The Data Protection Act 1998 (“Act”) regulates the use of personal data. It imposes duties on data controllers (those that determine the purposes for which, and the manner in which, personal data are processed, such as employers, business owners and advertisers) when processing personal data.
Personal data are data about a living individual (the ‘data subject’), such as name and address, purchasing preferences, and financial history. Some data are considered more “sensitive” than others and more stringent rules apply to the processing of that sensitive data. Examples of sensitive data include data relating to racial or ethnic origin, political opinions or sexual life.
The Act covers a wide range of activities; for example, merely holding, collecting or using personal data is covered, whether the data are on a computer or held in a relevant filing system.
General Data Protection Regulation
From 25 May 2018, a new piece of EU legislation – the General Data Protection Regulation (“GDPR”) – will apply and impose a set of new data protection rules on all EU member states. As it is a regulation with direct effect, it will apply in all member states directly without the need for them to pass further national implementing legislation. The GDPR will bring with it heightened obligations on data controllers, as well as businesses that process personal data on their behalf (known as ‘data processors’), and the fines for non-compliance will be larger than those under the current regime. This note focuses on the current legislation, as the GDPR does not yet apply in the UK. For more information, please see our other briefing note.
What does the Act require?
Some of the more basic requirements of the Act are set out below, although this is not exhaustive. The Information Commissioner has prepared guidance for businesses which can be obtained online or in hard copy. The website address is https://ico.org.uk/ .
If you are processing personal data of any kind then, except in limited circumstances, you should submit a ‘notification’ to the Information Commissioner’s Office. The form can be filled in online. If an organisation has a turnover of £25.9 million or more and more than 249 members of staff, or if it is a public authority with more than 249 members of staff, the cost of notification is £500 per annum. All other data controllers must pay £35 per annum unless they are exempt. Registered charities, small occupational pension schemes and organisations that have been in existence for not more than one month do not come into the higher tier fee bracket of £500 per year, regardless of their size and turnover. They fall into the lower tier fee of £35 per year unless they are exempt from the requirement to notify altogether. Notifications must be kept up to date and renewed annually.
Data protection principles
The Act requires compliance with 8 principles of data protection and a fair processing code. The principles broadly require that personal data are:
- processed fairly and lawfully;
- obtained only for specified and lawful purposes and not processed in any manner incompatible with those purposes;
- relevant, adequate and not excessive for those purposes;
- accurate and, where necessary, kept up to date;
- not kept for longer than necessary;
- processed in accordance with the rights of data subjects under the Act;
- kept where appropriate measures are in place to prevent the accidental loss, destruction or unauthorised disclosure of that data; and
- not transferred outside the European Economic Area (i.e. the EU member states, Iceland, Liechtenstein and Norway) unless you are satisfied that the country in question can provide an adequate level of protection for the rights and freedoms of the data subjects concerned.
Personal data can only be ‘processed’ (e.g. obtained, held and used) if at least one of certain specified conditions is met. For most personal data, those conditions include:
- consent has been obtained;
- the processing is necessary for the performance of a contract with the data subject, for taking steps at their request with a view to entering into a contract, or to comply with legal obligations;
- the processing is necessary for the purpose of the legitimate interests of the data controller, and is not unwarranted.
The Act also gives data subjects the right to access information held about them upon payment of a single fee of up to £10, but this can vary, particularly if the information requested is for health or educational records. Businesses must be prepared to respond to data protection subject access requests within specified time limits.
Individuals are also given the right to object to the use of their personal data for direct marketing.
If you wish to transfer personal data to countries outside the European Economic Area, it is necessary to ensure that adequate protection in the destination country is achieved. This may be satisfied in a number of ways, such as:
- the destination country has been judged in a community finding to provide adequate protection for personal data (currently Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay).
- adequate contractual safeguards are in place (e.g. using approved ‘Model Clauses’ or ‘binding corporate rules’ – the latter for intragroup transfers).
- in relation to the US, an agreement between the EU and US permits airlines to transfer air passenger names to the US Bureau of Customs and Border Protection.
- the US is otherwise not considered to offer an adequate level of protection. Historically, the EU-US Safe Harbour enabled US organisations to self-certify their adherence to a series of principles designed to replicate the safeguards of EU law for data protection, allowing the safe transfer of personal data between the EU and US. However, the Safe Harbour was invalidated in October 2015 and has now been replaced by a new framework named the EU-US Privacy Shield. US organisations have been able to self-certify under the new scheme since 1 August 2016.
In the absence of these, the data controller itself will have to establish that the destination country does provide adequate data protection safeguards – which may not be straightforward. If none of these routes is possible, the transfer will only be lawful if one of the exceptions applies, e.g. the transfer is made with the consent of the data subject.
The Information Commissioner has released detailed Codes of Practice in relation to the use of employee data, which cover topics such as the use of data in the context of recruitment and selection, how to deal with employment records and issues arising from monitoring employees at work (e.g. internet use, email traffic).
Individuals may seek compensation in certain circumstances if they suffer damage and/or distress because of a contravention of the Act.
In certain circumstances, failure to comply with the Act can lead to criminal liability and fines in the Magistrates’ Court or the Crown Court. In addition, the Information Commissioner has enforcement powers which enable him to impose substantial fines (up to £500,000) on those who seriously breach the Act.
For further information please contact the Head of Data Protection, Beverley Flynn on 01483 734264, Beverley Whittaker on 01483 734281, Gary Parnell on 01483 734269 or another member of the commercial team at Stevens & Bolton.
This information is necessarily brief and is not intended to be an exhaustive statement of the law. It is essential that professional advice is sought before any decision is taken.
© Stevens & Bolton LLP January 2017