GENERAL DATA PROTECTION ACT 1998

Author: Darlene Hopkins

1 GENERAL DATA PROTECTION ACT 1998

NOTE: Some of the notes focus on personnel data, so the trainer may need to use other examples.

2 COVERAGE AND AIMS

Overview and background
Main definitions
Data protection principles
Individual rights
Enforcement

The delegates will not necessarily know each other, so an icebreaker or introductions will be needed. They are from different local authorities.

AIMS:
Achieve an understanding of the scope and impact of the DPA 98
Understand the interface with freedom of information

3 THE DEVELOPMENT OF PRIVACY

Business has to operate in a more “privacy aware” world
Court cases since the HRA came into force
High profile breaches of security
New powers under the Data Protection Act 1998
Fears about loss of identity

Although information about individuals is protected under the DPA, the concept of privacy is much broader than that of protection of personal data: the right to be let alone, the ability to be secure in one’s person, to be free from the intrusion of others in person and in property. There is no general right to privacy recognised by English law; the right to private and family life is one of the rights enshrined by the HRA, and there has been some development in case law towards recognising a right to privacy, for example in the Michael Douglas and Catherine Zeta-Jones case against Hello! magazine. Confidentiality is already a recognised area of English law and some protection is given to information which is subject to an obligation of confidence, such as medical and financial information. Reputation: the public increasingly expect privacy controls to be in place, and a perceived breach of privacy can lead to negative publicity.

4 KEY THEMES

Transparency: notification, data protection notices
Quality: principles 3, 4 and 5
Security: principle 7
Individual rights
Exemptions

The Act combines a number of key themes, an understanding of which may assist when applying the strict letter of the legislation. Transparency is a key theme under the Act; therefore individuals should know who is collecting information on them and the purposes for this. They should also be able to access this information. The Act incorporates the transparency requirement by providing for the notification of data controllers on a public register, by giving individuals the right to access information held on them and by imposing information provision requirements on data controllers. Quality and accuracy are also important concepts and, by requiring compliance with certain data protection principles, the Act imposes quality standards on those processing personal data. Because it is individuals who are directly affected by the processing of information about them, the Act grants rights to such individuals to enable them to modify or in some cases prevent the processing of their personal information. As with most Acts, there are exemptions to the rules, and the Act contains exemptions that can be claimed in specific cases.

5 DATA CONTROLLER

Means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are or are to be processed (section 1(1))

Determines the purposes for which and the manner in which any personal data are to be processed. It is important to establish, in each instance of processing, who is the data controller. This is a key definition, as it is the data controller that is the person or organisation required to comply with the provisions of the Act: notification, compliance with the principles, subject access etc.

6 DATA PROCESSOR

“in relation to personal data means any person (other than an employee of the data controller) who processes the data on behalf of the data controller” (section 1(1))

A person who processes the data on behalf of the data controller but who is not an employee of the data controller. A processor has no obligations under the Act but will have contractual obligations imposed by the data controller, because a data controller must put in place a contract with its processors to ensure that they have adequate security measures in place and to require them to act only on the instructions of the data controller. Includes outsourced IT suppliers, pensions and payroll providers, consultants, temps and so on.

7 PERSONAL DATA

Means data which relate to a living individual who can be identified
a) from those data or
b) from those data and other information which is in the possession of or is likely to come into the possession of the data controller
(section 1(1); see Durant v Financial Services Authority)

Data which relate to a living individual who can be identified from that information, or from that information and other information in the possession of the data controller or which is likely to come into its possession. Includes any expression of opinion about the individual and of the intentions of the data controller in respect of that individual, e.g. appraisals on a personnel file.

Whether or not data relate to a particular individual is a question of fact in each case: does it relate to a living individual? Can the data controller form a connection between the data and the individual? Can the individual be identified from the data or from other data in the possession of the data controller? Whether or not information is in the possession of the data controller is interpreted widely and does not necessarily mean that the information has to be in the physical control of the data controller (for example, outsourced data processing).

In many cases it will be obvious that something is personal data; a name and address, for example, will clearly be personal data. The definition of personal data will also extend to something like a payroll number or a membership number, as the data controller will be able to cross reference this back to the relevant individual.

Automated and manual data: information which “is being processed by means of equipment operated automatically in response to instructions given for that purpose”; information recorded as part of a relevant filing system; data which are intended to become part of a computer or manual system.

