AUTOMATED DECISION TAKING
Section 12 of the DPA is concerned with automatic processing of personal data that is done for the purposes of evaluating matters relating to the data subject, such as performance at work, creditworthiness, reliability or conduct. The right to object in section 12 does not allow the data subject to prevent this kind of processing operation. Instead, it is concerned with decisions that are based solely on automatic evaluation-processing, if those decisions will significantly affect the data subject. Section 12 gives the data subject the right to prevent these decisions being taken, but it does not give the right to prevent the automatic evaluation-processing itself. If the data subject wishes to prevent the processing itself, recourse could possibly be found in section 10 of the DPA, if substantial and unwarranted damage or distress were caused.
Exercising the right to object
Again, the data subject can only exercise the right to object by giving written notice to the data controller (this will be called the ‘first data subject notice’). No special form is required for the first data subject notice, but it must contain words that convey the message that the data controller is being asked to ensure that no decisions significantly affecting the data subject are taken that are based solely on automatic evaluation-processing.
If the data controller fails to comply with the first data subject notice, or if no such notice is served, and it goes on to take a decision, then it must notify the data subject as soon as reasonably practicable after taking the decision that it has been taken and state that it is based solely on automatic evaluation-processing (this will be called the ‘first data controller notice’). The data subject may respond by serving another written notice (this will be called the ‘second data subject notice’) within 21 days asking the data controller to reconsider the decision or to take a new decision that is not based solely on automatic evaluation-processing. The data controller then has a further 21 days to serve a second written notice on the data subject (this will be called the ‘second data controller notice’) identifying the steps that it intends to take in compliance with the second data subject notice.
The sequence of notices summarized
The sequence of notices is as follows:
The first data subject notice. This is a written notice served under section 12(1) of the DPA. It will ask the data controller to ensure that no decisions significantly affecting the data subject are taken that are based solely on automatic evaluation-processing.
The first data controller notice. If the data controller does not comply with a notice given under section 12(1) of the DPA, or if no such notice is given, the data controller must notify the data subject within a reasonable period of the taking of a decision significantly affecting the data subject that is based solely on automatic evaluation-processing. This notice is served under section 12(2)(a) of the DPA.
The second data subject notice. If the data subject receives a notice from the data controller under section 12(2)(a) of the DPA, it may serve a written notice on the data controller asking it to reconsider its decision or to take another decision not based solely on automatic evaluation-processing. The data subject must serve this notice within 21 days of the date of receipt of the first data controller notice. The second data subject notice is served pursuant to section 12(2)(b) of the DPA.
The second data controller notice. If the data subject serves a second data subject notice, the data controller must serve a notice in response within 21 days of receipt of it, stating the steps that it intends to take in compliance. The second data controller notice is served under section 12(3) of the DPA.
Enforcement before the courts
As with the other rights to object, the right to object under section 12 can be enforced by the data subject before the court. If the court is satisfied that a data subject notice given under either section 12(1) or section 12(2)(b) has not been complied with, it may order the ‘responsible person’ to reconsider the decision or to take a new decision that is not based solely on automatic evaluation-processing.
Exempt decisions
The right to object does not apply to exempt decisions, of which there are essentially two kinds. The first kind of exempt decision concerns contracts between the data controller and the data subject. The second kind concerns decisions authorized or required by an enactment.
Decisions about contracts
For this exemption to apply the decision must be taken in the course of steps taken for the purpose of considering whether to enter into contract with the data subject, or with a view to entering into such a contract or in the course of performing a contract. Furthermore, the decision must ‘grant a request of the data subject’.
The effect of this exemption is that the data subject is not given a right to object where a decision based solely on automatic evaluation-processing is taken for the benefit of a contract with the data subject and if it achieves a result that the data subject requested. Thus, in the financial services field the data subject cannot object if as a result of automatic evaluation-processing they are issued with a credit card that they applied for.
Decisions under an enactment
This exemption benefits public authorities. Public authorities, such as the police or HM Revenue & Customs, may take decisions based solely on automatic evaluation-processing provided that ‘steps have been taken to safeguard the legitimate interests of the data subject’. Section 12(7)(b) then goes on to identify as an example a facility under which the data subject may make representations as being a step that safeguards the data subject’s legitimate interests.