KEY ASPECTS WITHIN DATA PROTECTION LAWS
When data protection laws are properly analysed the following key aspects become apparent:
The processing of personal data must be transparent.
The processing must comply with the general rules on lawfulness.
The data subject must be given a right to object.
Transborder flows of personal data are allowed, subject to a test of adequacy.
There must be appropriate remedies, sanctions and penalties.
However, there are some powerful exceptions. For example, the transparency provisions will not apply if they would defeat the purpose of the processing.
The data protection principles
European data protection laws are structured around key principles, which the DPA calls the ‘data protection principles’. The DPA contains eight data protection principles and these are found in the first schedule to the Act.
The principles and the data controller
The DPA places the obligation to comply with the data protection principles on the data controller, who is the person or entity with the power to determine the manner of processing and its purpose. Section 4(4) of the DPA says that ‘it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller’. This obligation also extends to ensuring that data processors (persons or organizations processing personal data on behalf of data controllers) comply with the seventh data protection principle. Data controllers who take advantage of model contractual clauses to render lawful transfers of personal data to non-adequate countries outside the EEA also carry an obligation tantamount to ensuring that the data importer complies with the principles.
The principles and the interpretation
The data protection principles are supported by interpretation contained in Schedule 1, Part II of the DPA. Section 4(2) says ‘those principles are to be interpreted in accordance with Part II of Schedule 1’.
Key aspect – transparency (including the first and second data protection principles)
The need for transparency in processing, while not quite sacrosanct, is one of the most important aspects of data protection laws. Putting the matter bluntly, a real respect for privacy means being open about one’s processing activities. Of course, there are times when transparency will be counterproductive or harmful to other interests (for example, in the fight against serious crime), but these instances are limited in number and are subject to strict rules.
The DPA’s approach to the issue of transparency is complex and multi-faceted, but the essential elements can be categorized as follows:
The promotion of consensual processing: The DPA encourages processing operations that are conducted with the data subject’s consent, wherever this is possible. For example, the first criterion for making the processing of personal data legitimate is that the data subject has given consent.
Fair processing: The first data protection principle requires processing to be fair and lawful. This is a complicated requirement because the first data protection principle merges a series of separate requirements within the Data Protection Directive, namely those contained in Articles 6, 7, 8, 10 and 11. As far as fairness is concerned, processing must be generally fair (the equivalent provision is contained in Article 6 of the Data Protection Directive) and must be specifically fair in the sense that the data subject should be supplied with information about the data controller and the processing prior to the commencement of processing (see Articles 10 and 11 of the Data Protection Directive for the equivalent provisions). Furthermore, the data subject should not be deceived or misled about the processing purpose, requirements that are not actually contained in the Data Protection Directive.
Obtaining for specified purposes: The second data protection principle requires personal data to be obtained for specified, lawful purposes. This requires the data controller to notify the data subject of the purpose prior to collection of the personal data. The notice can be given direct to the data subject or it can be included within the data controller’s notification.
Notification: Most data controllers are obliged to register with the Information Commissioner prior to the commencement of processing, a process known as notification. In summary, this process involves the data controller supplying the Information Commissioner with information about itself and its data processing activities, which the Information Commissioner then enters on a publicly accessible register. Where the obligation to notify exists (there are some exemptions from the obligation), it is a criminal offence to process personal data without having notified. It is also a criminal offence to fail to keep notifications accurate and up to date. Additionally, in certain cases where the obligation to notify is exempted the data subject may serve a written request on the data controller for ‘the relevant particulars’, which form the bulk of the information that would be provided if the obligation to notify existed.
The right of access to personal data: Data subjects are generally allowed access to their information and access to information about the data controller’s activities. Where the right of access applies the information usually has to be supplied within 40 days. The right of access is one of the DPA’s ‘subject information provisions’.
Information notices: The Information Commissioner is empowered to serve information notices on data controllers requiring them to furnish him with key information about their processing activities.
Key aspect – general rules on lawfulness (the first to fifth data protection principles)
Chapter II of the Data Protection Directive is titled ‘general rules on the lawfulness of the processing of personal data’. These general rules consist of nine sections including:
principles relating to data quality;
criteria for making data processing legitimate; and
special categories of processing.
The general rules on the lawfulness of the processing of personal data also include the transparency provisions, identified above, and the right to object, discussed later.
The Data Protection Directive’s principles relating to data quality are incorporated in the DPA’s data protection principles, which are contained in the first schedule of the Act. The criteria for making data processing legitimate are contained in the second and third schedules. For comparative purposes Table 1.1 shows the critical parts of the data quality principles as they appear in the Data Protection Directive and the DPA.
| Data Protection Directive 1995 See Article 6.1. Personal data must be: | Data Protection Act 1998
See Schedule 1, Part I Personal data shall be: |
|---|---|
| Processed fairly and lawfully. | Processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. |
| Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. | Obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. |
| Adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. | Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. |
| Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. | Accurate and, where necessary, kept up to date. Note: The DPA gives the data subject the right to have inaccurate data rectified, blocked, erased or destroyed, but this right is contained in section 14 of the Act and not in the principles. |
| Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. | Not be kept for longer than is necessary. |
Within the Data Protection Directive the criteria for making processing legitimate apply only to personal data that does not fall within one of the ‘special categories’. The special categories are the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and the processing of data concerning health or sex life. Following the approach of Table 1.1, the critical parts of the criteria for making the processing of personal data legitimate are shown in Table 1.2.
| Data Protection Directive 1995 See Article 7 Member States shall provide that personal data may be processed only if: | Data Protection Act 1998 See Schedule 2 Conditions for the processing of personal data referred to in the first data protection principle: |
|---|---|
| (a) The data subject has unambiguously given his consent. | The data subject has given his consent to the processing. |
| Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. | The processing is necessary –
(a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract. |
| Processing is necessary for compliance with a legal obligation to which the controller is subject. | The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. |
| Processing is necessary in order to protect the vital interests of the data subject. | The processing is necessary in order to protect the vital interests of the data subject. |
| Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed. |
The processing is necessary –
(a) for the administration of justice, (b) for the exercise of any functions conferred on any person by or under any enactment, (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person. |
| Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. | The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. |
The Data Protection Directive and the DPA both prohibit the processing of the special categories of personal data, or ‘sensitive personal data’ as the DPA prefers, unless the processing satisfies one of the specified conditions. For completeness, Table 1.3 shows the grounds upon which the special categories of processed.
