly available directories.
    • Those affected by the Regulations are: providers of public communications networks and services; businesses operating their own web sites; and pure e-commerce companies.
    • Breach of the Regulations can result in regulatory investigations, fines, civil damages actions and criminal liability. Criminal sanctions may be imposed on company directors, as well as the company.
    • The areas of concern for companies and entities active in the UK market are:
    • 1. Unsolicited Communications & Opting In. The sending of unsolicited electronic commercial communications, such as email, SMS or MMS communications, is prohibited under the Regulations if the recipient has not previously specifically “opted in” to receive such communications. Consent may be obtained by, for example, ticking a box, clicking an icon during a registration process, or by way of a specific email request for information. However, if there is a pre-existing customer relationship, the “opt in” requirement may be disregarded, provided that three criteria are met: (a) the sender has obtained the contact details of the recipient in the course of a sale, or negotiations for the sale, of a product or service to the individual; (b) the communication is made regarding the sender’s similar products and services only; and (c) the recipient has access to a simple means of declining the use of their contact details for the purposes of sending such communications, both at the time of the initial collection of the details and at the time of each subsequent communication.
    • 2. Opting Out. Individuals have a perpetual right to “opt out” of receiving further communications at any time. Senders of unsolicited commercial communications are under an obligation not to disguise their identity and to provide a valid contact address at which the recipient can contact the sender. The process provided to do so must not be complicated.
    • 3. Corporate Subscribers. The Regulations aim to protect individuals from direct marketing and also, to a lesser extent, corporate subscribers. Sole traders and non-limited liability partnerships fall within the definition of corporate subscribers. It is unclear whether the Regulations apply to individuals at corporate entities; it may be difficult to know whether an email address is that of an individual or of a corporate subscriber.
    • 4. Cookies. The Regulations introduce controls on the use of cookies or similar devices on web sites. Individuals must be provided with clear information about the purposes of the specific information being collected, and must be given the opportunity to refuse the storage of, or access to, that information. A guide for business can be found at http://www.allaboutcookies.org/ and includes a compliance statement template, a compliance checklist and a template to help web sites develop their statement on cookie policy.
    • 5. Faxes. There is a distinction between faxes to businesses and those to private members of the public. The Regulations give private individuals the right to opt in, and businesses the right to opt out. Contact details should be attached to each fax sent out. Unsolicited faxes may not be sent to those registered with OFCOM.
    • 6. Telephone Calls. Private individuals and businesses are both given the option of opting out. Caller details must be supplied each time a call is made: the name of the caller must be given and, if the individual requests it, the address of the caller or a free-phone telephone number. As with faxes, those registered with OFCOM cannot be contacted.
    • 7. Automated Calls and Dialling Machines. The Regulations provide that the only permitted use of such systems is where the person called has previously notified the caller that they consent to being called. The individual must be given the option of opting out of such communications.
    • Considerations for Business: Direct Marketing. Businesses which participate in direct marketing must take into account: what activities they are undertaking and how information is obtained from customers; the content of their privacy or data protection notices; and what information is obtained from and given to customers and potential customers via online registration forms, or arising from telephone or fax contact.
    • Furthermore, they must consider whether the information has been fairly obtained, in accordance with the Data Protection Act 1998. The provisions relating to the protection of personal data in the Data Protection Act have not been replaced by these Regulations, so direct marketing activities should be considered in light of both the Act and the Regulations.
    • Whether the company is properly registered under the Data Protection Act 1998.
    • Whether the individual’s contact details have been obtained from list renters. This is primarily a concern for unsolicited emails, and businesses must check that the individuals opted in to contact through such means, to prevent any unlawfulness. Checks should be made with the Mailing Preference Service, Telephone Preference Service or Fax Preference Service, in order to establish whether the customer has registered with any of these services.
