Data protection and employment practice (1)

In the first of a series of guidance notes on data protection we look at how the legal regime is being interpreted today in the light of new developments, and how these affect employment practice and procedure.

The first transitional period under the Data Protection Act 1998 ended on 23 October 2001, bringing fully into force most of the Act's provisions. Simultaneously, the Information Commissioner published her Legal Guidance¹ on the Act, showing how her thinking has evolved on its provisions since it was promulgated. Numerous statutory instruments which throw further light on the meaning of the Act's provisions have also come into force.

Recent developments include the release by the Commissioner of Part 1 of the new Employment Practices Data Protection Code of Practice² and, from 1 April 2002, the opening of the Criminal Records Bureau to all organisations, providing wider access to criminal record information for employment-related and other purposes.

In this series of guidance notes, we look at how the legal regime for data protection is being interpreted today in the light of all these developments. Parts 1 and 2 will take a fresh look at the Act itself, the Legal Guidance and relevant statutory instruments. Having set out the context, future parts will focus on the Code of Practice and the Criminal Records Bureau, and what "adequate" privacy protection means for the transfer of personal data to non-EU states.

Other parts in this series will follow as and when the Commissioner publishes the other three parts of the Code. And finally, throughout the series, we draw attention, where relevant, to the Act's interrelationship with other primary and secondary legislation - in this part, the Human Rights Act 1998 and the Freedom of Information Act 2000.

The Data Protection Act 1998 ("the DPA") replaced the first Data Protection Act of 1984 ("the 1984 Act", now repealed) and implemented in the UK the 1995 European Community Data Protection Directive (No.95/46/EC) ("the Data Protection Directive"). Although the DPA came into force on 1 March 2000, it created two periods of transitional relief that prevented it from coming fully into force on that date, in that most of the requirements it introduced for the first time did not apply to personal data immediately.

The first transitional period was from 1 March 2000 until 23 October 2001. During this period, the 1984 Act continued to apply to eligible processing. The second transitional period continues from 24 October 2001 until 23 October 2007. This, however, applies to such a limited category of personal data (processed for historical record purposes only), that it is true to say that, since 24 October 2001, the DPA has become fully operational. The effect of this is that full compliance by data controllers with the DPA's provisions - in particular, the three fundamental obligations of notification, abiding by the data protection principles and observing the rights of data subjects - is now required.

The interpretation of the DPA's provisions has not been without difficulty. However, a number of statutory instruments introducing significant additional requirements upon data controllers, as well as aiding in interpreting the DPA's provisions, have also come into force since 1 March 2000. Moreover, to coincide with the coming into full force of the DPA, the Information Commissioner (currently Mrs Elizabeth France, whose retirement from this position is due to take effect from the end of 2002) has issued Legal Guidance to serve as a reference document for data controllers and their advisers. It is to be "further developed over time, increasing its detail and authority" as the Office of the Commissioner gains practical experience in applying the DPA and in the light of the developing case law on the subject.

Furthermore, the developing law on privacy in general means that the DPA cannot be interpreted in isolation, but must be seen within the context of such legislation as the Human Rights Act 1998 ("the HRA") and the Freedom of Information Act 2000 ("the FoIA"). The HRA came into force on 2 October 2000. It incorporates the European Convention on Human Rights, and together (in particular, articles 8 and 10 on the rights to respect for private and family life, and to freedom of expression) they provide the legal framework within which to interpret the DPA. Although not yet fully implemented, some of the FoIA's provisions came into force on and after 30 January 2001, including the changes of name of the Office of the Data Protection Commissioner to the Information Commissioner, and of the Data Protection Tribunal to the Information Tribunal.

Also aiding in our interpretation of the DPA is the new Employment Practices Data Protection Code of Practice. While it does not have the legal status of the DPA, the Code is designed to bring about compliance with it, and develops and applies its provisions in the context of employment practices. The Code contains, in effect, the Information Commissioner's recommendations as to how the legal requirements of the DPA can be met. Any "enforcement action" by the Commissioner in relation to the processing of personal data in employment will be based on a failure to meet the requirements of the DPA itself, but the Code will be cited by the Commissioner in connection with such enforcement action, and disregarding its recommendations may be taken to mean that an employer has not complied with the DPA. The first part of the Code, covering recruitment and selection, was published on 14 March 2002. The three other parts of the Code to be published at later dates are: employment records; monitoring at work; and medical information.

It is against this background that we examine what full compliance with the data protection regime now means for employers and employees. The main points to note are set out in the box below.

The data protection regime

The purpose of the DPA is to regulate the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. It does so in the following ways:

  • Firstly, it provides "data subjects", that is, the individuals who are the subjects of personal data, with mechanisms for gaining access to that data; challenging any misuse or abuse of the data; preventing processing that is likely to cause damage or distress; and for seeking redress if they suffer damage or distress as a result of breaches of the law.

  • Secondly, it provides mechanisms such as registration procedures and enforcement powers to ensure that "data controllers", that is, those in control of personal data, comply with the law.

    Definitions

    The DPA uses certain strictly defined words and expressions that dictate its scope and the nature of its requirements. Some of these key definitions, set out in section 1 of the DPA, can now be further interpreted in light of the Commissioner's Legal Guidance.

    Data

    The term "data" refers first to information that is:

    (a) being processed by means of equipment operating automatically in response to instructions given for that purpose; or

    (b) recorded with the intention that it should be processed by means of such equipment.

