FAIR PROCESSING (THE FIRST DATA PROTECTION PRINCIPLE)

The first data protection principle within Schedule 1, Part I of the DPA says:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.


The concept of fairness within the first data protection principle is an amalgam of three parts of the Data Protection Directive, plus one part that is not contained in the Directive. The first reference to fairness is extracted from Article 6.1.(a) of the Data Protection Directive, which says personal data must be ‘processed fairly and lawfully’, and forms part of the Directive’s principles relating to data quality (see Table 1.1). Fairness for these purposes requires consideration of the fairness of the processing purpose, the processing manner and the processing operations performed.

Fairness also has to be viewed from the perspective of the interpretation within Schedule 1, Part II of the DPA. The interpretation does two things. First, at paragraph 1 it introduces the concept of fair obtaining of data, requiring an examination of the method used to obtain data, including whether the data subject was deceived or misled as to the processing purpose. This part of the concept of fairness is the part that is not contained in the Directive. Second, paragraph 2 of the interpretation implements Articles 10 and 11 of the Directive. These provisions are specifically part of the transparency provisions as categorized by this book: for processing to be fair, they require data controllers to provide data subjects with information about their processing activities, referred to later as ‘the supply of prescribed information’.

So that there is no ambiguity, in any given case a proper analysis of fair processing requires consideration of the following questions:

  1. Is the processing purpose fair?

  2. Is the processing manner fair?

  3. Is the processing operation fair?

  4. Has the information been fairly obtained?

  5. Has the data controller supplied the prescribed information?

Questions 1, 2 and 3 express the issues within the fairness component of Article 6.1.(a) of the Data Protection Directive, implemented within the first line of the first data protection principle (‘personal data shall be processed fairly and lawfully’). The fourth question expresses the issue within paragraph 1 of the interpretation, fair obtaining. The fifth question expresses the issue within paragraph 2 of the interpretation, which implements Articles 10 and 11 of the Data Protection Directive.

Fairness generally, including the Johnson case

As mentioned above, fair processing is about much more than the supply of the prescribed information required by paragraph 2 of the interpretation. This point is excellently illustrated by the case of Johnson v. Medical Defence Union,59 where the judge, Mr Justice Rimer, divided his analysis of fairness into three parts. First, he analysed fairness from the perspective of the requirements contained in paragraph 2 of the interpretation, namely the supply of prescribed information. Second, he analysed the question ‘was the processing anyway unfair’, which involved looking at the processing purpose, which was the assessment of risk for insurance purposes. Third, he analysed whether there was any element of unfairness within the actual processing operation, namely the creation of a document containing a summary of information originally contained in 17 separate files. The second and third parts of his analysis are, to all intents and purposes, an analysis of the fair processing component within Article 6.1.(a) of the Data Protection Directive.

As the concept of fairness is much wider than the supply of the prescribed information it follows that the supply of the prescribed information does not of itself provide the data controller with a guarantee that its processing is fair. This point was clearly acknowledged by Mr Justice Rimer, who said, after completing his analysis of the Articles 10 and 11 requirements implemented by paragraph 2 of the interpretation, that:

the exclusion of [paragraph 2 of the interpretation] from consideration … only closes one route by which Mr Johnson might have been able to demonstrate an element of presumed unfair processing for the purposes of the first data protection principle. There remains the more general question of whether – even though I have held those paragraphs do not apply – the processing of Mr Johnson’s personal data was anyway fair.


The Information Commissioner’s ‘Legal Guidance’60 also recognizes that the supply of the prescribed information does not guarantee that the processing will be fair, saying that ‘it is important to note that compliance with the fair processing requirements will not of itself ensure fair processing’. In reaching this conclusion the Information Commissioner was guided by a series of cases heard by the Data Protection Tribunal under the Data Protection Act 1984. These cases were also analysed by Mr Justice Rimer.

