The law relating to data protection is designed to regulate organisations known as data controllers who collect and process information relating to living and identifiable individuals and to provide those individuals with rights in relation to such data. In the UK the position is currently governed by the Data Protection Act 1998 ("the Act"), which is designed to comply with a European Union Directive on Data Protection to harmonise the different data protection laws within different Member States.
Personal data are information about a living individual who can be identified from that information, either on its own or together with other information which is in, or is likely to come into, the data controller's possession. Such data can be as minimal as a name, address, e-mail address or even a phone number. Certain data (e.g. political opinions, religious beliefs, ethnic origin, health information, sexual life, criminal convictions or membership of a trade union) are classified as sensitive personal data. To process this type of data a data controller must have special reasons for doing so.
The Act applies whenever personal data are processed. Processing covers anything done to personal data, for example when it is used, disclosed, stored, collected, amended or deleted. Once personal data have been irretrievably deleted they can no longer be processed and the Act ceases to apply.
The Act applies both to data processed automatically by computers and to data processed manually, where the data are stored in a structured set by reference to an individual which enables specific information about that individual to be readily accessible.
The Data Protection Principles
For personal data to be lawfully processed in the UK, a data controller has to ensure that all processing activities with respect to personal data comply with the eight Data Protection Principles. The Principles comprise a broad code of good processing practice which balances the legitimate need for organisations to process personal data in order to deliver goods and services against the protection of the privacy of the individuals to whom such data relate.
Schedule 1 of the Act sets out eight Data Protection Principles which require personal data to be:
- processed fairly and lawfully, and to be processed only under certain specified conditions;
- processed only for specified lawful purposes and not processed in any way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purpose (or purposes) for which personal data are processed;
- accurate and where necessary kept up-to-date;
- processed no longer than is necessary for the purpose or purposes;
- processed in accordance with the rights of the data subject, e.g. so that a copy can be made available to the individual concerned;
- protected by appropriate technical and organisational measures; and
- not transferred to any country outside the European Economic Area unless that country ensures, in relation to the processing of personal data, an "adequate level of protection" for the rights and freedoms of data subjects acceptable to the EU.
Security and Data Processors
The seventh principle requires that all data controllers put in place appropriate technical and organisational measures to safeguard personal data against unauthorised or unlawful processing or accidental loss, destruction or damage. The interpretation section to this principle takes this requirement one step further by imposing upon all data controllers who use data processors certain additional obligations.
Data processors are defined in the Act as any person (other than an employee of the data controller) who processes personal data on behalf of the data controller. This is a very broad definition, made more so by the wide meaning of "processing", which covers every processing operation imaginable from collection to destruction. A data processor is, therefore, anyone who does anything with or to personal data. For example, IT consultants, statutory auditors, pension administrators, external payroll providers, mailing houses and even other companies within a group are all potentially data processors.
The Act requires that a contract in writing must be put in place between the data controller and each of his data processors. The contract must:
- require the data processor to comply with obligations equivalent to those of the seventh principle. In fact, a data controller must not use a data processor who is unable to provide sufficient guarantees in respect of the technical and organisational security measures it will take in respect of the processing;
- grant to the data controller the right to audit the data processor at any time (this will enable the data controller to ascertain whether the data processor is complying with its contractual obligations); and
- specify that the data processor is to act only on instructions from the data controller.
It also makes sound commercial sense to ensure the contract specifies that under no circumstances will the data processor gain any rights in the personal data. The contract should also describe what is to happen upon termination (e.g. the return or irretrievable destruction of the personal data, or its being held by the data processor subject to continuing obligations of confidentiality).
Many organisations have for many years transacted business with their data processors in such a way that the initial contract (if there ever was one) has long expired, and the parties conduct their business on the basis of a course of dealings. There is no doubt that this is a contract. However, the Act requires that contract to be in writing or at least evidenced in writing. Companies with group structures will also be affected and have to put in place inter-group processor contracts, for example where one company deals with payroll for all the others and another handles the company car scheme for the group's employees. According to the European Commission, inter-group transfers may now also take place on the basis of "binding corporate rules" subject to strict conditions.
Nothing in The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("the Regulations") replaces or changes the responsibilities of organisations under the Act. Organisations will therefore have to comply with both the Act and the Regulations.
Contact details held on individuals, whether in a private capacity or in a business capacity, are likely to be personal data under the Act. Organisations will therefore have to comply with the eight data protection principles. The first principle requires data to be processed fairly and lawfully, and a key requirement of this is that individuals are aware of who the data controller is, what their information is being used for and anything else necessary in the circumstances to make the processing fair. This information is provided in the data protection notice.
In a marketing context this means that communications should be clear as to who they are from and that, when contact details are collected, individuals should be told about the use for marketing purposes and generally how this will be done, for example by telephone, e-mail, SMS or fax.
Where a data controller uses a marketing company to carry out mailings on its behalf then the processor requirements of principle seven must be met.
In addition, the Act contains an absolute right for individuals to object to marketing at any time by notifying the data controller in writing.