    • The Privacy and Electronic Communications (EC Directive) Regulations 2003 are one of the sets of regulations introduced to accommodate the expansion of the so-called "Information Society". These Regulations are fundamental to conducting business in the online environment and with the use of telecommunications networks.
  • Case 43/75, Defrenne v. Sabena, 1976 E.C.R. 455. Facts: the applicant brought an action before the Tribunal du travail in Brussels for compensation for the loss she had incurred in terms of salary, allowance on termination of contract and pension in comparison with male members of the crew performing identical duties. The Belgian appeal court referred the case to the ECJ. Holding: the ECJ held that the equal pay provision of Article 119 had as its aims both economic and social functions. It ruled that Article 119 EC "forms part of the social objectives of the Community, which is not merely an economic union, but at the same time intended, by common action, to ensure social progress and seek constant improvement of the living and working conditions". Reasoning: the principle of equal pay for equal work would be binding not only upon member states but also, directly, upon private employers. So an individual can rely on some Treaty articles to enforce rights against another individual in the national courts. Direct and overt discrimination can be identified by the criteria set out under Article 119 of equal pay for equal work, whereas indirect and covert discrimination can be identified by reference to more explicit implementing provisions of a Community or national character. Direct forms of discrimination include discrimination that has its origins in legislative provisions or collective labour agreements and that can be detected on the basis of a purely legal analysis of the situation.
  • See handout – Implementation and Text of EU Data Protection Directive
  • Section 1(1) DPA 1998
  • [Section 1(1) DPA 1998] [Schedule 2 DPA 1998]
  • NB – Names of business contacts are included in the definition
  • [Section 2 DPA 1998] [Schedule 3 DPA 1998]
  • [Section 1(1) DPA 1998]
  • [Schedule 1 Part II DPA 1998]
  • Section 7 DPA Section 10 DPA Section 11 DPA Section 12 DPA Section 13 DPA Section 14 DPA
  • [Schedule 1 Part II Paragraph 9-12 DPA]
  • [EEA is EU Member States plus Iceland, Liechtenstein and Norway]
  • Consumer Protection (Distance Selling) Regulations 2000 – Information Requirements. In good time prior to the conclusion of the contract the supplier shall:
    • Provide to the consumer the following information: (i) the identity of the supplier and, where the contract requires payment in advance, the supplier’s address; (ii) a description of the main characteristics of the goods or services; (iii) the price of the goods or services including all taxes; (iv) delivery costs where appropriate; (v) the arrangements for payment, delivery or performance; (vi) the existence of a right of cancellation except in the cases referred to in regulation 13; (vii) the cost of using the means of distance communication where it is calculated other than at the basic rate; (viii) the period for which the offer or the price remains valid; and (ix) where appropriate, the minimum duration of the contract, in the case of contracts for the supply of goods or services to be performed permanently or recurrently;
    • Inform the consumer if he proposes, in the event of the goods or services ordered by the consumer being unavailable, to provide substitute goods or services (as the case may be) of equivalent quality and price; and
    • Inform the consumer that the cost of returning any substitute goods to the supplier in the event of cancellation by the consumer would be met by the supplier.
  • NB. This right is exercisable by any living individual. NB. The need for CRM systems to be compliant.
  • See Catherine Zeta Jones case (Hello Magazine). Photographs are personal data. Data protection added as a cause of action. The Information Commissioner has to investigate every complaint.
  • Very high risk area from a compliance point of view
  • See British Gas example. Put a brochure in with customer bills. One person complained to Data Protection Registrar (Now Information Commissioner). Went to Data Protection Tribunal. Brochure stopped being put in with gas bill. British Gas had been relying on implied consent. British Gas was promoting third party goods and services.
  • Note: Personal Data is the oil of the 21st Century.