    This definition relating to automated systems covers all types of computers including mainframe, hand-held and laptop computers and organisers, and any other type of equipment that can process information automatically, such as microfiche and microfilm, audio and video systems and telephone logging systems. The "operating instructions" referred to include general instructions stored in software or hardware packages (or a mixture of the two) as well as particular instructions given for the purposes of a specific processing operation.

    "Data" next refers to information that is recorded:

    (c) as part of a relevant filing system; or

    (d) with the intention that it should form part of such a system.

    This definition relates to manual data. A "relevant filing system" is defined as "any set of information relating to individuals to the extent that . . . the set is structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible." In her Legal Guidance, the Commissioner reiterates the view we expressed in our previous feature on data protection that this definition is far from clear and is likely to remain so pending a court ruling. Although she recognises that it is likely to be of particular significance in certain areas of business whether or not manual information such as personnel files fall within the definition of "relevant filing system", she is able only to give the following general guidance:

    (i) There must be a set of information about individuals.

    The word "set" suggests a grouping together of things by reference to a distinct identifier, or a common theme or element, such as a set of information on employees. The "grouping together" need not necessarily be in the same file or files, in the same drawer of a filing cabinet or even in the same filing cabinet. There is not even any need for the set(s) of information to be maintained centrally by the organisation. They might indeed be located in different places within an organisation, such as in different departments, branch offices, or in the homes of homeworkers. On the other hand, the grouping together might be done for example by prefix codes or by attaching an identifying sticker on information within a file or files.

    (ii) The set of information must be structured in such a way that specific information about a particular individual is readily accessible.

    Each individual case will be different, but ready accessibility of a set of information may be assumed to exist if the set is in fact generally accessible at any time to one or more people within the data controller's organisation in connection with the day-to-day operation of that organisation. In practice, manual files within an organisation may consist partly of information forming or intended to form part of a "relevant filing system", and partly of information which does not. It is the information and the ease with which it may be located, rather than whether it is in itself a file or filing system, that must be assessed by data controllers. Whereas a file is not synonymous with a relevant filing system, if manual information forms part of what are clearly highly structured files - for example, card indexes or records - then it is likely to fall within the definition.

    (iii) Where it is not clear whether or not manual information falls within the definition, data controllers should evaluate its accessibility by making reasoned judgements. If it is reasonably likely that the individual will be prejudiced by the information not being treated as being covered by the definition, data controllers would be expected to err on the side of caution and take steps to ensure compliance.

    (e) The term "data" also refers to accessible records. This is defined in s.68 of the DPA and, for our purposes, includes health records consisting of information about an individual's physical or mental health or condition and which were made by or on behalf of a health professional "in connection with the care of that individual". This could in some cases include reports made by in-house occupational health practitioners (including doctors, nurses and clinical psychologists). It should be noted that data forming part of an accessible record might fall within all the definitions of data.

    Personal data

    The term "personal data" means "data which relate to a living individual" who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes "any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of that individual."

    By virtue of the definition of "data" above, all automated and computerised personal data, as well as personal data put on paper or microfiche or held in any relevant filing system, or with the intention that it will be so recorded or held, will be covered by the DPA and by the Code.

    The Legal Guidance breaks down the definition of personal data into the following cumulative elements:

    (a) The data must relate to an individual.

    Whether or not data relates to an individual will be a matter of fact in each particular case. One element of data relating to an individual is whether a data controller can form a connection between the data and the individual. Note, in this respect, that although the DPA refers to individuals and not other legal entities such as limited companies, there will be situations where information about a limited company or other legal entity amounts to personal data because it relates to a specific individual, for example, the performance of a department which is under the control of a specific individual. But information relating solely to the legal entity will not amount to personal data.

    (b) The individual must be living.

    Information about a dead person cannot be personal data within the meaning of the DPA.

    (c) The individual must be capable of being identified.

    The individual must be capable of being identified from data in the possession of the data controller or from those data and other information in the possession of, or likely to come into the possession of, the data controller. An individual may be "identified" even if his or her name and address are not known. The Commissioner believes it is sufficient if the data are capable of being processed by the data controller to enable it to distinguish that individual from any other individual. This would be the case if the individual could be treated differently from other individuals. For example:

  • CCTV footage will be personal data where it is possible to match the image of an individual caught by the camera with a photograph, a physical description, or a physical person.

  • Email addresses that clearly identify a particular individual, for example, elizabethfrance@dataprotection.gov.uk, are personal data about the individual - in this case, the Commissioner.

  • In the majority of cases, the ability to "identify" an individual will be achieved by knowing the name and address of that individual or by the data controller being in, or likely to come into, the possession of some other information. It will be for the data controller to satisfy itself as to whether it is likely that such information will come into its possession to render data "personal data". This will depend largely on the nature of the processing it undertakes.

    (d) In the "possession" of, or likely to come in the possession of, the data controller.

    "Possession" is a very wide concept that goes beyond the identifying data being in, or likely to come under, the data controller's physical control. It extends, for example, to the situation where, under a contractual arrangement between a data controller and data processor for the processing of personal data, the data controller determines the purposes for which, and the manner in which, the personal data are to be processed by the data processor, but may not have had sight of all or any of the information that identifies a living individual from that data. This may be because the data processor receives some of the identifying data from a third party. Nevertheless, the data controller is deemed to be "in possession of" those data.

    (e) Anonymisation of personal data.

    "Anonymisation" means stripping data of all personal identifiers. The aim is to achieve better data protection and so it is to be encouraged wherever information relating to a data subject is not necessary for the particular processing being undertaken. However, the following points should be noted:

    (i) The stripping process itself amounts to the processing of data in respect of which the data controller must comply with the DPA's provisions.

    (ii) True anonymisation is difficult to achieve in practice. If the original data set from which the personal identifiers have been stripped to create the anonymised data is retained, and these two data sets can be linked together so as to enable a living individual to be identified from them, anonymisation cannot be said to have taken place. Both data sets will remain personal data in the hands of the data controller, and it will be immaterial that the data controller has no intention of linking them up.

    (iii) A data controller who destroys the original data set and retains only the information which has been stripped of all personal identifiers, that is, the anonymised data, and who assesses that it is not likely that information will come into its possession subsequently to enable it to reconstitute the anonymised data into personal data, ceases to be a data controller in respect of the anonymised data.

    (iv) Anonymised data disclosed to another person may become personal data in the hands of that other person if that person is in possession of, or likely to come into the possession of, other information which will enable it to identify a living individual from the anonymised data. Such disclosure may amount to processing under the DPA.

    (v) Anyone processing anonymised data must take such "technical and organisational measures" as are necessary to ensure that the data cannot be reconstituted to become personal data, and must be prepared to justify any decision he or she makes with regard to the processing of the data.

    (vi) Data stripped of all personal identifiers, so that it is no longer possible to single out an individual from them, cease to be personal data. Whether this has been achieved may be open to challenge. Data controllers may therefore be required to justify the grounds for their view that the data are no longer personal data.

    (vii) A data subject making a "subject access request" might provide the data controller with sufficient information to enable it to identify data relating to him or her and to enable it to distinguish this from data relating to other individuals where the data controller would not otherwise be able to do so because the information in its possession has been anonymised. The information supplied by the data subject itself becomes personal data, but in the Commissioner's view, it does not render the anonymised data personal data unless the data controller believes it likely that it will come to possess other information that will render the anonymised data personal data.

    (viii) If it is unclear whether or not data are personal data, the Commissioner's advice is to treat it as such, having particular regard to whether those data are sensitive personal data. In respect of the latter, a data controller is not obliged to comply with a subject access request if it is unable to satisfy itself as to the identity of the person making the request or as to its ability to locate the information sought because the data has been anonymised.

    (f) Expression of opinion or intention.

    In the employment context, this means, for example, an employer who is involved in appraising employees disclosing its opinions of the employees as well as its intentions, if any, to offer or decline promotion based on those opinions, subject to any exemption available at any particular time.

    Sensitive personal data

    This is personal data consisting of information as to a data subject's racial or ethnic origin; political opinions; religious or other similar beliefs; trade union membership within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992; physical or mental health or condition; sexual life; offences or alleged offences; or information as to any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings.

    The DPA provides special protection for such data over and above that provided for other personal data, in the form of a series of conditions set out in Schedule 3 to the DPA, at least one of which must be met before an employer can process such personal data. Additional Schedule 3 conditions are now set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI No.417) ("the Sensitive Data Order"). We examine these requirements below.

    Processing

    In relation to information or data, "processing" means the following:

  • obtaining, recording or holding information or data;

  • carrying out any operation or set of operations on the information or data, including organising, adapting or altering it;

  • retrieving, consulting or using the information or data;

  • disclosing the information or data by transmitting, disseminating or otherwise making it available; or

  • aligning, combining, blocking, erasing or destroying the information or data.

    The Commissioner's view is that this is a compendious definition, making it difficult to envisage any action involving data that does not amount to processing within the meaning of the DPA. For example, it would appear from her views expressed above that the definition also clearly includes the process of "anonymising" data.

    Data subject

    He or she is the individual who is the subject of personal data, for our purposes described as the "worker". He or she must be a living individual. This definition excludes companies and other corporate and unincorporated bodies or persons. A data subject need not be a UK national or resident. Provided that the data controller is subject to the DPA, rights thereunder with regard to personal data are available to every data subject regardless of his or her nationality or residence.

    Data controller

    This is the person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. "Person" in this context refers to a legal person. The term comprises not only individuals but also organisations such as companies and other corporate and unincorporate bodies of persons. (Government departments are each to be treated as separate persons for the purposes of the DPA). In effect, most employers who keep records relating to staff and job applicants will be data controllers.

    Section 5 of the DPA applies the Act to a data controller only if:

    (a) it is established in the UK and is processing data in the context of that establishment; or

    (b) it is not established in the UK or in an EEA state but is using equipment in the UK for processing data that is not merely for the purposes of transit through the UK. In this case, the data controller must nominate for the purposes of the DPA a representative established in the UK.

    "Purposes" and "manner"

    The Commissioner's view is that the determination of the purposes for which personal data are to be processed is paramount in deciding whether or not a person is a data controller, and that when a person determines the "purposes" for which personal data are to be processed, a decision as to the "manner" in which those data are to be processed is often inherent in that decision. Such determination need not be exclusive to one data controller but may be shared with others jointly or in common. "Jointly" covers the situation where the determination is exercised by acting equally. "Determination in common" is where data controllers share a pool of personal data, each processing independently of the other.

    Data processor

    In relation to personal data, this is the legal person who processes data on behalf of the data controller. It can be an agency or contractor but not an employee of the data controller. The DPA introduces specific obligations upon data controllers when the processing of personal data is carried out on their behalf by data processors. In effect, the data controller retains full responsibility for the actions of the data processor.

    Recipient

    In relation to personal data, a recipient means any person to whom data are disclosed, including employees or agents of the data controller, and a data processor and its employees or agents. It excludes any person to whom disclosure may be made because of a particular inquiry made by them or on their behalf in the exercise of any power conferred by law. Such persons are not included in the class of recipients of whom a data subject is entitled to be given a description in accordance with s.7(1)(b)(iii) of the DPA (see "Rights of Data Subjects" in part 2 of this series of guidance notes).

    Third party

    In relation to personal data, this means any person other than the data subject, data controller, data processor or other person authorised to process data for the data controller or processor. It excludes employees or agents of the data controller or data processor.

    The Data Protection Principles

    The eight Data Protection Principles form the backbone of the DPA and are, effectively, an enforceable Code of Practice as to how any personal data, including sensitive personal data, are to be treated. They are set out in Part I of Schedule 1 to the DPA, with the rules for their interpretation in Part II of Schedule 1. Schedule 2 provides conditions for the processing of any personal data relevant for the purposes of the First Principle, and Schedule 3 provides conditions for the processing of "sensitive personal data" relevant for the purposes of the First Principle over and above those contained in Schedule 2. Additional Schedule 3 conditions have been provided in the Sensitive Data Order. Schedule 4 consists of cases where the Eighth Principle (prohibiting the transfer of personal data outside the EEA) does not apply.

    Section 4(4) of the DPA imposes a duty on all data controllers to comply with the data protection principles in relation to all personal data which they control, unless they are able to claim an exemption from any of them (whether on a transitional or outright basis). The duty to comply is irrespective of whether the data controller is required to notify and whether or not it has actually notified.

  • First Principle: Personal data must be processed fairly and lawfully

    As a general requirement, data controllers must process personal data fairly and lawfully. In addition, and as a requisite of fair and lawful processing, data controllers must not process personal data at all unless at least one of the Schedule 2 conditions is met and, in the case of the processing of sensitive personal data, at least one of the Schedule 3 conditions is also met.

    (1) Fair and lawful processing of personal data

    The Schedule 2 conditions are that:

    (a) The data subject consents to the processing.

    "Consent" is not defined in the DPA, but the following points can be made about it from the Data Protection Directive and from the Commissioner's Legal Guidance.

    The Directive defines it as: "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed" (article 2(h)). Article 7(a) refers to the consent being given "unambiguously".

    The Commissioner's view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedules 2 and 3 first before relying on the data subject's consent.

    The Commissioner takes "signifies" to mean that there must be some active communication, whether written or otherwise, between the parties. Where a data subject does not so signify agreement, but is given an opportunity to object to the processing, this does not amount to consent, but may provide the basis upon which the data controller may rely on another Schedule 2 condition, such as the "legitimate interests" condition, provided in this case that the data subject is given the right to object before the data are obtained.

    Consent cannot be inferred from the data subject's failure to respond to a communication from the data controller. It cannot be obtained under duress or on the basis of misleading information. It must be appropriate to the particular circumstances. It should, for example, cover the circumstances in which processing is intended to continue after the end of the relationship between the parties.

    Note also that consent, once given, does not necessarily endure forever. While in most cases it will endure for as long as the processing to which it relates continues, depending upon the nature of the consent given and the circumstances of the processing, the individual may be able to withdraw consent.

    (b) Processing is necessary either for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract.

    (c) Processing is necessary to comply with a legal obligation (other than contractual) to which the data controller is subject.

    (d) Processing is necessary in order to protect the vital interests of the data subject.

    The Commissioner considers that this condition may be relied upon only where the processing is necessary for matters of life and death, for example, the disclosure of a data subject's medical history to a hospital casualty department treating the data subject after a serious road accident.

    (e) Processing is necessary for various listed purposes relating to the administration of justice, statutory or official requirements or public duties.

    (f) Processing is necessary for the purposes of the data controller's legitimate interests (or for those of the third party or parties to whom the data is disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject).

    The Directive makes clear that "legitimate interests" includes the "ordinary business activities of companies and other bodies" (recital 30).

    The Commissioner takes a wide view of the "legitimate interests" condition and recommends that two tests be applied to establish whether this condition may be appropriate in any particular case. Firstly, the legitimacy of the interests pursued by the data controller or the third party to whom the data are to be disclosed must be established. Secondly, it must be established whether the processing is unwarranted in any particular case in that it will prejudice the rights and freedoms or legitimate interests of the data subject, whose interests are to be taken to override those of the data controller.

    The fact that the processing of the personal data may prejudice a particular data subject does not necessarily render the whole processing operation prejudicial to all the data subjects.

    The secretary of state may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied, but as yet has not done so.

    (2) Fair and lawful processing of sensitive personal data

    The conditions for the fair and lawful processing of sensitive personal data under Schedule 3 of the Act are that at least one of the above conditions for processing personal data is met in addition to at least one of the following conditions:

    (a) The data subject has given explicit consent to the processing.

    Explicit consent suggests that the consent of the data subject should be absolutely clear. The Commissioner states that, in appropriate cases, it should cover the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purposes of the processing and any special aspects of the processing which may affect the individual, for example, disclosures which may be made of the data.

    (b) The processing is necessary for the purposes of exercising or performing any right or obligation that is conferred or imposed by law on the data controller in connection with employment.

    The secretary of state may by order specify cases where this condition is either excluded altogether or only satisfied on complying with further conditions, but as yet no such order has been made.

    (c) Processing is necessary to protect the vital interests of the data subject or another person in a case where either consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject. Processing is necessary to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld.

    (d) Processing is carried out in the course of the legitimate activities of political, philosophical or religious organisations or of trade unions and their members in the following circumstances: (i) the relevant body is not established or conducted for profit; (ii) processing is carried out with appropriate safeguards for the rights and freedoms of data subjects; (iii) processing relates only to individuals who are members of, or have regular contact with, the body or its purposes; and (iv) does not involve disclosing personal data to a third party without the consent of the data subject.

    (e) The information contained in the personal data has been made public as a result of deliberate steps taken by the data subject.

    (f) The processing is necessary for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings). The processing is necessary for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

    The Commissioner's view is that processing for the purposes of establishing, exercising or defending legal rights is of limited scope and so data controllers should adopt a narrow interpretation and rely upon another Schedule 3 condition if in doubt as to its application. In particular, it should not be used to construct a legal right where none exists.

    (g) The processing is necessary for the administration of justice, for the exercise of any functions conferred by or under any enactment, or for the exercise of any functions of the Crown, a minister of the Crown or a government department.

    The secretary of state may by order specify cases where the condition is either excluded altogether or only satisfied if further specified conditions are met. No order to this effect has been made to date.

    (h) The processing is necessary for medical purposes (including preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services) and is undertaken by a health professional or a person who owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

    (i) The processing is of sensitive personal data consisting of information as to racial or ethnic origin, and is necessary for the purpose of identifying or keeping under review the existence or absence of equal opportunities or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained. And the processing is carried out with appropriate safeguards for the rights and freedoms of data subjects.

    The secretary of state may specify by order the circumstances in which such processing is, or is not, to be taken as carried out with appropriate safeguards for the rights and freedoms of data subjects. No order to this effect has been made to date.

    (j) The personal data are processed in circumstances specified by order made by the secretary of state. Currently, the only order made to this effect is the Sensitive Data Order. This makes detailed provisions for further types of processing set out in the box below.

    The Commissioner states that where data controllers appear to experience difficulty in meeting a Schedule 3 condition, she will, in considering whether to take enforcement action, look carefully at the processing and take into account any damage or distress caused to the data subject as a result of that processing. She advises that data controllers who experience genuine difficulty in satisfying a Schedule 3 condition should make representations to the Lord Chancellor's Department so that such processing may form the basis of a further order by the secretary of state.

    (3) The general requirement of "lawfulness"

    The DPA provides no guidance on the meaning of "lawful". However, its natural meaning, as "something which is contrary to some law or enactment or is done without lawful justification or excuse" (R v R [1991] 4 All ER 481) applies it to breaches of both statute and common law, criminal or civil law. The Commissioner gives examples of information unlawfully obtained, including information obtained as a result of a breach of confidence, in breach of an enforceable contractual agreement or in breach of the HRA.

    (4) The general requirement that processing must be "fair"

    Processing of data must also be fair. Paragraphs 1 to 4 of Part II of Schedule 1 to the DPA set out the "fair processing requirements". They provide that, in deciding whether or not processing is fair:

    (a) The way in which personal data are obtained including, in particular, whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed, will be considered.

    The Commissioner's view is that such deception or misleading may also affect the validity of any consent given by the data subject, and this may then remove the basis for processing being relied upon by the data controller.

    (b) Data or information obtained from a person who is authorised by or under any enactment to supply it, or who is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the UK, is to be treated as obtained fairly.

    Where a data subject is authorised or required to supply information by virtue of any enactment, the data controller still has to comply with the requirements of the point below unless it can legitimately claim exemption from compliance with them.

    (c) Data obtained from a data subject is not to be treated as processed fairly unless the data controller has ensured that the data subject has, is provided with, or has readily available to him or her at the time that the data are obtained, the following information, known as the "fair processing information":

  • the identity of the data controller;

  • if relevant, the identity of the data controller's representative;

  • the purpose or purposes for which the data are intended to be processed; and

  • any further necessary information to enable processing in respect of that data subject to be fair, having regard to the specific circumstances in which the data are, or are to be, processed.

    Data controllers should consider, in respect of this further information, the following:

  • What processing of personal data they will be carrying out once the data has been obtained;

  • Whether or not data subjects are likely to understand the purposes for which their personal data are going to be processed; the likely consequences of such processing so that they can make a judgement as to the nature and extent of it; and, whether particular disclosures can reasonably be envisaged.

    Generally, the more unforeseen the consequences of processing, the more likely it is that the data controller will be expected to provide further information. This affects consent because in order to give "informed" consent within the meaning of the Directive's definition of the term, data subjects themselves must be fully aware of the ways in which their personal data may be processed. Personal information will not be fairly obtained unless, before it is obtained, the individual is informed of the non-obvious purpose or purposes for which it is required.

    (d) In any other case (where the data is obtained from someone other than the data subject), the data controller must ensure so far as practicable that before "the relevant time", or as soon as possible after that, the data subject has, is provided with, or has made readily available to him or her, the information specified in point (c) above.

    "The relevant time" means:

  • the time when the data controller first processes the data; or

  • the time when data are first disclosed in the case where disclosure to a third party is envisaged within a reasonable period; or

  • the time when the data controller becomes aware or ought to become aware that the data are unlikely to be disclosed within the reasonable period in the point above; or

  • in any other case, the end of that period.

    This means that when personal data is obtained from sources other than the data subject, it cannot simply be held onto indefinitely by the data controller without doing more. Within a reasonable period of time, the data controller must inform the data subject in accordance with the fair processing requirements unless either an exception applies or the data are received from another data controller who provided the data subject with all that information before passing the data on.

    (e) Exceptions: The "in any other case" provisions in point (d) above do not apply, and the data controller need not comply with them, where either of the following conditions is met (together with such further conditions as may be prescribed by the secretary of state):

  • the provision of that information would involve a disproportionate effort; or

  • the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller, is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

    The existence of an exception does not absolve the data controller from the overriding duty to process personal data fairly.

    In respect of point (e), the secretary of state has prescribed such further conditions in the Data Protection (Conditions Under Paragraph 3 of Part II of Schedule 1) Order 2000 (SI No.185). It provides that any data controller relying on any of the exceptions above in order to disapply the requirement to provide the fair processing information must still provide this information to any individual who requests it.

    Disproportionate effort: A data controller relying on this exception must keep a record of the reasons why it believes that disapplication of the fair processing requirements is necessary. What amounts to "disproportionate effort" is not defined in the DPA and will be a question of fact to be determined in each particular case. The following considerations will be applied by the Commissioner:

  • Data controllers are not generally exempt from providing the fair processing information because they have not obtained data directly from the data subject.

  • The Commissioner will take into account the nature of the data, the length of time and the cost involved to the data controller in providing the information. The expenditure of a substantial amount of effort and/or cost does not mean that the "disproportionate effort" ground is made out. In certain circumstances, the Commissioner may well take the view that a quite considerable effort can reasonably be expected.

    (f) Personal data which contain "a general identifier" falling within a description prescribed by the secretary of state by order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description. A general identifier means any identifier such as a number or code used for identification purposes which relates to an individual, and forms part of a set of similar identifiers which is of general application. No order has been made to date to this effect.

    Note

    The Commissioner's view is that compliance with the fair processing requirements will not of itself ensure fair processing and that, in assessing fairness, the first and paramount consideration must be given to the following:

  • The consequences of the processing to the interests of the data subject.

  • The purposes and nature of the processing.

  • Personal data that is, in general, and on most occasions, obtained and processed fairly and lawfully, but then obtained unfairly in relation to one individual, will contravene the First Principle.

  • Automated processing can be unfair either where the program itself is operating correctly, but results in the unfair use of data, or where the program is of poor quality and contains errors which mean that it does not operate as the data controller intended.

    (5) The requirement that processing must be "necessary"

    The majority of the Schedule 2 and 3 conditions stipulate that the processing must be "necessary" for the purpose set out in the particular condition. This means that data controllers must consider objectively whether:

  • the purposes for which the data are being processed are valid;

  • such purposes can only be achieved by the processing of personal data; and

  • the processing is proportionate to the aim pursued.

  • Second Principle: Personal data must be obtained only for one or more specified and lawful purposes, and must not be processed in any manner incompatible with that or those purposes

    Under Part II of Schedule 1 to the DPA, a data controller may specify the purpose or purposes for which personal data are obtained, in particular, in one of two ways:

    (a) In a notice to the data subject in accordance with the fair processing requirements; or

    (b) In a notification given to the Commissioner under the DPA's notification provisions and The Data Protection (Notification and Notification Fees) Regulations 2000 (SI No.188) ("the Notification Regulations").

    "In particular"

    The reference to these methods of specification "in particular" implies that other methods of specification may be possible.

    Compatibility

    The Commissioner's view is that the removal of the link between compatibility and notification (as existed under the 1984 Act) means that notification to her alone of the purpose(s) for which personal data are processed will not establish compliance with the Second Principle, that is, that the data is not being processed in a manner incompatible with the purpose(s) for which it was obtained. The Commissioner takes a strict view of what amounts to compatibility and, in deciding its existence, will give consideration also to the purpose(s) for which the personal data are intended to be processed by any person to whom they are disclosed. Such decisions cannot be made retrospectively by data controllers once the data are obtained. It will also be material to this consideration whether or not data subjects were deceived or misled as to those purposes.

  • Third Principle: Personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed

    In considering the Third Principle, data controllers should:

    (a) Bear in mind the wide definition given to processing; and

    (b) Seek to identify the minimum amount of information required to fulfil their purpose.

    This will be a question of fact in each case. Where it is deemed necessary to hold additional information about certain individuals, this should be collected and recorded only in those cases. Holding information on all individuals which will be used or useful only in relation to some of them is likely to be excessive and irrelevant in relation to those other individuals. Information cannot be held on the basis that it might possibly be useful in the future without a view as to how it will be used. However, information may be held where there is a particular foreseeable contingency, although it may never occur. For example, an employer may hold details of blood groups of employees engaged in hazardous occupations.

    (c) Continually monitor compliance with this Principle, bearing in mind its obvious links with the Fourth and Fifth Principles.

    Changed circumstances, or failing to keep information up to date, may render inadequate information that was originally adequate. Data that are kept for longer than necessary may also be rendered both irrelevant and excessive.

    (d) In most cases, excessiveness and irrelevance may be remedied by erasure of the excessive or irrelevant information, and inadequacy may be remedied by the addition of more information to particular items of personal data.

    (e) The data controller should consider for all data: the number of individuals on whom information is held; the number of individuals for whom it is used; the nature of the personal data; the length of time it is held; the way it was obtained; the possible consequences for individuals of the holding or erasure of the data; the way in which it is used; and the purpose for which it is held.

  • Fourth Principle: Personal data must be accurate and, where necessary, kept up to date

    Accuracy

    Inaccurate data is data that is incorrect or misleading as to any matter of fact. The DPA states that the requirements as to accuracy are not contravened if: the data accurately record information obtained by the data controller from the data subject or a third party in a case where (i) the data controller took reasonable steps to ensure the accuracy of the data; and (ii) if the data subject has notified the data controller of his or her view that the data is inaccurate, the data indicate this fact.

    This means that the data controller must go beyond being able to say that the information was obtained from either a data subject or third party, and do all that it reasonably could have done itself to ensure accuracy, marking the data with any objections. The extent to which such steps are necessary will be a matter of fact in each individual case, and will depend upon the nature of the data and the consequences of the inaccuracy for the data subject.

    Up to date

    Updating is required only "where necessary" and relevant to this will be the purpose for which data are held or used. For example, updating would be inappropriate for data kept for historical record purposes only. The following factors need to be considered:

  • Is there a record of when the data were recorded or last updated?

  • Are all those involved with the data, including people to whom they are disclosed as well as employees of the data controller, aware that the data do not necessarily reflect the current position?

  • Are steps taken to update the personal data, for example, by checking back at intervals with the original source or with the data subject? If so, how effective are these steps?

  • Is the fact that the personal data are out of date likely to cause damage or distress to the data subject?

    Note

    The right of a data subject to request that personal data be rectified, blocked, erased or destroyed (s.14 of the DPA) applies whether or not data accurately record information received or obtained by the data controller from the data subject or a third party.

  • Fifth Principle: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

    Compliance with this Principle involves the regular review of personal data and the deletion of information that is no longer required for the data controller's purposes. Data recorded because of the existence of a relationship between the data controller and the data subject may not need to be kept after the relationship ceases to exist. However, the termination of an employment relationship does not mean that all personal data should be deleted. An employer might wish to retain some information for the purpose of providing employment references, in respect of the employee's pension arrangements, or to be able to defend future legal claims. Personal data should be deleted in the latter circumstances when the possibility of a claim arising no longer exists, for example, if the relevant statutory time limit for making a claim has expired.

    Note

    The CCTV Code of Practice contains guidance on the retention periods for recorded material. This Code is issued by the Commissioner under the DPA and is intended to provide guidance as to good practice for users of CCTV (closed circuit television) and similar surveillance equipment.

  • Sixth Principle: Personal data must be processed in accordance with the rights of data subjects under the DPA

    This Principle is contravened, if, but only if, a data controller fails:

    (a) to supply information pursuant to a subject access request under s.7 of the DPA; or

    (b) to comply with notices given by the data subject in exercise of the right to prevent processing likely to cause damage or distress or rights in relation to automatic decision-taking (ss.10 and 12 of the DPA); or

    (c) to comply with a notice given by the data subject in exercise of the right to require the data controller to rectify, block, erase or destroy exempt manual data which are inaccurate or incomplete, or to cease holding such data in a way incompatible with the legitimate purposes pursued by the data controller (s.12A of the DPA) only during the transitional period up to and including 23 October 2007.

    (Data subjects' rights under the DPA will be covered in part 2 of this guidance note.)

  • Seventh Principle: Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

    The DPA states that, in deciding whether or not security measures are "appropriate", firstly, account must be taken of the state of technological development at any time and the cost of implementing any measures. The measures taken must themselves ensure a level of security appropriate to (i) the harm that might result from a breach of security and (ii) the nature of the data to be protected. Secondly, the data controller must take reasonable steps to ensure that staff with access to personal data are reliable.

    The Directive states that these security measures must be taken "both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing".

    There is therefore no standard set of security measures required for compliance with this Principle. The Commissioner takes the view that what is appropriate will depend on the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend on the nature of the data. The data controller must therefore adopt a risk-based approach to determining what measures are appropriate. In this respect, the Directive goes on to say that the level of security must be appropriate to the risks presented by the processing. Moreover, management and organisational measures will be as important as technical ones.

  • Eighth Principle: Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data

    An "adequate" level of protection is one which is adequate in all the circumstances of the case, having regard in particular to:

  • the nature of the personal data;

  • the country or territory of origin of the information contained in the data;

  • the country or territory of final destination of that information;

  • the purposes for which and period during which the data are intended to be processed;

  • the law in force in the country or territory in question;

  • the international obligations of that country or territory;

  • any relevant codes of conduct or other rules enforceable in that country or territory; and

  • any security measures taken in respect of the data in that country or territory.

    This is not an exhaustive list.

    Schedule 4 excludes the application of the Eighth Principle to a transfer in circumstances where:

  • The data subject consents to the transfer.

  • The transfer is necessary: (a) for the performance of a contract between the data subject and the data controller; or (b) for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller.

  • The transfer is necessary: (a) for the conclusion of a contract between the data controller and a person other than the data subject which is entered into at the request of the data subject, or is in the interests of the data subject; or (b) for the performance of such a contract.

  • The transfer is necessary for reasons of substantial public interest.

    The secretary of state may specify by order the circumstances in which a transfer is to be taken to be necessary for reasons of substantial public interest, but no order has as yet been made.

  • The transfer is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); obtaining legal advice; or establishing, exercising or defending legal rights.

  • The transfer is necessary in order to protect the data subject's vital interests.

  • The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are, or may be, disclosed after the transfer.

  • The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects. It is not the practice of the Commissioner to consider or approve individual draft contracts submitted to her.

  • The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

    (The Eighth Data Protection Principle will be the subject of a further guidance note in this series.)

    References

    1 The Data Protection Act 1998: Legal Guidance, available from the Information Commissioner's Office or from the website www.informationcommissioner.gov.uk.

    2 The Employment Practices Data Protection Code Part 1: Recruitment and Selection, ibid.


    Data Protection 1: main points to note

  • Since 23 October 2001, when the first transitional period under the DPA came to an end, full compliance is required, meaning that employers have to bring their policies and procedures in line with its provisions.

  • The DPA can now be interpreted further in the light of Legal Guidance and a Code of Practice issued by the Information Commissioner, as well as a number of statutory instruments made by order of the secretary of state.

  • The DPA regulates the processing of information relating to individuals by providing them with certain rights in respect of data held on them, and by providing the Commissioner with certain procedures and enforcement powers to ensure compliance with its provisions and to prevent breaches of the law by data controllers.

