Legal advice: Keys to data protection compliance

23/09/2011

Data protection is increasingly in the news, whether from high profile cases involving celebrities’ privacy, the tapping into voicemails by private investigators, or the loss of unencrypted memory sticks containing sensitive personal data. The Data Protection Act 1998 governs what can lawfully be done, and what may not be done, with personal data. The purpose is to balance the legitimate need to collect and use personal information against the principle that individual privacy is a fundamental human right, and that people have the right to know what information is held about them.

Personal data is information which relates to a living, identifiable individual, the ‘data subject’. There are additional obligations in respect of sensitive personal data – information about a person’s politics, medical history, religious beliefs, ethnicity, criminal convictions, and so on. At least one of a list of conditions must be met before sensitive personal data may be processed: for instance, the data subject must have given explicit consent, or the processing must be necessary to comply with a legal obligation in connection with employment.

All processing of personal data must comply with the terms of eight data protection principles set out in the Act. Together these principles cover all aspects of processing personal data: obtaining, holding, using and deleting it. For example, the first principle is that processing must be both lawful and fair. Further stipulations are that the personal information held must be relevant for the purposes for which it is required, must be accurate and up-to-date, and processed securely – and not kept for longer than necessary. An organisation is responsible as data controller for determining why and how that personal data should be held and processed, to comply with these data protection principles.

Can your business afford not to comply?
The Information Commissioner’s Office (ICO) is the data protection authority in the UK. Its latest annual report states that almost a third of reported security breaches originate from the private sector. Last year it was given the power to impose substantial monetary penalties for serious breaches of data protection law, in addition to the other sanctions and procedures at its disposal. The maximum penalty the ICO can impose is £500,000, and it can do so without having to go to court. So far, the smallest penalty has been £1,000 and the largest £100,000. Other consequences of non-compliance include adverse publicity, potentially leading to reputational damage, and increased regulatory scrutiny.

Risk management
A well constructed and comprehensive organisation-wide programme for data protection compliance can represent an effective risk management tool. Aspects of implementing a successful and workable compliance strategy are likely to include:
• developing and maintaining an appropriate organisational culture;
• adopting a policy, standards and procedures;
• ensuring adequate resources;
• providing training;
• carrying out regular reviews of an organisation’s privacy and data protection activities.

Privacy and data protection audit
Organising and implementing a privacy and data protection audit is a useful step on the road to regulatory compliance, and to fostering and maintaining commercial standards which meet customer and employee expectations. The purpose of a privacy and data protection audit is to obtain as complete a picture as possible of the structure of the information flows within a business, so that the correct compliance procedures can be put in place for an organisation to deal with personal data in accordance with laws and best practice. Policies and procedures can be created, or existing ones reviewed, and steps taken to ensure continued adherence to these.

The sorts of questions to be asked when conducting an audit will depend on the business and methods of an organisation. Data protection audit questionnaires are a helpful way of ensuring that the right questions are asked of the right people. Relevant questions may include:
• What personal information is collected and for what purpose?
• How is the data collected, stored and processed?
• How is an individual advised of the purpose of collecting the data and is the individual given opportunities to opt in or decline to provide personal data?
• Where is personal data kept? Is it sent outside the European Economic Area?
• What are the procedures for supplying personal data in response to subject access requests?
• What physical and technological security procedures are in operation in relation to personal data?
• What training is given to staff in relation to personal data?

Once questionnaires have been completed, an organisation is then in a position to compile a complete diagram of the use of information which can form the basis of a review of the organisation’s compliance for data protection.

Businesses should be determining whether their privacy and data protection procedures are adequate. Current business activities and compliance mechanisms should be identified. Policies for procedures, systems and controls required for compliance with the relevant legislation should be implemented or reviewed.

FREEDOM OF INFORMATION
The Freedom of Information Act gives the public a right to see information held by public authorities. Specific information can be extremely useful for businesses to acquire, to help them achieve strategic benefits and competitive advantage in meeting their business goals.

The starting point is that public authorities have a general duty to disclose information if requested, regardless of who has asked for it, or the purpose of the request. It will not only be information created by the authority. Any contractors may have to supply information in bidding for work or in negotiating their contracts, which the public authority may be required to disclose.

Unlocking the public filing cabinets
Written requests by individuals and businesses for information to be disclosed may be made to public sector organisations. These include:
• government departments;
• local and health authorities;
• governing bodies of maintained schools, and further and higher education institutions; and
• advisory committees, boards and commissions.

Requests must be made in writing, with a name and address. No other information is required. Motive or reason for asking is irrelevant. In fact, a public authority cannot ask why an applicant wants information or what he or she is going to do with it.

Once a request is received, the public authority must normally respond within 20 working days. An authority cannot simply say that it is unable to locate the information, and deliberately destroying or altering records in order to prevent disclosure is a criminal offence. There are some exemptions from the right of access: for example, information relating to national security, defence and law enforcement. There are other exemptions, such as information whose disclosure would be likely to prejudice commercial interests, whether those of the public authority holding the information or those of a third party. These exemptions operate narrowly in practice. For most exemptions the authority must still consider whether the public interest favours disclosure, and it must give reasons for any refusal.

Contractors
Contractors may wish to consider including clauses in their contracts with public authorities in relation to “commercially sensitive information” and “confidential information”. Generalised confidentiality provisions will not be sufficient. They should try to ensure that they will at least be consulted in the event of any request for disclosure of information they have supplied. They may be able to present commercially sensitive information so that it is separable from other information and can therefore be redacted, and set a time limit for it to be returned, destroyed or archived. However, this is no guarantee against disclosure, and the contractor should review what information needs to be disclosed in the particular circumstances.

Enforcement
The number of requests for information under the Act continues to rise, with individuals and businesses using the Act as a means of accessing potentially relevant information.

The Information Commissioner’s Office (ICO) is responsible for promoting and enforcing the law in this area. The ICO has seen a marked increase in the number of complaints this year in respect of public authorities. The ICO has started “naming and shaming” authorities who fail to comply, and has the ability to take formal regulatory action.

The Protection of Freedoms Bill currently working its way through Parliament will require a public authority to provide data in a reusable electronic format if an applicant asks for it in that form or if it is held as an electronic dataset, with the objective of greater transparency. It will extend the range of bodies subject to the Act, for example to the Financial Ombudsman Service and the higher education admissions body UCAS. It will also strengthen the powers of the Information Commissioner.

Our lawyers advise on all aspects of data protection and freedom of information. Our expertise spans our regulatory, IT/IP and dispute resolution teams. Please contact one of us for further information or if you have any questions.

By Emma Foster and Rachel Burnett
emma.foster@parissmith.co.uk
rachel.burnett@parissmith.co.uk

www.parissmith.co.uk