Transcript

  • 1. SYNEXUS Data Protection Training
    • Michael Mulholland
    • Compliance Consultant
    • [February 2010]
  • 2. Experience
    • Compliance Consultant – Fiserv, Euroclear, Cheval Property Finance
    • Legal Counsel at GMAC
    • Legal Adviser/Compliance Officer at Citigroup
    • Legal Adviser & Litigator at First National Bank Plc (Now GE Money)
  • 3. Training Objectives
    • Why this course was arranged
    • Objectives
    • Raising awareness
    • Tangible evidence
    • Developing internal expertise
    • Personal Objectives
    • BAU Impact
    • Overall effectiveness
  • 4. Agenda
    • Compliance
    • Background
    • DPA 1998 – Definitions
    • DPA 1998 – The Data Protection Principles
    • The role of the information commissioner
    • Notification
    • The rights of the individual
    • Exemptions
    • Offences
    • Privacy and Electronic Communications (EC Directive) Regulations
    • The Law of Direct Marketing
    • Associated Legislation
    • A Data Protection Scenario
    • Slides, Handouts and test paper
  • 5. Why Comply?
    • Civil Liability
    • Criminal Sanctions (including for directors)
    • Enforcement notice
    • Negative publicity
  • 6. Background to UK Data Protection
    • Directive 95/46/EC implemented by the Data Protection Act 1998
    • Freedom of Information Act 2000 ( The Freedom of Information Act gives an individual the right to obtain information held by public authorities unless there are good reasons to keep it confidential)
    • Privacy and Electronic Communications (EC Directive) Regulations 2003
    • The Information Commissioner’s Office www.ico.gov.uk
  • 7. EC Directive on Privacy and Electronic Communications 2002
    • The EC Directive on Privacy and Electronic Communications 2002 was brought into force in the UK on 11 December 2003 under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the Regulations”).
    • The Regulations set out requirements for EU Member States to introduce new laws regulating the use of:
    • unsolicited commercial communications, which includes spam
    • cookies
    • location and traffic data, and
    • publicly available directories.
    • Those affected by the Regulations are:
    • providers of public communications networks and services
    • businesses operating their own web sites
    • pure e-commerce companies.
    • Breach of the Regulations can result in regulatory investigations, fines, civil damages actions and criminal liability. Criminal sanctions may be imposed on company directors , as well as the company.
  • 8. The European Dimension
    • The European Communities Act 1972
    • The Treaty of Rome
    • Citizens could rely on the Articles directly
    • Apply if national law silent or inconsistent
    • Defrenne v Sabena 1976
    • Indirect effect of directives
  • 9. Case 43/75, Defrenne v. Sabena, 1976 E.C.R. 455.
    • Facts: the applicant brought an action before the Tribunal du travail in Brussels for compensation for the loss she had incurred in terms of salary, allowance on termination of contract and pension in comparison with male members of the crew performing identical duties. The Belgian appeal court referred the case to the ECJ.
    • Holding: the ECJ held that the equal pay provision of Article 119 had as its aims both economic and social functions. It ruled that Article 119 EC "forms part of the social objectives of the Community, which is not merely an economic union, but at the same time intended, by common action, to ensure social progress and seek constant improvement of the living and working conditions".
  • 10.
    • Reasoning: the principle of equal pay for equal work would be binding not only upon member states but also, directly, upon private employers. So an individual can rely on some Treaty articles to enforce rights against another individual in the national courts.
    • Direct and overt discrimination can be identified by the criteria set out under Article 119 of equal pay for equal work, whereas indirect and covert discrimination can be identified by reference to more explicit implementing provisions of a Community or national character.
    • Direct forms of discrimination include discrimination that has its origins in legislative provisions or collective labour agreements and that can be detected on the basis of a purely legal analysis of the situation.
  • 11. Meaning of Indirect Effect
    • Indirect effect is a principle of European Community Law which compels national courts to interpret 'so far as possible' national legislation in accordance with the aims of a directive.
    • In the EU, a " directive " is a legislative order that requires implementation in every member state by the domestic government. While the member state has the freedom to draft their own implementing law, the law must comply with the aim of the original directives. As a result, implementation may take different forms across the member states.
    • This is in contrast to a " regulation ," a single law for the entire Union that is directly effective in every member state.
  • 12. Implementation of the EU Data Protection Directive
    • Examples
    • UK - Data Protection Act 1998; all companies had to achieve full compliance as of 24 October 2001
    • Germany – Amendments to the Federal Data Protection Act (Bundesdatenschutzgesetz), entry into force 23 May 2001
  • 13. Essential Definitions
    • Data
    • Personal Data
    • Sensitive Personal Data
    • Processing
    • Data Subject
    • Data Controller
    • Data Processor
  • 14. Data
    • Automated information
    • Manual records intended to be processed by computer
    • Information held on a relevant filing system
  • 15. Personal Data
    • Information relating to living individuals (including sole traders and partners of partnerships) who can be identified from the information
    • E.g. names, email addresses, opinions in appraisals
    • Durant v Financial Services Authority – a changing definition of “personal data”?
  • 16. Personal Data
    • Means data which relate to a living individual who can be identified:
    • from those data, or
    • from those data and other information which is in the possession of, or likely to come into the possession of, the data controller,
    • and includes any expressions of opinion about the data subject
  • 17. Sensitive Personal Data
    • A category of Personal Data given greater protection
    • racial or ethnic origin
    • political opinions
    • religious beliefs
    • trade union membership
    • physical or mental health
    • sexual life
    • Commission or alleged commission of an offence (and proceedings relating to such commission)
  • 18. Processing
    • Obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data, including –
    • (a) organisation, adaptation or alteration of the information or data,
    • (b) retrieval, consultation or use of the information or data,
  • 19.
    • (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
    • (d) alignment, combination, blocking, erasure or destruction of the information or data
    • Difficult to imagine any action which is not processing
  • 20. Data Subject
    • An individual who is the subject of Personal Data
    • Must be a living individual
    • Companies and other corporate bodies cannot be Data Subjects
    • Nationality and/or residence not important
  • 21. Data Controller
    • The person who determines the purposes and manner in which Personal Data is processed
    • Can be alone or jointly or in common with others
    • Can be an individual or corporate body
  • 22. Data Processor
    • The person who processes the data on behalf of the Data Controller
    • Does not include employees of the Data Controller
    • DPA not directly applicable to Data Processors
    • [Section 1(1) DPA 1998]
  • 23. Data Protection Act 1998 The Data Protection Principles
  • 24. Eight Data Protection Principles
    • Fair and Lawful Processing
    • Processing for specified purposes only
    • Adequate, relevant and not excessive
    • Accurate and up to date
    • Kept no longer than is necessary
    • Rights of data subject
    • Appropriate security
    • International Transfers of Personal Data
  • 25. Fair and Lawful Processing
    • Three limbs
    • Fair Processing Notice
    • Satisfaction of a processing condition
    • Lawful processing
  • 26. Fair and Lawful Processing
    • Fair Processing Notice
    • Identity of data controller
    • Purposes for which personal data are to be processed
    • Identity of any persons to whom personal data will be disclosed
    • Overseas destinations where personal data may be transferred
    • Additional disclosure required to make processing fair
    • Schedule 1 Part II DPA 1998
  • 27. Fair and Lawful Processing
    • Fair Processing Notice
    • Identity of data controller
    • Purposes for which data are to be processed
    • Identity of any persons to whom personal data will be disclosed
    • Overseas destinations where personal data may be transferred
    • Additional disclosure required to make processing fair
  • 28. Fair and Lawful Processing
    • Satisfaction of a processing condition
    • PERSONAL DATA
    • Consent; or
    • Necessary for the performance of a contract to which the data subject is a party; or
    • Legal obligation (non-contractual); or
    • Protection of vital interests of data subject; or
    • Administration of justice; or
    • In legitimate interests of controller unless prejudicial to the data subject
  • 29. Fair and Lawful Processing
    • Satisfaction of a processing condition
    • Sensitive Personal Data
    • Explicit Consent; or
    • Legal obligation (in connection with employment); or
    • Protection of vital interests; or
    • Non-profit associations; or
    • Data subject has made the personal data public; or
    • Legal proceedings; or
    • Administration of justice; or
    • Medical purposes; or
    • Ethnic equality monitoring
    • [Schedule 2 DPA 1998]
    • [Schedule 3 DPA 1998]
  • 30. Fair and Lawful Processing
    • Lawful processing
    • No guidance in the DPA
    • “something which is contrary to some law or enactment or is done without lawful justification or excuse”
    • E.g. information obtained by breach of confidence
    • [Schedule 1 DPA 1998]
  • 31. Rights of the Data Subject
    • Right of subject access
    • Prevention of processing causing damage or distress
    • Right to prevent processing for direct marketing
    • Rights in relation to automated decision taking
    • Right to compensation
    • Dealing with inaccuracy
  • 32. Security
    • Appropriate technical and organisational measures to protect Personal Data
    • Reasonable steps to ensure reliability of staff
    • “appropriate” depends on the circumstances
    • E.g. security policy, password access, encryption, disaster recovery/back up
    • Written agreements with Data Processors
  • 33. International Transfers
    • No transfer of Personal Data outside of the EEA unless:
      • Adequate protection; or
      • Satisfaction of a schedule 4 condition
  • 34. International Transfers
    • Adequate protection?
    • White list Countries
    • Guernsey
    • Argentina
    • Canada
    • Switzerland
    • Isle of Man
  • 35. International Transfers
    • US Safe Harbor
    • http://www.export.gov/safeharbor/
    • Presumption of adequacy
  • 36. International Transfers
    • Satisfaction of a schedule 4 condition
    • Consent
    • Necessary for the Performance of a Contract
    • Substantial public interest
    • Necessary for legal proceedings
    • Necessary to protect vital interests
    • Public register
    • On terms approved by the Information Commissioner
    • Authorised by the Information Commissioner
  • 37. The Law of Direct Marketing
    • The Data Protection Act 1998 provides the following definition of direct marketing:
    • “the communication of any advertising or marketing material which is directed to particular individuals”
  • 38. The following main statutory provisions regulate direct marketing in the UK
    • Data Protection Act 1998 (‘DPA’) together with 19 statutory instruments made pursuant thereto. The DPA was passed in order to comply with the UK’s obligations under Directive 95/46/EC, which required Member States to pass implementing legislation by 24th October 1998.
  • 39. Example of related Statutory Instrument
    • Regulation 3 of the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (SI 2000/191) provides that the maximum fee for a subject access request is £10.
  • 40. Consumer Protection (Distance Selling) Regulations 2000
    • (‘Distance Selling Regulations’) which require businesses to provide certain information (See Notes) to consumers either before the contract is entered into or as soon as possible thereafter.
    • Most Direct Marketing is done at a Distance i.e. fax, e-mail, telephone or post.
  • 41. Distance Contract
    • Any contract concerning goods or services concluded between a supplier and a consumer under an organised distance sales or service provision scheme run by the supplier who for the purpose of the contract, makes exclusive use of one or more means of distance communication up to and including the moment at which the contract is concluded.
  • 42. Means of Distance Communication
    • Any means which, without the simultaneous physical presence of the supplier and the consumer, may be used for the conclusion of a contract between those parties.
  • 43. The Notification Requirement
    • A basic principle of the DPA is that those businesses that process personal data should generally be listed on a publicly available register.
    • The process of registering a business is known as ‘notification’.
    • The register of data controllers is held and maintained by the Office of the Information Commissioner (OIC).
  • 44. IT IS A CRIMINAL OFFENCE TO PROCESS PERSONAL DATA WITHOUT AN APPROPRIATE ENTRY ON THE REGISTER OF DATA CONTROLLERS
  • 45. Where direct marketing is carried on by a business, the appropriate additional register entries will be either or both of the following:
  • 46.
