Data Protection The Current Regime


Data Protection: The Current Regime
Crispin Dick – September 2017

Data Protection Act 1998 – Terminology
- DATA CONTROLLER: determines the purposes and manner of processing (there may be more than one). Example: WIDGETS LTD.
- DATA: information held on a computer or in a relevant filing system.
- PERSONAL DATA: data that relates to an identifiable individual. Example: Name: Joe Bloggs; Employee No: 12345; Age: 30; Telephone No: 020 8888 888.
- DATA SUBJECT: the individual to whom the personal data relates. Example: Joe Bloggs.
- DATA PROCESSOR: processes personal data on behalf of a data controller. Example: PAYROLLS R US.
- SENSITIVE PERSONAL DATA: data on ethnicity, religion, union membership, health, sex life or criminal record. Example: Ethnic Origin: Aboriginal; Union Membership: Yes; Health Notes: Diabetic.
- PROCESSING: anything you can do with data!

DPA 1998 – the 8 principles (in summary)
Personal data must be:
1. Processed fairly and lawfully, and only if one or more specified conditions are met.
2. Processed for limited purposes and not in any manner incompatible with those purposes.
3. Adequate, relevant and not excessive.
4. Accurate.
5. Not kept for longer than is necessary.
6. Processed in line with data subjects' rights under the Act.
7. Secure.
8. Not transferred to countries that do not protect personal data adequately.

DPA 1998 – 1st principle
Personal data shall be processed fairly and lawfully. This means the data controller must:
- Provide fair processing information to the data subject:
  - the identity of the data controller (and any representative);
  - the purposes for which the data is to be processed;
  - any other information required to make the processing fair.
- Meet one of the conditions in Schedule 2 of the Act.
- Meet one of the conditions in Schedule 3 of the Act, if the data is sensitive personal data.

DPA 1998 – Schedule 2 conditions (in summary)
Processing of all personal data must satisfy at least one of the Schedule 2 conditions, namely:
- The consent of the data subject has been obtained.
- The processing is necessary:
  - for the performance of a contract to which the data subject is a party;
  - for compliance with any legal obligation (non-contractual) on the data controller;
  - in order to protect the vital interests of the data subject;
  - for the administration of justice or public functions; or
  - to pursue a legitimate interest of the data controller, as long as data subjects are not unduly prejudiced.

DPA 1998 – Schedule 3 conditions (in summary)
Processing of sensitive personal data must also satisfy at least one of the Schedule 3 conditions, namely:
- The explicit consent of the data subject has been obtained.
- Necessary to perform a legal obligation in connection with employment.
- Necessary to protect the vital interests of the data subject or another person.
- For the legitimate activities of a political, religious or trade union body relating to a member.
- The personal data has been made deliberately public by the data subject.
- Necessary for legal proceedings.
- Necessary for the administration of justice or public functions.
- Necessary for medical purposes and carried out by a health professional.
- Necessary to review equality of opportunity.
- Circumstances specified by the Secretary of State.

Data Exports – 8th principle
Data must not be transferred outside the EEA unless there is an adequate level of protection. Consider:
- Cloud-based services – where will the processing take place?
- Do any of the exemptions in the Act apply?
- Has the country been confirmed as adequate by the European Commission?
- EU / US Privacy Shield
- Model contract clauses
- Corporate Binding Rules

Privacy and Electronic Communications Regulations ("PECR")
- Applies to direct marketing by automated phone call, email, text, fax and other forms of electronic mail.
- Requires consent (knowingly and freely given, clear and specific).
- Does not apply to:
  - the soft opt-in for similar goods and services;
  - messages sent to business email addresses;
  - postal mail or live voice calls (but note the regulator's view on voice calls and the need to check the TPS).
- PECR is likely to be replaced with a new EU regulation, but the timetable is not yet confirmed.

When does processing take place?
Examples of initial processing at the point of collection:
- a one-off donation or an ongoing donation;
- participation in an event or campaign;
- signing up to receive a newsletter; or
- volunteering / employment.
Examples of subsequent processing:
- storing personal data in a database;
- requests to increase regular donations;
- campaign requests;
- details of fundraising events;
- invitations to subscribe to a newsletter;
- sharing with a third-party fundraiser; or
- sharing with other charities.

How to ensure compliance?
Point of collection:
- Provide fair processing information, for example in terms and conditions, privacy policies and telephone scripts.
- Obtain consent, or satisfy yourself that one of the other conditions necessary for processing applies.
Subsequent processing:
- Ensure data is only processed for the purposes for which it was collected.
- Check against the fair processing information that was provided.
- Comply with the other data protection principles, and refresh consents periodically.

How to ensure compliance (2)
- Appoint data processors in writing and impose security constraints.
- Ensure adequate protections exist before exporting data outside the EEA.
- Keep data up to date and accurate, and for no longer than necessary.
- Keep data secure.
- Maintain suppression lists for any supporters who have said they no longer wish to be contacted.
- Comply with subject access requests.
- Notification.

Enforcement
- Enforcement notices
- Information notices
- Data subject rights
- Monetary Penalty Notices
- Publicity

Crispin Dick, Partner
T: 023 8048 2107
E: crispin.dick@parissmith.co.uk