It is important to note that if sensitive personal data are processed, the data controller will need to satisfy a criterion for legitimacy from Schedule 2 and a criterion from Schedule 3.
| Data Protection Directive 1995 See Article 8.2. The prohibition against the processing of the special categories of personal data shall not apply where – | Data Protection Act 1998 See Schedule 3 |
|---|---|
| (a) The data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition may not be lifted by the data subject’s giving his consent. | The data subject has given his explicit consent to the processing of the personal data. |
| Processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorised by national law providing for adequate safeguards. |
(1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) The Secretary of State may by order – (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied. |
| Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent. |
The processing is necessary –
(a) in order to protect the vital interests of the data subject or another person, in a case where – (i) consent cannot be given by or on behalf of the data subject, or (ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld. |
| Processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects. |
The processing –
(a) is carried out in the course of its legitimate activities by any body or association which – (i) is not established or conducted for profit, and (ii) exists for political, philosophical, religious or trade-union purposes, (b) is carried out with appropriate safeguards for the rights and freedoms of data subjects (c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and (d) does not involve disclosure of the personal data to a third party without the consent of the data subject. |
| Processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims. | The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject. |
|
The processing –
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights. | |
|
(1) The processing is necessary–
(a) for the administration of justice, (aa) for the exercise of any functions of either House of Parliament, (b) for the exercise of any functions conferred on any person by or under an enactment, or (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department. (2) The Secretary of State may by order – (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied. | |
|
(1) The processing is necessary for medical purposes and is undertaken by –
(a) a health professional, or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional. (2) In this paragraph ‘medical purposes’ includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services. | |
|
(1) The processing –
(a) is of sensitive personal data consisting of information as to racial or ethnic origin, (b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and (c) is carried out with appropriate safeguards for the rights and freedoms of data subjects. (2) The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects. | |
| The personal data are processed in circumstances specificed in an order made by the Secretary of State for the purposes of this paragraph. |
Key aspect – the right to object (preventing processing)
The right to object enables the data subject to exert control over their personal data. The DPA provides the data subject with a right to prevent processing likely to cause damage or distress, a right to prevent processing for direct marketing purposes and, in certain circumstances, a right to prevent automated decision taking.
Key aspect – transborder data flows (including the eighth data protection principle)
As mentioned earlier, the removal of obstacles to the free flow of personal data is one of the two principal aims of data protection laws. This aim provides the legal basis for the Data Protection Directive itself. To recap, the Directive considers free flows of personal data to be integral components of the rights of free movement that are central to the Internal Market’s proper functioning.
The Directive’s starting point is that transborder flows of personal data between the EC Member States may not be restricted or prohibited on the sole ground of protection of privacy (see Article 1.2.). However, transfers to countries outside the EU may only take place if the third country offers an ‘adequate’ level of protection for personal data.
The DPA adopts a similar approach, saying at the eighth data protection principle that ‘personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’.
Both the Directive and the DPA explain how the adequacy of third countries is measured. They both also contain derogations from the general rule so that in certain circumstances transfers to non-adequate third countries are allowed.
Key aspect – enforcement (remedies, sanctions and penalties)
The Data Protection Directive requires the EC Member States to provide every person with a right to ‘a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question’ (Article 22) and an entitlement to ‘receive compensation from the controller for [any] damage suffered’ as a result of ‘an unlawful processing operation or of any act incompatible with the national provisions adopted’ (Article 23). In addition, it is stated that ‘Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted’ (Article 24). Finally, the Member States are required to establish completely independent supervisory authorities endowed with sufficient investigative powers, effective powers of intervention, the power to engage in legal proceedings and the power to hear complaints from data subjects (Article 28).
Taking these obligations in reverse order, the independent supervisory authority under the DPA is the Information Commissioner. Using their powers under the DPA, the Information Commissioner can commence criminal proceedings against data controllers, they can serve ‘enforcement notices’, ‘information notices’ and ‘special information notices’, they can conduct proceedings in the Information Tribunal, they can assess processing for legal compliance upon the request of the data subject and, with a warrant, they can enter upon premises to inspect, examine, operate or test processing equipment and to seize documents or materials containing evidence.
The DPA also creates a small series of primary criminal offences, by which it is meant that a criminal prosecution can be commenced directly by the Information Commissioner or the Director of Public Prosecutions upon the obtaining of evidence of a breach of the rule concerned. However, it is important to note that all breaches of the DPA can ultimately lead to criminal prosecutions, although the notice procedures have to be followed first in the majority of cases.
The data subject may commence civil proceedings for compensation where damage is suffered as a result of a breach of the DPA. If distress is suffered as well, a claim for compensation can be maintained for that harm, but there is no standalone right to sue for compensation for distress where no damage is caused, except where the processing is done for journalistic, artistic or literary purposes.
The data subject may also commence civil proceedings to enforce the right or access or the right to object.
The sixth, seventh and eighth data protection principles
As mentioned earlier, the DPA contains eight data protection principles. For completeness, the sixth, seventh and eighth data protection principles say the following:
|
6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. |