It has been almost impossible to avoid the growth of social media and the increasing deployment of location-based technologies over the last few years. This trend has sharpened the UK regulatory and media focus on individuals' personal information and privacy rights. Taken together, this means that now, more than ever, you need to know, and comply with, your legal obligations under the Data Protection Act 1998 (the "Act" or "DPA").
The following summary is designed as a refresher to help you get to grips with your obligations under the Act.
Does the Act apply to me?
Put broadly, if your organisation handles personal information about living people then it must comply with its obligations under the Act. The Act applies to "personal data", a much broader concept than most people realise. In short, it is data relating to a living individual who can be identified from that data, or from that data together with other information which the data controller holds or is likely to obtain. "Identified" is used here in the sense that one person can be distinguished from another, for example by their behaviour. It does not require that the person can be named as "John Smith of such-and-such road, who has blue eyes and brown hair".
The information does not have to be confidential. It includes obvious identifiers such as names, addresses, dates of birth and telephone numbers, but also reference numbers or codes used in place of names, and even expressions of opinion about, or of intentions towards, the individual concerned.
The obligations under the Act fall on "data controllers". Technically, a data controller is the person who determines the purposes for which, and the manner in which, personal data is processed. A company may be a data controller even where the data is physically held by a third party, provided that the company decides how the third party handles it. The Act also recognises the "data processor", for example a service provider, which processes personal data on behalf of a data controller. The Act imposes no direct obligations on the data processor. Instead, the data controller must have a written contract under which the processor acts only on the controller's instructions and maintains security measures equivalent to those the controller itself must provide, so the contract between the two parties must spell out each party's obligations. In practice, virtually all modern businesses are data controllers to a greater or lesser extent.
In effect, any activity involving personal data, for example obtaining, recording, holding, using, disclosing or destroying it, will be classed as "processing" under the Act.
What are the principles of the Act?
The Act contains eight principles, each of which is set out below. They are intended to be self-explanatory, but some have hidden nuances which we have briefly summarised.
1. Data must be processed fairly and lawfully
This is the most important principle. In general, processing will not be fair if the individual has been misled as to why the data was collected or how it will be used, or if they were placed under pressure or offered inducements when the data was collected. The data controller must have legitimate grounds for collecting and using the personal data, must not use it in ways that have unjustified adverse effects on the individual concerned, must be transparent about how it intends to use the data, must handle the data only in ways the individual would reasonably expect, and must not do anything unlawful with it.
At least one of a number of "conditions for processing" must also be met: for example, the individual has consented to the processing, or the processing is necessary for the legitimate interests of the data controller and does not unwarrantably prejudice the individual concerned. Where the data is "sensitive personal data" (such as information about health, racial or ethnic origin, religious or political beliefs, sexual life or criminal record) a further, stricter set of conditions applies, explicit consent being one of them.
The data controller must also provide certain information to the individual "so far as is practicable", and this should be done before the data is collected: who the data controller is, the purposes for which the data will be processed, and anything else needed to make the processing fair (for example, who the data will be shared with). This is commonly referred to as a "privacy notice" or "fair collection notice". In practice, there are few circumstances in which it is not practicable to provide such information.
2. Data must only be obtained for specified and lawful purposes and processed in a manner which is compatible with those purposes
It must be clear from the outset why personal data is being collected and what it will be used for. If you later want to use or disclose the data for a purpose other than the one originally disclosed to the data subject, the new purpose must itself be fair and must be compatible with the original one; if it is not, the individual must be told, and any consent previously obtained will not cover the new use.
3. Data must be adequate, relevant and not excessive in relation to the purpose for which it is processed
4. Data must be accurate and, where necessary, kept up to date
5. Data must not be kept for longer than is necessary
6. Data must be processed in accordance with the rights of data subjects under the Act
For example, people have a right to make a "subject access request" to see a copy of the information held about them by an organisation, the purposes for which it is being processed, and to whom it may be disclosed. In most cases data controllers must respond promptly to such a request and in any event within 40 calendar days of receiving it (together with any fee, which in most cases may not exceed £10, and any information reasonably needed to confirm the requester's identity and locate the data).
7. Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The level of security required depends on the nature of the data held and the harm that would result from its improper use, loss or destruction. A data controller should assess its information risk, weigh the cost of the available safeguards against that risk, and keep the assessment current as technology changes. Management and organisational measures (for example, controls over who has access to data centres and to particularly sensitive information, and regular review of those access rights) matter as much as physical and technological security (locks, keys, firewalls, encryption etc.). These should be backed up with robust policies and procedures and well-trained staff, so that the organisation can detect and respond to any breach of security effectively. A data controller must also ensure that any data processor processing data on its behalf complies with this principle. In practice, this means taking reasonable steps to check the processor's security (due diligence) and putting in place a written contract that obliges the processor to act only on the controller's instructions and to maintain equivalent security measures.
It is worth noting that, to date, this is the principle that receives the most attention from regulators and the media, typically because an organisation has lost an unencrypted laptop or USB stick. Full-disk encryption of laptops and removable media, together with an inventory of which devices hold personal data, removes most of that exposure.
8. Personal data must not be transferred outside the EEA unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data
The growing trend towards hosted and cloud computing solutions is a particular risk here: beware the data processor who uses such solutions without telling you, since as data controller you remain responsible for its actions. Ask where the data (including backups) is hosted and from where it is supported, and if any of that is outside the EEA make sure one of the recognised routes for transfer is in place, such as a transfer to a country the European Commission has found to offer adequate protection, the US Safe Harbor scheme, the Commission's model contract clauses, or binding corporate rules.
Do I need to tell anyone if I process personal data?
The Information Commissioner's Office (ICO) regulates compliance with the Act. Unless an exemption applies, data controllers must notify the ICO before processing, and notifications must then be renewed annually. Your organisation may need to audit what personal data it holds, and why, in order to be able to provide the information required.
What happens if I get it wrong?
If the ICO finds that there has been a breach of the Act, the most common sanctions are the issue of either:
1. Information notices. These require data controllers to provide information about their processing operations in order to help the ICO decide whether or not the data controller has complied with the Act; or
2. Enforcement notices (and undertakings). These require a data controller to take, or refrain from taking, specified steps in order to comply with the Act. Alternatively, the organisation may sign a formal undertaking to comply and to cease doing what it is doing.
Enforcement by the ICO usually follows a complaint from an individual, but the ICO can also act pro-actively and not merely reactively. The ICO will usually, however, approach data controllers with a view to securing compliance before taking enforcement action. In certain circumstances, the ICO may obtain a warrant from the court and exercise powers of entry, inspection and seizure of documents or equipment.
Failure to notify is a criminal offence, and it is also an offence to fail to notify the ICO of any change to the registered details within 28 days of the change occurring.
Failure to comply with an information or enforcement notice is an offence as is knowingly making a false statement in response to an information notice.
Directors and other officers of companies that commit offences under the Act may also be liable to prosecution. Where a company has committed an offence with the consent of, or due to neglect on the part of, an officer, that officer is guilty of the offence as well as the company itself. Offenders are liable to a maximum £5,000 fine if convicted in a Magistrates' Court or an unlimited fine if convicted on indictment in the Crown Court.
The ICO may now also impose a monetary penalty of up to £500,000 for serious contraventions of the Act. Since gaining this power in April 2010 the ICO has issued a number of penalties, for example:
• A penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients.
• A penalty of £60,000 was issued to A4e (an employment services company) for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
• The owner of the former solicitors ACS Law, Mr Crossley, was served with a £1,000 penalty after sensitive personal details were made available for download via a website. The ICO's investigation found serious flaws in ACS Law's IT security and concluded that the firm had failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure. As Mr Crossley was a sole trader, it fell on him personally to pay the penalty. The ICO said that, were it not for the fact that ACS Law had ceased trading so that Mr Crossley had limited means, a penalty of £200,000 would have been imposed.
Aside from legal sanctions, failure to comply with the Act can damage an organisation's reputation and attract adverse publicity.
How can DWF help? We are able to offer a range of services to our clients, including:
• data protection updates and training tailored to a particular client, industry or sector;
• data protection audits to assess a company's compliance with the DPA and recommendations to minimise the risk of DPA breaches;
• drafting and advising on DPA and Freedom of Information Act 2000 (FOIA) policies;
• advice and assistance in liaising with the ICO in relation to alleged DPA and/or FOIA breaches and investigations; and
• ad hoc advice on specific data protection issues such as the use of CCTV footage, notification requirements, off-shore data processing, consent to marketing, drafting privacy notices etc.