Fair obtaining

Paragraph 1(1) of the interpretation is the DPA’s extension of the concept of fair processing, as the requirement within paragraph 1(1) is not contained in the Data Protection Directive. Paragraph 1(1) says:

In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.


The methods that data controllers may use to obtain personal data are limited only by the imagination, but whatever method is used it must avoid any possibility of the data subject being deceived or misled. This implies that the method used must impart accurate information about the data controller and the processing activities, which requires the persons collecting the personal data to be transparent about the identity of the data controller and the full range of processing activities. Of course, if the data subject is deceived or misled this will also undermine any consents relied upon for the purposes of Schedule 2 or Schedule 3.

EXAMPLE

There is a bucket on a hotel reception with a sign that reads ‘place your business card in the hat to win a bottle of champagne’. If the underlying reason for the offer is to obtain contact information for direct marketing purposes, it can be said that those persons who have entered their business cards might have been deceived or misled.


The nature and extent of the information that needs to be provided to the data subject by the data controller depends upon the circumstances of the particular case, so real care needs to be taken with unusual or non-obvious processing activities. This point is reflected by paragraph 2(3)(d) of the interpretation, which includes a sweeping up provision that requires the data controller to provide the data subject with ‘any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair’. This sweeping up provision is part of the prescribed information.

Statutory obtaining

Paragraph 1(2) of the interpretation makes special provision for cases where the person supplying personal data to the data controller is acting under an enactment or in accordance with an international obligation binding upon the UK. In these cases the interpretation says that the obtaining of the personal data by the data controller is to be treated as being fair. However, the data controller must also supply the prescribed information and the processing must be generally fair in the sense required by Article 6.1.(a) of the Data Protection Directive.

Paragraph 1(2) says:

(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who –

(a) is authorised by or under any enactment to supply it, or

(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.


Transparency and the supply of prescribed information

Paragraph 2(1) of the interpretation says that personal data are not to be treated as processed fairly unless the data controller ensures that the data subject has, is provided with, or has made readily available to them the information prescribed in paragraph 2(3) of the interpretation. The prescribed information in paragraph 2(3) is:

  • the identity of the data controller;

  • the identity of the data controller’s nominated representative, if it has one. Data controllers must nominate representatives if they are not established in the EEA but are using processing equipment in the UK (section 5(2) DPA);

  • the purpose or purposes for which the data are intended to be processed;

  • any further information that in light of the specific circumstances is necessary to enable the processing to be fair.

The fourth requirement, ‘any further information that in light of the specific circumstances is necessary to enable processing to be fair’ is clearly very wide in scope, being a sweeping up provision that prevents the giving of definitive advice on the ambit of the prescribed information. Data controllers are required to consider their obligations on a case-by-case basis.

The supply of further information to enable processing to be fair, including the Johnson case

The background to Johnson v. Medical Defence Union 61 is discussed in Chapter 1, in the context of the analysis of the meaning of processing, but, in summary, this was a claim for compensation under section 13 of the DPA; Mr Johnson alleged that the defendant had failed to process his personal data fairly, in breach of the first data protection principle. A key component of his case was that the defendant failed to obtain his comments on information contained in 17 files, summaries of which were considered during the defendant’s risk assessment procedures that led to the termination of Mr Johnson’s insurance cover. The claimant said that the defendant’s failure to seek his comments constituted a breach of paragraph 2(3)(d) of the interpretation, which requires the data controller to supply the data subject with any ‘further information that in light of the specific circumstances is necessary to enable the processing to be fair.’ Mr Justice Rimer summarized the claimant’s argument in the following terms:

The other issue arising under paragraph 2(3) of Part II of Schedule I is whether the MDU provided Mr Johnson with any further information which it was necessary for him to have in satisfaction of paragraph 2(3)(d). Mr Johnson’s case on this is that, once Dr Roberts had concluded her preparation of the RAR form, the score sheet and the RAG sheet, the MDU should have submitted them to him for his comments, together with the underlying files from which the information in the RAR form was derived. Mr Johnson would then have had the opportunity to make his input into the risk review exercise that the MDU was undertaking, which would then have been before the RAG.


