This document provides a summary of UK data protection laws and principles. It discusses key definitions like personal data, sensitive personal data, and data controllers. The 8 data protection principles are outlined, including requirements for fair and lawful processing, specified purposes, accuracy, retention, security, and international transfers. New enforcement powers for the UK Information Commissioner are described, such as monetary penalties and mandatory breach notification. Future developments around issues like breach notification and data sharing are also mentioned.
1. COMPETITION &
REGULATORY
GROUP
Charles Russell LLP
5 Fleet Place
London
EC4M 7RD
www.charlesrussell.co.uk
Charles Russell LLP
Floor 31, World Trade
Centre
West Tower
Isa Al Kabeer Avenue
PO Box 31249
Manama
Kingdom of Bahrain
www.charlesrussell.bh
Data Protection Update
Andrew Sharpe
18 March 2010
2. DATA PROTECTION
• Introduction
– Laws
– Definitions/jargon
• Data Protection Principles
• New Enforcement Powers
• “Hot topics” and future for data
protection
3. INTRODUCTION
LAW
• Data Protection Act 1998
– Data Protection Directive 95/46/EC
– see Europa website for other national laws
(http://ec.europa.eu/justice_home/fsj/privacy
/index_en.htm)
– “the Act is certainly a cumbersome and
inelegant piece of legislation” (Morland J,
Naomi Campbell v MGN Limited [2002] EWHC
499 (QB))
4. INTRODUCTION - Law
• Privacy and Electronic Communications
(EC Directive) Regulations 2003 (SI
2003/2426)
– Privacy and Electronic Communications (EC
Directive)(Amendment) Regulations 2004
(SI 2004/1039)
– Privacy and Electronic Communications
Directive 2002/58/EC
• Durant -v- Financial Services Authority
[2003] EWCA Civ 1746
5. INTRODUCTION - Definitions
Section 1(1) Data Protection Act 1998:
• “data controller” means, subject to
subsection (4), a person who (either
alone or jointly or in common with other
persons) determines the purposes for
which and the manner in which any
personal data are, or are to be,
processed;
6. INTRODUCTION - Definitions
• “data processor”, in relation to personal
data, means any person (other than an
employee of the data controller) who
processes the data on behalf of the data
controller;
• “data” means information which is or is
intended to be processed automatically
(i.e. computerised) or forms part of a
relevant filing system
7. INTRODUCTION - Definitions
• “relevant filing system” means any set of
information relating to individuals
structured by reference to individuals or
criteria relating to individuals in such a
way that specific information relating to
an individual is readily accessible
– “on a par” with a computerised filing system
– “temp test”
8. INTRODUCTION - Definitions
• “personal data” means information
relating to a living individual who can be
identified from that data or from other
information in the possession of the
data controller
– narrow interpretation
– must be significantly biographical, have
individual as its focus and affect an
individual’s privacy (personal or
professional)
9. INTRODUCTION - Definitions
• “sensitive personal data” means
personal data relating to race, politics,
religious beliefs, physical or mental
condition, sexual life, offences
(allegations and sentence), membership
of trade union
10. INTRODUCTION - Definitions
• “processing data” means obtaining it,
recording it, holding it, carrying out
operations with respect to it, including:
– alteration
– retrieval
– consultation
– use
– disclosure
– erasure
11. INTRODUCTION - Definitions
Section 1(4) Data Protection Act 1998:
• where personal data are processed only for
purposes for which they are required by or
under any enactment to be processed, the
person on whom the obligation to process the
data is imposed by or under that enactment is
for the purposes of this Act the data controller.
DATA CONTROLLER LIABLE FOR DATA
PROCESSOR.
12. INTRODUCTION - DPA 1998
Exemptions
• National security
• Crime and taxation
• Regulatory activities usually statutory
and usually designed to protect the
public
• Health, education, social work
• Research, history and statistics
• Disclosures required by law or made in
connection with legal proceedings
13. DATA PROTECTION PRINCIPLES
Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified
purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data
subject
7. Take appropriate security measures
8. No transfer of data outside EEA without
adequate protection
Personal data must be processed fairly
and lawfully and, in particular, shall not
be processed unless-
(a) at least one condition in Schedule 2 is met,
and
(b) in the case of sensitive personal data, at
least one of the conditions in Schedule 3 is
also met.
