In response to the number of high profile data security breaches in recent years, the Information Security Awareness Forum (ISAF) and the British Computer Society (BCS) have jointly launched the Personal Data Guardianship Code ("Code"), following a two year consultation. The Code aims to change the attitude of organisations towards personal data handling by promoting best practice through high-level common sense guidance for both organisations and individuals handling personal data. Structured around five key principles of good data governance (accountability, visibility, consent, access and stewardship), the Code sets out the roles and responsibilities throughout the data life span of the data handler and the 'responsible person' (the senior member of an organisation accountable for the processing of personal data). The Code also explains the rights and responsibilities of the individual data subject in relation to their personal data. Whilst the Code is not intended to be legal advice, it is based on principles derived from the Data Protection Act 1998, the Freedom of Information Act 2000 and the Privacy and Electronic Communications Regulations 2003.


The Data Protection Act

The Data Protection Act 1998 ("DPA") regulates the processing of personal data (information relating to a living individual from which that individual can be identified) including the obtaining, holding, use or disclosure of such personal data. Organisations and individuals processing personal data are required to do so in compliance with the eight data protection principles set out in the DPA.

The Key Principles of Personal Data Guardianship

The Code identifies five key principles of good data governance on which best practice is based:

  • Accountability: The need for those handling personal data to follow publicly accessible data governance principles to foster public trust and safeguard personal data.
  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  • Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA's eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject's consent should be explicitly obtained.
  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Responsibilities

The Code recommends that organisations put in place a data security and data privacy policy, setting out governance arrangements as to who is responsible (the Board) and accountable (the responsible person) for the protection of the personal data collected. The Code stresses that responsibility for personal data rests with the Board in the case of a private sector organisation, with the accounting officer of a public sector organisation and with the trustees of a charitable organisation. Those individuals in an organisation who handle personal data (data handlers) should know what they have been authorised to do in relation to personal data, and should know who the responsible person is: the Board-appointed senior member of the organisation who is ultimately accountable for personal data.

A New Approach?

Certain commentators have remarked that whilst the Code is helpful, it merely reiterates existing guidance from the Information Commissioner's Office (ICO), the UK data protection watchdog. The Code has also been criticised for providing inconsistent guidance on the issue of consent, stating in the 'Principles' section that consent of the data subject to processing their personal data should be obtained where appropriate (in line with ICO guidance) yet suggesting elsewhere, contrary to ICO guidance, that data subject consent should always be obtained.

In spite of this, the Code has been welcomed by the ICO. Speaking at the launch of the Code, Jonathan Bamford, the Assistant Information Commissioner, commented that it had been 'a privilege to see the industry that has gone into this document', praising the Code for encouraging organisations to manage data protection all of the way down the chain, starting from the top. It remains to be seen whether the Code will achieve its aim of bringing about a change in attitude towards personal data management. However, with its practical focus and high-level approach, the Code is likely to be a useful starting point for helping small and medium-sized organisations to better understand their responsibilities when dealing with personal data.


This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq

Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.

The original publication date for this article was 01/07/2009.