Data Protection Legislation in the UK: an Overview
Where does the legislation come from?
In the United Kingdom, the first data protection legislation, the Data Protection Act 1984, stems not from membership of the European Union but from a much older European "club": the United Kingdom's membership of the European Court of Human Rights. The more recent Data Protection Act 1998 ("the Act") stems from a European Community Directive of 1995. The purpose of the Directive is to provide a "common market" throughout the European Union for data protection.
By abiding by the legislation, the "benefit" is that no member state can prevent data flowing freely within the European Community on the grounds that another European country does not protect data as strongly as it does. In practice, large differences do exist between member states. For example, in Scandinavia prosecutions for breach of the Data Protection legislation are far more common than in the United Kingdom, where they are a rarity.
Furthermore, there has been a series of cases, culminating in the Court of Appeal decision in Durant v Financial Services Authority, which have somewhat limited the legislation by narrowing the concept of what may be regarded as "personal data" in some circumstances in the United Kingdom. However, that case has no application outside the United Kingdom.
Is the legislation important?
Most breaches of the Data Protection Act go unnoticed. When they are noticed, there is often a public outcry but little else changes. In particular, there is little financial loss for the person who breaches the Data Protection legislation. This is because the primary means of enforcing the legislation is a civil court case, and the costs of bringing such a case in the United Kingdom courts vastly exceed the damages one would obtain as a result of court enforcement.
Take, for example, the case of HFC Bank (then a subsidiary of HSBC Bank), which in September 2004 accidentally e-mailed 2,600 people. Instead of blind copying the recipients, it carbon copied all of them, so all 2,600 could see one another's e-mail addresses. The matter was further compounded because some customers had automatic "out of office" responses switched on, which replied to all 2,600 and gave them further personal details. HFC Bank immediately apologised and credited the affected customers' accounts with £50 compensation. There was still an outcry by disgruntled customers. In fact, £50 compensation was reasonable for the wrongful publication of the e-mail addresses. Certainly, there are no reported cases of anybody suing HFC Bank for greater damages, despite statements in the press at the time that some customers were unhappy.
To the general statement that the legislation is largely toothless there are four main exceptions:
- The Financial Services Authority ("the FSA"). Where a company is regulated by the FSA, the FSA has power to impose an unlimited fine for breaches of the Data Protection legislation. The FSA has even let it be known that, in appropriate cases, it would consider imposing criminal sanctions against individuals within organisations where they are shown to be in breach. The FSA has a history of enforcing the Data Protection legislation in the recent past.
- Existing criminal offences. The primary criminal offence under the legislation applies where an organisation fails to register under the Act. Although in theory a mistaken registration can also lead to criminal proceedings, the registrar has never been known to prosecute anybody who simply makes a mistake in registration. Indeed, if he did so he would probably end up prosecuting potentially every company in the land: registration is almost impossible to effect 100% accurately. There is a further offence under the legislation for wrongfully trading in data. This offence is used from time to time against, for example, miscreants in the DVLA or police authorities who purport to sell details of drivers and motor vehicles obtained by wrongly accessing the DVLA database.
- New legislation. The Criminal Justice and Immigration Act 2008 contained a new section 77 which permits the Secretary of State to introduce, by way of a statutory instrument, a general offence of breaching the Data Protection Act 1998. The legislation provides for a maximum penalty of two years plus an unlimited fine. However, the Government has singularly failed to bring this offence into effect. There has been much speculation in the press that the passing of this legislation was merely a "sop" and that the Government has little incentive to criminalise the Data Protection Act 1998.
- The power of the Information Commissioner. The Information Commissioner is the Act's policeman. As has already been noted, the Data Protection Act 1998 does in fact provide for some criminal enforcement. The Information Commissioner has from time to time prosecuted those who fail completely to register, such as second-hand car dealers. However, the Information Commissioner has a very limited budget and is unable to enforce the legislation meaningfully through prosecutions. Rather, the Registrar must cajole people into complying with the legislation through the issue of good practice guides. However, the Information Commissioner has been lobbying the Government in recent months to substantially increase the Data Protection fees for larger companies. Were this to happen, his budget constraints might be removed in such a way that the Information Commissioner could, should he so choose, police the legislation more vigorously.
Overview of the legislation
The most important principle of the legislation is that one must register. Registration requires completion of a multiple-choice application form indicating where data is obtained, how it is processed and to whom it is to be given. It is then necessary to abide not only by the registration details that one has filed but also by the eight Data Protection Act principles. In summary, these are as follows:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for a specified and lawful purpose.
- Personal data shall be adequate, relevant and not excessive for the purpose for which it is processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall be kept for no longer than is necessary for the required purpose.
- Personal data shall be processed in accordance with the legislation.
- Appropriate technical and organisational measures shall be taken against unauthorised loss or destruction of the personal data.
- Personal data shall not be transferred outside the European Economic Area unless the recipient country has an adequate level of data protection legislation.
In the context of outsourcing, data protection becomes of particular importance. In particular, the person engaging an outsource service provider will want to ensure that the service provider does take appropriate technical and organisational measures against unauthorised loss or processing. He will also want to ensure that, if there is a loss due to the service provider's misfeasance, the service provider compensates the person who engaged it. There is also a specific requirement within the seventh data protection principle that contracts whereby one party appoints another to process data should be recorded in writing. In practice, this is almost always the case where an outsource service provider is appointed.
Of greater concern in terms of non-compliance, however, is the final data protection principle. Whilst there is a limited "exemption" for certain United States companies under what is known as the "Safe Harbor principle", that exemption applies to relatively few companies. The bulk of outsource service providers based in India and other low-cost countries often process data in breach of the Data Protection legislation. This is because those countries do not have equivalent Data Protection legislation of their own that is recognised as such by the European Commission.
Although in theory it is possible to adopt a model contract to ensure compliance with the Data Protection Act even when appointing a data processor in such a "low-cost" country, that model contract is rarely used in practice. It is simply too complex and burdensome.
About the Author
Dai Davis is a Partner at Brooke North LLP. A technology lawyer, Dai read Physics at Keble College, Oxford and took a Masters Degree in Computing Science at the University of Newcastle-upon-Tyne before qualifying as a Solicitor. He is a qualified Chartered Engineer and an active Member of the Institution of Engineering and Technology (IET). Dai is a member of the Society for Computers and Law in the United Kingdom and has been Chairman of its Northern Branch and a member of the Council of that Society. Dai advises clients on intellectual property, computer and technology law subjects, including such topical matters as E-Commerce issues. He is primarily a non-contentious lawyer, specialising in advising commercial and public authority clients on commercial agreements relating to software and technology products, including outsourcing agreements and web-related contracts. He also has considerable experience advising companies and consultants on product liability and product safety issues. Dai is a regular contributor to legal and technology journals.