From the 6th April, the Information Commissioner’s Office will have new powers to fine organisations and individuals for breaches of the Data Protection Act. Depending upon the severity of the breach, those who fail to meet their data protection obligations may face fines of up to £500,000.
How to Keep Your £500,000
The Data Protection Act 1998 (the “Act”) sets out a significant number of requirements with respect to the collection, holding and processing of data by organisations and individuals (known as “data controllers”). Whilst it can be said that many businesses comply with the Act without even realising they are, it must also be noted that it can be very easy to fail to comply in the absence of clearly defined procedures.
New Documents to Help You Comply with the Data Protection Act
Simply-docs has now released two new documents designed to assist organisations in complying with their obligations under the Act. The first is a general Data Protection Policy which is designed for use with data relating to parties outside of the organisation such as customers. The second document is an Employee Data Protection Policy and sets out information and procedures pertaining to an organisation’s handling of personal information relating to its employees.
The Act relates specifically to “personal data”. This is information which relates to a living person who can be identified from that information or from a combination of that information and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the person and any indication of the intentions of the data controller or any other party in respect of that person.
In addition to this, there is a further ‘level’ known as “sensitive personal data”. Information relating to the racial or ethnic origin of a person; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the actual or alleged commission by them of any offence; or any proceedings relating to such offences all fall under this heading.
A Principled Approach
If personal data is the body of data protection, then the eight data protection principles are surely its heart. These principles form the basis for data protection and are set out in the Act. Personal data must be:
1) processed fairly and lawfully;
2) obtained only for specified and lawful purposes and shall not be processed in any manner which is incompatible with those purposes;
3) adequate, relevant and not excessive;
4) accurate and, where appropriate, kept up-to-date;
5) kept for no longer than is necessary in light of the purpose(s) for which it is being used;
6) processed in accordance with the rights of individuals under the Act;
7) kept secure through appropriate technical and organisational measures; and
8) not transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Using information fairly and lawfully requires that individuals are informed of the following key points when their information is collected:
- The name of your organisation;
- The reason you are collecting their information and what you will use it for;
- Any additional details required to render your use of their information fair;
- Their right to access their information and have inaccuracies corrected.
Using Personal Information: you cannot expect your customers to expect the unexpected
Part and parcel of the second principle – that data must be obtained only for specified and lawful purposes and must not be used in any way which is incompatible with those purposes – is the obligation not to use personal data in any way which the individual may not expect. In many cases this is a matter of judgement. If an individual has agreed to receive marketing communications from you then to send them an email news letter or your latest brochure will be acceptable. Passing their details on to one of your affiliates or another third party to enable them to do the same, however, will not be.
Sharing is not always Caring
Subject to the exceptions listed below, organisations are not permitted to pass personal information on to third parties in the absence of the express permission of the individual concerned. Generally, this will be done at the point of data collection and can be as simple as an opt-in checkbox on a form. The consent of the individual is not required in the following circumstances:
- Supplying information to the Police (where telling the individual concerned would be likely to prejudice an investigation or impede the prevention of crime); and
- Provision of information required for a court case or in order to obtain legal advice.
The Rights of Data Subjects
Individuals have several important rights under the Act which relate to the use of their personal data:
1) Subject Access
Individuals have the right to obtain information about them held by data controllers.
2) Preventing Direct Marketing
Individuals have the right to make a written request that organisations do not use their personal information for direct marketing purposes. Organisations must comply with such a request within a reasonable time, generally no more than 28 days.
3) Having Personal Information Corrected
If an organisation holds personal information which is incorrect, the individual to whom that information relates has the right to request that it is corrected. Failure on the part of the organisation to comply with such a request will give the individual the right to obtain a court order which may require correction, removal, blocking or deletion of the information.
4) Preventing Automated Decisions
It may be tempting for an organisation to use automated systems to make certain decisions including, for example, recruitment decisions based upon test results. In certain cases, such automated decisions are perfectly acceptable. Organisations are therefore advised to inform individuals when such methods are applied, giving the individual the right to appeal decisions made using an automated system.
Access to Data & Subject Access Requests
Individuals about whom personal data is held have the following rights in relation to their information:
- To know whether an organisation or another party on their behalf is processing their personal data;
- To know what personal data is being processed, the reasons for such processing, and those to whom it may be disclosed;
- To receive a copy of their personal data; and
- To know about the sources of that personal data.
Individuals may make what is known as a Subject Access Request (“SAR”) at any time in order to see the information which an organisation holds about them. SARs must be made in writing, and must be accompanied by a fee of up to £10 (the maximum amount which an organisation can charge, though of course this can be less). Organisations must comply with an SAR within 40 days of receiving it (and the required fee). During this time, if additional information is required from the individual in order to comply with their request, the organisation is free to request it. Information supplied to individuals in compliance with an SAR must be supplied in a permanent format, such as a hardcopy printout, unless to do so would require “disproportionate effort” on the part of the organisation in which case the information must still be provided in some form.
Employees, Monitoring and Data Protection
Employers may, from time to time, wish to monitor their employees in various ways and for a variety of reasons. All workers who will be affected by such monitoring (including employees, casual workers, contractors and agency workers) must be made aware of the nature, extent and reasons for it. It is advisable for organisations to have a policy in place which explains such matters to their workers. In certain limited cases, monitoring without prior notification may be justified; however such cases are rare and will usually only occur where an organisation has good reason to suspect that the subject to be monitored has been involved in criminal activity or some other form of malpractice. Generally speaking, if the cause for the test is not sufficient to involve the police, covert monitoring cannot be justified. Any and all employees involved in monitoring, whether processing the information obtained or collecting it, must be made fully aware of their obligations under the Act and should ideally be kept to a minimum .
Notification and the Information Commissioner’s Office
Data controllers must register as such with the Information Commissioner’s Office (“ICO”). When processing personal information, data controllers must inform the ICO of the way in which processing takes place unless they are exempt from such requirements. Generally speaking, the following purposes will be exempt from the notification requirements:
- Staff administration – including payroll;
- Advertising, marketing and PR for the organisation’s own business; and
- Accounts and records.
It is important to note that organisations that fail to notify the ICO are committing a criminal offence and that notification must be renewed on a yearly basis. In the event that notification details change, organisations must notify the ICO of this within 28 days.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.