In determining the claim the court was required to consider the ambit of paragraph 2(3)(d) of the interpretation and whether the requirement to supply ‘any further information that in light of the specific circumstances is necessary to enable processing to be fair’ extended to consultation with the claimant. Mr Justice Rimer was sure that paragraph 2(3)(d) does not extend that far:

Coming now to the point based on paragraph 2(3)(d), I consider, first, that in so far as article 10 may be viewed as casting light on the type of ‘further information’ that paragraph 2(3)(d) has in mind, it provides no support for the proposition that compliance with the fair processing requirements of the first data protection principle required Dr Roberts’s processing exercise to be followed by a consultation with Mr Johnson. Nor, in my judgment, does the more succinct language of paragraph 2(3)(d) support the proposition. That sub-paragraph is not concerned with explaining the ‘purposes’ of the processing, a matter which is covered by paragraph 2(3)(c). Nor is it about consulting with the data subject. It is about providing him with certain ‘further information’ having regard to ‘the specific circumstances in which the data are or are to be processed’. That is not naturally to be interpreted as requiring the data controller to engage in a consultation exercise after the completion of the processing. Article 10 suggests that it might (inter alia) require the data subject to be told of his right of access to, and to rectify, his personal data, but in this case Mr Johnson had already been told of those rights in the processing agreement. In a case in which the data was, for example, being, or was to be, processed by a ‘data processor’ as defined in section 1(1) of the DPA, it might also require notice of that to be given to the data subject. But I do not accept that the paragraph 2(3)(d) extends to the lengths of requiring the MDU to have consulted with Mr Johnson as part of the processing exercise.


Thus, paragraph 2(3)(d) does not require a two-way conversation between the data controller and the data subject. All it requires is the supply of information to the data subject; under paragraph 2(3)(d) information flows in only one direction.

Does the interpretation actually require the supply of prescribed information in every case?

There are some exemptions from the obligation to supply the prescribed information, which are discussed later. Leaving these aside, an important question is whether the interpretation actually requires the data controller to supply the prescribed information in every case. In order to answer this question the full wording of paragraph 2(1) is required:

2. – (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless –

(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).


As a preliminary point it will be noticed that paragraphs 2(1)(a) and 2(1)(b) both refer to ‘the information specified in sub-paragraph 3’. So that there is no confusion, ‘sub-paragraph 3’ means paragraph 2(3) of the interpretation, which specifies the prescribed information.

The focus now is the phrase appearing in both paragraphs 2(1)(a) and 2(1)(b), ‘the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him’. This splits down into three concepts:

  1. The data subject ‘has’.

  2. The data subject ‘is provided with’.

  3. The data subject ‘has made readily available to him’.

If these concepts are taken at face value, it must be concluded that the interpretation does not actually require the data controller to supply the prescribed information in each and every case. The phrases ‘is provided with’ and ‘has made readily available to him’ are synonymous with supply of information to the data subject by the data controller, but the phrase ‘the data subject has’ is not.

Where ‘the data subject has’ the prescribed information the data controller does not have to supply it to them, because they already have it. Thus, the interpretation does not actually require the data controller to supply the prescribed information in every case.

This raises the question: in what circumstances will the data subject already have the prescribed information prior to the collection of data, so that the obligation on the data controller to supply it is not engaged? The answer is in routine transactions with which the data subject is fully familiar.

EXAMPLE

A data subject makes their regular six-monthly visit to the dentist, for a check-up. In this example the data subject knows the data controller’s identity and they know the purposes for which personal data are collected, namely for the purposes of providing dental treatment and for organizing the next visit. There are no unusual circumstances so there is no further information to give. It can therefore be said that ‘the data subject has’ the prescribed information prior to personal data being collected.


