UK: Data Protection Act Guidelines – a Practical Summary

Privacy and data protection has been the subject of considerable recent public comment. The Humberside Police made an extraordinary decision to dispose of information relating to the "Soham" murderer. A gas supplier has been vilified over the death of two vulnerable customers, when it stated it could not provide social services with their details under privacy rules. Companies have received official looking letters from bogus "Data Protection" agencies asking for sums far in excess of the statutory notification fee of £35 to act as a mere post-box.

Data Protection legislation has been with us since 1984 but there is still uncertainty about what is "personal information" protected by law and what can, or cannot, be done with it. This uncertainty has lead to the making of regrettable decisions. Below Sarah Staines, one of Pictons Data Protection specialists puts the fundamentals into plain English, using examples.

The Data Protection Act 1998 (the "Act") is unusual in English law in that it gives considerable discretion to the person (or company) controlling and handling information which identifies living individuals. There are eight Data Protection Principles in the Act which oblige "best practice" when businesses are collecting, using or keeping computer (or other regulated paper system) stored information, which identifies living individuals.

The Act uses obtuse definitions such as "data subject", "personal data" and "data controller". The supervisory authority enforcing the Data Protection Act - the Information Commissioner's Office (ICO) encourages business owners to "embrace the spirit of the legislation" and recommends a practical and pragmatic approach to the Act; but only provides guidance which it admits is intended for lawyers and not for Directors or Managers of SME's.

One thing is clear - paying lip service to the Act is not an option; even if your business is "notified" to the Information Commissioner as a controller of personal information, unless you are complying with the Act your actions could lead to civil and/or criminal prosecution.

The starting point is to decide whether the information is protected by the Act. In the recent Court of Appeal case of Durant v Financial Services Authority¹ the Court stated that "personal data" protected by the Act was "information affecting a person’s privacy whether in his personal or family life, business or professional capacity". Often this test is subjective and depends on context and focus.

For example, a static CCTV photograph of a crowd may not amount to personal information protected by the Act, even if everyone in it can be individually identified. But what if I own the camera and the film and control the information derived from it and I know that the person standing in the fourth row is my brother's company sales manager. I also recognise the person next to him as their biggest competitor’s sales director. Does that change the anonymous crowd scene into focused personal data? Would it matter if the two people had accidentally stood next to each other and had no idea who the other was; or they were meeting to pass over trade secrets? In these circumstances the test of "context and focus" is subjective as it depends on what other information is known and how the information is presented.

Best practice is to be cautious and use an objective test. Consider all information which identifies individuals as potentially "personal data" as its status may change during its capture and storage life.

Best Practice: The Eight Principles

The First Principle requires you to process information "fairly and lawfully", which means not misleading the people whose information you hold, ensuring that you have consent, or if no consent has been obtained, that the way you gather and use the information is "necessary".

The Act sets out particular situations in which the word "necessary" can be applied. These include:

• performing a contract you have been asked to undertake by the person whose information you hold (an optician writes to its customer at home to tell her that her glasses are ready);
• compliance with legal obligations (a Government Department may legitimately demand information);
• your legitimate business interests (unless this conflicts with the rights and freedoms or legitimate interests of the subject of the information); (you would be well advised to take specific advice if you want to rely on this exemption).

Consent must be freely given, informed and unambiguous. You will have to set out clearly what information you intend to obtain and hold and, very specifically, what it will be used for. For instance the use of "opt-out" boxes when gathering personal information may not be sufficient to grant consent. Special rules apply to sensitive information (e.g. racial or ethnic origin, religious beliefs, political opinions etc). There are also special rules that apply to direct electronic marketing.

You need to be precise and clear in setting out what personal information you are gathering and what it will be used for, before you collect and process it, and if possible, obtain the individual's consent to use that information in that particular way, and only use it in that agreed way.

The obligation of only using personal data for "specified and lawful purposes" is set out in The Second Principle. For instance a company selling car washing products obtains information from an individual customer, i.e. their name, address and type of car they own, and an agreement to send out marketing information about any of it's new products. That information could not then be passed on to anyone else, even if that was to send out details of complimentary products.

