Data Protection: the current regime
Data Protection and Data Retention: Commercial Implications and Strategy
This guide provides an overview of the Data Protection Act 1998 and related legislation, its implications for business and strategic issues companies may wish to bear in mind when processing personal data for the purposes of their business, such as dealing with subject access requests, the retention and destruction of personal data and the ability to transfer such data outside the EEA.
It also deals briefly with the forthcoming General Data Protection Regulation, which takes effect on 25 May 2018. The law is stated as at June 2016.
Topics covered include:
- How is my organisation affected?
- What is personal data?
- What are my obligations as a controller?
- Transfers of personal data
- Enforcement
- The General Data Protection Regulation
- Schedule 1: Table – The data protection principles
- Schedule 2: Flow chart – Do I need to disclose data following a subject access request?
- Schedule 3: Flow chart – Can I transfer personal data to a third party abroad?
1. How might my organisation be affected?
If your organisation gathers, holds or otherwise uses personal data and makes decisions about what to do with the data, it will constitute a "data controller". The use by the organisation of that data in the UK will be subject to the Data Protection Act 1998 (the DPA) (which implements into UK law the EC Data Protection Directive (95/46)).
All data controllers must ensure compliance with the DPA. In some instances, this may be onerous and run counter to the increasingly global nature of business today. In particular, the DPA focuses on the security of personal data and the rights of individuals to be informed of, and in certain circumstances to object to, the use of their data. It also prohibits the transfer of personal data outside the European Economic Area (the EEA) without sufficient safeguards. In addition, the DPA requires data controllers to notify their data processing activities to the data protection regulator, which in the UK is the Information Commissioner's Office (the ICO).
The DPA applies to all "processing" of personal data. This covers any operation involving personal data in the life cycle of that data, from its acquisition (whether from the relevant individual or a third party), through its ongoing use to its retention and, finally, its destruction and includes the anonymisation of the data.
It is important that data controllers carry out regular and thorough audits of all their activities that involve personal data. Notifications with the ICO should be checked and, if necessary, updated to make sure that they cover current processing. Additionally, data controllers must put in place procedures to enable them to comply with the DPA generally and should carry out privacy impact assessments in relation to the business processes they operate. Companies should consider the methods by which they gather and use personal data. Where required, the correct form of consent should be obtained from data subjects before their personal data is processed and data subjects should be provided with all the information specified by the DPA to ensure fair processing.
2. What is personal data?
The DPA applies to all personal data relating to living individuals, including names, addresses, etc. The DPA also distinguishes between "ordinary" personal data and sensitive personal data, imposing more stringent conditions for processing the latter. Sensitive personal data consists of information as to:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health;
- sexual life;
- the commission, or alleged commission of, any offence; and
- any proceedings for any offence committed or alleged to have been committed and the outcome of such proceedings.
Sensitive personal data does not include financial records or other information that individuals may regard as private or confidential.
The DPA applies to data held on computers and to manual data, such as paper files, which is structured either by reference to individuals or to criteria relating to individuals where that personal data is readily accessible. Where personal data in manual folders or documents is not readily accessible (for example, a box of documents that are in no particular order), the DPA may not apply, meaning that the data subject is not entitled to inspect their personal data further to a subject access request. Subject Access Requests are discussed further below.
3. What are my obligations as a data controller?
General compliance
All data controllers must comply with the eight data protection principles (set out at Schedule 1 of this Quickguide) in the processing of personal data. These include:
Fair processing: As part of the requirement that the processing is fair and lawful, data controllers must comply with at least one of the schedule 2 conditions set out in the DPA and, where the data they process is "sensitive personal data", at least one of the conditions in schedule 3 of the DPA as well. The most relevant of these conditions are:
- that the data subject has given his or her consent to the processing of the personal data;
- that the processing is necessary for the performance of a contract to which the data subject is a party; or
- that the processing is necessary for the purposes of legitimate interests pursued by the data controller without prejudicing the rights, freedoms or legitimate interests of the relevant data subject.
In addition (and in order to comply with the fair processing code in the DPA), data controllers must provide specified information to data subjects which includes information on the purpose(s) for which the data is intended to be processed, the identity of the data controller processing that data and any further information that is required to ensure that the processing is fair. For information gathered and processed via a website, this is normally achieved in the form of a privacy policy.
Security: Compliance with the seventh principle (security) will inevitably become more onerous as information technology grows and the nature and extent of personal data held on systems expands. The DPA does not set a fixed minimum standard for the security measures required by the seventh principle; the measures in place must be "appropriate" to the harm that might result from misuse of the personal data in question and to the nature of that data. What is appropriate therefore depends on the circumstances of the case, and the security of the systems on which personal data is held ("cyber security") is of increasing importance in assessing it.
