Data Protection

DATA CONTROLLERS AND THE NEW DATA PROTECTION LAW

David Bainbridge and Graham Pearce

David Bainbridge, in the second part of his analysis of the UK Data Protection Bill 1998, considers the position of data controllers.
INTRODUCTION

Information relating to individuals has become a very valuable commodity. As the uses to which personal data are put become ever more sophisticated and, potentially, prejudicial to individuals' rights and freedoms, there is a real need to establish an appropriate framework in which personal data may be used and exploited whilst guaranteeing basic human rights, including a right to privacy. Central to this is the goal of transparency of processing of personal data, so that individuals can determine who is processing data relating to them and the purposes of such processing, together with granting data subjects more effective rights in respect of such processing. This is the approach taken by the new law on data protection. The Data Protection Act 1998, presently a Parliamentary Bill, will come into force by 24 October 1998. It implements Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data[1] ('the Directive') and marks a significant change in data protection law. Every organization processes personal data, whether by computer or by manual means. Even the humble newsagent processes personal data in order that he can organize delivery of newspapers and keep track of customers' accounts. Almost without exception, organizations in the public and private sectors, charities, unincorporated associations, sole traders and individual persons engaged in processing personal data will be affected by the new law, in some cases quite seriously. These bodies and persons are data controllers under the new law.[2] Many will have to modify their processing activities significantly to comply with the new law and, furthermore, more obligations are placed upon them than is the case under the Data Protection Act 1984.
The purpose of this article is to examine the implications of the new law from the perspective of data controllers, especially in terms of the notification requirements and the constraints upon processing. Figure 1 shows the relationships between the data controller and others and gives an indication of the impact of the changes to data protection law. The data controller has a duty to notify processing activity, much as under the old law though with some differences, and may only process under specific conditions. Data subjects have greatly enhanced and extended rights which directly impact on the data controller's processing activities and which may be enforced through the Data Protection Commissioner[3] or the courts. The data controller has to insist on written contractual guarantees of security with processors and may only transfer to a third country not ensuring an adequate level of protection under certain circumstances. This article is based upon the Data Protection Bill following the House of Lords amendments.
Figure 1. Data controller's relationships (diagram not reproduced; the legible labels are: Data Protection Commissioner, assessment/assistance, duties, enforcement, order/award, bring action, processor, court, transfer only in certain situations, third country not ensuring adequate protection)

Computer Law & Security Report Vol. 14 no. 4 1998 © 1998, Elsevier Science Ltd.