8 PRINCIPLE 1

Personal data shall be processed fairly and lawfully
Fair: justification under Schedule 2 and, where necessary, Schedule 3; data protection notice
Lawful

There are 8 data protection principles in the Act with which all data controllers must comply. The first principle states that personal data shall be processed fairly and lawfully. What does this mean? Taking lawfully first: the sort of areas this would cover include confidentiality, defamation, trade secrets, health and safety. If you breach a legal obligation, such as disclosing information in breach of confidence, you will also be breaching the first principle of the DPA. Fairly: this involves looking at the way in which the data were collected and in particular whether the individual was misled or deceived as to the purpose for which their data will be used; we will look at the provision of information to individuals shortly. In order to be processing fairly, you are also required to have a justification for doing so under Schedule 2 of the Act and, if you process sensitive personal data, a justification under Schedule 3 as well.

9 SCHEDULE 2 GROUNDS

Consent of the data subject
Necessary for the performance of a contract to which the subject is a party or for taking steps at his request before entering a contract
Necessary for compliance with a legal obligation other than an obligation imposed by contract
Necessary to protect the vital interests of the individual

Schedule 2 lists the possible justifications you can have for processing personal data. Those most relevant to private organisations will be obtaining the consent of the individual, performing a contract, complying with a legal obligation, or because the processing is in the legitimate interests of the data controller and not outweighed by prejudice to the rights and freedoms or legitimate interests of the data subject.

10 SCHEDULE 2 GROUNDS CONTINUED

Necessary for the administration of justice, exercise of public functions or functions conferred by enactments
Necessary for the purposes of the legitimate interests of the data controller or a third party to whom data are disclosed and not unwarranted by reason of prejudice to the rights or freedoms or legitimate interests of the data subject

It is important to remember that you don’t need consent if you meet another condition. For example, having the name, job title and contact details of your business suppliers or business customers is in your legitimate interests and, because the information is unlikely to be sensitive or confidential, there should not be any prejudice to the individuals involved.

11 SCHEDULE 3 - SENSITIVE DATA

Racial or ethnic origins
Political opinions
Religious or other similar beliefs
Trade union membership
Physical or mental health or condition
Sexual life
Convictions or alleged criminal acts

In addition to a ground under Schedule 2, you need a ground under Schedule 3 where you process sensitive personal data. These relate to: race or ethnic origin; political, religious or other similar beliefs; trade union membership; physical or mental health or condition; sexual life; information relating to offences or criminal proceedings. This crops up in an employment context quite often: medical, trade union, criminal, race etc.

12 SCHEDULE 3 - GROUNDS FOR PROCESSING SENSITIVE DATA

Explicit consent
Necessary for performing a legal obligation in connection with employment
Necessary to protect the vital interests of the data subject or another where consent cannot be given or is unreasonably withheld

13 SCHEDULE 3 GROUNDS CONTINUED

Carried out by a non-profit making body about members, subject to safeguards
The data has already been made public voluntarily by the data subject
Necessary in connection with legal proceedings
Necessary for public functions
Necessary for medical purposes and is undertaken by a health professional
Necessary for legal proceedings, obtaining legal advice

14 SCHEDULE 3 GROUNDS CONTINUED

Relates to racial or ethnic origin and is necessary for monitoring equal opportunities
SEE ALSO THE GROUNDS ADDED BY THE SENSITIVE DATA ORDER
Equal opportunities monitoring

The SI (the Sensitive Data Order) has also added grounds, for example equal opportunities monitoring of health and religious details. Various grounds may apply in particular instances of processing, but in general organisations are likely to need the explicit consent of employees and customers to hold sensitive personal data on them. This should be obtained in writing, and individuals will need full and clear details of what they are consenting to. The Sensitive Data Order covers, for example, policing, counselling and insurance information. None of its grounds specifically relate to local government.

15 DATA PROTECTION NOTICE

The data subject must be told:
the identity of the data controller
the purposes for the processing
any other information necessary, in the circumstances of the case, to make the processing fair

Principle 1 also requires the provision of specified information to data subjects in order for the processing to be fair. In order to be fair, the data subject must have been given, or have had made available to him, certain information when his data are collected. Where the details are collected from a third party, the information can be provided when the data are collected or as soon as reasonably practicable thereafter. Data subjects must be told the identity of the data controller, the purpose for the processing and any other information necessary, in the circumstances of the case, to make the processing fair. “Any further information necessary to make the processing fair” is potentially wide and will depend on the circumstances of the processing. It may include how long the data will be kept, who they will be disclosed to, what rights an individual has in respect of their data etc. The way in which this information is typically provided is in the form of a data protection notice/collection notice given to data subjects. The collection notice should not be confused with the requirement to obtain consent; they are separate, but the collection notice is often used as a mechanism to obtain consent.