Prescribed information where personal data are collected from the data subject – timing of supply of information

The DPA does not identify the time for supplying the prescribed information for cases where the personal data are collected directly from the data subject, but for the obligation to make any sense it must follow that the information should be supplied prior to the commencement of processing, which means before any personal data are collected.

Prescribed information where personal data are collected from a third party – timing of supply of information

Where personal data are collected from a third party, rather than directly from the data subject, the time for supplying the prescribed information is called ‘the relevant time’. The relevant time depends upon whether the data controller envisages disclosing the personal data to a third party.

If a data controller does not envisage disclosing personal data to a third party within a ‘reasonable period’ of the time it first starts to process it, the prescribed information must be supplied to the data subject at the time when the data controller first processes the data.

If a data controller does envisage disclosing the personal data to a third party within a reasonable period of the time when it first starts to process it, the relevant time depends upon whether the personal data are actually disclosed. If they are disclosed to a third party within the reasonable period, the relevant time is the time of disclosure. However, if the data controller realizes before the expiry of the reasonable period that the data will not be disclosed, the relevant time is the time when the data controller first realizes this fact. In any case, the longstop for supplying the prescribed information where the personal data are not disclosed to the third party is the end of the reasonable period.

Exemptions from the requirement to supply the prescribed information – where personal data are collected from a third party

There are two important exemptions from the obligation to supply the prescribed information where the personal data are collected from a third party. The first exemption is for cases where the supply of the prescribed information would involve a ‘disproportionate effort’. The second exemption is for cases where the recording or disclosure of the personal data is necessary for compliance with a non-contractual legal obligation, such as where the data controller is a public authority and the processing is necessary for the performance of public functions.

The disproportionate effort exemption

Unfortunately, the DPA does not define ‘disproportionate effort’ so it is necessary to look elsewhere for help. The Information Commissioner’s ‘Legal Guidance’62 provides the following assistance:

In assessing what does or does not amount to disproportionate effort the starting point must be that data controllers are not generally exempt from providing the fair processing information because they have not obtained data directly from the data subject.

What does or does not amount to disproportionate effort is a question of fact to be determined in each and every case.

In deciding this the Commissioner will take into account a number of factors, including the nature of the data, the length of time and the cost involved to the data controller in providing the information. The fact that the data controller has had to expend a substantial amount of effort and/or cost in providing the information does not necessarily mean that the Commissioner will reach the decision that the data controller can legitimately rely upon the disproportionate effort ground. In certain circumstances, the Commissioner would consider that a quite considerable effort could reasonably be expected. The above factors will always be balanced against the prejudicial or effectively prejudicial effect to the data subject and in this respect a relevant consideration would be the extent to which the data subject already knows about the processing of his personal data by the data controller.


In cases where the disproportionate effort exemption is relied upon, an order63 made under the DPA will also apply. This order concerns situations where an individual has served a written notice on the data controller asking the data controller to supply the prescribed information before the relevant time or as soon as practicable after that time. If such a notice is received, the data controller may only rely upon the disproportionate effort exemption if it ‘does not have sufficient information about the individual in order readily to determine whether he is processing personal data about that individual’. However, in such a case the data controller must ‘send to the individual a written notice stating that he cannot provide the [prescribed information] because of his inability to make that determination, and explaining the reasons for that inability’.

In addition, the order says that the data controller must record the reasons for its view that the disproportionate effort exemption applies.

The exemption for processing that is necessary for compliance with a non-contractual legal obligation

The order64 will also apply in the case of the second exemption provided that the non-contractual legal obligation arises under an enactment or under a court order. The same rules apply as for the disproportionate effort exemption except that the data controller is not required to record the reasons for its view that the second exemption applies.

