
DATA PROTECTION PRINCIPLES
Iqbal Mohammed

1. This talk will cover Data Protection principles, focussing on data handling, the legal obligations to provide data and making data anonymous.

OUTLINE

2. The Data Protection Act 1998 (DPA) applies to the processing of personal data. It applies to those based in or working from the UK.

3. This means that practically any business operating in the UK which holds information about individuals is affected by the DPA. Breaches of data protection laws can result in criminal as well as civil liability.

4. Obligations under the DPA fall on the Data Controller (DC), who may pass on these obligations to others. All data is processed on behalf of the DC. The DC is the person who determines the purposes for which, and the manner in which, any personal data is, or is to be, processed.

5. Personal data is usually electronically held, but the DPA may also apply to certain manual records. Personal data is any data relating to a living individual from which that individual can be identified. A piece of data which, together with other data held, or likely to be held, by the organisation, may lead to identification is also covered.

Confidentiality

6.

7. Plainly, the data need not be confidential. The definition of personal data also includes expressions of opinion and any indication of the intentions of the data controller or any other person in respect of the individual concerned.

Durant v FSA

8. The Court of Appeal has emphasised that there are two elements comprising the definition of personal data (Durant v Financial Services Authority [2003] EWCA Civ 1746). In addition to showing that the individual can be identified by the information, it must also be shown that the information relates to the individual, and it must be found to do so in a way which might affect his privacy, whether in his personal or family life or in his business or professional capacity.

9. In addition, personal data must have the data subject as its focus and be information of a biographical nature, namely information which goes beyond the recording of the data subject's involvement in a matter or an event that has no personal connotations (an event in respect of which his privacy could not be said to be compromised).

10. This has led to EU complaints that the UK has failed to apply the EU's data protection directive adequately.

Processing

11. The DPA imposes obligations on those who process personal data. Processing is broadly defined to include obtaining, recording, holding, using, disclosing or erasing data (s. 1(1), DPA). In effect, any activity involving personal data will fall within its scope. Under Recital 15 of the Data Protection Directive (Directive 95/46/EC): the processing of [personal] data is covered ... only if it is automated or if the data processed are contained ... in a filing system.

12. Article 3(1) of the Directive provides that it will apply: to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

13. Personal judgement leading to the sorting of data falls outside the DPA: Johnson v Medical Defence Union Ltd [2007] EWCA Civ 262.

DATA PROTECTION PRINCIPLES

14. The following principles apply to data processing:

Data must be processed fairly and lawfully (see First data protection principle: fair and lawful processing).

Data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes.

Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed. In practice, this means that data controllers must keep existing data under review.

Data must be accurate and, where necessary, kept up to date. Generally, controllers are required to update all databases unless they constitute a static archive.

Data must not be kept for longer than is necessary (see Fifth data protection principle).

Data must be processed in accordance with the rights of data subjects under the DPA.

Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, and accidental loss or destruction of, or damage to, personal data (see Seventh data protection principle).

Personal data must not be transferred outside the EEA unless the destination country ensures an adequate level of protection for the rights of the data subject in relation to the processing of personal data.

THE OBLIGATION TO PROVIDE DATA

15. A data subject has the right to:

A description of the personal data held, the purposes for which it is being processed and the recipients or classes of recipients to whom the data may be disclosed.

Any information available to the data controller as to the source of the data (subject to certain stated confidentiality and related protections for individual sources).

16. The right of access is set out in sections 7 and 8 of the DPA, subject to certain exemptions specified in Schedule 7. These include, for example, confidential references, examination marks and examination scripts. The Commissioner has published various Good Practice Notes on subject access requests which are designed to assist data controllers in dealing with those requests.

Subject Access Request

17. A subject access request must be in writing to the data controller and contain information to enable the data controller to satisfy himself as to the identity of the individual making the request. It must also provide information to enable the data controller to locate the data sought.

18. Data controllers must comply with requests promptly and, in any event, within 40 days from receipt of the request or from receipt of the information necessary to enable the data controller to comply with the request.

19. As these provisions of the DPA are frequently used by employees to obtain information from their previous employers (particularly in relation to employment tribunal claims), it is crucial that HR personnel, who are likely to be the individuals to whom subject access requests are addressed, are familiar with the requirements of the DPA in this respect.

Disproportionate effort

20. Section 8(2) provides that data controllers must comply with their obligation to provide information in intelligible form by supplying the data subject with a copy of the information in permanent form, unless the supply of such a copy is not possible or would involve "disproportionate effort".

21. In Ezsias v Welsh Ministers [2008] Claim No 6CF90111 the High Court said that under the [DPA] ... a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose. The court did not explain its reasoning for this novel proposition and there are no express provisions in the DPA that support it.

22. In Elliott v Lloyds TSB Bank Plc and another [2012] EW Misc 7 (CC) the County Court chose to follow Ezsias; that is not surprising, however, given the rules of precedent and the fact that ICO guidance is not binding on the courts.

Civil litigation

23. Despite provisions within the DPA to prevent "vexatious" subject access requests (for example, s. 8(3) provides that there is no need to comply with a request if it is similar or identical to one complied with earlier, unless a reasonable interval has elapsed), organisations have found that an increasing number of requests are being made.

24. In particular, litigants and potential litigants have sought to exploit the subject access provisions as a means of assisting them in formulating or defending legal claims or potential claims.

25. Subject access rights may be used to complement rights of disclosure under the Civil Procedure Rules (CPR), and they may be particularly useful where the information required is not available under the CPR.

26. However, there are some limits on how far the subject access provisions may be used in this context:

The exemptions for confidential references and privileged information, in particular, may prevent a litigant or potential litigant from relying on the provisions in formulating a court case.

It appears that the rights under the DPA will not be available where the opportunity to challenge the same personal information (for example, a challenge as to the accuracy of the information) has already been afforded to the individual in previous litigation (P v David Wozencroft [2002] EWHC 1724 (Fam)).

27. The Court of Appeal in Durant stated that section 7 of the DPA was not designed to assist a data subject to discover documents that might help him in litigation or with complaints against third parties.

ANONYMOUS DATA

28. Data which has been made anonymous is not subject to the DPA (or, indeed, the Directive).

29. Anonymous data is data for which the DC does not possess, and is not likely to acquire, the information necessary to enable it to identify living individuals. See the Information Commissioner's Office (ICO) guidance: http://www.ico.org.uk/about_us/consultations/~/media/documents/library/Corporate/Research_and_reports/anonymisation_cop_draft_consultation.ashx.

30. The code is clearly written and is the essential starting point for advisers and DCs seeking to limit their exposure to DPA requests, liability and regulation.

31. The code makes clear that it is statutory guidance and that compliance with it is likely to minimise the risk of legal liability.

32. In R (on the application of the Department of Health) v Information Commissioner [2011] EWHC 1430 (Admin) it was held that anonymous data derived from personal data was not itself personal data. Consequently, it was disclosable to the applicant under the Freedom of Information Act 2000.

33. Re-identification is a risk which should be assessed when data is anonymised, and the Code sets out detailed guidance on this.

TUPE

34. Disclosures of personal data under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) are exempt from the non-disclosure provisions under s. 35, DPA (disclosures required by law). TUPE requires the seller in a relevant transfer to provide the buyer of a business or undertaking with certain information about the transferring employees, including their age and identity (Reg. 11); cf. the Employment Practices Code (2005).

35. This exemption does not apply to other commercial transactions.

IQBAL MOHAMMED 6 June 2013