Use of data processors: If you use a third party for the processing of personal data on your behalf, that entity is likely to constitute a data processor if they are only entitled to process the data on your instructions. In these circumstances, the obligation to comply with the DPA remains with you as data controller and you should enter into a written contract with the data processor to ensure that they undertake obligations designed to make sure that you are not put in breach of the DPA as a result of their actions, for example, that they maintain an appropriate level of security with respect to that data.
Transfer of data outside the EEA: The eighth principle prohibits the transfer of personal data outside the EEA except in certain circumstances; this is discussed below.
Direct marketing: If you process personal data for direct marketing purposes you will also need to consider the provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which deal with the obligations on data controllers for telephone, email, text and fax direct marketing. Any such marketing can generally only occur with the express consent of the relevant individual. This can be obtained by a tick box or in some other manner (e.g. by clicking an icon or subscribing to that service) indicating consent. There is a limited exception to this requirement.
Data retention: As a general principle the DPA requires that data controllers only hold personal data for so long as is necessary for the purposes for which it is processed. The data controller cannot keep the information "just in case" but there is no further specific guidance in the DPA as to what that period of time should be. It is therefore up to the data controller to review the nature of the personal data it holds and processes and decide for each category how long it should be held and to then put in place retention and/or destruction policies. Note that other statutes may require certain information (which may include personal data) to be held for specific periods of time and this should be one of the factors to be taken into account by a data controller in creating and implementing its retention policies.
Special mandatory provisions apply to the retention of and access to communications data held by communications service providers in the UK. The data affected by this regime includes traffic data but does not include the content of any communication.
Notification
Subject to limited exemptions, data controllers must notify the Information Commissioner of the purposes for which they process personal data. Such notifications are kept on a publicly accessible register, which may be viewed at www.ico.org.uk. Data controllers will commit a criminal offence if they process personal data for purposes beyond those which they have notified. Notifications are renewed annually and fees are currently payable of either £35 or in the case of larger organisations £500 to effect the notification.
Subject access requests and other rights of data subjects
Under the DPA, data subjects have the right to access any of their personal data if they request it in writing and pay the data controller's fee for responding to the request, which cannot exceed £10. Such requests can be for details of the personal data, its source and to whom it may have been disclosed, and data controllers must respond to them promptly and within 40 days at the most.
Compliance with subject access requests can be time consuming and arduous, in particular in relation to emails. As a result, a data controller should ensure that all relevant sources of personal data (whether on computer or manual) are structured so that information is readily accessible. There is an assumption in the DPA that on request by a data subject, a data controller should disclose all personal data, unless it falls under one or more of the exemptions. The more common of these relate to data processed for the purposes of national security, the prevention of crime and the assessment of any tax. A full list of exempt information can be found at www.ico.gov.uk.
The individual also has rights to:
- ensure that if a data controller holds inaccurate personal data about him/her, it will be rectified, blocked, erased or destroyed;
- require the data controller not to process personal data if that processing causes or is likely to cause substantial damage or distress to him/her or to another person and that damage or distress is or would be unwarranted; and
- require a data controller not to process their personal data for the purposes of direct marketing.
Individuals are entitled to seek compensation from a data controller if they suffer damage or distress as a result of the data controller not complying with the DPA. See Schedule 2 of this Quickguide for a diagram setting out when to disclose data following a subject access request.
4. Transfers of personal data outside the EEA
The eighth data protection principle prohibits the transfer of data to countries outside the EEA that do not have adequate levels of data protection. In light of the global nature of business, available technology and the ease with which data may be transferred anywhere in the world, this restriction can be overly burdensome. Transfers of data within the EEA are permitted, subject to compliance with other data protection principles. Transfers of data outside the EEA are permitted where any of the following apply:
- the data is transferred to the US under "Privacy Shield". This new self-certification process has replaced "Safe Harbor". Privacy Shield principles include strong obligations on US companies handling personal data, sanctions for non-compliance, and the tightening of conditions for onward transfers of personal data to third parties;
- the data controller is satisfied that adequate protections exist; whether protections are adequate is to be assessed by reference to the data protection legislation in place in those jurisdictions, the nature of the personal data, the purposes for which it is to be used and the risk to the data subjects' rights associated with the transfer;
- the data is being transferred to one or more of the relatively few territories outside the EEA designated by the European Commission as having an adequate level of protection. These presently include Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay;
- the transfer is made on terms ("model clauses") approved by the European Commission and authorised by the Information Commissioner. There are three forms of model clauses, two for transfers to another data controller and one for transfers to a data processor;
- the relevant data subject has given his/her consent to that transfer;
- where the transfer is necessary for the performance of a contract between the data subject and the data controller; or
- where there is an intra-group transfer of data in accordance with any binding corporate rules that have been approved by the ICO and all other relevant European data protection authorities. However, to date, not many entities have received such approvals.