Cases on fairness, including the Johnson case

Johnson v. Medical Defence Union is currently the leading case on the meaning of fair processing and it has certainly helped to clarify the law. The judge, Mr Justice Rimer, examined first the claimant’s allegation that the defendant had failed to supply all of the prescribed information required by paragraph 2 of the interpretation within Schedule 1, Part II of the DPA and he found that there was unfair processing in this regard. However, no separate issues arose in respect of unfair obtaining.

As regards the fairness of the processing purpose, the processing manner and the processing operation, that is, the issues within Article 6.1.(a) of the Data Protection Directive, the judge found that these were all fair, although, as noted earlier, he actually posed himself the questions ‘was the processing anyway unfair?’ and ‘was there any unfairness in Dr Roberts’ summaries of the four computerised files?’

The processing purpose identified in Johnson was the assessment of risk for insurance purposes. The manner of processing was partly automated and partly manual and the processing operations included creating an electronic summary of information contained in other files, with the decision to refuse continuation of insurance cover being based on printed copies of the summary. However, Mr Johnson was not asked for his views on the information within the files or within the summary, which was his principal complaint. As regards the overall fairness of these activities, Mr Justice Rimer delivered the following judgment:

Approaching the question of fairness head on, I have come to the conclusion that there is in principle nothing relevantly unfair about the MDU’s risk assessment policy or about the way in which it processed information in applying that policy. Mr Johnson’s big point is that he has a long and, from a claims viewpoint, blameless record. He says other doctors, in particular those specialising in orthopaedics, have had large claims brought against them yet remain MDU members. He has had no claims and yet his membership was terminated. He says that the scoring process applied by the policy is arbitrary and irrational and so capable of producing a like result. He says that the MDU fails to make proper distinctions between minor and major complaints, and that, at least in his case, it had regard to matters which, so he says, cannot rationally be regarded as genuinely predictive of future risk.

It is easy to see how he regards the decision in his case as unfair but it has to be remembered that the policy is directed at risk management – at preserving the MDU funds against a risk of claims, and the incurring of costs, in the future. The MDU experience is that a risk of that nature cannot be measured simply by awaiting the happening of a statistically significant number of occurrences that do in fact cause a drain on its funds. It is also that the risk of complaints is not a matter that is necessarily geared to the clinical competence of a doctor. The likelihood of complaints may well be based just as much on the way in which the doctor gets on with his colleagues and patients. A complaint, when made, may well be unfounded, but may also be expensive to defend. The objective of the risk management policy is to minimise the exposure of MDU funds to such expense. The policy that the MDU has developed is to assess risk by reference to whether the particular doctor attracts complaints. It is not assessed by an attempted investigation of whether there is anything in such complaints, an investigation which in practice could anyway not be carried out in any conclusive way. It would be possible to obtain the member’s view of the complaint, but it is not part of the policy to do so because (a) it would only provide part of the picture and (b) it is a part which the policy does not regard as material to the assessment which the risk review is making. A wider investigation would usually be impracticable. In defending the MDU’s risk assessment policy as fair, Mr Spearman emphasised that it has to be viewed against the background in which there is a contractual relationship between the MDU and its members and in which the MDU has a positive duty, in the interests of all its members, to adopt a responsible risk assessment policy directed at preserving its assets. The fairness of the processing of a member’s personal data has to be considered in that contractual context.


As regards the second question he posed himself, the issue was whether there was any unfairness in the actual creation of the summary:

I have concluded that [apart from the failure to supply the prescribed information] there is in principle no basis for any challenge to the fairness of the MDU’s approach to, and execution of, the risk assessment review in relation to Mr Johnson. That does not exclude the possibility that there might have been an element of unfairness in the way that Dr Roberts actually processed the data in the files. If she had, for example, materially misstated the nature of an allegation or complaint against Mr Johnson, that might go to the fairness of the processing in which she was engaged; and a consequential question might arise as to whether, but for such misstatement, the [committee making the decision on continuation of insurance cover] would or might have made a different recommendation.