NOTIFICATION

The present system of registration is replaced by one of notification. Manual processing is not required to be notified (unless subject to prior checking), although a data controller may choose to notify such processing. The Directive allowed greater exemption from notification or simplification of notification and, apart from manual processing, the Bill has not taken advantage of this.[4] One possible route to exemption or simplification is the appointment of in-house 'data protection supervisors', and this may be taken up in the future as the Secretary of State is given the power to make orders providing for such supervisors, who will be responsible for ensuring in an independent manner that the data controller is complying with the new law.[5] The first thing to note is that the word processing exception[6] finds no room in the new law, nor does the exemption from registration and from data subjects' right of access and associated rights that applied to processing for payroll and accounts.[7] A great many small businesses and sole traders relied on these exemptions and will now have to notify their processing activity unless it is confined to manual processing. Data controllers notifying their processing activities will be required to submit registrable particulars which are similar to those presently required. Where appropriate, the data controller must also make a statement to the effect that he is also processing personal data not required to be notified, for example where he is processing manually. Additionally, the data controller must give a general description of security measures taken in order to comply with the seventh data protection principle (appropriate technical and organizational measures against unauthorized or unlawful processing etc.). The Commissioner is required to keep a register of persons who have notified, which will contain the registrable particulars but not the description of security measures. The fine detail of the form in which the registrable particulars must be submitted and the fees will be determined by regulations made under the new Act. Apart from cases where prior checking is required, it would appear that the Commissioner has no power to refuse to accept a notification providing the registrable particulars and description of security measures are given in the appropriate detail and form and the correct fee has been tendered. This is a significant change from the 1984 Act, under which the Registrar could refuse to register a data user if she considered that the applicant would be likely to contravene the principles, or if insufficient information was furnished to allow determination of the matter or if insufficient information was provided generally; section 7.[8] Where a data controller is not required to notify, for example in relation to manual processing, he must within 21 days of receiving a written request from any person make the relevant particulars available in writing free of charge. These are the registrable particulars except any statement that the notification does not extend to other processing not required to be notified, for example manual processing. The Directive did not specify that the information has to be given in writing nor did it specify a time limit. The possibility of prior checking, whereby processing may not proceed until it has been checked by the Commissioner, has caused some concern.
The types of processing covered will be those which appear likely to cause substantial damage or substantial distress to data subjects or otherwise significantly to prejudice the rights and freedoms of data subjects. The classes of processing covered will be specified by regulations. The Directive did not specifically mention damage or distress. Recital 53 to the Directive gives examples where prior checking would be required, being processing excluding individuals from some right, benefit or contract or by virtue of the specific use of new technologies. Recital 54 suggests that the amount of such processing which will be subject to prior checking will be very limited, and this is likely to be the approach taken by the Secretary of State.[9] The mechanism for prior checking is contained in clause 21 of the Bill. On notification from the data controller, the Commissioner will consider whether the processing is such as to require prior checking and, if so, within 28 days will inform the data controller as to the extent to which the processing is likely or unlikely to comply with the new law.[10] No processing within the prior checking provisions may take place unless the time for the Commissioner's response has elapsed or a favourable notice has been given to the data controller before the time limit. There is provision for the 28 day period to be extended for a further period not exceeding 14 days by reason of 'special circumstances'.
CONDITIONS FOR PROCESSING

The Data Protection Act 1984 did not constrain processing by requiring that one or more conditions be present before processing could take place. Basically, processing could proceed as long as it was covered by the registration, and it would be registered unless the Data Protection Registrar considered that the processing would breach the data protection principles or if insufficient information was supplied to allow her to determine whether there was likely to be a breach of the principles. At first sight, the new law appears far more restrictive because processing may only proceed under specified conditions. Following the Directive fairly closely, the first data protection principle, that personal data shall be processed fairly and lawfully, requires that at least one of the conditions in Schedule 2 is met or, in the case of sensitive data, additionally, at least one of the conditions in Schedule 3 must apply. There are further restrictions on automated decision-taking.
'NORMAL' DATA

Schedule 2 is based on Article 7 of the Directive. The conditions are:

• the data subject has given his consent to the processing[11]
• processing necessary for the performance of a contract to which the data subject is a party or for taking steps at the data subject's request for entering into a contract
• processing necessary for compliance with any legal obligation to which the data controller is subject other than a contractual obligation
• processing necessary to protect the vital interests of the data subject
• processing necessary for the administration of justice, exercise of functions conferred on any person under any enactment, exercise of state functions (Crown, Minister, or government department), exercise of functions of a public nature exercised in the public interest by any person
• processing necessary for the purpose of the legitimate interests pursued by the data controller or by the third party to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

In relation to the latter, 'legitimate interests' processing, the Secretary of State may by order specify particular circumstances in which the condition is or is not to be taken to be satisfied. Legitimate interests processing will apply in a great many cases and will be relied upon by many data controllers. That being so, it is regrettable that it is so vague. Just what are legitimate interests? Are they interests relating to any purpose or goal which is intra vires? A further problem is determining when the processing is unwarranted. Schedule 2 to the Bill uses the term 'unwarranted' by reason of prejudice to rights and freedoms or legitimate interests, whereas the Directive is in terms of the legitimate interests being over-ridden by the interests for fundamental rights and freedoms of data subjects.[12] The Bill, therefore, seems more restrictive than the Directive. 'Unwarranted' means unjustified; 'over-ridden' means have precedence or superiority over. The Directive seems to require a balance between the processing and rights and freedoms, whereas the Bill would seem to suggest the condition cannot be met if there is any prejudice or, at least, less prejudice than the Directive might allow.[13]
SENSITIVE DATA