In practice, data controllers will often use a combination of these alternatives for different types of data processing. See Schedule 3 of this Quickguide for a diagram setting out when personal data may be transferred to a third party abroad.
5. Enforcement
The DPA gives the Information Commissioner the power to enforce its provisions, including by means of an enforcement notice, which may require the data controller to take various remedial steps or to refrain from processing certain personal data. In practice, a large number of breaches investigated by the Information Commissioner have resulted in enforcement undertakings or, in more serious cases, fines and enforcement notices to address the cause of the breach. The DPA also gives the Information Commissioner information gathering powers in the form of "information notices" and "special information notices". These may be served where the Information Commissioner reasonably requires information for the purpose of determining whether the data controller is complying with the data protection principles.
In particular, the DPA provides the Information Commissioner with:
- the right to impose a financial penalty of up to £500,000 in the event of a serious breach of the data protection principles by a data controller; and
- the right to conduct a compulsory audit of certain data controllers to determine data protection compliance (currently only central government departments and other specified public authorities). There is no right to conduct audits of other data controllers without the consent of that data controller and the audit (whether compulsory or voluntary) will be conducted in accordance with a Code of Practice issued by the Information Commissioner.
A data controller can appeal to a Tribunal against the terms of an information notice or special information notice or against an enforcement notice. Failure to comply with these notices or providing false information in respect of a notice is a criminal offence. Where an offence is committed by a company and is proved to have been committed with the consent of, or to be attributable to neglect on the part of, an officer of the company or someone purporting to act in that capacity, that person as well as the company will be guilty of an offence.
6. The General Data Protection Regulation
On 14 April 2016, the European Parliament adopted a package of sweeping legislative changes to the EU data protection regime. The legislation, which will come into effect on 25 May 2018, is aimed at modernising and enhancing data protection rights in the EU and facilitating a borderless digital single market across the region. It includes two limbs – the General Data Protection Regulation (the GDPR) and a Directive addressing law enforcement. The GDPR is directly applicable in all Member States, replacing previous data protection legislation and putting an end to the current patchwork of local data protection regimes across Europe.
Key Changes
The GDPR brings in a host of changes to the European data protection landscape, including:
- Stricter rules for processing and stronger rights for individuals: for instance, data subjects will now have easier access to their own data, and a right to know how their data is processed and shared.
- New individual rights to reflect the internet/social media age: such as a right to data portability facilitating transmission of personal data from one service provider to another and a "right to be forgotten".
- Protection for young people: service providers must attempt to verify parental consent for use of online services by young people under 16, although Member States may lower this age to 13.
- No more notification: businesses are relieved of burdensome notification procedures to local data protection authorities that currently exist in some Member States (including the UK). Instead, they must keep records of their data processing operations.
- One-Stop-Shop: under this concept, businesses only have to deal with a single supervisory authority. Businesses will have to carry out a risk assessment – the stronger the risks of the activities for personal data, the more stringent the obligations.
- Ease of redress: to ensure proximity of legal redress, data subjects will have the right for a decision of their data protection authority to be reviewed by their national court, regardless of where the data controller is established.
- Notification of personal data breaches: businesses will have to notify the national supervisory authority of data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to anyone's rights and freedoms.
- New obligations applying directly to “data processors”: data processors are required to conform to a number of new obligations.
- Data protection by design: the regulation endorses this approach, which requires that privacy in any processing system, service or product is taken into account not only at delivery, but in development and design.
- The territorial scope of application is greatly extended: companies based outside Europe that offer goods or services to, or monitor the behaviour of, individuals in the EU will have to conform to the same stringent conditions and safeguards.
- Supervisory authorities have much more efficient enforcement powers: these include a toolbox of significantly increased fines of up to €20 million or 4% of global turnover (whichever is higher).
The effect of Brexit
The UK Government has confirmed plans to implement the GDPR, ending uncertainty that resulted from the Brexit referendum. In her appearance before the Culture, Media and Sport Select Committee, Secretary of State Karen Bradley MP noted that the UK will still be a member of the EU in 2018, making participation in the EU's wide-ranging data protection shake-up a natural step. Her announcement has been welcomed by the UK Information Commissioner.
Schedule 1
The data protection principles

| Principle | Requirement |
| --- | --- |
| 1 | Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met (set out in schedules 2 and 3 to the DPA). |
| 2 | Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. |
| 3 | Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. |
| 4 | Personal data shall be accurate and, where necessary, kept up to date. |
| 5 | Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. |
| 6 | Personal data shall be processed in accordance with the rights of data subjects under the DPA. |
| 7 | Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. |
| 8 | Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. |
Schedule 2
Flow chart – Do I need to disclose data following a subject access request?
Schedule 3
Flow chart – Can I transfer personal data to a third party abroad?
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.