The Regulator for Charities in England and Wales


OPERATIONAL GUIDANCE

DATA PROTECTION ACT 1998

THE EIGHT DATA PROTECTION PRINCIPLES

OG 58 B4 - 14 February 2002


Purpose: This guidance sets out in full the eight Data Protection Principles. A summary of the Data Protection Principles can be found in OG 58 A3.


Divisional responsibility

For action:

All divisions

For information:

All divisions


Contents

1. The First Principle
2. The Second Principle
3. The Third Principle
4. The Fourth Principle
5. The Fifth Principle
6. The Sixth Principle
7. The Seventh Principle
8. The Eighth Principle

Meaning of expressions - list of Glossary terms used in this Guidance
Index to further related information

 

   
 

1. The First Principle

  "Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:-
 
  • at least one of the conditions in Schedule 2 of the Act is met, and
 
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the Act is also met."
 

The ‘fair processing code’ has two parts: (a) fair obtaining of personal data and (b) providing information to data subjects about the processing. For data to have been ‘fairly obtained’, data controllers must not mislead or deceive data subjects as to the purpose or purposes of the processing. Personal data are treated as fairly obtained if they were obtained from a person who is either authorised or required under any enactment or international obligation to supply them (for example, under the Charities Act 1993).

 

Data controllers must inform data subjects of their identity (or the identity of their representative), the purpose or purposes for which the data are intended to be processed, and any further information that, having regard to the specific circumstances in which the data are to be processed, is needed to make the processing fair. There are two exceptions: where providing the information would involve a disproportionate effort, and where the recording or disclosing of the data is necessary for compliance with a legal (as opposed to contractual) obligation. In deciding what further information is needed, data controllers are advised to consider the extent to which their use of the personal data is reasonably foreseeable by the data subjects. To the extent that it would not be reasonably foreseeable, data controllers should provide whatever further information is necessary.

 

All this information should be ‘readily available’ to data subjects: provided at the time the data are requested from them, or, where the data have been supplied by a third party, at the time they are received, or when the data subject requests it.

 

One of the conditions for processing is that it is carried on with the consent of the data subject. In some cases implied consent may be sufficient. In others nothing less than clear written consent will suffice. A blanket consent to the processing of personal data is unlikely to be sufficient as a basis on which to process personal data, particularly sensitive data. The more ambiguous the consent being relied upon by data controllers the more likely there are to be questions about its existence or validity.

 

‘Consent’ is not defined in the 1998 Act but is defined in the EC Directive as ". . . any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." Because the data subject must "signify" their agreement, there must be some active communication between the parties. Consent cannot be inferred from non-response to a communication (eg failure to return a notice of objection to the processing), nor is it valid where it has been obtained under duress or on the basis of misleading information. The position is different where the individual has completed and returned a form or other communication carrying an "opt-out" box (inviting them to tick it if they object to receiving future mailings of a specified type, for example): returning the form is itself an active communication, and passive consent can be inferred from the failure to tick the box. Even where consent has been given it will not necessarily endure forever. In most cases consent will endure for as long as the processing to which it relates continues (or longer if that is appropriate in the circumstances), provided the individual has not withdrawn it.

 

In the case of processing sensitive personal data the consent of the data subject must be ‘explicit’, ie should be absolutely clear.

 

OG 58 C5 sets out a decision tree showing some of the main things to consider when processing personal data, in particular when determining whether that processing is fair and lawful.


 

2. The Second Principle

  "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
 

A data controller may specify the purpose(s) for which the personal data are obtained:

 
  • in a notice given to the data subject in accordance with the fair processing code; or
 
  • in a notification given to the Information Commissioner under the notification provisions of the 1998 Act.
 

A notice to a data subject should state why the personal data are being processed and provide an indication of the likely recipients of the data. Where personal data are disclosed to other persons, consideration should be given to the purpose(s) for which they are intended to be processed by that other person. For example, companies which sell on customer lists to other companies should notify data subjects of this fact and explain the intentions of the purchasers of the lists, who will usually wish to market to some or all of the customers on the lists. Regard should also be had to section 11 of the 1998 Act which allows data subjects the right to prevent processing for the purposes of direct marketing.


 

3. The Third Principle

  "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."
 

Data controllers should ensure they do not obtain more data than they need and discard any irrelevant data. It may be that certain information is required in relation to some data subjects but not others. Where that is the case, care should be exercised to ensure that the same level of information is not obtained from all data subjects.


 

4. The Fourth Principle

  "Personal data shall be accurate and, where necessary, kept up to date."
 

Data are inaccurate if they are incorrect or misleading as to any matter of fact. It is not enough for data controllers to rely on the fact that the personal data were provided by the data subject or third party as evidence of their accuracy. Data controllers should take reasonable steps to ensure the accuracy of the data which they process and, if the data subject believes the data are inaccurate, the data should indicate that fact.

 

When deciding what action to take regarding ensuring the accuracy of data, data controllers are advised to consider:

 
  • How significant is the inaccuracy and is it likely to cause the data subject damage or distress?
 
  • From where is the information obtained and is it reasonable to rely on that source?
 
  • What steps can be taken to verify the information?
 
  • How reliable is the data controller’s procedure for data entry?
 
  • What procedures are followed when an inaccuracy is discovered?
 

Data controllers need only keep data up to date ‘where necessary’. For example, if the purpose of the data processing is to establish an historical record it would defeat that purpose to update it. In most cases, however, it will be in the interests of the data controller to keep data up to date. It is therefore advisable to carry out regular reviews of that data and keep a record of the date of the last review. Particular care should be taken if the fact that data are out of date may cause damage or distress to the data subject.


 

5. The Fifth Principle

  "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."
 

Data should be reviewed regularly and whatever is no longer required should be discarded. In some cases data may legitimately be retained for many years, for example where they could relate to a potential legal claim (in which case the data should be retained until the time limit for bringing an action has expired).


 

6. The Sixth Principle

 

"Personal data shall be processed in accordance with the rights of data subjects under this Act."

 

A person will contravene this Principle if, and only if, they:

 
  • fail to supply information pursuant to a subject access request under Section 7 of the 1998 Act; or
 
  • fail to comply with notices given under the following provisions of the 1998 Act:
   
  • Section 10 (right to prevent processing likely to cause damage or distress);
   
  • Section 11 (right to prevent processing for the purposes of direct marketing);
   
  • Section 12 (rights in relation to automatic decision-taking);
 
  • (in respect of exempt manual data only, during the transitional periods up to and including 23 October 2007) fail to comply with a notice given under Section 12A of the 1998 Act (right to require data controller to rectify, block, erase or destroy inaccurate data or cease holding such data in a way incompatible with the data controller’s legitimate purpose).


 

7. The Seventh Principle

 

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

 

Data controllers need to take "appropriate" security measures (both technical and organisational) to ensure personal data they hold are protected, having regard to:

 
  • the state of technological development;
 
  • the cost of implementing any measures;
 
  • the harm that might result from unauthorised processing etc;
 
  • the nature of the data to be protected.
 

Technical measures might include:

 
  • putting in place comprehensive back up procedures;
 
  • introducing measures to prevent unauthorised access to computer systems (hacking);
 
  • implementing virus detection software;
 
  • insisting on the use and regular changing of passwords;
 
  • placing restrictions on access so that individuals can reach only those parts of the computer system for which they have a legitimate need.
 

Organisational measures might include:

 
  • ensuring that employees with access to personal data are reliable and trustworthy;
 
  • making appropriate checks on people who are recruited for data entry work or who are to undertake such work for the first time (without of course interfering with the rights of those employees);
 
  • providing employees with responsibility for the entry of personal data with proper training and regular updates on the requirements of the 1998 Act;
 
  • making the deliberate or negligent contravention of the 1998 Act a disciplinary offence and withdrawing access to personal data pending the outcome of a disciplinary hearing;
 
  • ensuring that precautions against burglary, fire or natural disasters are adequate;
 
  • reviewing procedures for the storage and disposal of personal data (including computer disks and print-outs);
 
  • ensuring waste paper containing personal data is placed in a separate "confidential" waste bin and shredded by a reputable contractor;
 
  • where personal data is processed on behalf of the data controller by a data processor, obtaining guarantees from the data processor regarding security measures and ensuring compliance with those measures and ensuring that the processing is carried out under contract:
   
  • which is made or evidenced in writing;
   
  • under which the data processor is to act only on instructions from the data controller; and
   
  • which requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh Principle.


 

8. The Eighth Principle

 

"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

 

Personal data are transferred to a country or territory outside the EEA whenever the data are disclosed or made readily available in such a place. This means that if an organisation places personal data on its website, that information can be accessed from anywhere in the world, and the organisation may be in breach of this principle. There is no breach where the level of data protection in the country or territory of destination is "adequate". Personal data which form part of a public register are exempt from this Principle, so their transfer outside the EEA is not a breach.


 

The following words and phrases are defined in the Glossary of Terms:

1998 Act
automated decision-taking
data
data controller
data subject
manual data
notification
personal data
processing
sensitive personal data
third party


Go to: Index to further related information