3. Data Protection seminar
Recognising Personal Data
Data Sharing
Overseas Transfers of Personal Data
Electronic Marketing
The New Data Protection Regulation
Short case study
4. Recognising ‘Personal Data’
Before establishing if the Data Protection Act 1998 (Act) is
engaged, you need to recognise what personal data is.
(1) Is the information ‘data’?
– Four categories of data:
Automatically processed data
Data Forming part of a ‘relevant filing system’
Data forming part of an ‘accessible record’
Data recorded by a public authority.
5. Recognising ‘Personal Data’ (2)
(2) Is the data ‘personal data’?
– Once you have established that the information is ‘data’, you
need to establish if it is ‘personal’ data.
– Defined in s1 (1) of the Act as:
“Data which relate to a living individual who can be identified:
(a) from those data; or
(b) from those data and other information which is in the
possession of, or is likely to come into the possession of, the
data controller”.
“Living Individual”
“Individual”
6. Recognising ‘Personal Data’ (3)
Examples of personal data include:
– addresses, telephone numbers, job titles and dates of birth
– expressions of opinions about an individual
– indications of the intentions of the data controller or any
other person in respect of the individual.
Anonymised data is not personal data.
7. Data Sharing (1)
(1) What is ‘data sharing’?
– Disclosure of data by one or more organisations to a third
party organisation or sharing of data between different parts
of an organisation.
– If the data sharing does not involve personal data ie where
only statistics that cannot identify anyone are being shared,
then the Act does not apply.
8. Data Sharing (2)
(2) Data sharing has two legal components:
– Whether you can share personal data eg lawful, powers etc.
– How to share personal data eg securely, transparently etc.
Your legal status affects your ability to share information eg it
depends on whether you are a public sector body or a
private/third sector one.
The public sector:
– (1) Identify the legislation that is relevant to your
organisation.
(a) Express obligations.
(b) Express powers.
(c) Implied powers.
9. Data Sharing (3)
– (2) If there is no power to data share then the data must not
be shared unless, for example, there is an overriding public
interest to do so.
– (3) The Freedom of Information Act 2000 requires all public
authorities to disclose any information they hold to anybody
who asks for it, although there are various exemptions, eg for
disclosure which would breach any data protection principle.
The private sector:
– Most private organisations have a general ability to share
data so long as it does not breach the Data Protection Act or
any other law.
10. Data Sharing (4)
(3) Sharing Confidential Personal Data
– Obligation of confidence can be overridden if:
• consent is obtained
• it is in the Public interest – Helen Maddock –v- Devon CC
(2003): there was no breach of confidence when a
council passed on concerns about the suitability of a
woman to become a social worker to the university where
she was training. Considered a matter of public interest
that unsuitable persons should not become social
workers
• statutory requirements provide for it.
11. Data Sharing (5)
(4) Advice: Apply the Statutory Code of Practice on data sharing
to help you collect and share personal data in a way that is fair,
transparent and in line with the rights and expectations of the
people whose information you are sharing and consider the
following.
– Whether you are obliged to share.
– Whether you have the power to share.
– Stick to any statutory limits.
– Confidentiality requirements before disclosure.
– Disclose the minimum that you need to disclose.
– Disclose in a secure manner.
– Whether you have to inform the data subject.
– Keep records of the disclosure.
– If you are routinely data sharing, then consider having a formal
agreement in place.
12. Overseas Transfers of Personal Data
Due to the globalisation of trade, record amounts of customer
and employee data now have to be transferred overseas from the
UK.
Data Protection Act 1998, 8th Principle
• “Personal data shall not be transferred to a country or
territory outside the European Economic Area (EEA) unless
that country or territory ensures an adequate level of
protection for the rights and freedoms of data subjects in
relation to the processing of personal data.”
13. Overseas Transfers of Personal Data (2)
4-Step “Good Practice” Approach. Consider:
– (1) if there is a transfer of personal data to a third country
– (2) if the third country ensures an adequate level of protection
to data
– (3) whether the parties have or can put in place, adequate
safeguards to protect the data
– (4) if any of the other derogations to the 8th principle apply.
14. Overseas Transfers of Personal Data (3)
(1) Is it a transfer? Two questions must be
considered:
– (a) Whether the country of the transferee of personal
data is outside the EEA;
– (b) Whether the transmission in question actually
amounts to a transfer.
What is a ‘transfer’?
Transfer or Transit?
15. Overseas Transfers of Personal Data (4)
Examples from ICO:
– (1) A company in the UK uses a centralised human
resources system in the US belonging to its parent company
to store information about its employees – TRANSFER
– (2) Personal data is transferred from the UK to Germany via
a server in Switzerland, which does not access or
manipulate the information while it is in Switzerland –
TRANSIT
16. Overseas Transfers of Personal Data (5)
(2) Adequacy
– If there will be a transfer to a third country, you need to
consider whether the third country ensures an adequate level
of protection. A finding of adequacy is normally based on a
Community finding or a positive outcome when applying the
adequacy test.
– “Community finding”: where the European Commission
makes a finding that a country outside the EEA has an
adequate level of protection. A list can be found on the ICO
website.
– “Adequacy test”: Where there is no Community finding, a
data exporter should assess the general adequacy criteria.
– Binding Corporate Rules.
17. Overseas Transfers of Personal Data (6)
(3) Model clauses and Binding Corporate Rules
– Model clauses
Failure to comply with the 8th Principle
– Enforcement
– Fine of up to £500,000
– Directors and officers of companies who have committed
offences may also be liable to prosecution
– Civil proceedings
Topical issues: Cloud computing has raised concerns with regard to
the storage of personal data by cloud service providers on servers
outside the EEA. A checklist for data protection compliance by
cloud clients and cloud providers has been issued.
18. Electronic Marketing
To collect and use personal data (eg to send out marketing material)
there are certain steps you should follow at the time you collect it.
In addition to the Data Protection Act, the Privacy and Electronic
Communications Regulations 2003 (PECR) apply to certain
marketing activities. The PECR impose two rules regarding
unsolicited email marketing. You must:
– Rule 1 - provide certain information (name/organisation name,
what you will use the information for, address (for opt-out
requests)); AND
– Rule 2 - obtain consent – You cannot send unsolicited email
marketing messages unless you have the individual’s prior
consent to do so. This strict ‘opt-in’ rule is relaxed if three
exemption criteria are satisfied.
19. Electronic Marketing (2)
You must not send unsolicited electronic marketing to any
individual or company who has asked you not to contact them or
who has signed up to an opt-in or preference service.
20. Electronic Marketing (3)
What is prior consent?
– Explicit ‘opt-in’ consent: “I consent to you sending me
marketing information about your products by email from
time to time. [ ] Please tick box”.
– Consent may be any positive action eg sending an email or
subscribing to a service.
There must be some form of positive action by the
individual and the individual must know that they are
agreeing to receive marketing and to a specified means
of communication.
21. Electronic Marketing (4)
An individual can opt-out at any time under the Act and any opt-
out message must be actioned and a list of all individuals who
have opted-out must be kept.
Rules do not apply to marketing sent to companies.
22. Electronic Marketing (5)
Glossary of terms:
– “Electronic Mail” – includes emails, texts, picture and video
messages.
– “Individuals” – includes individuals as well as sole traders and
unincorporated partnerships.
– “Unsolicited” – something that is not invited.
Additional regulators/bodies such as the Advertising Standards
Authority and the Direct Marketing Association should be
considered.
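The PECR rules summarised on the preceding slides (Rule 1: required sender information; Rule 2: prior opt-in consent from individuals, with sole traders and unincorporated partnerships treated as individuals; opt-outs honoured for anyone; the consent rule not applying to companies) can be applied as a pre-send check. The following is an added example, not material from the seminar or from any regulator's guidance; the recipient, consent and message record shapes and all sample data are constructed for illustration.

```javascript
// Added example (not from the seminar): a pre-send check that applies the
// PECR rules summarised on the slides before an unsolicited marketing
// message goes out. Recipient, consent and message record shapes are
// constructed for illustration.

// Recipient kinds that count as "individuals" for the prior-consent rule
// (the slides' glossary includes sole traders and unincorporated partnerships).
const INDIVIDUAL_KINDS = new Set(['individual', 'sole-trader', 'unincorporated-partnership']);

// Rule 1: the message itself must carry the sender's identity, the purpose
// and an address for opt-out requests.
function requiredInformationPresent(message) {
  return ['senderName', 'purpose', 'optOutAddress'].every(
    (field) => typeof message[field] === 'string' && message[field].trim() !== ''
  );
}

// Rule 2: prior consent. Valid consent is a positive action by the recipient
// who knew they were agreeing to marketing over a specified channel.
function findConsent(consents, recipientId, channel) {
  return consents.find(
    (c) => c.recipientId === recipientId && c.channel === channel && c.positiveAction && c.informedOfMarketing
  );
}

// Decides whether one message may be sent to one recipient over one channel.
// optOuts holds ids of anyone (individual or company) who has asked not to be
// contacted or has registered with a preference service.
function mayContact(recipient, channel, message, consents, optOuts) {
  if (!requiredInformationPresent(message)) {
    return { allowed: false, reason: 'message lacks sender, purpose or opt-out address' };
  }
  if (optOuts.has(recipient.id)) {
    return { allowed: false, reason: 'recipient has opted out' };
  }
  if (!INDIVIDUAL_KINDS.has(recipient.kind)) {
    return { allowed: true, reason: 'company: prior-consent rule does not apply' };
  }
  const consent = findConsent(consents, recipient.id, channel);
  if (!consent) {
    return { allowed: false, reason: `no prior opt-in consent for ${channel}` };
  }
  return { allowed: true, reason: `prior consent recorded ${consent.grantedAt}` };
}

// Actioning an opt-out: the list of opted-out recipients must be kept, so a
// new set is returned rather than mutating the old one.
function recordOptOut(optOuts, recipientId) {
  const next = new Set(optOuts);
  next.add(recipientId);
  return next;
}

// Constructed sample data.
const RECIPIENTS = {
  alice: { id: 'alice', kind: 'individual' },
  bobTrading: { id: 'bob-trading', kind: 'sole-trader' },
  acme: { id: 'acme-ltd', kind: 'company' },
};
const CONSENTS = [
  { recipientId: 'alice', channel: 'email', positiveAction: true, informedOfMarketing: true, grantedAt: '2012-03-01' },
];
const MESSAGE = {
  senderName: 'Example Gym Ltd',
  purpose: 'news about membership offers',
  optOutAddress: 'unsubscribe@example.invalid',
};

// Example usage: alice consented to email only, so SMS to her is blocked;
// the sole trader has no consent at all; the company needs none until it opts out.
console.log(mayContact(RECIPIENTS.alice, 'email', MESSAGE, CONSENTS, new Set()));
console.log(mayContact(RECIPIENTS.alice, 'sms', MESSAGE, CONSENTS, new Set()));
console.log(mayContact(RECIPIENTS.acme, 'email', MESSAGE, CONSENTS, recordOptOut(new Set(), 'acme-ltd')));
```

The opt-out check runs before the company exemption because the slides require that anyone who has asked not to be contacted, company or individual, is not contacted; consent is matched per channel because the individual must have agreed to a specified means of communication.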
23. Electronic Marketing (6)
If you wish to carry on using the “opt-out” method but you want it
to amount to prior consent, you must do three things:
– Draw attention to the fact that you are collecting mobile
numbers and email addresses for marketing.
– Use a consent statement.
– Provide an ‘opt-out’ facility.
24. Electronic Marketing (7)
Advice:
– Recommend marketing campaigns are always permission-
based.
– Explain clearly what a person’s details will be used for.
– Provide a simple way for them to opt-out of marketing
messages.
– Have a system in place to deal with complaints.
25. Electronic Marketing (8)
Cookies
– Obtain consent before setting cookies.
– Consent can be implied eg “our website uses cookies to create
a secure and effective website for our customers and to
improve your browsing experience. By using this website you
agree that we may store and access cookies on your device.
For more information, together with how to block cookies,
please see our privacy policy [LINK]”.
– Only set strictly necessary cookies without prior consent.
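One way to put the last bullet into practice in a web application is to tag every cookie with a category and let only strictly necessary cookies through until a consent record exists. The following is an added example, not code from the seminar; the cookie names, the categories, the consent record shape and the sample Set-Cookie values are all constructed for illustration.

```javascript
// Added example (not from the seminar): gating non-essential cookies behind
// consent so that only strictly necessary cookies are set before the user
// has taken a positive action. Cookie names, categories and the consent
// record shape are constructed for illustration.

// Registry of cookies the site sets, each tagged with its category.
const COOKIE_CATEGORIES = {
  session_id: 'strictly-necessary', // keeps the user signed in
  csrf_token: 'strictly-necessary', // protects submitted forms
  _analytics: 'analytics',          // usage measurement
  ad_tracker: 'marketing',          // advertising
};

// A consent record: which optional categories the user has agreed to, and when.
// recordedAt stays null until a positive action has been taken.
const NO_CONSENT = { analytics: false, marketing: false, recordedAt: null };

// Returns true if the named cookie may be set under the given consent record.
function cookieAllowed(name, consent) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) return false;            // unregistered cookies are never set
  if (category === 'strictly-necessary') return true;  // exempt from the prior-consent rule
  return Boolean(consent && consent[category] === true);
}

// Filters a list of Set-Cookie header values, keeping only permitted cookies.
function filterSetCookieHeaders(headers, consent) {
  return headers.filter((header) => cookieAllowed(header.split('=', 1)[0].trim(), consent));
}

// Records consent only as the result of a positive action (e.g. a click on
// "Accept"); merely loading the page never calls this.
function recordConsent(previous, choices, now = new Date()) {
  return { ...previous, ...choices, recordedAt: now.toISOString() };
}

// Constructed sample: the headers a page would like to send.
const SAMPLE_HEADERS = [
  'session_id=abc123; Secure; HttpOnly; SameSite=Lax',
  'csrf_token=tok456; Secure; SameSite=Strict',
  '_analytics=ga789; Max-Age=31536000',
  'ad_tracker=adv000; Max-Age=31536000',
];

// Runs the filter for a first visit and again after an analytics-only consent.
function demo() {
  const beforeConsent = filterSetCookieHeaders(SAMPLE_HEADERS, NO_CONSENT);
  const consent = recordConsent(NO_CONSENT, { analytics: true }, new Date('2012-06-01T00:00:00Z'));
  const afterConsent = filterSetCookieHeaders(SAMPLE_HEADERS, consent);
  return { beforeConsent, afterConsent, consent };
}

console.log(demo());
```

On the first visit only the two strictly necessary cookies survive the filter; after the user positively accepts analytics, the analytics cookie is added while the marketing cookie still stays out.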
26. The New Data Protection Regulation
On 25 January 2012, the European Commission published a
proposal for a new Regulation.
The European Commission has called for:
– an effective new data protection framework
– clear, effective rights for individuals
– clear responsibility and accountability
– obligations to be focussed on processing that poses genuine
risks to individuals or societies
– data protection authorities that are independent with a clearer
role.
27. The New Data Protection Regulation (2)
Potential changes:
– Higher fines
– Stronger data subject rights
– Consent
– More responsibility on data controllers.
28. The New Data Protection Regulation (3)
The Regulation should essentially be a harmonised EU regime.
The draft Regulation will need to be approved by EU member
states and ratified by the European Parliament. It could possibly
take up to 2 years before the Regulation is adopted.
29. Case Study (1) (Recognising Personal Data)
A potential member of a gym meets with a sales manager of a
local gym to discuss membership options. The sales manager
asks the prospective member for certain information (name,
address, age) and records these details manually on a ‘new
membership application form’. These details will subsequently
be added to the gym’s computer system.
Is this data?
30. Case Study (2) (Overseas Transfer of Data)
UK Gadgets is one of the leading suppliers of gadgets in the UK. It has
recently been bought out by a US multinational, US Gadgets.
As part of its new reporting obligations, UK Gadgets has been asked to
send copies of all of its employee records to US Gadgets’ head office in
New York.
However, compliance with this request may be difficult as it is one of the
main principles of the Data Protection Act that personal data should not be
transferred outside the EEA unless the data will be adequately protected.
The commercial director is a little concerned that if he sends these, he
could be in breach of Principle 8, but head office is adamant that they must
be sent.
31. Case Study (2) (Overseas Transfer of Data)
What are his options?
NB: This case study assumes that the other Data Protection
principles have been complied with and that the data does not
consist of 'sensitive' personal data where consent to transfer
may need to be obtained.
32. Case Study (3) (Electronic Marketing)
Please tick here if you do not want us to contact you by
electronic means (e-mail or SMS) with information about
goods and services which we feel may be of interest to you.
Is this acceptable?