'Sensitive personal data' are defined in clause 2 of the Bill as personal data consisting of information as to:

• racial or ethnic origin
• political opinions
• religious or other beliefs
• whether the data subject is a member of a trade union[14]
• physical or mental health or condition
• sexual life
• the commission or alleged commission of any offence
• any proceedings for any offence or alleged offence, the disposal of such proceedings or the sentence of any court in such proceedings

This is slightly wider than the definition of sensitive data in the Directive in Article 8(1),[15] especially in terms of offences and related information, but it is clear from the remainder of Article 8 that such information also can be deemed sensitive. Schedule 3 contains the additional conditions that apply in relation to sensitive data, one of which must apply in addition to one in Schedule 2.[16] The conditions are that:

• the data subject has given his explicit consent to the processing[17]
• processing is necessary for employment law rights or obligations (subject to modification by order of the Secretary of State)
• processing is necessary to protect the vital interests of the data subject or another where consent cannot be given by or on behalf of the data subject or the data controller cannot reasonably be expected to obtain the consent of the data subject
• processing is necessary to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld
• processing is carried out subject to the appropriate safeguards by a non-profit-making body or association which exists for political, philosophical, religious or trade-union purposes; the processing must relate only to individuals who are members or have regular contact with it in connection with the body's or association's purposes, and must not involve disclosure to a third party without consent
• the information contained in the data has been made public by deliberate steps taken by the data subject
• processing is necessary in respect of legal proceedings, legal advice or legal rights
• processing is necessary for the administration of justice, exercise of functions conferred by or under any enactment or functions exercised by the Crown, a Minister or a government department
• processing is necessary for medical purposes (which includes preventative medicine, medical diagnosis, medical research, provision of care and treatment and management of health care services) and is undertaken by a health professional or a person under a duty of confidentiality equivalent to that owed by a health professional

The Secretary of State may by order allow sensitive data to be processed in other circumstances. 'Health professional' is defined in clause 61 as having the same meaning as that in the Access to Health Records Act 1990. In terms of the 'vital interests' conditions for processing, the Bill allows processing where the data controller cannot reasonably be expected to obtain the data subject's consent or where the data subject unreasonably withholds consent. Neither of these options is in the Directive and the Bill does not fully comply with the Directive in these respects. There is no provision for processing data relating to offences, convictions etc. Therefore such data, which are within the meaning of sensitive data, may only be processed, unless otherwise exempt, where necessary for the administration of justice or statutory functions. Organizations in the financial sector and public bodies responsible for making statutory payments to individuals, such as the DSS, could be seriously prejudiced if they could not process personal data relating to criminal offences. However, they should be able to rely on clause 28, which gives exemption from the first data protection principle (and hence from the conditions in Schedules 2 and 3) and from the data subject's right of access, inter alia, to processing for the prevention or detection of crime.
AUTOMATED DECISION-TAKING

As originally published and following the Directive closely, the Bill was very restrictive of automated decision-taking. Clause 13 of the Bill as originally published allowed automated decision-taking in limited circumstances where the decision was based solely on automatic processing and significantly affected the data subject for the purpose of evaluating matters such as performance at work, creditworthiness, reliability or conduct. The list was not exhaustive, mirroring Article 15 of the Directive. Processing for automated decision-taking was allowed only subject to the following conditions:

• the decision is taken in the course of steps taken to consider whether to enter into a contract with the data subject or with a view to entering such a contract or for performing such a contract, or is authorized by statute, and
• the effect of the decision is to grant a request of the data subject or steps have been taken to safeguard his legitimate interests (for example, allowing him to make representations)