14. First Principle
• Personal data must be processed fairly
and lawfully and … one of the
conditions must be met
– fair processing only if data controller is
identified to data subject, together with
identity of any data protection
representative, and purpose(s) for which
data are intended to be processed is stated
– conditions at Schedule 2 or 3 to DPA 1998
15. First Principle Conditions
• Consent to processing is the most used condition
(explicit consent for sensitive personal data)
• Can process personal data without consent in
certain circumstances e.g.:
– paragraph 6 of Schedule 2: “The processing is
necessary for the purposes of legitimate interests
pursued by the data controller or by third party or
parties to whom the data are disclosed, except
where the processing is unwarranted in any
particular case by reason of prejudice to the rights
and freedoms or legitimate interests of the data
subject.”
16. DATA PROTECTION PRINCIPLES
Personal Data shall be obtained only for
one or more specified and lawful
purposes, and shall not be further
processed in any manner incompatible
with that purpose or those purposes.
Personal Data shall be adequate,
relevant and not excessive in relation to
the purpose or purposes for which they
are processed
Personal data shall be accurate and
where necessary kept up to date
Personal data processed for any
purpose or purposes shall not be kept
longer than necessary for that purpose
or purposes
17. Fifth Principle
• Personal data processed for any
purpose or purposes shall not be kept
longer than necessary for that purpose
or purposes
– often misused, inappropriately, as a reason not to
retain personal data; most famously by Humberside
Police (the information it deleted on Ian Huntley
may, if kept, have prevented the Soham murders)
– question of judgement for data controller
18. DATA PROTECTION PRINCIPLES
Personal data shall be processed in
accordance with the rights of the data
subject.
19. Sixth Principle
• Personal data shall be processed in
accordance with the rights of the data
subject
– data subject access rights
– “stop” notices for damage or distress
– “stop” notices for direct marketing
– “stop” notices for automatic decision making
processes
20. DATA PROTECTION PRINCIPLES
Appropriate technical and organisational
measures shall be taken against
unauthorised or unlawful processing of
personal data and against accidental
loss destruction of or damage to
personal data
21. Seventh Principle: data
processors/outsourcing
• Express terms governing due diligence
of data processors
– where processing carried out by data
processor on behalf of data controller, data
controller must take reasonable steps to
ensure compliance with technical and
organisational measures
– ensure data processor subject to
contractual obligations AND include audit
rights for at least Seventh Principle
22. DATA PROTECTION PRINCIPLES
Personal data shall not be transferred to
a country or territory outside the EEA
unless that country or territory ensures
an adequate level of protection for the
rights and freedoms of data subjects in
relation to the processing of personal
data
23. Eighth Principle
• Personal data shall not be transferred to
a country or territory outside the EEA
unless that country or territory ensures
an adequate level of protection for the
rights and freedoms of data subjects in
relation to the processing of personal
data
– export always permitted where the data subject
gives consent to the transfer
– other transfers without consent possible
(Schedule 4 of the DPA 1998)
24. Lawful Export of Data
• Disclosure outside of the EEA
– to third country approved by Commission
(Art. 25(6)) (Argentina, Australia, Canada,
Guernsey, Isle of Man, Jersey, Switzerland)
– US Safe Harbor -
http://www.export.gov/safeharbor/
– Binding corporate rules (Art. 26(2))
– Model Contracts (Art. 26(4))
25. Model Contracts
• In standard form for use in following
situations:
– Controller to processor:
• Commission Decision (2002/16/EC) of 27
December 2001
– Controller to controller:
• Commission Decision (2001/497/EC) of 15 June
2001
• Commission Decision C(2004)5271 of 7 January
2005 (preferred)
26. Transfer of Data Agreements
• New controller to processor approved
agreement
– effective date 15 May 2010
– set out in 2010/87/EU Commission Decision
of 5 February 2010 on standard contractual
clauses for the transfer of personal data to
processors established in third countries
under Directive 95/46/EC of the European
Parliament and of the Council (notified