16 TYPICAL DATA PROTECTION NOTICE FOR EMPLOYEES

Identity of the employer
Purpose of the processing - personnel administration, management and (where appropriate) business development purposes, including carrying out appropriate security, financial and health checks
Any other information …
Disclosure (agents, pension providers, trade unions, employee benefit providers etc.)
Subject access
Contact details
Marketing uses

The information you must provide is who you are and what you do with the data; our notice says the purposes are personnel administration, management and (where appropriate) business development purposes, including carrying out appropriate security, financial and health checks. Any other information to make the processing fair may include who you disclose data to (your data processors, pensions and benefits providers, trade unions etc.), the right of individuals to access their data, contact details for enquiries and whether any data will be used for marketing purposes (there are also specific requirements in relation to marketing: individuals have a right to object to direct marketing, and the Telecommunications Regulations regulate telephone, fax and marketing). You therefore need to consider what to tell employees and how to go about this. We recommend giving a detailed notice on joining the company, but also potentially including wording on application forms, adverts and at other stages in the recruitment process as necessary in respect of what you will do with the information at that stage.

17 PRINCIPLES 2 AND 3

Personal data shall be obtained for specified and lawful purposes and not processed in ways incompatible with these purposes
Personal data shall be adequate, relevant and not excessive in relation to the purposes
The data controller should have a clear view of the purposes for which data are being collected and only use data for those purposes

Principle 2 says that personal data shall be obtained for specified and lawful purposes and not processed in ways incompatible with these purposes. This can be met by ensuring that you tell data subjects the purposes for the processing and that you notify the Information Commissioner. I mentioned earlier that the Act imposes quality standards, and these are contained in Principles 3, 4 and 5. Principle 3 says that personal data shall be adequate, relevant and not excessive in relation to the purposes.

18 PRINCIPLES 4 AND 5

Personal data must be accurate and, where necessary, kept up to date
Personal data must not be kept for any longer than necessary

Principle 4 says that personal data must be accurate and, where necessary, kept up to date. Principle 5 says that personal data must not be kept for any longer than necessary for the purposes. These principles may affect your recruitment and employment processes. For example, in relation to shortlisting job applicants, you don’t need to collect information on the application form that is not necessary until the applicant is taken on. So you don’t need next of kin or medical details from all applicants; you only collect this if they are shortlisted or taken on. The accuracy of personal data should be ensured. Staff, for example, should be encouraged to notify changes in their details. Personal data on customers or suppliers should be amended when changes come to light, if someone moves position for example. As regards retention, it is good practice to have a documented retention policy which sets out how long data will be kept for and why this is necessary. The Information Commissioner in the employment code of practice suggests some retention periods, e.g. references 1 year, sickness records 3 years etc. These have been criticised, but it is worth bearing them in mind and having a look at the final code when it comes out. In some cases it may be necessary to keep data indefinitely, provided there is a justification for doing so, for example statutory periods, or because regulatory enquiries or investigations may be possible, as with pensions data.

19 PRINCIPLE 6

Personal data must be processed in accordance with the rights of data subjects

Principle 6 requires processing of personal data to be in accordance with the rights of data subjects, for example subject access rights, which we’ll look at.

20 PRINCIPLE 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Broken down, this definition means that technical measures have to be taken as well as organisational or physical measures, and these measures have to be taken against unauthorised processing, against unlawful processing and against accidents. Measures must ensure a level of security appropriate to the harm that might result and to the nature of the data (e.g. sensitive data). The state of technological development and the cost of implementing the measures are also factors to consider.

21 PRINCIPLE 7

Reliability of employees
Data processor contracts
Information Security Policy

Ensure the reliability of employees, for example through staff training and internet and personal data handling policies. Choose data processors with sufficient security guarantees and ensure compliance with these, for example through audits. Data processor contracts: in writing, the processor acts only on the instructions of the controller, equivalent security requirements. The IC asks specific questions on the notification form, which all data controllers are required to complete annually: information security policy, access controls to information, business continuity plan, staff training on security procedures and systems, BS7799.

22 REQUIREMENTS FOR DATA PROCESSOR CONTRACTS

Contracts in writing
Under which the processor is to act only on instructions from the controller
Which require compliance with security standards equivalent to those imposed on the controller

23 PRINCIPLE 8

Personal data shall not be transferred to a country or territory outside the EEA unless:
that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data; or
one of the Schedule 4 conditions applies

Principle 8 provides that personal data shall not be transferred to a country or territory outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. EEA = EU plus Norway, Liechtenstein and Iceland. Hungary, Canada, Argentina and Switzerland have adequate protection; US safe harbor.