Member States were allowed to add to this subject to satisfactory safeguards. In a substantial and significant amendment in the House of Lords, there are no particular restrictions on automated decision-taking except that data subjects are given a right to prevent them by serving a notice on the data controller, except in the context of contracts as set out above. Apart from the contractual exception and where no notice has been given by the data controller, the appropriate safeguards are given by means of the data controller notifying the data subject that the decision was taken on the basis of automated decision-taking as soon as practicable and offering the data subject the opportunity to ask the data controller to reconsider the decision or take a new decision by other means within 21 days of a written request to do so by the data subject. A court can order that a person taking a decision on the basis of automated decision-taking reconsiders it or takes a new decision by other means if he has failed to comply with a data subject's notice not to take an automated decision or has not reconsidered that decision or taken a new decision by other means. As many decisions are now taken by computers running scoring systems or 'expert systems', this is a welcome relaxation of the previous draft of clause 13 and appears to give adequate safeguards within the spirit of the Directive.
THE RELATIONSHIP WITH DATA SUBJECTS

Data subjects have significantly enhanced rights compared with those under the 1984 Act. They also have a new right to prevent processing likely to cause damage or distress and to prevent processing for direct marketing purposes and, as mentioned above, a right to prevent automated decision-taking except in the context of a contract with the data subject. The changes in data subjects' rights of access, rectification and compensation and their new rights to prevent processing will be dealt with in a further article on the new law. Here, we will concentrate on the data controller's new duties to inform data subjects of processing activity. These are new statutory duties and do not depend on data subjects proactively exercising their rights. Apart from the extension of data protection law to manual processing, this was seen as the most onerous set of obligations under the new law (ref HO/CBI study). Again, the key to these new obligations is the first data protection principle (fair and lawful processing). As before, regard shall be had to the method of obtaining the data, for example whether any person from whom the data were obtained was deceived or misled. But now, additionally, data controllers are required to inform data subjects if personal data relating to them are to be treated as being processed fairly. These obligations are the equivalent of Articles 10 and 11 in the Directive and have no express equivalent under the 1984 Act. However, case law already demonstrated that data subjects should be given information in some circumstances if the processing was to be considered 'fair'. For example, in Innovations (Mail Order) Ltd v Data Protection Registrar,[18] the Data Protection Tribunal held that data subjects should be informed of any non-obvious purpose for which the data were to be used at the time of obtaining the personal data from the data subject and not at some later time. Although this pre-empts at least part of the obligations to inform data subjects under the new law, it is by no means as all-embracing as the new law. Under the new law, where the data are obtained from the data subject, the data controller shall ensure so far as is practicable that the data subject has or is provided with the relevant information or has it made readily available to him. The relevant information is:

• the identity of the data controller (and his representative, if any)
• the purpose or purposes of the processing (but see below on the second data protection principle)
• any further information, having regard to the circumstances in which the data are or are to be processed, to enable such processing in respect of the data subject to be fair.[19]

The guidelines on the second principle state that the purposes may be specified in a notice given to the data subject or by notification to the Commissioner. If the data controller has notified his processing activity to the Commissioner and no further information is required to be given (for example, because the purposes of the processing are obvious), then the data controller may only be required to identify himself, which in most cases he will already have done. Even if further information is required, it is arguable that, if the information is included in the notification to the Commissioner, the data subject has it readily available as he can obtain a copy of the register entry.[20]
In any other case, for example where the data have not been obtained directly from the data subject, the data controller must ensure so far as practicable that, before the relevant time or as soon as practicable thereafter, the data subject has or is provided with the relevant information or has it made readily available to him. This latter requirement does not apply where the provision would involve a disproportionate effort or where the recording or disclosure is necessary to comply with a legal obligation to which the data controller is subject (other than a contractual obligation), together with such further conditions as are prescribed by regulations. In the Directive, the disproportionate effort exception is stated as being, in particular, for processing for statistical purposes or historical or scientific research. The Bill gives no specific examples of when a data controller can rely on disproportionate effort and appears to be more generous, especially if the examples in the Directive are treated as ejusdem generis. The 'relevant time' is when the controller first processes the data or, where disclosure to a third party within a reasonable period is envisaged:

• if it is in fact disclosed to such a person within that period, the time of disclosure
• if during that period the data controller becomes or ought to become aware that the data are unlikely to be disclosed to such a person within that period, the time he does become or ought to become so aware, or
• in any other case, at the end of that period

These provisions are bizarre. Take the second situation as an example. Data controller A obtains personal data from a data subject and he intends to disclose it to data controller B within, say, three months.[21] After two months, he decides not to disclose the data to B. He then has to inform the data subject that he is not going to do something the data subject was unaware of in the first place unless, of course, we take "envisaged" as meaning "envisaged by both the data subject and the data controller", in which case it could be argued that the data subject already knows.
RELATIONSHIP BETWEEN DATA CONTROLLERS AND PROCESSORS

We all have a vested interest in the application of appropriate security measures to the processing of personal data, bearing in mind how sensitive those data may be. The 1984 Act required appropriate security measures, having regard to the nature of the data and the consequences of a failure in security, such as unauthorized access, disclosure or loss of the data, in addition to the place where the data were stored, software security measures (for example, password systems) and ensuring the reliability of staff having access to the data. These requirements applied to data users and computer bureaux alike. The new security measures are broadly similar in respect of the standard of security required. Processors are defined in the Bill as persons, other than an employee of the data controller, who process personal data on behalf of the data controller. This will certainly include computer bureaux, but it is much wider than this because of the extensive definition of processing, which includes obtaining, holding, recording, disclosure, retrieval and erasure as well as other processing activities. Persons providing back-up services and facilities management will be processors, as will persons employed to stand in town centres asking unsuspecting persons to answer a few questions for a 'survey'. Processors are not required to notify processing they carry out for data controllers nor the fact that they carry out such processing.[22] It is important, therefore, that there is some form of control over processors, and this is achieved by virtue of the contract between the data controller and the processor. Data controllers must choose processors who provide sufficient guarantees (technical and organizational measures) and take reasonable steps to ensure compliance with those measures. The processing must be carried out under a written contract under which the processor is to act only on the instructions of the data controller and which imposes equivalent security obligations on the processor. The latter requirement means that the contract must impose obligations on the processor to act only in compliance with instructions from the data controller and to comply with the Seventh Principle. If the processor fails in his obligations there will be remedies for breach of contract. A data controller might want an indemnity against any claims made against him by a data subject resulting from the breach. The Directive required that the security obligations were 'incumbent' on the processor. This should be satisfied simply by the presence of a contractual duty.
TRANSFERS TO THIRD COUNTRIES

The eighth data protection principle is new and prohibits the transfer of personal data to a country outside the European Economic Area that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to processing personal data. Previously, the Data Protection Registrar had to be notified of transfers to other countries and would accept them providing she considered that none of the data protection principles would be breached. Given that many countries have no data protection law or weak data protection laws, this provision could cause great anxiety to the many organizations within the United Kingdom that regularly transfer or transmit personal data to other countries for processing. However, even if the country in question does not meet the required standard of protection, the eighth principle does not apply to data within Schedule 4 (except by order of the Secretary of State), being where:

• the data subject has given consent to the transfer
• the transfer is necessary for the performance of a contract between the data subject and the data controller or for taking steps at the request of the data subject with a view to his entering into a contract with the data controller
• with respect to a contract between the data controller and a third person entered into at the request of the data subject or in his interests, the transfer is necessary for the performance or conclusion of such a contract
• the transfer is necessary for reasons of substantial public interest
• the transfer is necessary with respect to legal proceedings, legal rights or obtaining legal advice
• the transfer is necessary to protect the vital interests of the data subject
• the transfer is of personal data on a public register
• the transfer is made on terms of a kind approved by the Commissioner as ensuring adequate safeguards, or the transfer is authorized by the Commissioner as being made in a manner ensuring adequate safeguards