    • Advertising, marketing and public relations
    • Advertising, marketing and public relations for others
  • 47. The register may be searched at
    • www.dataprotection.gov.uk
  • 48. The Right to Prevent Direct Marketing
    • S.11 Provides
    • “(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
  • 49. S11 DPA
    • (2) If the court is satisfied, on the application of any person who has given notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
    • (3) In this section ‘direct marketing’ means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
  • 50. The Preference Services
    • Preference services exist for the following types of direct marketing:
    • Mail (MPS)
    • Telephone (TPS)
    • Fax (FPS)
  • 51. Related Rights
    • Access
    • Where personal data are being processed by or on behalf of the data controller, the data subject is entitled to be given a description of:
    • The personal data of which that individual is the data subject;
    • The purposes for which they are being or are to be processed; and
  • 52. Related Rights
    • (c) The recipients or classes of recipients to whom they are or may be disclosed.
    • In addition, the data subject is entitled to have communicated to him or her in a form which is capable of being understood;
    • (d) The information constituting any personal data of which that individual is the data subject; and
    • (e) any information available to the data controllers as the source of those data
  • 53. Automated Decisions
    • A data subject has the right to prevent the data controller from taking evaluation decisions concerning him or her by automated means alone.
    • Additionally, where personal data are being processed automatically for the purpose of evaluating matters relating to the data subject and the processing has been or is likely to be the sole basis of a decision significantly affecting the data subject, he or she is entitled to be informed by the data controller of the logic (save to the extent that it constitutes a trade secret) behind the decision taking.
  • 54. Compensation for Damage/Distress
    • An individual who suffers damage as a result of a contravention by a data controller of any provision of the Data Protection Act is entitled to compensation. Additionally, compensation for distress may be claimed in all cases where the individual has suffered damage.
  • 55. Request for Assessment
    • Under section 42 of the DPA any person who feels that he or she is directly affected by the processing of personal data may ask the Data Protection Commissioner to carry out an assessment of the processing to determine whether or not it is being undertaken in accordance with the provisions of the Act. The Commissioner does not have discretion as to whether to carry out such an assessment.
  • 56. However, the Commissioner does have some discretion as to the manner in which an assessment is to be carried out, and factors that can be taken into account in this regard are:
    • the extent to which the request appears to raise a matter of substance;
    • any undue delay in making the request;
    • whether or not the person making the request is entitled to make an application for data subject access
  • 57. Rectification, Blocking, Erasure & Destruction
    • If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.
  • 58. Legitimising Direct Marketing
    • The First Data Protection Principle provides that personal data must not be processed unless one of the six conditions in Schedule 2 to the DPA is met:
    • The data subject has given his consent to the processing
    • The processing is necessary –
    • (a) for the performance of a contract to which the data subject is a party, or
    • (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
  • 59. Legitimising Direct Marketing
    • The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
    • The processing is necessary in order to protect the vital interests of the data subject.
    • The processing is necessary:
    • (a) for the administration of justice
    • (b) for the exercise of any functions conferred on any person by or under any enactment
    • (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
    • (d) for the exercise of any other functions of a public nature exercised in the public interest by any person
  • 60. Legitimising Direct Marketing
    • The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
  • 61. Obtaining consent for Direct Marketing
    • Consent may be obtained by use of opt-out or opt-in clauses.
    • Example 1 (OPT OUT)
    • We would like to keep you informed of products or services that we feel may be useful to you. Please tick this box if you do not wish to do so.
  • 62. Example 2 (OPT OUT)
    • We will occasionally transfer your contact details to our carefully chosen business partners so that they may contact you with offers. Tick this box if you do not wish us to do so.
  • 63. Example 3 (OPT IN)
    • Please tick this box if you wish us to keep you informed of special offers.
  • 64. Thank You for Listening!