24 BASIS OF OVERSEAS TRANSFER

Safe Harbor
EU Contracts: controller to controller; controller to processor
Finding of Adequacy
Assessment of Adequacy
Binding Corporate Rules
Schedule 4 grounds

25 SUBJECT ACCESS

Whether the controller holds personal data on the applicant
The nature of the data, purposes for which it is used and recipients of the data
A copy of the information constituting the data in intelligible form
The logic of any automated decision making process used to make significant decisions
(section 7)

The most common right is that of subject access. A data subject is entitled to be told whether the data controller holds personal data on the applicant, the nature of the data, the purposes for which it is used and the recipients. The data subject is also entitled to a copy of the information. There are certain formalities to be complied with on both sides. The request must be in writing, a maximum fee of £10 can be charged, and the request must be complied with within 40 days of receipt. The main action for you is to be aware that this right exists and to train staff to recognise requests so that the Act is complied with. Such requests may cause difficulties in relation to finding the information, for example e-mails, in particular where deleted but still retrievable. The informal culture may also cause difficulties in relation to the content of e-mails being potentially embarrassing or even defamatory, which is why clear policies are a good idea. Remember that for public authorities this right has been extended to all recorded information, plus there is a new subject access exemption.

26 THIRD PARTY DATA

Information identifying others should be removed as far as possible
Where removal is not possible the data controller should seek the consent of the third party
Where consent is not possible the controller must consider all relevant matters before deciding whether to give it

27 RELEVANT CONSIDERATIONS

Any duty of confidentiality owed to the individual
The possibility of seeking consent
Any refusal of consent

28 OTHER RIGHTS

Right to prevent processing likely to cause damage or distress
Right to object to direct marketing
Rights related to automated decision making
Compensation
Right to rectification and other remedies for inaccuracy

29 NOTIFICATION

All data controllers, unless they are exempt from notification, must apply for an entry on the public register
An entry lasts for one year
The annual fee will be £35.00
It will be an offence to process personal data without having notified

Notification replaces the existing registration scheme. Existing entries on the register have to be changed when they expire and will last for one year instead of the 3 years under registration. All data controllers, unless exempt, must apply for an entry on the public register at an annual fee of £35. Only one entry is allowed for each data controller, instead of the multiple entries permitted under the old law. It is an offence to process personal data without having notified.

30 CONTENTS OF A NOTIFICATION

Name and address of the controller or his nominated representative
A description of the data and the type of data subjects
A description of the purposes of the processing
A description of the recipients of the data
Areas outside the EEA to which data are to be transferred
(section 16)

31 EXEMPTIONS

Processing may be exempt from:
the subject information provisions
the non-disclosure provisions
notification
the individual rights
the principles

32 MAIN EXEMPTIONS

National security
Special purposes
Crime and taxation
Regulatory functions
Domestic purposes
Legal proceedings

The starting point is that the Act must be complied with. Exemptions may be available on a case by case basis.

33 PROCURING INFORMATION

A person must not knowingly or recklessly obtain, disclose or procure the disclosure of personal data to another without the consent of the data controller
Defences are available
(section 55)

Individual employees can be liable for this offence.

34 ENFORCEMENT

Information Commissioner
Information notices
Warrants
Enforcement notices
Prosecution for some transgressions
Fines imposed following Criminal Justice and Immigration Act 2008

The Information Commissioner is responsible for enforcement of the Act. Information notices: served either in response to receiving a request for assessment from an individual, or of her own volition if she reasonably requires the information to determine whether the data controller is in compliance with the Act. Warrants: power to apply to the courts for a warrant to enter and search premises if she has reasonable grounds for suspecting an offence or a breach of the principles; she must have previously demanded access on 7 days' notice which was refused, unless the case is urgent or giving notice would defeat the object. The warrant permits entry and search, inspection, operation of equipment, and inspection and seizure of documents; obstructing its execution is an offence. Enforcement notices: if satisfied that any of the principles have been or are being contravened, a notice requiring the controller either to take or refrain from taking specified steps, or to stop processing some or all personal data; it is an offence to fail to comply.

35 © Copyright Pinsent Masons 2008

36 Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) and regulated by the Solicitors Regulation Authority.  The word 'partner', used in relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm who has equivalent standing and qualifications. A list of the members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP's registered office: CityPoint, One Ropemaker Street, London EC2Y 9AH.  We use 'Pinsent Masons' to refer to Pinsent Masons LLP and affiliated entities that practise under the name 'Pinsent Masons' or a name that incorporates those words. Reference to 'Pinsent Masons' is to Pinsent Masons LLP and/or one or more of those affiliated entities as the context requires. For important regulatory information please visit:
