Data Protection Legislation in the UK: Summary Notes
1. Essential principles of data protection legislation
1.1 Data Protection – Introduction
Companies need to be aware of the regulations regarding data protection, particularly the requirement to obtain and process data fairly and lawfully and the requirement to take adequate security measures. The original Data Protection Act 1984 was passed both to maintain the privacy of the individual in respect of information held on computer and also to give the individual a right to know what personal information is held on computer. The Act relates only to personal data held electronically. The data protection regime was substantially changed by the Data Protection Act 1998. This Act is based on a European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (95/46/EC OJ No. L281/31 of 23.11.95).
1.2 Basic Data Protection Concepts
1.2.1 "Data" is defined in Section 1 of the Act as information which:
- is being processed by means of equipment operating automatically in response to instructions given for that purpose;
- is recorded with the intention that it should be processed by means of such equipment;
- is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
- in some other way forms a record of the health or education of an individual or is a record kept by a Local Authority for housing or social security purposes.
1.2.2 "Data Controller" is a person who (whether alone or with others) determines the purposes for which and the manner in which Personal Data is to be processed;
1.2.3 "Data Processor" is a person (other than an employee of the Data Controller) who processes Personal Data on behalf of the Data Controller;
1.2.4 "Data Subject" is an individual who is the subject of Personal Data;
1.2.5 "Personal Data" means data about a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller. Personal Data includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.
1.3 "Personal Data" Explained
1.3.1 In the United Kingdom, the important case of Durant v Financial Services Authority was decided by the Court of Appeal on 8 December 2003. This case significantly narrowed the interpretation of "personal data". In particular, the court determined that data would be "personal data" only if the data is either:
- of a biographical nature; or
- has as its focus the relevant individual (the data subject).
That case involved a complaint by Durant against his bank, Barclays Bank. There was litigation between the Bank and Durant in the 1990s which was unsuccessful. Durant subsequently complained to the Financial Services Authority (the "FSA") about Barclays’ treatment of him. The FSA refused to intervene in the matter. Subsequently, Durant made a request to the FSA under the Data Protection legislation for the personal data which the FSA held about him. He complained that the data the FSA disclosed did not contain all of the documents which referred to him, but only those documents where he was the subject of the document rather than merely being mentioned in it.
The court decided that not all information that contained a person’s name was personal data. It said that there has to be a "continuum of relevance or proximity to the data subject" in order for a document to contain personal data.
Subsequent to that case, there has been guidance from the United Kingdom Information Commissioner. This does not take matters that much further since it states that personal data will include medical history, salary, tax and spending preferences. Conversely, reports regarding the performance of a department in which an individual works would not normally be regarded as personal data. This is, however, fairly obvious.
2. Obligations of the Data Controller and the Data Processor
The Act requires Data Controllers to register with the Information Commissioner (formerly known as the Data Protection Commissioner). A fee is payable. The Data Controller must register:
- his name and address;
- if he has nominated a representative for the purposes of the Data Protection Act 1998, the name and address of the representative;
- a description of the Personal Data to be processed by or on behalf of the Data Controller and of the categories of Data Subject to which they relate;
- a description of the purposes for which the data is to be processed;
- a description of any recipients to whom the Data Controller intends or may wish to disclose the data; and
- the names, or a description of, any countries or territories outside the European Economic Area to which the Data Controller intends or may wish directly or indirectly to transfer, the data.
In practice, the process of registration is simple, involving the completion of a multiple choice template available from the Information Commissioner’s office.
Failure to register is an offence.
2.2 Data Protection Principles
These principles considerably expand and amplify the old principles under the Data Protection Act 1984. In almost all circumstances, a breach of these principles is not a criminal offence. However, a breach by the Data Controller or Data Processor will allow the Data Subject to bring a claim in damages. The Information Commissioner may issue an enforcement notice requiring that a Data Controller abide by the principles.
If a judge believes that the principles have been broken, that is sufficient grounds for him to issue a warrant. Such a warrant authorises the Information Commissioner or his staff to enter and search premises and to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of Personal Data. The warrant also allows them to inspect and seize any documents or other material pointing to a breach of the principles or the commission of an offence under the Act.
2.3 The First Principle
Personal Data must be processed fairly and lawfully and, in particular, must not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive Personal Data, at least one of the conditions in Schedule 3 is also met. Examples of sensitive personal data include medical information and data regarding religious affiliation.
