Out-Law Guide | 30 Mar 2005 | 3:19 pm | 8 min. read
Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to whom it related. These rules and rights were revised and superseded by the Data Protection Act 1998, which came into force on 1st March 2000. This Guide explains what you should know about data protection under the Data Protection Act 1998 ('the Act').
Data protection law applies whenever a data controller processes personal data. These words are given special meanings by the Act.
A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. In other words, you will be a data controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a data controller is an employer.
Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Act as 'data subjects'.
The Act applies when personal data is processed or is to be processed by a computer, or is recorded or to be recorded in a structured manual filing system. There are other types of system covered by the Act, but these are the most common.
Whether or not manual files are covered by the Act is not always an easy question to answer. To be covered:
The term 'processing' covers virtually any use which can be made of personal data, from collecting the data, storing it and using it to destroying it.
In order to comply with the Act, a data controller must comply with the following eight principles:
Under the first data protection principle, a data controller must justify its processing of personal data under one of the following conditions:
The data controller must also register with the Information Commissioner ('the Commissioner').
Where the data controller intends to process sensitive personal data, there are further conditions. Sensitive personal data consists of information relating to the racial or ethnic origin of a data subject, his political opinions, religious beliefs, trade union membership, sexual life, physical or mental health or condition, or criminal offences or record. Of these further conditions, the most useful to most businesses will be:
If none of the conditions can be met, processing cannot legally continue.
Data subjects must be given information about the purposes of the processing. This information is generally provided in the form of a data protection notice, which can be given in application forms, terms and conditions, by telephone or on a website. The information to be set out in a data protection notice must include a description of:
By using an appropriately worded data protection notice, an online business can ensure that there is consent from visitors to its web site to allow the business to build a valuable contacts database and market its services to the visitors.
Data controllers must put in place adequate technical and organisational measures to safeguard personal data which they are processing from destruction, accidental loss, unauthorised access or disclosure. This would include, for example, using a secure server when payments are made online.
Furthermore, all data controllers must put in place processing contracts with their 'data processors'. A data processor is a third party appointed by the data controller to process personal data on its behalf, although it will still be the data controller who ultimately decides what happens to the data. These processing contracts must be in writing and must set out what the data processor may or may not do with the personal data, including what security measures should be taken to safeguard the data. Data controllers should reserve for themselves the right to audit data processors to ensure compliance with the contract.
To give a practical example, if a website collects e-mail addresses, this could constitute personal data – so the data controller not only has to register with the Commissioner but must also ensure that security is put in place to guard against hacking. If the website is actually hosted by a third party on behalf of the data controller, then the data controller will have to contractually oblige that third party to put the relevant security in place. Of course, the data controller will also have to comply with the other principles.
If personal data is disclosed or made available to a person overseas, that is considered a transfer for the purposes of the eighth data protection principle above. In the context of the internet, if the information is placed on a website without specific consent from the individual, this may be in breach of the Act since the data can be accessed in countries with less stringent data protection laws.
Data controllers must give the following rights to data subjects:
The most important of these rights is the right to access personal data. An individual may request access to all personal data of which he or she is the subject and which is being processed by the data controller. The data controller may require the data subject to pay a maximum fee of £10, to make the request in writing and to provide enough information to identify and verify the identity of the data subject making the request. There are exemptions from these access rules in certain limited circumstances.
Another right which will be of importance to any organisation which markets to individuals is the right given to data subjects to object to direct marketing. There are no exemptions to this right.
Compliance should not be taken lightly as the new Act has more teeth than its predecessor, the Data Protection Act 1984. The Commissioner has been given extensive powers of enforcement which rival those of the VAT man. Data controllers could, for example, find these new powers used against them by disgruntled employees or customers, who contact the Commissioner to complain that there has been a breach of the rules.
The Commissioner can now serve a data controller with an 'information notice' requiring the data controller to provide certain information within set time limits. Failure to comply with such notice, or providing deliberately false information, is a criminal offence. If the Commissioner concludes that there has been a breach of the Act, she may then serve a data controller with an 'enforcement notice'. This could force a data controller to cease processing personal data, or cease processing data in a particular way. Failure to comply with an enforcement notice is a criminal offence.
Criminal liability does not lie just with the data controller. It is possible for officers of a company, such as its directors or managers, to be personally criminally liable if the offence has been committed with their consent, connivance or neglect. Employees may also incur criminal liability in certain limited circumstances if they disclose or obtain personal data without the authority of the data controller.
Although the commission of a criminal offence under the Act will not result in a prison sentence, it will result in fines which, depending on the circumstances, may be of an unlimited amount. In addition the introduction of custodial sentences under the Act is being considered by Parliament. It is also increasingly the case that industry regulators are looking at matters of data security which are similar to those addressed by the Act.
However, the fines are unlikely to be the reason why most data controllers will want to comply. Few data controllers will be able to continue with business as usual if they are prevented from processing personal data as a result of an enforcement notice and no data controller will want the bad publicity which is attached to the unfair processing of personal data.
The increasing use of information technology and the internet ensures that data protection remains one of the most important and relevant laws that online businesses are required to comply with. The internet is all about the transfer of information. Not only is the internet used to disseminate information, but also to collect it. Organisations must look now at how they collect, store and use personal data and ask themselves whether they comply with the Act. This may involve amending employment and marketing practices in addition to internal training.