On this question the judge again dismissed Mr Johnson’s complaint.

There are other cases on the meaning of fair processing, but these are all decisions of the Data Protection Tribunal under the Data Protection Act 1984 (note that the Data Protection Tribunal was renamed the Information Tribunal by the Freedom of Information Act 2000). These cases are not binding on the Information Tribunal or the courts, but they do help with understanding the meaning of fair processing.

CCN Credit Systems Ltd v. The Data Protection Registrar,65 a 1991 decision of the Data Protection Tribunal, is one of a series of appeals heard by the Tribunal following the service of enforcement notices on credit reference agencies. These enforcement notices were served under the Data Protection Act 1984 for breach of the first data protection principle within that Act. The first data protection principle said ‘the information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully’. The basic scenario at the heart of the case was presented in the following terms:

In 1985 Mr Simon Jones, a chartered accountant, sold his house to a Mr J. Watson. In 1988 Mr Jones applied to a building society for a cheque guarantee card. He was refused a card and informed that a credit reference had been sought from CCN. Mr Jones applied to CCN under section 158 of the Consumer Credit Act 1974 for a copy of his file. Among the information supplied was an entry showing a judgment awarded in 1987 against Mr Watson. The only link between Mr Jones and Mr Watson was that they were respectively vendor and purchaser of a house a few years earlier. Put in another way, the only link between them was that they had at different times lived at the same address. Mr Jones was distressed by this incident.


The allegation of unfairness made by the Data Protection Registrar concerned the automatic extraction from a database of all information connected to an address that was provided by an applicant for credit. It was considered that this resulted in material that was irrelevant to the applicant being considered within the credit assessment process, particularly information relating to other individuals with whom the applicant had no other connection bar a connected address. The Data Protection Tribunal agreed that this was unfair processing:

Having taken due account of the evidence we have heard and the considerations urged upon us we have come to the clear conclusion that it is unfair for a credit reference agency, requested by its customers to supply information by reference to a named individual, so to program the extraction of information as to search for information about all persons associated with a given address or addresses notwithstanding that those persons may have no links with the individual the subject of the enquiry or may have no financial relationship with that individual. We believe this to be so even if the customer has requested address-based information and notwithstanding what is said to be its predictive value. We reject the notion that an organisation like CCN, with its wide specialist knowledge of and experience in credit reference and credit scoring, is a mere ‘conduit pipe’. We believe the sort of processing carried out in this case is the very sort of activity at which the Act is aimed. We think it right to say that we accept that CCN did not intend to process data unfairly, and did not believe itself to be acting unfairly. But it is necessary to determine the question of fairness objectively, and in our view the case of unfairness has been made out.


However, the Tribunal did not consider that the first data protection principle in the 1984 Act prevented all extraction of third-party information:

Would it be unfair to extract information about persons, clearly not the subject, who share the same surname as the subject and who might be members of the same family living with the applicant as members of a single household? Here we recognise that it is possible to hold different views. It would often be accepted, we think, that enquiry into the credit status of members of the subject’s immediate family might yield information that was relevant in the Registrar’s sense. It would not necessarily be the case, but it would not be possible to form any sort of judgment on this without having the information available. On balance, therefore, our finding is that the extraction of such information would not be unfair, though whether it is possible to program a search with the necessary precision we do not know.


Similar decisions were reached in Infolink Ltd v. The Data Protection Registrar 66 and in Credit and Data Marketing Services Ltd v. The Data Protection Registrar.67

Innovations (Mail Order) Ltd v. The Data Protection Registrar 68 is a 1993 decision of the Information Tribunal. The practice that offended the Data Protection Registrar was non-consensual list broking, whereby Innovations sold customer information to third parties to be used by them for direct marketing purposes. The Registrar considered that this was an act of processing that was not revealed prior to the obtaining of customer information, which made the processing unfair. However, Innovations pointed out that after receiving an order it would send an acknowledgement that also included the following message:

For your information. As a service to our customers we occasionally make our customer lists available to carefully screened companies whose products or services we feel may interest you. If you do not wish to receive such mailings please send an exact copy of your address label to [address].


