Data Protection and IDEA
Joanne Bone & Neil Bentley
Irwin Mitchell
11 May 2004
Why Is Data Protection Important?
• Data Protection Act 1998
• Overseen by the UK’s Information Commissioner
• Potential Civil and Criminal Liability
Why Is Data Protection Important?
• Criminal Liability
• Fines for breach
– Up to £5000 in Magistrates’ Court
– Unlimited in Crown Court
• Company officers, directors and managers can be personally liable
Why Is Data Protection Important?
• Civil Liability
• Any breach of the Act is actionable
• Compensation for damage and/or distress
• In practice Courts are awarding damages for breach of the Act
So When Does The Data Protection Act Apply?
• The Act applies to the PROCESSING of PERSONAL DATA
What Is Personal Data?
• Personal data can be any information which relates to a living individual who is identifiable from that data alone or in conjunction with other data
• Both paper and electronic records can be covered
What Is Personal Data?
• Durant v Financial Services Authority
• Definition of personal data interpreted by the Court in a more restrictive way
• Information now only personal data where it affects the individual’s privacy
– Is the information biographical?
– Is the information focused on the individual?
What Is Personal Data?
• Payroll/salary details?
• Internet logs?
• Health records?
• e-mails?
• Electoral register?
• CCTV images?
• Bank details?
• Social Services records?
Paper Records
• “Relevant Filing System”
• “Temp test”
– could a reasonably competent temporary worker retrieve the information relating to a specific individual without leafing through the file?
Paper Records
• Manual files structured solely in chronological order are unlikely to be covered
• Freedom of Information Act will expand the category of paper records covered by the Data Protection Act
– Applies to public authorities or bodies carrying out public functions
– In force from January (probably) 2005
Types Of Data
• Ordinary vs Sensitive Personal Data
• Sensitive Personal Data includes:
– Race/Ethnic origin
– Religion
– Sexual life
– Trade union membership
– Physical or Mental Health
– Commission of offences/criminal proceedings
– Political opinion
What Is Personal Data?
• Payroll/salary details?
• Internet logs?
• Health records?
• e-mails?
• Electoral register?
• CCTV images?
• Bank details?
• Social Services records?
When Am I Processing Personal Data?
• Any manipulation of data
• This will include:
– collection
– calling data up on screen
– auditing the information
– storage
– destruction
Who Is Responsible For Processing?
• Data Controller vs Data Processor
• Data Controller
– Determines the purposes for which the data are processed and how
– Legally responsible for what happens to the data
• Data Processor
– Processes data on behalf of/under instruction of Data Controller
Who Is Responsible For Processing?
• In a nutshell:
– Do you determine what is done with the data? (= data controller)
– Do you deal with data under instruction of a third party? (= data processor)
• Internal auditor (= data controller)
• External auditor (= data processor)
• Statutory Auditor (depends)
Who Is Responsible For Processing?
• Data Controller responsible for compliance with the Act
• Data Processor is not BUT may be required to undertake compliance obligations by contract
– Security/confidentiality
– Only use the data as instructed
• Can be both data controller & processor
Who Is Responsible For Processing?
• Outsourced functions
– Company to which functions are outsourced is likely to be a data processor
– Should be a written contract in place between the organisation and the company to which functions are outsourced
– Original organisation remains responsible for compliance
Notification
• Must notify if:
– You are a DATA CONTROLLER and
– process PERSONAL DATA
– on COMPUTER
• Not strictly required if a data processor
for accountancy/audit purposes
• Annual renewal, £35
• 28 days to notify changes
Are We Entitled To Process The Data?
• Data to be processed fairly & lawfully
• Ordinary Data – unambiguous consent
– actual consent
– necessary to perform a contract
– necessary to decide whether to enter into a contract
– necessary to comply with a legal obligation
• Sensitive Data – explicit consent
Are We Entitled To Process The Data?
• Responsibility of the data controller
– If data processor, seek warranty in contract
• Fair processing notice:
– Who will process the data
– What purposes the data will be used for
• is audit included?
– Any further information necessary to be given for the processing to be fair
• Should notify BEFORE collecting data
Are We Entitled To Process The Data?
• Opt-in, opt-out or neither?
– is it optional?
– is it for marketing purposes?
– does it allow contact by e-mail or SMS?
• “Do not solicit” databases
• Issues of using data collected by third parties
Are We Entitled To Process The Data?
• Employee data:
– restrictions on accessing e-mails, call recordings, CCTV and website logs
• Not only a Data Protection Act issue:
– Human Rights Act; Art 8 ECHR
– Regulation of Investigatory Powers Act 2000
– Telecommunications (Lawful Business Practice) … Regulations 2000
Are We Entitled To Process The Data?
• Employee Monitoring and Acceptable Use Policies:
– for data protection, rely upon “consent” or “necessary for legitimate interests unless unwarranted prejudice to data subject”
– for interception, see RIPA & LBP Regs
– see also Data Protection Code, Part 3
• Data processors – seek warranties
What Are The Other Obligations?
• Data to be adequate, relevant and not excessive
• Data to be accurate and, where necessary, kept up to date
• Data not to be kept for any longer than is necessary
• Data controller needs systems for data management, review and disposal
What Are The Other Obligations?
• Individuals (= data subjects) have rights of access to personal data
– statutory obligation to reply to requests
– 40 day timetable
– maximum £10 fee
– both electronic and paper records
– beware of identifying other individuals
• Data Controller should have a Subject Access Procedure
What Are The Other Obligations?
• Appropriate steps to be taken to hold data securely
– physical and technological measures
– ensure employee reliability
– written contracts with data processors
• Be aware of restrictions on data transfer to non-EEA countries
– seek consent, “safe harbor” or contract
Are There Any Exemptions?
• Exemption from the eight principles
– e.g. national security; domestic purposes
• Exemption from the non-disclosure provisions
– e.g. where required by law; to detect crime
• Exemptions from the subject information provisions
– e.g. regulatory activity; negotiations; management forecasting and planning
Data Protection And Freedom Of Information
• For “public authorities” caught by Freedom of Information Act 2000:
– data protection obligations expanded
– particularly subject access rights
• Publication Schemes
• General “Right to Know”
• January 2005 commencement date
In Summary
Examine the basis for your work:
• are you a data controller or a data processor?
In Summary
If you are the data controller:
• Appoint a compliance officer
• Have systems in place for data collection, review and disposal
• Have appropriate contracts with third party data processors
• Set up standard letters for data requests
In Summary
If you are a data processor:
• Should follow controller’s instructions
• Data controller may propose a written contract
– their obligation, not yours
– you should seek warranties about data collection and compliance with the Act
• Do you need a notification?
Any more questions?
Joanne Bone
bonej@irwinmitchell.co.uk
Neil Bentley
bentleyn@irwinmitchell.co.uk
Helen Goldthorpe
goldthorpeh@irwinmitchell.co.uk
0870 1500 100