The conditions of Schedule 2 include where:
- the Data Subject has consented;
- the processing of the data is necessary for the performance of a contract with the Data Subject;
- the processing of the data is necessary as a preliminary to entering into a contract with the Data Subject; or
- the law imposes a legal obligation on the Data Controller to process the information.
The general conditions of Schedule 3 include where:
- the Data Subject has "explicitly" consented; or
- the law imposes a legal obligation on the Data Controller to process the information in connection with employment (which need not necessarily be the employment of the Data Subject).
There are further, more specialised exceptions in Schedule 3 for trade-unions, political associations and religious bodies in respect of their members. In addition there are exceptions provided for the administration of justice and for medical records processed by a "health professional".
In determining whether Personal Data is processed fairly, the Act also states that regard is to be had to the method by which the data is obtained, including in particular whether any person from whom the data is obtained is deceived or misled as to the purpose for which the data is to be processed.
Furthermore, in order for Personal Data to be processed fairly, the Data Subject must be informed of:
- the identity of the Data Controller;
- if the Data Controller has nominated a representative for the purposes of this Act, the identity of that representative;
- the purposes for which the data is intended to be processed; and
- any further information which is necessary, having regard to the specific circumstances in which the data is to be processed, to enable processing in respect of the Data Subject to be fair.
In general, the Data Subject must be given this information when the Data Controller first processes the data or when the Data Controller first discloses the information to a third party. The Act allows for the Secretary of State to provide for exceptions to this rule of disclosure where the provision of the information would involve a disproportionate effort, or where the law imposes a legal obligation on the Data Controller to record or disclose the information.
2.4 The Second Principle
Personal Data must be obtained only for one or more specified and lawful purposes, and should not be further processed in any manner incompatible with those purposes.
The purposes for which Personal Data is obtained must be specified by the Data Controller. In determining whether any disclosure of Personal Data is permissible, regard is to be had to the purposes for which the Personal Data is intended to be processed by any person to whom it is disclosed.
2.5 The Third Principle
Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.
2.6 The Fourth Principle
Personal Data must be accurate and, where necessary, kept up to date.
Where the Data Controller takes reasonable steps to ensure the accuracy of the data, there will be no breach of this principle. Where the Data Subject has notified the Data Controller of the Data Subject's view that the data is inaccurate, and the data indicate that fact, there will be no breach of this principle.
2.7 The Fifth Principle
Personal Data processed for any purposes must not be kept for longer than is necessary for those purposes.
2.8 The Sixth Principle
Personal Data must be processed in accordance with the rights of Data Subjects under the Data Protection Act 1998. For example, this principle will be breached where the Data Controller fails to give the Data Subject access to a copy of his data, as required by the Act, or where the Data Controller fails to abide by the rights of the Data Subject to appeal against automatic decision-taking.
2.9 The Seventh Principle
Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
This principle is to be interpreted having regard to:
- the state of technological development;
- the cost of implementing any measures;
- the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
- the nature of the data to be protected.
The overriding principle is that the security measures adopted must be "appropriate".
In addition, the Data Controller must take reasonable steps to ensure the reliability of any employees of his who have access to the Personal Data. Where a Data Controller uses a Data Processor, the Data Controller must choose a Data Processor who provides sufficient guarantees in respect of those technical and organisational security measures.
Furthermore, the Data Controller must take reasonable steps to ensure that the Data Processor complies with those measures. In particular, the contract between the Data Controller and the Data Processor must be in writing and must require the Data Processor to abide by obligations equivalent to those in the seventh data protection principle.
2.10 The Eighth Principle
Personal Data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data.
The level of protection must be adequate in all the circumstances, having regard in particular to:
- the nature of the Personal Data;
- the country or territory of origin of the information contained in the data;
- the country or territory of final destination of that information;
- the purposes for which and period during which the data is intended to be processed;
- the law in force in the country or territory in question;
- the international obligations of that country or territory;
- any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases); and
- any security measures taken in respect of the data in that country or territory.
There are a number of exceptions to the eighth principle. For instance, the eighth principle does not apply where:
- the Data Subject has consented to the transfer;
- the processing of the data is necessary for the performance of a contract between the Data Subject and the Data Controller;
- the processing of the data is necessary as a preliminary to entering into a contract between the Data Subject and the Data Controller;
- the transfer is necessary in order to protect the vital interests of the Data Subject.