The Registrar considered that the notice was insufficient to make the processing fair, because it was provided after the customer information was obtained and because it shifted the obligation to the data subject to opt-out. The Data Protection Tribunal agreed:

We conclude that a later notice may be a commendable way of providing a further warning, but whether it does so or not, we conclude that the law requires in the circumstance we have here that when possible the warning must be before the obtaining. This can best be done by including the warning in the advertisement itself. Where it may not be possible (e.g. the use of existing names for a new purpose) we consider that the obligation to obtain the data subject’s positive consent for the non-obvious use of their data falls upon the data user.


The Tribunal therefore concluded that Innovations’ processing was unfair and it upheld the enforcement notice served by the Registrar.

Linguaphone Institute Ltd v. The Data Protection Registrar,69 a 1995 decision of the Data Protection Tribunal, also concerned an appeal from an enforcement notice served by the Data Protection Registrar under the Data Protection Act 1984, for unfair processing. The Registrar said that Linguaphone’s practice of list broking was unfair processing in breach of the first data protection principle in the 1984 Act, because this purpose was not disclosed to Linguaphone’s customers and enquirers at the point of collection of their data.

Linguaphone accepted that all names acquired before 1 January 1992 should be deleted from its list, but it disagreed that names acquired after that date should be deleted, because it said that it was making use of ‘opt-out’ boxes on order forms sent to potential customers. The Data Protection Tribunal was unimpressed, holding Linguaphone’s method to be unfair, because it sought to transfer to the data subject the burden of communicating their wish not to have their data transferred to third parties for marketing purposes. Instead, the 1984 Act’s fair processing requirement placed the responsibility on Linguaphone to ‘obtain the data subject’s positive prior consent’. The Data Protection Tribunal was also unimpressed by the fact that the opt-outs were ‘in minute print at the bottom of the order form’. In the Tribunal’s view ‘the position, size of print and wording of the opt-out box does not amount to a sufficient explanation to an enquirer that the company intends or may wish to hold, use or disclose that personal data provided at the time of enquiry for the purpose of trading in personal information’.

British Gas Trading Ltd v. Data Protection Registrar,70 a 1998 decision of the Data Protection Tribunal, again an appeal from the service of an enforcement notice under the Data Protection Act 1984, also reviewed the fairness of processing for direct marketing purposes. After reviewing the evidence the Tribunal found that there was unfair processing in breach of the first data protection principle in the 1984 Act.

By way of background, British Gas Trading Ltd maintained two databases. The main database, called the ‘tariff gas bill database’ contained the records of 19 million gas customers and was used to prepare gas bills. The second database was a smaller marketing database that included information gathered from a number of sources, including the tariff gas bill database. The aim of the marketing database was to facilitate effective, targeted direct marketing of related and unrelated products and services provided by British Gas Trading Ltd and by third parties. Furthermore, information on the marketing database would also be disclosed to third parties, so that they too could process for direct marketing purposes. Related to this, between March and June 1997, British Gas Trading Ltd billed all of its customers and included with each bill was a notice entitled ‘Your Data Protection Rights – the right to choose the information you need’. This notice said:

… we would like to write to you from time to time about our current range of products and services, as well as those we will be developing in the future. Also, we would like to send you information about products and services offered by other reputable organisations. In addition, we would like to pass on information about you to the other companies within our group in order that you may receive information about their products and services directly from those companies.


In respect of fairness, the issues in the appeal can be summarized as follows:

  • Would customers expect their personal data to be used for direct marketing purposes? This included the transfer of data from the main database to the marketing database as well as the direct marketing itself.

  • Was there a distinction between the direct marketing of related products and services and the direct marketing of unrelated products and services?

