Data Protection – an overview

By Ian C. Oultram, Compliance Officer, Business Link Northwest

Presented 16th March 2009

What is the Act for?
• Maintains balance between the individual
  and government/industry

• Regulates demands for data by government
  and industry

• Protects privacy of individual

• Privacy is a basic human right
Data Protection history
• Original Act passed in 1984

• Replaced by 1998 Act

• Brought UK into line with European Data
  Protection Directive

• Information Commissioner’s Office established
  in Wilmslow
Key Definitions
• Personal data – uniquely identifies individual
• Sensitive data – ethnic, health or criminal
• Processing – obtaining, storing, sharing, using
• Data subject – the individual concerned
• Data controller – organisation using and owning
  data
• Data processor – organisation sub-contracted to
  use data by the controller
• Notification – informing Commissioner of
  processing purposes or a breach
• Purpose – broad area of use
The 8 Principles
• Fair and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate and up to date

• Not kept longer than necessary

• Processed in accordance with subject rights

• Kept secure

• Not transferred to other countries without
  protection
Fair and lawfully processed (1st Principle)
• Need consent OR contract OR legal obligation OR statutory power OR public interest
• Fair processing statement (privacy policy) made available at time data is obtained
• Statement should include details of purposes and data sharing
• Comply with all relevant laws including confidentiality and Human Rights Convention
• Act within limits of any statutory powers
• Process within specific but broad purpose
• Cannot obtain data and do nothing with it

Sensitive personal data (1st Principle)
• At least one schedule 2 condition plus explicit consent OR
• Necessary for statutory obligation regarding employment OR
• Necessary to monitor equal opportunities
• Does not involve sharing or a new purpose without consent
• Sickness and injury records should be kept separate from other employment records
• Medical reports should concentrate on fitness
• Staff should know what BUPA data is shared

Consent (1st Principle)
• Individual must be aware of ways data will be processed
• Cannot be inferred from non-response to opt-out
• ‘Opportunity to object’ with another condition such as public interest may provide basis
• Consent does not last forever
• Can be transferred from/to third party where there is clear prior opt-in for sharing
• Explicit consent to processing of sensitive data

Opt-in and opt-out (1st Principle)
• Opting-in by ticking a box, clicking an icon, sending an email
• Prominent opt-out box along with clear and bold message can establish consent
• Opt-in is always for the time being
• Remains valid until recipient objects
• Recipient can opt out at any time and the opt-out must be complied with
• Corporate subscriber has no right of opt-out unless recipient is a named individual

Encore project (1st Principle)
• Hewlett Packard and London School of Economics involved
• Vision to make giving and revoking consent as easy as turning a tap
• Tap as common on data gathering pages as padlock is on payment sites

Telephone marketing (1st Principle)
• Must identify ourselves and provide address or Freephone number if asked
• Must regularly screen CRM against TPS and CTPS registers
• Must not call numbers on TPS or CTPS registers unless subscriber gives specific opt-in consent
• Provide opportunity to opt out and terminate call
• Must comply with request to opt out by ticking ‘do not call’ in CRM
• Responsible even if agency calls on our behalf

Electronic marketing (1st Principle)
• Includes email, text, sound, image, video, voicemail and answer-phone messages
• Only send marketing to named individuals who opt-in or who are clients (or implied opt-in)
• Can send emails to organisations or non-personal email addresses
• Must provide opportunity to opt out
• Must comply with opt-outs by clicking ‘no email’
• Should not use tracking devices unless recipients can turn them off
• Should not use viral marketing techniques
• Subject to Privacy and Electronic Communications Regulations Act

Direct mail (1st Principle)
• Must inform individuals that we may use details for marketing
• Individuals can opt-out of direct mail by writing or ticking a box
• Should not mail-shot named individuals who have opted-out or registered with MPS
• MPS does not carry legal obligation
• Non-personal letters are not subject to Data Protection or MPS

Processed for limited purposes (2nd Principle)
• Data obtained for one purpose cannot be used for another without consent
• Data cannot be obtained without purposes being aligned
• Change in purpose needs consent which cannot be obtained retrospectively
• Purpose should be stated in fair processing statement
• Subjects must not be deceived or misled regarding purpose
• Commissioner must be notified of new purposes within 28 days

Adequate, relevant, not excessive (3rd Principle)
• All processing must be necessary and proportionate
• Data needs at least one valid purpose
• Minimum amount of data necessary to fulfil purpose
• Information necessary for one individual should not be kept for all subjects
• Data cannot be kept on basis that it might be useful in the future
• Data should be kept up to date and relevance reviewed

Accurate and up-to-date (4th Principle)
• Take reasonable steps to ensure accuracy
• Update individual or third party data regularly
• Individuals can request their data is updated or deleted
• Record when information was recorded or updated
• Be aware that data may not reflect current situation
• Objections should be noted
• Avoid false matches and unfounded inferences
• Exceptions are historical records of ‘transactions’