2.11 Summary of Obligations of the Data Controller
The Data Controller must:
- comply with the principles of the new legislation;
- inform individuals before disclosure or use of data (individuals have a right to object to that disclosure or use);
- keep information secure (and prevent accidental loss or alteration);
- ensure that any third party processor has the appropriate security measures and that any third party processor enforces those security measures; and
- ensure that any contract he has with a Data Processor is in writing.
2.12 Summary of Obligations of the Data Processor
The processor must:
- process data only as requested by the Data Controller; and
- ensure that the contract with the Data Controller is in writing.
3.1 Information Commissioner
There are several bodies which will have responsibilities under the new legislation. In the UK, the Information Commissioner (under the 1984 Act known as the Data Protection Commissioner and formerly as the Data Protection Registrar) has the primary responsibility to police the legislation. In addition there is a Supervisory Authority which monitors the application of the new legislation. The Information Commissioner has wide powers to investigate the data processing undertaken by businesses. Companies that are within the ambit of the Financial Services Authority are subject to severe financial penalties for breaches of the data protection legislation.
3.2 Other Enforcement Bodies
Under the Directive, there is also a Working Authority which is a European body consisting of representatives of the Supervisory Authorities from each country. The Directive also established a Committee which consists of representatives of the Member States of the European Union. The Working Authority and the Committee express opinions on, for example, whether steps need to be taken to prevent data being transmitted to any particular foreign country.
There is a procedure whereby the European Commission, following consultation with these bodies, can determine whether or not a country or territory provides an adequate level of protection for the purposes of the eighth data protection principle. Only a limited number of foreign territories have been approved to date. These include the Isle of Man, Canada, Switzerland, Argentina and Guernsey.
3.3 United Kingdom Enforcement
In the United Kingdom, the more important criminal offences are:
- where a Data Controller fails to register under the new Act with the Commissioner;
- where the data to be processed falls into a category to be specified by the Secretary of State of data processing that may cause substantial distress to a Data Subject and the Data Controller fails to follow the procedure under the Act requiring him to notify the Information Commissioner before he carries out that Data Processing;
- where a person fails to comply with an enforcement notice, an information notice or a special information notice issued by the Information Commissioner;
- where a person knowingly or recklessly, without the consent of the Data Controller, obtains or discloses Personal Data. A further offence is committed if that person sells or offers to sell the data he has obtained in that manner;
- where an actual or prospective employer requires a Data Subject to exercise the Data Subject's right to obtain a copy of the criminal record of that Data Subject from, for example, a police authority or the Secretary of State.
Furthermore, where an offence is committed with the consent, connivance or by the neglect of any director or manager of a company, he too will be guilty of that offence. There is, in some circumstances, a defence if it can be shown that the accused exercised all due diligence to comply with the Act.
Only the Information Commissioner or the Director of Public Prosecutions may initiate criminal proceedings under the Act. The maximum penalty under the Act is a fine.
Ultimately, the question of enforcement depends on how much money the government puts aside to enforce the new legislation. Enforcement of the legislation has been haphazard because of low government funding.
The position is different for financial businesses. The Financial Services Authority can and does effectively enforce the legislation.
4. Duty on Data Controller to inform Data Subject
4.1 Individual’s entitlement to information
An individual is entitled to be informed by a Data Controller whether that Data Controller is processing Personal Data about that individual. Where the Data Controller is processing Personal Data about an individual, that individual (the Data Subject) is entitled to be given:
- a description of the Personal Data of which that individual is the Data Subject;
- a description of the purposes for which the Personal Data is being or is to be processed;
- a description of the recipients or classes of recipients to whom the Personal Data is or may be disclosed;
- a copy of the Personal Data of which that individual is the Data Subject; and
- any information available to the Data Controller as to the source of that Data.
4.2 Procedure to be Followed
The Data Subject must request the information in writing and must pay the fee requested by the Data Controller (the fee is subject to a statutory maximum – which is currently £10). The Data Controller is entitled to demand reasonable evidence of the identity of the Data Subject. A Data Controller should consider this entitlement seriously, since the Data Controller will be in breach of the Act if he releases information about a Data Subject to the wrong individual.
Where a Data Controller has complied with one request for information from a Data Subject, he is not required to comply with a second request from the same Data Subject until a reasonable time after the first request.
