7 DATA PROTECTION

Andrew Katz

Data protection is a complex area. It is notoriously difficult to summarise because the legislation is so full of exemptions, provisos and exceptions. This chapter aims to give the reader a working knowledge of the overall scheme of the legislation and highlight the areas where there are potential pitfalls, so that specialised advice can be sought.

INTRODUCTION

The law in this area is primarily contained in the Data Protection Act 1998, although various other Acts and Regulations are also relevant, particularly in relation to electronic marketing. Data protection compliance in the UK is overseen by the Information Commissioner, and the website of the Information Commissioner’s Office (ICO) is always a useful jumping-off point to get to grips with the law and what is considered good practice in this area. Although the information it gives may occasionally be misleading, it is a good reference source, and if any dispute arises the ICO should be receptive to the argument that a data controller should not be found to be in breach of the Act where it is following advice published on the ICO website.

New powers in 2010 for the ICO to impose fines of up to £500,000 on organisations that commit deliberate or particularly serious breaches of the Act have underlined how important it is for organisations to have a proper understanding of their obligations in relation to personal data.

TERMINOLOGY

The words ‘data’ and ‘information’ have venerable, well-established meanings to those who study information theory and computing. Unfortunately, when Parliament drafted the legislation, it chose to ignore these and almost perfectly interchanged the established definitions of ‘data’ and ‘information’. If you have any grounding in information theory, try to ignore what you have been taught when reading this chapter!

WHAT DATA ARE COVERED

The Data Protection Act requires that any ‘personal data’ are only obtained, processed and held by entities (called ‘data controllers’) that have registered (‘notified’ in the language of the Act) with the Information Commissioner. ‘Data subjects’ have a right to know who holds data about them, what those data are, that the data are used properly and for specified purposes, and (by and large) they are not used in a way that can harm them. In addition, the data controller is obliged to take steps to ensure that the information is secure and is not disclosed to unauthorised persons.

Data subjects have various rights, including the right to compensation should a data controller fail to comply with obligations under the Act.

The starting point for any discussion of data protection law is understanding what is meant by ‘personal data’. The definition in the Act says that personal data means data that relate to a living individual who can be identified from those data, or from those data and other information that is in the possession of or is likely to come into the possession of the data controller. Names are personal data. Names and addresses together are personal data (although the addresses themselves are probably not). Email addresses in the form [email protected] are personal data, but [email protected] may not be.

Information about George V is not personal data because he is dead.

Information about companies (as long as it does not refer to members of staff, directors or other individuals) is not personal data because companies are not individuals.

These definitions raise issues that have caused a great deal of uncertainty and debate: much of it centred on the 2003 case of Durant v. Financial Services Authority. Take, for example, the proviso about data being personal data if they identify a living individual in conjunction with other information that is in the possession of or is likely to come into the possession of the data controller. Every office has a set of telephone directories. A telephone directory is a catalogue of names, addresses and telephone numbers: clearly personal data. If someone in the office holds an address or a telephone number in isolation, it may be a phenomenally difficult task to go through the telephone directory searching for the telephone number or the address to see whose name tallies up with it, but it is possible. Does this mean all email addresses, street addresses and telephone numbers should be regarded as personal information, even if their connection with a living individual cannot immediately be identified? Until Durant, the Information Commissioner would have said ‘Yes’, but the latest guidance on the ICO website is that the relevant consideration is whether there is a system in place that allows the organisation in question to find information, applying a standard search procedure, without searching through every item in a set of information.

Images (photographs and videos) of people are also capable of qualifying as personal data, which means that closed-circuit television systems (CCTV) are essentially personal data gathering and storage devices, so organisations employing them have to comply with the provisions of the Data Protection Act. This whole topic is complex and further guidance is available on the Information Commissioner’s website, including a helpful flowchart intended to give a structured approach to deciding whether a given category of information constitutes personal data.

Do not fall into the trap of assuming that if you do not keep the information on a computer (or if you do not have a database), the Act does not apply to you. Manual data can be covered by the Data Protection Act and with few exceptions any data held in a ‘relevant filing system’ are covered by the Act. In a nutshell, if a filing system is any use (i.e. if it is ordered alphabetically by name, or if you can otherwise find information relating to a given individual without a general trawl of the whole system), then it is a ‘relevant filing system’. So a filing cabinet containing personnel files ordered alphabetically is a relevant filing system, as is an alphabetical address book.

SENSITIVE PERSONAL DATA

One category of personal data, sensitive personal data, is treated more stringently by the Act. Sensitive personal data consist of information that relates to:

  • the racial or ethnic origin of the data subject;
  • their political opinions;
  • their religious beliefs or other beliefs of a similar nature;
  • whether they are a member of a trade union;
  • their physical or mental health or condition;
  • their sexual life;
  • the commission or eventual commission by them of any offence;
  • any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

In general, the data controller has to take particular care when dealing with sensitive personal data. Several obligations under the Act are more stringent when they relate to sensitive personal data than when they relate to other (non-sensitive) personal data.

WHO NEEDS TO NOTIFY?

Unless a specific exemption applies, it is an offence to process personal data without an appropriate entry in the Information Commissioner’s register (called ‘notification’). The exemptions include individuals who process personal data for personal, family or household affairs (which also exempts domestic data controllers from most of the other provisions of the Act) and, in the context of business:

  • staff administration;
  • advertising, marketing and public relations;
  • accounts and records.

There are also various exemptions from notification for certain non-profit making organisations, including clubs.

There are two important points:

  • Exemption from notification does not (by itself) mean exemption from the other provisions of the Act.
  • The exemptions are fairly narrow and it is often difficult to interpret the exemptions and decide whether they specifically apply.

Experience shows that, when most businesses are examined in any detail, they are almost invariably undertaking activities that are outside the scope of the exemptions, so they are required to notify.

There are, in any event, some advantages to notifying voluntarily, even though it will cost you £35 each year (or £500 for large organisations) and take a little bit of administration time. It removes the obligation on the data controller (Section 24 of the Act) to supply, free of charge and to anyone who requests it, essentially the same information that it would have to supply in the notification. It accordingly makes more sense to compile this information once for notification purposes, rather than having to do it each time somebody makes a request.

Typical examples as to why the exemptions do not go far enough are as follows:

  • The administration of company pensions (including stakeholder pensions) will necessarily involve holding personal data and passing it on to pension trustees: something that is not dealt with in the employee administration exemption.
  • Employee records will frequently contain information about an employee’s next of kin. Our view is that next-of-kin data relates to a living individual other than the employee him or herself, and is accordingly covered by the exemption (there is some guidance from the Information Commissioner that contradicts this, but in the end it is for the courts, not the Information Commissioner, to determine the question).

HOW TO NOTIFY

You can notify on the Information Commissioner’s website, by email, by post or by telephone. The information that is required to undertake a notification is:

  • the data controller’s name and address;
  • the name and address of any representative of the data controller;
  • a description of the personal data being or to be processed and the category of data subjects to which they relate;
  • a description of the purpose of processing;
  • a description of any intended recipients of the data;
  • a list of any countries outside the European Economic Area (EEA) to which the data may be transferred by the data controller;
  • answers to a standard list of questions about data security; and
  • a statement (if relevant) of the fact that certain data processed by the data controller are of a type excluded from notification.

You must notify under the correct name of the data controller (e.g. if you are a limited company, the proper company name including ‘Limited’) as well as any names you trade under. If you are a partnership, you should notify under the partnership’s trading names as opposed to the names of the individual partners. If you have more than one company in your group processing data (in practice, this is likely to be all non-dormant companies) then they each have to notify separately. Remember that they may be undertaking different processing, so the notifications may need to be different, and ensure that there is an entry in the notification allowing for the transfer of personal data between companies in the group.

As noted above, the notification form requires you to summarise the steps you have taken to ensure data security. If you have taken measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage, do the methods include:

  • adopting an information security policy (i.e. providing clear management direction on responsibilities and procedures in order to safeguard personal data)?
  • taking steps to control physical security (e.g. locking doors of the office or building where computer equipment is held)?
  • putting in place controls on access to information (e.g. introducing password protection and encryption on files containing personal data)?
  • establishing a business continuity plan (e.g. holding a backup file in the event of personal data being lost through flood, fire or other catastrophe)?
  • training your staff on security systems and procedures?
  • detecting and investigating breaches of security when they occur?
  • adopting the relevant international information security standards from the ISO/IEC 27000-series? (These standards are not a statutory requirement but a business-led approach to best practice on information security management.)

The Commissioner has made it easy to notify by drawing up a set of templates for a number of different types of business that contain the elements of notification most likely to apply to that business. These are available on the Commissioner’s website and are by far the simplest way to commence a notification. Be careful, however, because they are not comprehensive and it is unlikely that any specific business fits precisely within a template. They are very useful as a guide, but do not use them without thinking through the issues and, especially, whether there are other areas not contained within the template that need to be covered. For example, none of the templates contains a notification relating to the release of personal data to potential investors or successor businesses of a data controller. In practice, many businesses are in the market for acquisition or wish to raise finance; as part of that process they will have to undergo due diligence. This due diligence will almost certainly result in personal data being made available to a potential successor business or investor but, in the absence of a specific notification permitting that disclosure, it would be a criminal offence to release the information to them. The Information Commissioner’s Office has suggested that data provided in due diligence can be made anonymous but, in the context of most small- to medium-sized businesses, this would not be feasible. As a result, it is important to think through the processes involved in your business and potential business developments to determine the scope of an appropriate notification.

Many businesses make the mistake of thinking that once they have notified, they can go ahead and process data in whatever way they like. Notification is just the first step. Businesses still have to comply with the data protection principles in relation to the data that they hold, process and disclose, and, in particular, this may mean that they may need to obtain the consent of the data subjects before undertaking that processing.

You are required to renew your notification annually and if the nature of the business changes in such a way as to necessitate changes to your notification, you are under an obligation to notify the Information Commissioner of those changes.

Although in practice many businesses change their notifications, if necessary, at the time of annual renewal, there is an obligation to update as and when the change happens, so businesses that wait until annual renewal to do this will technically be in breach during the intervening period.

THE PRINCIPLES OF DATA PROTECTION

Personal data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject’s rights;
  • secure;
  • not transferred to countries without adequate protection.

The full text of the principles is set out in Schedule 1 to the Act, together with some additional interpretation.

DATA PROTECTION PRINCIPLES

Fair and lawful processing

‘Processing’ includes almost any activity involving data: obtaining them, possessing them, retrieving them, analysing them, performing actions on them and disclosing them. That means that for the processing to be lawful, the data must have been obtained fairly and lawfully in the first place. Where you are obtaining the data from the data subject him or herself, you must ensure that the data are obtained fairly (i.e. you disclose who you are, why you need the data, and what you are going to do with them). If you are obtaining data from a third party, things are more complicated.

When you obtain data from a person other than the data subject, there are essentially two scenarios. Either you have obtained the information from a person providing information about someone else (e.g. an airline obtains personal data about a passenger from the travel agent booking the ticket) or you have obtained the information from a third-party database (e.g. a mailing list broker).

In each case, you must (so far as is practicable) as soon as possible after obtaining the data, provide the data subject in question with certain details (i.e. who you are, why you have the data, and what you are going to do with them). ‘So far as is practicable’ are the words used in the legislation and there is as yet no guidance from the courts as to how that will be interpreted.

In practical terms, though, this means that if you are harvesting data from individuals, you should always ask them whether they are the data subject in question (e.g. if your call centre takes calls from customers over the phone and a caller gives a credit card in the name of Annabel Smith, you should ask the caller if they are Annabel Smith, and challenge them if they appear to have a male voice or sound too young to have a credit card; but this is good security practice anyway). If the person providing the data turns out not to be the data subject, you should ensure that you provide the actual data subject with the necessary information.

If you get the data from a mailing list, you will need to satisfy yourself that the list broker obtained the data fairly and lawfully, that it can lawfully pass the data on to you and that you can lawfully use the data you obtain for the purposes you want to use them for. If the list broker did not obtain the data fairly and lawfully, you cannot make use of them without breaching the Act, so you need to be absolutely sure that you can use the list, and you should build strong contractual protection (e.g. indemnity clauses) against any claims that the list cannot be used lawfully.

You should ask the list broker some difficult questions about how they obtained the data:

  • Did you obtain the data yourself or from a third party?
  • Do you know that the data subjects themselves provided you with the data and not someone on their behalf?
  • Do you have the consent of the data subjects to release their details to me? How was that consent obtained? Were any of the consents given by minors? (Particular issues arise in relation to the protection of children’s data; the ICO has guidance on its website.)
  • Do you have the consent of the data subjects to use their names for the purposes I am contemplating?
  • How do you handle updates and corrections to the list? Can I have access to your updates and corrections for the period of the list hire?
  • How do you handle requests from the data subjects for their names not to be used for marketing purposes?

Any reputable list-broking firm should be able to provide answers to these questions to your satisfaction.

Schedule 2 of the Act describes a number of circumstances under which the processing of data may be considered fair even though the express consent of the data subject has not been obtained. These include processing that is necessary in connection with the performance of a contract to which the data subject is a party, or that is necessary to comply with a legal obligation (other than one imposed by contract).

These Schedule 2 conditions may enable processing to be carried out without express consent, but they should generally be approached with caution, and, as a general rule, consent is always preferable.

Processing for limited purposes

Data should be processed only for the purposes that you have notified the Information Commissioner and, where you need consent for processing, only for the purposes for which you have consent. For example, if you have obtained data from customers for billing purposes, you must not, in the absence of consent from those customers, use the data for marketing to them. It is accordingly important, when you are harvesting data, to convey to data subjects the purposes for which you want the data, and to obtain their consent to the use of the data for those purposes.

When is consent not consent?

One of the characteristics that makes processing ‘fair’ is that you have the data subject’s consent to the processing. Where the data involved are ‘sensitive personal data’ then the Act says that ‘explicit consent’ is required. This means that the data subject must agree, in some unequivocal way, to the processing taking place and, logically, that they are fully informed as to what they are consenting to.

In other words, the data subject must be made aware of the purposes for which their sensitive personal data are to be processed; and must indicate that they give their consent. The consent can be in writing, or spoken, or even a tick in a box. However, giving the data subject the right to opt out (as opposed to opting in) in these circumstances is not sufficient. For example, a box saying ‘tick here if you do not want your sensitive personal data processed for marketing purposes’ would not be sufficient to ensure that the processing was fair.

Express consent is required for the processing of sensitive personal data, so lawyers generally assume that for other, ‘non-sensitive’ personal data, the consent required does not need to be explicit, and accordingly can be implicit. What is implied consent? If someone leaves their name and address details after telephoning a ‘catalogue order line’ voicemail, then clearly they have implied consent to use their address details to send them a catalogue. It is questionable whether they have implied consent to anything else done with those data, however.

It is arguable, but a data subject who fails to tick the box on a reply form that says ‘tick here if you do not want us to make your details available to other companies for marketing purposes’ has probably given implied consent. In other words, for non-sensitive data, opt-outs are (probably) permissible. Specific opt-ins are invariably the safer approach, though, from the legal point of view.

The question of whether implied consent has been given will depend in each case on the circumstances. Another consideration is that in addition to data protection law, separate legislation applies to restrict unsolicited electronic communications (email, phone, SMS etc.), as explained below.

Adequate, relevant and not excessive

This principle is self-explanatory. You must obtain the appropriate data you need to carry out your job properly (e.g. as a credit reference agency you would need to ensure that you have adequate data about a data subject to be able to make a decision about their creditworthiness). You must only collect relevant data (it is not necessary, for example, to collect data on the inside leg measurement of your customer if you are in the business of pizza delivery). However, it is very easy for you (or your web designers) to ask irrelevant questions when harvesting data from websites, for example.

Think about whether it is necessary for you to know the age, gender or marital status of your customers. In many cases, the answer will be ‘yes’, but at least give the data subjects a chance to opt out of providing that information; organisations commonly mark ‘essential’ information with an asterisk. In practice, so long as the data you hold are relevant, it is difficult to see how they would be ‘excessive’.

Accurate

Keeping your data accurate makes good business sense. The amount of effort you invest in keeping your data accurate should be balanced against both the importance to you of keeping your data accurate and the potential harm that the data subject could suffer. For example, if you hold medical records, an incorrect reference that the data subject is not allergic to penicillin could clearly be disastrous. Likewise, if you are a credit reference agency holding incorrect data showing a data subject to be an undischarged bankrupt, you could be liable for damages to the data subject for any loss or distress caused by a bad credit rating. If, however, you are the proprietor of a pop singer’s website, then you may be able to argue that the data subject’s favourite colour needs somewhat less care. In practical terms, the data most companies will think about in the context of data protection are marketing and contact data and employment records; in both cases, it is sensible to have a regular review of the data you hold to ensure that it is kept up to date and accurate. In this respect, as with most issues relating to data protection, making a serious effort to comply with the Act is likely to count for a lot with the Commissioner, even if technically your organisation may not strictly be complying with the law.

The Commissioner is likely to be less sympathetic to data subjects’ claims that your data was inaccurate if you make it easy for data subjects to correct any errors: for example, providing a page on the website for reviewing and amending details, or sending out an update form with the data subject’s details and inviting them to amend any errors. In the latter case, do not be tempted (as several financial institutions have done recently) to send out a letter along the lines of ‘We know you have opted out of marketing so we are writing to ensure that we are holding accurate details about you and to remind you of what wonderful services we can offer you’.

THE RIGHT TO OPT OUT OF MARKETING

The Act provides that data subjects can opt out of the use of their details for direct marketing purposes. In practical terms, you should ensure that you have a mechanism available to log any objections by data subjects to the use of their data for direct marketing purposes and either delete their names from your database or, if you need to keep the data for other purposes, make sure you have a flag on the database that marks those records that must not be used for direct marketing. There is also an argument that you should maintain a database of people who have objected to direct marketing, so that you can cross-check it against any data you obtain subsequently, to ensure that you do not start processing a data subject’s details for direct marketing after they have sent you a notice requiring you to stop (and you have removed their name from the main database).

There are a number of stop lists (such as the Mailing Preference Service) to which data subjects may submit their names. Companies may obtain copies of these lists by signing up with the appropriate bodies and use them to purge their databases of the details of people who do not want the data used for direct marketing purposes. The Mailing Preference Service is a voluntary (i.e. non-statutory and non-compulsory) scheme, but good business sense suggests using such a service (on the basis that sending direct mail to someone who has subscribed to the list will be a waste of a stamp and may lead to a vocal opponent of your company). The service has been available since 1983, well before the advent of any data protection legislation in the UK. The Direct Marketing Association (DMA), which runs the Mailing Preference Service, also runs the Fax Preference Service and the Telephone Preference Service.

These last two schemes are statutory and operate under the Privacy and Electronic Communications (EC Directive) Regulations 2003. Prior to undertaking any unsolicited telephone marketing (or fax shots), you must remove from your target list any names that appear on the appropriate stop lists maintained by the DMA or be at risk of committing a criminal offence. Copies of the lists are obtainable from the DMA (a fee is payable). Note that it is illegal to contact private individuals by fax for direct marketing purposes without their consent, irrespective of whether they are on the stop list.
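The flagging and cross-checking mechanism described above (logging objections, flagging rather than deleting records, and keeping a separate suppression database to screen data obtained later) and the stop-list purge described in this section can be implemented as a single suppression list. The Python below is an added illustration, not the chapter’s own code and not an ICO or DMA tool; the contact records, the stop-list rows and the hired list are constructed sample values, and the identifier normalisation (lower-cased email, UK phone digits in national form, surname plus postcode) is an assumption about how such lists would be matched.

```python
import re
from dataclasses import dataclass


@dataclass
class Contact:
    name: str
    email: str = ""
    phone: str = ""
    postcode: str = ""
    no_marketing: bool = False   # flag on records that must not be used for direct marketing
    suppressed_by: str = ""      # which objection or stop list matched the record


def norm_email(email: str) -> str:
    return email.strip().lower()


def norm_phone(phone: str) -> str:
    """Reduce a UK number to national digits so '+44 (0)20 7946 0456' and '020 7946 0456' agree."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("44"):
        digits = "0" + digits[2:].lstrip("0")   # drop country code and any bracketed trunk zero
    return digits


def norm_address_key(name: str, postcode: str) -> str:
    """Postal matching key (assumed): surname plus postcode, as postal stop lists are keyed by address."""
    surname = name.strip().split()[-1].lower() if name.strip() else ""
    return surname + "|" + re.sub(r"\s+", "", postcode).upper()


class SuppressionList:
    """Identifiers of data subjects who must not receive direct marketing, kept separately
    from the live database so that a later data import can be screened against them."""

    def __init__(self) -> None:
        self.emails: dict[str, str] = {}
        self.phones: dict[str, str] = {}
        self.addresses: dict[str, str] = {}
        self.log: list[tuple[str, str]] = []   # (name, source): audit trail of objections received

    def _add(self, contact: Contact, source: str) -> None:
        if contact.email:
            self.emails[norm_email(contact.email)] = source
        if contact.phone:
            self.phones[norm_phone(contact.phone)] = source
        if contact.postcode:
            self.addresses[norm_address_key(contact.name, contact.postcode)] = source

    def add_objection(self, contact: Contact) -> None:
        """Record a data subject's notice that their details must not be used for direct marketing."""
        self._add(contact, "objection")
        self.log.append((contact.name, "objection"))

    def load_stop_list(self, rows: list[Contact], source: str) -> None:
        """Load an external stop list (here a constructed stand-in for a telephone list) into the index."""
        for row in rows:
            self._add(row, source)

    def match(self, contact: Contact) -> str:
        """Return the source of the first matching identifier, or '' if the contact is clear."""
        if contact.email and norm_email(contact.email) in self.emails:
            return self.emails[norm_email(contact.email)]
        if contact.phone and norm_phone(contact.phone) in self.phones:
            return self.phones[norm_phone(contact.phone)]
        key = norm_address_key(contact.name, contact.postcode)
        if contact.postcode and key in self.addresses:
            return self.addresses[key]
        return ""


def screen_for_marketing(contacts: list[Contact], suppression: SuppressionList) -> list[Contact]:
    """Flag every record that matches the suppression list and return only the records that may
    still be used for direct marketing. Flagged records are kept, not deleted, so they remain
    available for other notified purposes (billing, contract administration)."""
    cleared = []
    for contact in contacts:
        source = suppression.match(contact)
        if source:
            contact.no_marketing = True
            contact.suppressed_by = source
        else:
            cleared.append(contact)
    return cleared


def demo() -> dict[str, str]:
    """Constructed scenario: one objection, one stop list, then a list hired later."""
    suppression = SuppressionList()
    # Annabel objects; her record is then removed from the live database, but the objection is kept.
    suppression.add_objection(Contact("Annabel Smith", "Annabel.Smith@example.org",
                                      "+44 20 7946 0123", "SW1A 1AA"))
    # Constructed stand-in for a telephone stop list: numbers only, in a different format.
    suppression.load_stop_list([Contact("", phone="020 7946 0456")], "tps")
    # A list hired later contains Annabel again (different case and number format) plus two others.
    hired = [
        Contact("A. Smith", "annabel.smith@EXAMPLE.org", "020 7946 0123", ""),
        Contact("Bob Jones", "bob@example.net", "+44 (0)20 7946 0456", "N1 9GU"),
        Contact("Carol White", "carol@example.com", "0161 496 0789", "M1 1AE"),
    ]
    screen_for_marketing(hired, suppression)
    return {c.name: c.suppressed_by for c in hired}
```

Only Carol’s record comes back clear: Annabel is caught by the retained objection even though she no longer appears in the live database, and Bob by the stop list despite the differently formatted number.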

The 2003 regulations also limit the use of unsolicited text messages or emails. If you propose to send commercial text or email messages to an individual subscriber (including a partnership), you need to ensure either that you have a pre-existing business relationship with them (i.e. you are responding to an enquiry or you have supplied them with similar goods or services to the ones about which you are emailing) or that they have expressly consented (i.e. opted in) to receiving marketing information from you. Unsolicited commercial emails should always be clearly identified as such and should allow the recipient an easy way to opt out of receiving them (i.e. an effective ‘unsubscribe’ option).

It is also worth bearing in mind the Code of Advertising Practice (CAP), which makes it a necessity for corporate bodies, as well as individuals, to opt in to receiving unsolicited commercial emails. Although not legally binding, failure to comply with the CAP can lead to a business being blacklisted and accordingly unable to advertise in participating media. Taking this into account together with the difficulty in determining whether a ‘subscriber’ is an individual, a partnership or a company, many commentators are saying that the best advice is only to send unsolicited commercial emails where there is a positive opt-in, irrespective of whether the recipient is a company, a partnership or an individual.

The 2003 regulations also regulate the use of cookies. A cookie is a small piece of data that is stored on a user’s computer at the request of the web server hosting a website that the user is viewing. They are designed to have a benign purpose: to enable the web server to retrieve the state of the website when the user last visited, for example. They are often used to store shopping carts, details about favourite items and to enable a web server to identify who a particular user is without them having to log in. Used in this way, they improve the user experience significantly. However, they can also be used to track a user’s movements around the site and to gather various other pieces of information. The 2003 regulations require a website to alert the user to the use of cookies and to allow the user to disable them.

A recent European Directive means that as of 26 May 2011, cookies must only be used where the user has given consent, having been provided with clear and comprehensive information about the use of the cookies (which logically can only mean ‘prior consent’). Current standard practice is for websites to advise users of the use of cookies only in the websites’ privacy policies, which most users don’t read, and which in any case they won’t have had an opportunity to read until after the cookies have already been downloaded. The new law will make this practice unlawful. At the time of writing, the Information Commissioner’s Office has indicated that it will enforce with a light touch for an initial period. The explosion in the use of behavioural advertising, which uses information gathered by cookies to display ‘personalised’ (i.e. focused) ads to web users, means this topic is likely to receive a great deal more attention before the new provision comes into force.

Not kept longer than necessary

This heading is, at first sight, self-explanatory, but it raises some difficulties. Your auditors will no doubt insist that you keep financial data for at least seven years (and it is an obligation under the self-assessment tax regime to do so). However, this is likely to include personal data. The Information Commissioner may argue that you should make the data anonymous, to the extent that you can without breaching the requirements of your auditors and HMRC, but in practice that is likely to be impossible. You may also want to keep other data for at least six years in case of legal action (the ‘statute of limitations’ generally allows you to sue and be sued up to six years from the event complained of); indeed, your insurers may place an obligation like this on you. The breadth of these requirements means that, as a data controller, you need to ensure that your notification covers all the purposes for which you may need to retain data, and that you maintain a constant review of the data you hold to ensure that you delete any data that are no longer required.

This poses a special problem so far as backups are concerned: many companies will have a dusty cupboard containing backup tapes, possibly in an old format that the company no longer has the equipment available to read. These may contain data that are covered by the Act, and that accordingly should be kept accurate and deleted once no longer required. Many companies will take the view that as the Commissioner’s primary role is to ensure that the data subjects are not harmed by the misuse of personal data, so long as the tapes are kept securely and the data on them is not merged with any live data without scrupulous checks, and any relevant guidance on the ICO website has been taken into account, the Commissioner is likely to conclude that the Data Protection principles are being adhered to, and will not seek to take enforcement action.

Processed in accordance with the data subject’s rights

Personal data must not be processed:

  • if the data controller has not complied with the data subject’s rights of access to personal data;
  • if the data subject has objected to processing on the grounds that to carry on with the processing would cause damage or distress;
  • if the data subject has objected to direct marketing;
  • if the data controller is in breach of the provisions of the Act that allow the data subject to object to automated decision-taking.

Secure

Personal data must be kept secure and protected from unauthorised access. This means that the data controller must not only take technical measures (like using password-protected access), but also ensure that only suitable staff have access to it. The extent of the steps to be taken depends on the type of data and the likelihood of harm that may result (presumably to the data subject) from a security breach. What the appropriate technical measures are will change over time as technology and best practice change. For example, the Commissioner is likely to take the view that encryption should now be used wherever practical, and indeed has issued guidance to the effect that enforcement action is likely to be taken against organisations where laptops and other mobile devices containing personal data are stolen and encryption has not been used.

You would be wise to put measures such as the following in place:

  • Ensuring that all personal data is encrypted wherever practical, especially data on mobile devices such as laptops, memory sticks and smart phones.
  • Limiting access to data through appropriate passwords etc.
  • Limiting physical access to the disks and tapes on which the data is held.
  • Vetting staff who have access to the data.
  • Providing training in data security to staff who have access to the data.
  • Keeping backups of data to ensure it can be restored in case of loss or error.
  • Observing appropriate identification procedures to ensure that personal data are only disclosed to the appropriate people (e.g. giving the data subjects a password or pass phrase to verify their identity).
  • Cross-checking the data to ensure accuracy (e.g. removing multiple entries, checking addresses against postcode databases, and analysing the data to throw out badly formed telephone numbers).
  • Having procedures in place to ensure that data are erased once they are no longer required.
  • Having a procedure to ensure regular updating of data (e.g. telephoning data subjects on a rolling cycle to check their data are being kept up to date).
  • Reviewing on a regular basis all of the procedures in relation to the above to make sure they are still valid.
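One way to mechanise the cross-checking and erasure measures listed above, as an added example that is not from the chapter: it deduplicates a constructed contact list, discards badly formed telephone numbers and postcodes (a format regex stands in for the postcode database, which is an assumption), and flags records past an assumed six-year retention period for erasure.

```python
import re
from datetime import date, timedelta

# Format-only UK postcode check (outward code, space, inward code). This is an
# assumption standing in for the licensed postcode database the chapter means.
POSTCODE_RE = re.compile(r"^[A-Z]{1,2}[0-9][0-9A-Z]? [0-9][A-Z]{2}$")
# After stripping separators: 0 plus 9-10 digits, or +44 plus 9-10 digits.
PHONE_RE = re.compile(r"^(0\d{9,10}|\+44\d{9,10})$")
# Constructed retention rule: erase once six years have passed since last contact.
RETENTION = timedelta(days=6 * 365)

def normalise_phone(raw):
    """Strip spaces, dashes and brackets; return None if still badly formed."""
    digits = re.sub(r"[\s\-()]", "", raw)
    return digits if PHONE_RE.match(digits) else None

def review(records, today):
    """Return (clean, erased, rejected): clean records are deduplicated by
    lower-cased email with normalised phone and postcode; erased ones are past
    RETENTION; rejected ones have a malformed phone or postcode."""
    clean, erased, rejected, seen = [], [], [], set()
    for rec in records:
        key = rec["email"].strip().lower()
        if key in seen:            # multiple entry: keep the first occurrence
            continue
        seen.add(key)
        if today - rec["last_contact"] > RETENTION:
            erased.append(rec)     # no longer required: schedule for erasure
            continue
        phone = normalise_phone(rec["phone"])
        postcode = rec["postcode"].strip().upper()
        if phone is None or not POSTCODE_RE.match(postcode):
            rejected.append(rec)   # badly formed: correct with the data subject
            continue
        clean.append({**rec, "phone": phone, "postcode": postcode})
    return clean, erased, rejected

# Constructed sample records (not real people or numbers).
SAMPLE = [
    {"email": "a.smith@example.org", "phone": "0161 496 0123",
     "postcode": "M1 1AE", "last_contact": date(2011, 1, 10)},
    {"email": "A.Smith@example.org", "phone": "0161 496 0123",
     "postcode": "m1 1ae", "last_contact": date(2011, 1, 10)},   # duplicate
    {"email": "b.jones@example.org", "phone": "01632 9600",
     "postcode": "SW1A 1AA", "last_contact": date(2010, 6, 1)},  # bad phone
    {"email": "c.lee@example.org", "phone": "+44 20 7946 0958",
     "postcode": "EC1A 1BB", "last_contact": date(2003, 2, 1)},  # stale
]

def review_sample(today=date(2011, 6, 1)):
    """Run the review over SAMPLE as at a fixed (constructed) review date."""
    return review(SAMPLE, today)

if __name__ == "__main__":
    clean, erased, rejected = review_sample()
    print(f"{len(clean)} clean, {len(erased)} to erase, {len(rejected)} rejected")
```

Records in the erased and rejected lists are returned rather than silently dropped so that the erasure and correction decisions can be logged, which is the kind of record the ICO would expect to see.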

As part of the notification process, you are required to submit a brief statement of the steps you intend to take to comply with this principle. A good way to comply with both this requirement and the general obligation of this principle is to perform a risk assessment relating to the data and to modify internal processes accordingly.

The Information Commissioner has stated that compliance with the International Standard 27001 provides a suitable benchmark for compliance. However, this is a very comprehensive standard and it is not necessary to be fully compliant with it in order to comply with this principle. More information can be obtained from the International Organization for Standardization.

‘Proportionality’ is a buzzword currently used a lot in the regulatory context: it simply means that the steps taken should be adequate but not excessive in relation to the likely harm that could be suffered arising from a breach. Clearly, an organisation holding health records would have to take significantly greater security measures than an organisation holding a mailing list of email addresses of people interested in gardening, for example.

Where you appoint a third party to undertake data processing for you (e.g. a payroll bureau), you must take steps to ensure that they comply with similar obligations in relation to data security, and you are required to have a written contract with them that imposes these obligations. Make sure you understand what practical measures the third party will take to safeguard information.

Again, showing that care has been taken in these matters is likely to count a lot if the ICO ever has cause to look into your organisation’s data protection compliance.

Not transferred to countries without adequate protection

It is unlawful to pass personal data to any country that does not have adequate protection for data subjects. This is a contentious and difficult topic, but the major points are as follows.

  • All EEA countries are deemed to have adequate protection. When new countries join the EU, it will become lawful to transmit data to those countries.
  • The USA does not have adequate protection. However, the US Department of Commerce, in conjunction with the European Commission (EC), has set up a scheme called Safe Harbor (2000) that allows US businesses to sign up to a set of principles roughly equivalent to those in the Data Protection Act and that accordingly makes transfers of data to those companies legitimate. A full list of these companies can be found on the US Department of Commerce website.
  • The EC periodically makes decisions that various territories do have adequate levels of protection and that data can be passed there freely. At the time of writing, only Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland, Israel, Andorra and the Faroe Islands are deemed to have adequate levels of protection.
  • Irrespective of whether the country in question has an adequate level of protection, the data subject can give consent to the transfer and the transfer may comply with certain other criteria (which can be found in Schedule 4 to the Act).
  • The EU has produced model contracts that, in effect, impose obligations on recipients of personal data in countries outside the EU equivalent to those that exist in the EU. If an EU data controller enters into this model contract with a recipient outside the EU, then data transfer becomes legitimate. (There are separate model contracts for data controller to data controller transfers and data controller to data processor transfers.)
  • Transit of data through a country is not the same as transfer to a country. Internet traffic may pass through the USA, for example, en route from the United Kingdom to Germany but this does not amount to a transfer within the meaning of the Act. The best view is probably that if anything amounting to ‘processing’ goes on in a country, then there is a transfer to that country, but otherwise the data is just in transit and there is no breach of this principle.

RIGHTS OF DATA SUBJECTS

In brief, data subjects have the right to have their data processed only in accordance with the data protection principles set out above, and:

  • to receive information about the identity of the person processing their data, the purposes of the processing and any other relevant details (including details of the source, or classes of source, of the data and the persons, or classes of persons, to whom such data may be disclosed);
  • to receive a copy of the data that a data controller may hold on them;
  • to object to automated decision-taking (the aim being to protect data subjects against processes such as automated credit-scoring, so data subjects can require that a human being is actively involved in the decision-making process);
  • to prevent their details being used for direct marketing purposes;
  • to prevent processing likely to cause damage or distress;
  • to have inaccurate data corrected or erased;
  • to receive compensation for breaches of the Act;
  • to have the Commissioner consider a request for assessment where the data subject believes that the data controller may not be carrying out processing in accordance with the Act.

The right to receive information about the data processor

For processing to be fair, the data controller must provide information about who is processing the data and why they are processing it. They must also provide any other information that may in the circumstances be required to make the processing fair. This is why every company website should have a privacy policy setting out this information (almost any company website will involve an invitation to provide personal data to the company, even if it only consists of an email address for enquiries). The right to receive a copy of the data that the data controller holds is subject to a £10 maximum fee.

Complying with data subject access requests

You are obliged to provide a data subject with details of the data you hold on them. You should consider the following questions:

  • Have they paid you a fee? You can set a fee for this, up to a maximum of £10.
  • Is this their first request or have they requested before? If they have requested before, you are allowed to refuse a subsequent request before a ‘reasonable interval’ has elapsed (there is no guidance on what this means).
  • Have they provided you with information about the data they are looking for? A request cannot be a fishing expedition through all of the data that you hold: you are entitled to be told what sort of data the subject is looking for, for example, mailing databases, accounts details, personnel records.
  • Have they provided you with enough information so that you can be sure they are who they say they are (e.g. copy of driving licence and utility bill)?
  • Is there any other exemption relating to the data or the application?

Once you are satisfied with the answers to those questions, you can proceed to collate the information, bearing in mind that:

  • you must withhold or make anonymous information that identifies another data subject, unless you have that data subject’s consent.

    For example, if an employee asks for details of complaints about them, releasing the complaints may identify the complainants, in which case the data cannot generally be disclosed without the complainant’s consent. Simply removing the complainant’s name may not be sufficient because the data subject may still be able to identify the complainant from the other contents of the complaint. In this case, you should decline the request, giving reasons. However, you cannot use this as a blanket excuse to refuse disclosure because you are under a positive obligation to try to make the data available to the requesting data subject if you can.

    Make sure a copy of your reasoning is retained, in case you are required to justify your decision to the Commissioner or the Court. The question of disclosure is tricky and you should take expert advice in all but the most clear-cut cases.

  • the time limit for compliance with the request is 40 days from the day you receive the request, the day you get the fee or the day you get the information containing details of the data subject’s identity, whichever is the latest.
  • the data provided to the data subject should be in a clear format that can be read by the human eye.

EXEMPTIONS

The Data Protection Act is a complex piece of legislation with many exemptions from its main rules depending on the circumstances. In the main, the exemptions are:

  • from notification (as discussed in the section on notification, above);
  • from providing information to the data subject about who you are and the reasons for processing their data (the ‘Subject Information Provisions’); and
  • from providing the data subject with copies of the information you hold about them (the ‘Subject Access Provisions’).

There is not scope in this book to go into the exemptions in any detail.

By way of example, there are general exemptions from the provisions of the Act in relation to national security, detection and prosecution of crime, giving and receiving legal advice, domestic purposes and journalism, literature and art.

More specific exemptions apply in certain circumstances, such as where disclosing the information would affect the value of a company’s stock or where there are ongoing negotiations affecting the data subject (the aim being that a canny data subject should not be able to use the Data Protection Act to find out what pay award his employer is thinking of giving him). Establishing whether a particular exemption applies is far from straightforward, and although initial guidance can be found on the Information Commissioner’s website, it is wise to take specialist advice before relying on any apparent exemption.

PENALTIES AND ENFORCEMENT

The Information Commissioner has the primary responsibility for enforcing the Act (or taking ‘regulatory action’, to use the appropriate ICO jargon). Since 6 April 2010, the Commissioner has had the power to fine organisations that breach data protection laws up to £500,000. Guidance on the ICO website states that a ‘monetary penalty notice’ may be handed out if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress, but only where the contravention was either deliberate or the data controller knew or ought to have known that there was a risk that a contravention would occur, and failed to take reasonable steps to prevent it. At the time of writing, these powers have only recently come into force, so it is unclear how they will be used, but it seems likely that it will not be long before the Commissioner flexes these new muscles to impose a major fine on an organisation that commits a particularly flagrant (or well-publicised) breach. The guidance the Commissioner has released on the proposed use of fines makes it clear that an important part of their purpose is as a deterrent. Among the examples given in the guidance of the kinds of breach that are likely to be considered serious enough to warrant a fine are failures that result in the loss of unencrypted data (the ‘laptop in the back of a taxi’ type incident), or particularly sensitive data such as medical records.

The primary mechanism of enforcement, however, is likely to remain by means of an Enforcement Notice. When the Information Commissioner believes that a data controller is contravening the Act, he may issue an Enforcement Notice that sets out steps that the data controller must take to bring the processing within the law. Failure to comply with it is a criminal offence (and managers and directors of an infringing company will also be liable). There are some other criminal offences contained in the Act:

  • Unlawful obtaining or disclosing of personal data.
  • Selling or offering to sell unlawfully-obtained personal data.
  • Enforced subject access. (This probably needs a little more explanation: it used to be a frequent practice for employers to require prospective employees to obtain a copy of their criminal record from the police prior to offering them employment. Clearly, the employer could not obtain this information directly but the employee could. It is now a criminal offence to require someone else to obtain personal data about themselves in connection with that person’s work.)

There are also some administrative offences that make it a crime to interfere with the work of the Information Commissioner or the administration or enforcement of the Act. It is, as one might expect, a crime to fail to notify, to provide false statements to the Information Commissioner, to fail to notify him of any changes to a notification and to fail to cooperate with him in certain circumstances.

REFERENCES

European Commission (1995) Directive 95/46/EC, Article 25(6).

European Commission Model Contracts: http://ec.europa.eu/

Information Commissioner’s website: www.ico.gov.uk

Information Commissioner’s Office, on what constitutes ‘personal data’: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/what_is_data_for_the_purposes_of_the_dpa.pdf

Information Commissioner’s Office, on enforcement and monetary penalties: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_regulatory_action_policy.pdf and http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_guidance_monetary_penalties.pdf

Information Commissioner’s Office, on notification: http://www.ico.gov.uk/what_we_cover/data_protection/notification.aspx

US Department of Commerce Safe Harbor: http://www.export.gov/safeharbor/