  • Was there a distinction between direct marketing done by British Gas Trading Ltd and direct marketing done by a third party?

  • Assuming that all of the notices served between March and June 1997 were received, what could British Gas Trading Ltd do in the case of persons who did not respond?

The Tribunal found that reasonable customers would expect British Gas Trading Ltd to process their personal data for direct marketing purposes, so that the transfer from the main database to the marketing database was not automatically unfair. However, the direct marketing itself could only be for ‘gas related products and services’, although it did not matter if British Gas Trading Ltd sent information about their own gas-related products and services or information about the products and services provided by a third party. As regards direct marketing done by a third party, this amounted to a disclosure of personal data and was unfair if done without the data subject’s consent. Therefore, only British Gas Trading Ltd could carry out the direct marketing processing in the absence of a consent for the transfer to a third party for direct marketing purposes. The Tribunal said:

We consider that there is a distinction to be made between the use by BGTL and disclosure by BGTL to third parties, albeit to co-subsidiaries … the fact that disclosure is inhibited will not prevent BGTL processing personal data itself (without disclosure) so as to send out, for example, the advertising material of a third party provided that it is not for marketing or promoting suppliers or services of a type which otherwise renders processing unfair.


In respect of the final issue, the Data Protection Tribunal said that:

we do not consider that it is sufficient merely to send to the customer a leaflet providing them with an opportunity to object to their personal data being processed for purposes beyond those gas related purposes to which we have referred. It would, we consider, be sufficient to prevent processing being unfair if individual customers are informed of the type or types of marketing or promotions BGTL would wish to carry out by processing their personal data, provided that they are given the choice to agree or not and either consent then and there, or do not object to such use. Alternatively thereafter, and before such processing takes place, the customer returns a document to BGTL, or by other means of communication received by BGTL indicates consent to, or by not filling in an opt-out box, or other means, indicates no objection to processing for such type or types of marketing or promotion. One such returned document could be, for example, a direct debit mandate form; others could be a part of a bill, or purpose designed leaflet.


The critical point within the Tribunal’s analysis of the final issue is that British Gas Trading Ltd could not infer consent from the data subject’s failure to respond. This was the effect of the Data Protection Registrar’s argument, which the Tribunal paraphrased in the following manner:

The Registrar holds the view that any intended use must be clear to the data subject at the time at which the information is collected by the data user, unless it can be shown that there has been subsequent consent and that consent cannot be inferred from a lack of response to a circular offering an opt-out. It can be said that a data subject who receives an unwanted leaflet merely has to ignore it or throw it away.


Another interesting case is Midlands Electricity Plc v. The Data Protection Registrar,71 a decision of the Information Tribunal in 1999. This case also concerned unfair processing under the Data Protection Act 1984 and was an appeal from an enforcement notice served by the Data Protection Registrar. The facts are straightforward. Midlands Electricity sent domestic customers a magazine, Homebright, with their quarterly bills. The magazine contained information and advice relating to the supply of electricity, such as information about energy conservation and advertisements for unrelated products and services from third-party suppliers, such as holiday promotions. The Tribunal held that this was unfair processing, because there had been an addition to the processing purpose without consent, namely personal data supplied by customers for the purposes of energy supply was being used for direct marketing purposes. This was despite the fact that no personal data was supplied to third parties and despite the fact that the magazine was unlikely to cause offence.

Although this case was decided under the 1984 Act, it is of continuing assistance, as the structure of the first and second data protection principles in the 1984 Act, which deal with fair and lawful processing and the processing purposes respectively, is very similar to that of the first and second data protection principles in the DPA. Furthermore, although it concerns postal direct marketing communications, the decision reflects the underlying reasoning in the Directive on Privacy and Electronic Communications (DPEC),72 which allows data controllers to send direct marketing emails on an opt-out basis only if they are about their own related goods and services. Midlands Electricity’s problem was the sending of information about unrelated goods and services of third parties.