The Third Principle requires personal data held to be "adequate, relevant and not excessive". You will have to evaluate whether the information you collect and hold is reasonably required to carry out the agreed or "necessary" objective. For example, if you collect customer's names and addresses to let them know about price changes for your food products should you be keeping information about their children's ages? If you sold children's clothing and price changes fluctuated for age/sizes in the range then keeping this information may not be considered excessive.

The Fourth Principle insists that "personal data shall be accurate and, where necessary, kept up to date". It is your duty to ensure that the information you hold about individuals is accurate, as you will be liable for any loss or damage that an individual suffers if it is not. If you keep information about employees health and they fall ill at work and you release inaccurate information that could have a detrimental effect on any emergency treatment given. Therefore it is important to put in time and effort to ensure that the information is well managed.

The Fifth Principle requires that any personal information "be kept for no longer than is necessary". Procedures need to put in place for culling information, which is not longer needed. Culled information must be disposed of securely. Electronic information needs to be burnt from electronic media and storage disks need to be disposed of at a recognised outlet. There was a reported incident where a computer was thrown onto the local council dump with personal information still held on it. The information was read by an unauthorised third party putting the owner company at risk of prosecution.

The Sixth Principle requires that personal data shall be "processed in accordance with the rights of data subjects". This means you are obliged to reply to written requests from individuals for a description of what personal data you hold about them, what it is to be (or has been) used for and to whom it has been disclosed.

The Seventh Principle obliges you to take appropriate, technical and organisational measures to "avoid accidental loss or destruction" of, or damage to, personal data. Reasonable steps should be taken to ensure the reliability of staff who handle personal information and the effectiveness of technical safeguards for the information that you hold. The level of care taken and company expenditure in this regard will depend on how secure you need to keep the information and the harm that would be caused if it was accidentally released, lost or destroyed. Attached to this responsibility is the need to identify potential threats and risks to your computer system and the effect of a security breach. It is advisable to familiarise yourself with BS7799 and ISO/IEC standard 17799.

The Eighth Principle puts a "bar on transferring personal information outside the European Economic Area ("EEA")", unless that country or territory has similar data protection rights and freedoms for individuals. There are a number of countries which have equivalent protection but some, particularly the USA, that do not. This is particularly pertinent to a UK subsidiary of a foreign company where the computer server is outside the EEA, any management task involving use of personal information (such as employment and salary administration) may involve the cross border transfer of personal information. It is advisable to seek specific legal advice if you are transferring information from within the EEA to a country outside the area.

The ICO is currently preparing a set of guidelines specifically for SME's that should be available soon. In the meantime the best advice is to be cautious when identifying personal information and a practical and pragmatic approach to the use of that information. Complying with the Act has cost implications for any business but failure to take action has such onerous consequences to the company and its individual officers that we suggest you strike a balance between your business needs and the rights of the individual.

The following questions may be helpful to ask:

• What harm would be caused to the individual if we failed to meet the Act's strict requirements?
• How would it look to the shareholders if we spent too much money and time managing the personal information that we collect? and;
• What would be said about the company if we make a foolish and unwarranted decision about the information we hold?

If you are still in difficulty as to whether or not the information you collect and process falls under the Act's protection or if you are undertaking an information audit or writing your company data protection policy then talk to the ICO direct or to your specialist legal team. Alternatively, try talking it through with the individual whose information you hold and if you cannot convince them of your authority to hold or use their information then perhaps you shouldn’t be doing it!

^{1. Durant –v- Financial Services Authority [2003] EWCA Civ 1746}

Pictons Solicitors has a team of lawyers trained and experienced in advising small to medium sized businesses on Data Protection, Confidentiality and Intellectual Property.

© Pictons 2004

Pictons Solicitors is regulated by the Law Society. The information in this article is correct at the time of publication in January 2004. Every care is taken in the preparation of this article. However, no responsibility can be accepted to any person who acts on the basis of information contained in it. You are recommended to obtain specific advice in respect of individual cases.