The 'contractual' transfers are wider than in the Directive, which does not cover taking steps with a view to entering into a contract with the data subject. In relation to the terms approved by the Commissioner, these are likely to be contractual terms approved by the Commission of the European Communities. In any proceedings under the new law, questions as to whether the eighth principle has been met are to be determined in accordance with a finding made by the European Commission under Article 31(2) of the Directive as to transfers of the kind in question.
SUMMARY
It can be seen that the provisions in the Bill go significantly further than the constraints on processing by data users under the 1984 Act. In particular, having to ensure one or more of the conditions for processing applies, being at risk of data subjects objecting to processing and providing information to data subjects may all contribute to the need to reconsider and adapt processing activities. Fortunately, the transitional provisions will ease the burden of compliance somewhat. Existing registrations under the 1984 Act will continue to be valid until the end of their normal registration period and any application to register before the commencement of the new requirements as to notification will be determined under the principles and provisions of the 1984 Act. There are two transitional periods relating to processing. The first period ends on 23 October 2001 and exempts, inter alia, all eligible automated data (subject to processing already under way as at 24 October 1998) from the obligations to inform data subjects, the conditions for processing and the enhanced rights of data subjects. Other exemptions relate to payroll and accounts and unincorporated members' clubs and mailing lists and back-up data. Eligible manual data (held immediately before 24 October 1998) are exempt from much of the first principle, the second to fifth principles and rights of rectification etc. until 24 October 2007. Nevertheless, data controllers might be well advised to consider how and when to bring such processing into line with the new law.
David Bainbridge and Graham Pearce, Aston Business School, Aston University
Footnotes
1 OJ L281, 23.11.95, p. 31.
2 The data controller is the person who, alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed; Clause 1(1) to the Bill. The equivalent person under the Data Protection Act 1984 is the data user.
3 The new title for the Data Protection Registrar.
4 The Secretary of State may exempt from notification processing unlikely to prejudice the rights and freedoms of data subjects; clause 16(3). Likely candidates mentioned in the White Paper include payroll, personnel and work planning administration; purchase and sales administration; advertising, marketing and public relations and general administration; White Paper, p. 13.
5 Clause 22. Such supervisors may have some of the Commissioner's functions devolved to them and owe duties to the Commissioner.
6 Data Protection Act 1984, section 1(8) excluded from the definition of processing any operation performed only for the purpose of preparing the text of documents.
7 Data Protection Act 1984, section 32.
8 This was subject to a right of appeal.
9 Data Protection: The Government's Proposals, Cm 3725, p. 14 and HL Deb 2 February 1998, c. 440.
10 In special circumstances, the Commissioner may extend the period of 28 days.
11 The Directive requires the consent to be 'unambiguous'.
12 Sic - surely this should be 'or' - see recital 30.
13 One might ask why the language of the Directive was not used here.
14 Within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992.
15 Referred to in Article 8 as special categories of data.
16 'Sensitive personal data' is defined in clause 2, above.
17 There is no reference to the possibility of prohibition nevertheless because of law as in the Directive.
18 (unreported) 29 September 1993, Data Protection Tribunal, Case DA/92 31/49/1.
19 The White Paper suggested that it would be the controller who would decide whether the 'further information' should be given. The Bill is neutral on this point.
20 The register entry will contain all the registrable particulars.
21 It is arguable that the data subject should have been informed of the envisaged disclosure at the time the data were collected. However, this might not be required where the planned disclosure is to another company within the same group of companies.
22 Of course, they have to notify any processing they do on their own behalf.