under document C(2010) 593)
27. Transfer of Data Agreements
– available in Word
(http://ec.europa.eu/justice_home/fsj/privacy
/modelcontracts/index_en.htm)
– introduces obligations on sub-processors
– not yet formally adopted by Information
Commissioner
29. Criminal Justice and Immigration
Act 2008
• introduces monetary penalties for breach of
data protection principles (s.144)
– amends Data Protection Act 1998 (new sections 55A
– 55E)
– maximum penalty set by Secretary of State
– fining guidelines published by Information
Commissioner’s Office (see www.ico.gov.uk)
• only allowable for:
– “serious contravention of [a data protection
principle]”
– “likely to cause substantial damage or substantial
distress”
– deliberate breaches or where controller knew or
ought to have known that there was risk of
contravention and that the contravention would be
likely to cause substantial damage or substantial
30. Criminal Justice and Immigration
Act 2008
• secondary legislation being passed to bring
into effect
• no official announcement as to when it will be
brought into effect
• maximum penalty
– £500,000
– some lobbying, including from previous Information
Commissioner, to be given OFT-style power (i.e. up
to 10% annual turnover of offender)
• appears from the secondary legislation that the
measures being passed will bring the penalties
into effect on 6 April 2010
31. Coroners and Justice Act 2009
• Royal Assent on 12 November 2009
• Part 8 – Data Protection Act amendments
– assessment notices - will give Information
Commissioner statutory audit powers over
government departments and public authorities
– data-sharing code – requires ICO to produce code
for data sharing, to be approved by Secretary of
State (and Parliament)
• Some lobbying, including by previous IC, for
assessment notice power to be for private as
well as public sector
33. Privacy and Electronic
Communications Directive 2002/58/EC
• Amended by Citizens’ Rights Directive
2009/135/EC
• Amendments introduce breach
notification requirements by electronic
communications networks or services
providers to national regulatory bodies
and subscribers
• Member States must implement by 18
June 2011
34. Breach Notification
• some early discussion about widening
measure to all data controllers, and
including general public notification
– Reding speech 23 October 2009
– already more extensive breach notification
in some member states (e.g. some federal
states in Germany)
– EU looking closely at mixed practice in
USA, where majority of states have some
kind of breach notification law
35. Andrew Sharpe
Charles Russell LLP
Tel: + 44 (0) 20 7203 5194
+973 17 133219
Mobile:+ 44 (0) 77 1307 9516
+973 39 035451
Email: andrew.sharpe@charlesrussell.co.uk
andrewjsharpe
TMT_Lawyer
http://www.linkedin.com/in/andrewsharpe
CRITique at http://charlesrussell.wordpress.com
36. Offices in: London, Oxford, Cambridge, Cheltenham, Guildford, Geneva (Switzerland), Manama (Bahrain)
This information has been prepared as a general guide only and does not constitute advice on any specific
matter. We recommend that you seek professional advice before taking action. No liability can be accepted by
us for any action taken or not taken as a result of this information.
Charles Russell LLP is a limited liability partnership registered in England and Wales, registered number
OC311850, and is regulated by the Solicitors Regulation Authority. Any reference to a partner in relation to
Charles Russell LLP is to a member of Charles Russell LLP or an employee with equivalent standing and
qualifications. A list of members and of non-members who are described as partners, is available for
inspection at the registered office, 5 Fleet Place, London EC4M 7RD.
www.charlesrussell.co.uk www.charlesrussell.bh
Speaker notes
SCHEDULE 2 - CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA
1. The data subject has given his consent to the processing.
2. The processing is necessary-
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary-
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. - (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
This is implemented in the Data Protection Act 1998 at paragraph 4 and 5 of Schedule 4:
“4 (1) The transfer is necessary for reasons of substantial public interest.
(2) The Secretary of State may by order specify:
(a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and
(b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
5 The transfer:
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”