As a member of the European Union, the United Kingdom implemented the EU Data Protection Directive 95/46/EC in March 2000 with the Data Protection Act 1998 ("Act"). Enforcement is through the Information Commissioner's Office ("ICO").
DEFINITION OF PERSONAL DATA
"Personal data" is defined under the Act as data relating to living individuals who can be identified a) from the data, or b) from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
DEFINITION OF SENSITIVE PERSONAL DATA
"Sensitive personal data" means personal data consisting of information as to: (a) the racial or ethnic origin of the data subject; (b) his political opinions; (c) his religious beliefs or other beliefs of a similar nature; (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992); (e) his physical or mental health or condition; (f) his sexual life; (g) the commission or alleged commission by him of any offence; or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
NATIONAL DATA PROTECTION AUTHORITY
Information Commissioner's Office
Data controllers who process personal data must inform the Information Commissioner so that their processing of personal data may be registered and made public in the Register of data controllers, unless an exemption applies. Any changes to the processing of personal data will require the registration to be amended.
The notification should include the following information:
- what data is being collected;
- why the data will be processed;
- the categories of data subject; and
- whether the data will be transferred either within or outside the European Economic Area.
DATA PROTECTION OFFICERS
There is no requirement in the UK for organisations to appoint a data protection officer.
COLLECTION AND PROCESSING
Data controllers may collect and process personal data when any of the following conditions are met:
- the data subject consents;
- the data controller needs to process the data to enter into or carry out a contract to which the data subject is a party;
- the processing satisfies the data controller's legal obligation;
- the processing protects the data controller's vital interests;
- the processing is required by an enactment, the Crown or the government;
- the processing is required to perform a public function in the public interest, or to administer justice; or
- the data controller has a legitimate reason for the processing, except if the processing would damage the data subject's rights, freedoms or other legitimate interests.
Where sensitive personal data is processed, one of the above conditions must be met plus one of a further list of more stringent conditions.
Whichever of the above conditions is relied upon, the data controller must provide the data subject with "fair processing information". This includes the identity of the data controller, the purposes of processing and any other information needed under the circumstances to ensure that the processing is fair.
TRANSFER
Data controllers may transfer personal data out of the European Economic Area if any of the following conditions are met:
- the data subject consents;
- the transfer is essential to a contract to which the data subject is party;
- the transfer is needed to carry out a contract between the data controller and a third party if the contract serves the data subject's interests;
- the transfer is legally required or essential to an important public interest;
- the transfer protects the data subject's vital interests; or
- the data is public.
Transfers of personal data to jurisdictions outside of the European Economic Area are allowed if the jurisdiction provides "adequate protection" for the security of the data, or if the transfer is covered by "standard contractual clauses" approved by the European Commission, or subject to an organisation's Binding Corporate Rules. There is no requirement in the UK to notify the ICO of the use of the standard contractual clauses or to file these with the ICO.
For transfer of data to the United States, compliance with the US/EU Safe Harbor principles can satisfy the requirements of the UK's transfer restrictions.
SECURITY
Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage, and appropriate to the nature of the data.
The Act does not prescribe specific security measures to adopt and implement. However, the ICO recommends that organisations adopt best practice methodologies such as ISO 27001.
There is no mandatory requirement in the Act to report data security breaches or losses to the ICO or to data subjects. However, ICO guidance indicates that if a large number of people are affected or the consequences of the breach are particularly serious, the ICO should be informed.
Sector-specific regulations and guidance also impose obligations to notify the relevant regulator and data subjects in the event of a security breach (e.g. the Financial Services Authority).
MANDATORY BREACH NOTIFICATION
None contained in the Act. However, the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PEC Regulations"), as amended, require providers of a public electronic communications service ("service providers") to notify the ICO (and in some cases subscribers) in the event of a personal data breach.
Failure to notify can result in a fine of GBP 1,000 and negative publicity.
ENFORCEMENT
In the UK the Information Commissioner is responsible for the enforcement of the Act. If the Information Commissioner becomes aware that a data controller is in breach of the Act, he can serve an enforcement notice requiring the data controller to rectify the position. Failure to comply with an enforcement notice is a criminal offence and can be punished with fines of up to GBP 5,000 in the Magistrates' Court or with unlimited fines in the Crown Court.
Additionally, the Information Commissioner can impose fines of up to GBP 500,000 for serious breaches of the Act. This penalty, introduced in April 2010, can be imposed in respect of breaches of the data protection principles which are:
- serious; and
- likely to cause substantial damage or distress; and either
- the contravention was deliberate; or
- the data controller knew or ought to have known that there was a risk that the breach would occur and would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the breach.
ELECTRONIC MARKETING
The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be "personal data" for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but provides individuals with the right to prevent the processing of their personal data (e.g. a right to "opt-out") for direct marketing purposes.
There are a number of different opt-out schemes/preference registers for different media types. Individuals (and, in some cases, corporate subscribers) can contact the following schemes and ask to be registered as not wishing to receive direct marketing material. If advertising materials are sent to a person on the list, sanctions can be levied by the ICO using his powers under the Act.
The PEC Regulations prohibit the use of automated calling systems without the consent of the recipient and unsolicited emails can only be sent without consent if:
- The contact details have been provided in the course of a sale;
- The marketing relates to a similar product; and
- The recipient was given a means of refusing the use of their contact details for marketing when they were collected.
Direct marketing emails must not disguise or conceal the identity of the sender. SMS marketing is also likely to be included within the prohibition on email marketing.
The restrictions on marketing by email apply only in relation to individuals and not where email marketing is sent to corporations.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Traffic Data – Traffic Data held by a communications service provider ("CSP") must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:
- It is being used to provide a value added service; and
- Consent has been given for the retention of the Traffic Data.
Traffic Data can only be processed by a CSP for:
- The management of billing or traffic;
- Dealing with customer enquiries;
- The prevention of fraud; or
- The provision of a value added service.
Location Data – Location Data may only be processed for the provision of a value added service with consent.
CSPs are also required to take measures and put a policy in place to ensure the security of the personal data they process.
Cookie Compliance – The use and storage of cookies and similar technologies requires: a) clear and comprehensive information; and b) consent of the website user. The ICO has confirmed that implied consent will also be a valid form of consent under certain circumstances. The PEC Regulations allow for the continued use of the website to be taken as an indication of implicit consent, subject to the requirement to provide relevant information.
Consent is not required for cookies that are:
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- strictly necessary for the provision of a service requested by the user.
Enforcement of a breach of the PEC Regulations is dealt with by the ICO and sanctions for breach are the same as set out in the Enforcement section above.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com