Not kept longer than necessary (5th Principle)
• Data not kept for longer than needed for the purpose for which it was originally obtained
• Not gathered or held indefinitely without a purpose
• Reviewed regularly and deleted when no longer required
• Deleted when relationship ceases
• Historical or statistical data can be kept indefinitely

Processed in accordance with subject rights (6th Principle)
• Must supply information relating to a subject access right
• Must rectify or delete inaccurate or illegitimate data
• Must stop processing, when requested, if it causes damage or distress
• Must cease direct marketing when consent withdrawn or not given
• Subject has right to seek compensation for damage or distress
• Must know purpose

Subject access rights (6th Principle)
• Entitled to copy of data unless cost, time and effort are disproportionate
• Respond to written request within 40 calendar days after identity of requester is established
• Data supplied should include archived data but not management forecasts nor employment references
• Not obliged to comply where similar request has been met
• Routine amendments are allowed but must not cover-up or tamper with data
• Must not disclose to anyone else unless required by law, warrant, for legal advice or proceedings

Employees’ subject access rights (6th Principle)
• Emails and Word documents should be disclosed where individual is the subject
• References received by us should be disclosed unless subject to strict confidentiality
• References given by us are exempt from access
• Personal references are not covered
• Do not disclose when investigating criminal or harassment allegations
• Taxation or management information need not be disclosed

Kept secure (7th Principle)
• Take appropriate technical, management and organisational measures during processing
• Prevent accidental loss, damage, destruction or unlawful access and keep audit trails
• Design security measures into new data projects
• Adopt ISO 27001 standard and undertake security risk analysis
• Prepare security incident response plan
• Adopt privacy enhancing techniques and encryption
• Ensure staff reliability and train staff in data protection
• Ensure business continuity

Not transferred to other countries without protection (8th Principle)
• Not transferred outside European Economic Area without adequate level of data protection
• Safe countries and ‘safe harbours’ allowed
• Model contracts available

Information Commissioner’s role
• Registers data controller notifications
• Makes register available for public inspection
• Investigates requests for assessments
• Issues information notices
• Issues data subject notices
• Issues enforcement notices
• Has powers of entry and inspection under
  warrant
• Can endorse a code of practice
Offences
• Processing without notification
• Failure to notify changes in purpose within 28
  days
• Failure to comply with Commissioner’s
  ‘information notice’ request
• Failure to comply with enforcement notice
• Obstructing warrant
• Obtaining or disclosing data without
  permission of data controller
• Selling or offering to sell data without
  permission of data controller
Data sharing
• Check notification includes all classes of
  organisation we wish to share with
• Obtain consent unless processing and
  disclosure is in public interest
• Explicit consent before sensitive data can be
  shared
• Should not share personal data where
  anonymised data will do
• Conduct privacy impact assessment and
  prepare code of practice
• Commissioner recommends creating fast-track
  to dispense with existing barriers to sharing
• Data sharing review encourages research and
  statistical analysis and change in culture
Code of practice
• Define data sharing and business case
• Describe negative effect on individuals
• State whether consent is needed
• Outline legal provisions which allow data
  sharing
• Include less invasive alternatives such as
  anonymous data
• Describe data to be shared and list
  organisations to share with
• Evaluate security standards and training which
  need to be adopted
• Can take form of privacy impact assessment
• Review regularly and develop privacy strategy
Paper-based files
• Act covers computer input and output
  documents
• Includes organised and structured document
  files (relevant filing systems)
• Review paper-based filing systems to check
  whether they become ‘organised’
• Documents should be securely disposed of
• Commissioner recommends shredders for
  home-workers
• No requirement to notify Commissioner of
  paper-based files
Monitoring at work
• Should be open and not covert unless part of
  criminal or malpractice investigation
• Subject to Regulation of Investigatory Powers
  Act and European Convention on Human Rights
• Right to privacy even in workplace
• Personal emails should not be opened
• Staff should be aware that business emails or
  voicemails may be checked while away
• Manager can listen to/record calls for staff training and quality when the caller is told by a message
CCTV
• Cameras should not be angled towards staff
• May need a new purpose to cover CCTV
• Signs should be placed at entrance to
  surveilled zone
• Recordings should be stored to safeguard
  images and rights of individuals
• Restrict access and viewing and delete when
  no longer needed
• Included in subject access rights and can be
  disclosed to Police
• European Convention on Human Rights applies
• Commissioner recommends new statutory
  code of practice
The end
• Any final questions?

• Thank you for your kind attention


Editor's Notes

  1. Good morning. Following my 27-page report on data protection issues which I gave to Mike and Beryl, I’ve pulled together a boiled-down overview of data protection in 28 slides. There’s a natural break after 23 if we run out of time or you’ve had enough. But I hope the subject will be interesting; indeed, I’ve included a highlight picture or cartoon on every slide to lighten the mood, so I hope you will enjoy this presentation.