There are numerous exceptions provided under the Act. These exceptions generally apply to the entirety of the Act. They include where:
- Personal Data is processed for the purposes of national security;
- Personal Data is processed for the purposes of the detection of crime or the apprehension or prosecution of offenders but only to the extent that otherwise there would be prejudice to those purposes;
- Personal Data is processed for the purposes of the assessment or the collection of taxes but only to the extent that otherwise there would be prejudice to those purposes;
- Personal Data is processed for journalistic, literary or artistic purposes to the extent that it is in the public interest to publish the data and that compliance with the Act would be incompatible with those purposes;
- Personal Data is processed by an individual only for the purposes of that individual's personal, family or household affairs (including for recreational purposes).
Partial exemption from the duty to provide the Data Subject with a copy of data relating to him arises:
- for Personal Data consisting of the physical or mental health of the Data Subject;
- where the Secretary of State so orders, for Personal Data relating to the education of the Data Subject where the Data Controller is a teacher or proprietor of a school at which the Data Subject is or was a pupil;
- for Personal Data processed for certain regulatory purposes such as for health and safety at work but only to the extent that otherwise there would be prejudice to those purposes;
- where the Personal Data is processed only for research purposes.
4.4 Data Subject’s right to prevent Processing Generally
A Data Subject can require the Data Controller to stop processing data about himself or herself. To do so, the Data Subject must send a written notice to the Data Controller giving reasons as to why the processing of the data is causing or would cause him or her "unwarranted" substantial damage or substantial distress. Within 21 days the Data Controller must state in writing that he will comply with the Data Subject’s notice or else state why he regards the Data Subject’s notice as unjustified and the extent (if any) to which he intends to comply with it. If the parties continue to disagree, a Court will decide who is right and whether the Data Controller must stop processing that Data.
The Data Subject is not entitled to exercise this right where:
- the Data Subject has already consented to the processing;
- the processing of the data is necessary for the performance of a contract with the Data Subject;
- the processing of the data is necessary as a preliminary to entering into a contract with the Data Subject;
- the law imposes a legal obligation on the Data Controller to process the information.
4.5 Data Subject’s right to prevent Processing for Direct Marketing
A Data Subject has the right to require that a Data Controller stops processing his Personal Data for the purpose of direct marketing. The Data Subject may by written notice require the Data Controller to do this within a reasonable period of time following the serving of the written notice on the Data Controller. In this context "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. If the Data Controller fails to comply with such a notice, a court can order the Data Controller to do so.
4.6 Data Subject’s right to prevent Automated Decision-taking
There is a similar right for a Data Subject to require that a Data Controller takes no decision which affects that individual solely by means of automated decision-taking. Examples given under the Act of matters on which such automated decisions may be taken are his performance at work, his creditworthiness, his reliability or his conduct. There are some exemptions from this provision. The most important is where a decision is taken by the Data Controller in considering whether to enter into a contract with the Data Subject at the request of the Data Subject. This will exempt many automated creditworthiness decisions, provided the Data Subject has formally applied for credit.
5. Timetable for the legislation
5.1 European Union Directive
European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (95/46/EC OJ No. L281/31 of 23.11.95) was passed on 24 October 1995. Under the European Union Directive, legislation in each country of the European Union was needed by 24 October 1998.
5.2 Transitional Arrangements
The actual transitional arrangements under the Act were exceedingly complex and form the entirety of Schedules 8 and 14 of the Act. However, most of the legislation was in force from 24 October 1998, and all of the legislation is now in force.
About the Author
Dai Davis is a Partner at Brooke North LLP. A technology lawyer, Dai read Physics at Keble College, Oxford and took a Masters Degree in Computing Science at the University of Newcastle-upon-Tyne before qualifying as a Solicitor. He is a qualified Chartered Engineer and an active Member of the Institution of Engineering and Technology (IET). Dai is a member of the Society for Computers and Law in the United Kingdom and has been Chairman of its Northern Branch and a member of the Council of that Society. Dai advises clients on intellectual property, computer and technology law subjects including such topical matters as E-Commerce issues. He is primarily a non-contentious lawyer, specialising in advising commercial and public authority clients on commercial agreements relating to software and technology products, including outsourcing agreements and web-related contracts. He also has considerable experience advising companies and consultants on product liability and product safety issues. Dai is a regular contributor to legal and technology journals.