  • The DPA imposes an obligation on data controllers to process personal data only in accordance with the Data Protection Principles.

  • "Processing" is defined in the DPA in the broadest possible terms and covers every conceivable action that can be undertaken in relation to data.

  • In the workplace, data protection is concerned with data that employers might collect and keep on "workers". Also defined in the broadest possible terms under the Code, this term covers job applicants, employees and other atypical workers.


    Data covered by the Code

    Most information processed by an employer (the data controller) about a worker (the data subject) will fall within the scope of the DPA and hence the Code.


    The scope of data protection in the workplace

    In the workplace, data protection is concerned with data that employers might collect and keep on any "worker". As defined in the Code, the term "worker" covers any individual who might wish to work, who works, or who has worked for an employer. Broadly defined in this way, the term therefore includes: job applicants, whether successful or unsuccessful; former job applicants, whether successful or unsuccessful; employees, both current and former; agency workers, both current and former; casual workers, both current and former; and contract workers, both current and former. The Code also applies to some extent to volunteers and work experience placements in the workplace.


    Personal data in the workplace

    The following are personal data in the workplace covered by the DPA and the Code:

  • Details of a worker's salary and bank account held on an organisation's computer system or in a manual filing system.

  • Emails about incidents involving named workers.

  • A supervisor's notebook containing sections on several named individuals.

  • A supervisor's notebook containing information on only one individual but where there is an intention to put that information in the worker's file.

  • A set of completed application forms.

    The following data are unlikely to be covered by the Act or by the Code:

  • Information on the salary structure for the entire workforce by grade, where individuals are not named and are not identifiable.

  • A report on the comparative success of different recruitment campaigns where no details regarding individuals are held.

  • A report on the results of "exit interviews" where all responses are anonymised and where the results are impossible to trace back to individuals.

  • Manual files that contain some information about workers but are not stored in an organised way, such as a pile of papers left in a basement.


    Sensitive personal data in the workplace

    Workers' records at work might contain the following sensitive personal data:

  • Sickness records containing information about their physical or mental health.

  • A note of any disability, perhaps in order to bring about adaptations in the workplace.

  • A note of their racial origin, again, perhaps to ensure equal opportunities.

  • A note of their trade union membership in order to enable subscriptions to be deducted from payroll.

  • In recruitment and selection, sensitive personal data about job applicants' criminal records, disabilities, and racial origins might be processed.


    Processing data in the workplace

    Processing personal data in the workplace likewise encompasses the entire range of activities that data about a worker can be subjected to, from the initial obtaining of the data, through their keeping and use, and accessing and disclosing them, through to their retention or final destruction.


    The Sensitive Data Order

    The conditions for the fair and lawful processing of sensitive personal data are that at least one of the Schedule 2 conditions for processing personal data is met in addition to at least one of the Schedule 3 conditions. One of the Schedule 3 conditions is that sensitive personal data are processed in circumstances specified by order made by the secretary of state. This Order is the Sensitive Data Order. It makes detailed provisions for further types of processing set out below.

  • Processing that is in the substantial public interest and is necessary for the prevention or detection of any unlawful act, and that must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes.

  • Processing that is in the substantial public interest and is necessary for the discharge of any function which is designed for protecting members of the public against:

    (i) dishonesty, malpractice, or other seriously improper conduct by any person; or

    (ii) the unfitness or incompetence of any person; or

    (iii) mismanagement in the administration of, or failure in services provided by, any body or association;

    and that must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function.

  • The disclosure of personal data that is in the public interest and is in connection with any of the following:

    (i) the commission by any person of an unlawful act (whether alleged or established);

    (ii) dishonesty, malpractice, or other seriously improper conduct by any person (whether alleged or established);

    (iii) the unfitness or incompetence of any person (whether alleged or established);

    (iv) mismanagement in the administration of, or failures in the services provided by any body or association (whether alleged or established); or

    (v) The disclosure is for "special purposes", namely journalism, artistic and literary purposes; and is made with a view to publishing those data by any person, and the data controller reasonably believes that such publication would be in the public interest.

  • Processing that is in the substantial public interest and is necessary for the discharge of any function designed to provide confidential counselling, advice, support or any other service, and that is carried out without the data subject's explicit consent because:

    (i) the processing is necessary in a case where consent cannot be given by the data subject; or

    (ii) where the data controller cannot reasonably be expected to obtain the explicit consent; or

    (iii) must necessarily be carried out without such explicit consent so as not to prejudice the provision of that counselling, support, advice or other service.

  • Processing that is necessary for determining eligibility for, and benefits payable under, an occupational pension scheme.

  • Processing is of sensitive personal data that are subject to "processing already under way" immediately before 1 March 2000; and is necessary for establishing or administering an occupational pension scheme.

  • Processing is of sensitive personal data consisting of information as to religious or other similar beliefs, or physical or mental health or condition, and is necessary for identifying or keeping under review the existence or absence of equal opportunities or treatment between persons with a view to enabling such equality to be promoted or maintained. Such processing does not support measures or decisions relating to a data subject otherwise than with his or her explicit consent; and does not cause, nor is likely to cause, substantial damage or distress to the data subject or any other person.

    The data subject has the right to prevent such processing by notice in writing to the data controller.

  • Processing is of personal data consisting of information as to the data subject's political opinions that is carried out by certain people or political organisations where it does not cause nor is likely to cause substantial damage or substantial distress to the data subject or any other person.

    Again, the data subject can prevent such processing by notice in writing to the data controller.