ICT and the Law Lecture 10 ... Variations in interpretations - PowerPoint PPT Presentation

Slides: 18
Provided by: ace2159Gr

1
ICT and the Law Lecture 10
  • Data Protection Act
  • Kerry Clamp

2
Outline of lecture 10
  • Introduction to Data Protection
  • Difference between 84 and 98 DPAs
  • DPA terminology
  • Data controllers
  • Information Commissioner
  • Classes of exemptions
  • International Comparisons
  • Case study and quiz
  • Overview of DPA 98 (sourced from
    http://www.school-resources.co.uk/DataProtectionAct1998Quiz.htm)

3
DPA 98 Significant history and influences
  • Minor exceptions, e.g. breach of confidence, defamation
  • No right to privacy in UK law
  • Council of Europe Convention 1950 (Human Rights)
  • Council of Europe Convention 1981 (protection of
    personal data)
  • UK Data Protection Act 1984
  • Increased trend in promotion of rights of
    individuals and in transparency of processing
  • UK Data Protection Act 1998
  • EC Directive 1995 (protection of personal data)
  • UK Human Rights Act 2000
  • 24 S.I.s modifications to Data Protection Act
    1998, to date

4
DPA 1998 Motivating concerns
  • Increasing junk email / spam from computer
    mailing lists
  • Processing of personal data without subjects'
    knowledge
  • Electronic communication of personal data to
    other organizations
  • Messaged personal data, merged personal data
  • Personal data used as the basis of decision
    making (e.g. to calculate credit ratings)
  • Personal data used by the security services,
    especially the use of sensitive data

5
Comparison of DPA 84 and 98
  • Only applied to automatic processing of
    computer data
  • Based on set of DP principles, derived
    from EC model
  • Includes relevant manual/paper filing systems
  • Broader interpretation of processing
  • Relies on (almost) the same set of DP
    principles

6
DPA 1998 Terms
  • The 1998 Act is primarily concerned with
    three categories of persons:
  • Data Subject: This is the person that the data is
    being collected from or stored about.
  • Data User: This is any person who needs to access
    or use the data as part of their job. This could
    be a secretary who needs to look up your address
    so that they can send a letter home, or it could be
    a personnel officer who needs to know the medical
    history of an employee who regularly takes time
    off sick.
  • Data Controller: This is often the person in
    charge of the organisation, but it doesn't
    necessarily have to be. This person decides what
    data the organisation needs to collect and what
    it will be used for. This is the person who must
    apply for permission to collect and store data in
    the first place.

7
DPA 1998 Additional terminology
  • Data Commissioner: This is the person who
    enforces the Data Protection Act. This is the
    person that organisations need to apply to in
    order to gain permission to collect and store
    personal data.
  • Personal Data: Personal data covers both facts
    and opinions about a living individual. Facts
    would include name, address, date of birth,
    marital status or current bank balance. Results
    in examinations, details of driving offences,
    record of medications prescribed and financial
    credit rating are further examples of facts that
    could relate to an individual. Personal opinions
    such as political or religious views are also
    deemed to be personal data.
  • Sensitive Data: The Act mentions specific things
    which it deems to be sensitive or personal to an
    individual. If a company were to collect this
    data, it cannot be disclosed or told to anyone
    else:
    • racial or ethnic origin
    • membership of a trade union
    • criminal convictions or offences
    • political opinions
    • religious beliefs
    • mental or physical welfare
    • the commission or alleged commission by them of
      any offence

8
Duties on Data Controllers
  • Ensure processing is examined by
    Commissioner before it commences, if it is
    likely to pose risk to rights and freedom
  • Satisfy specific conditions when processing
    sensitive data, such as health, religious
    belief etc
  • Fulfil security obligations and contract
    with data processors (e.g. Computer bureau)
    to provide equivalent security arrangements

9
DPA 98 Role of Information Commissioner
  • Consultation and dissemination of information
    (e.g. Publishes guidelines)
  • Investigation (e.g. Findings into adequacy
    of protection in third countries)
  • Intervention
  • Enforcement (e.g. Serves information notices;
    has powers of entry and inspection)
  • Co-operation (e.g. With supervisory
    authorities throughout the EEA)
  • Reports to parliament annually

10
DPA 1998 8 Principles
  1. Personal data must be processed fairly and
     lawfully.
  2. Personal Data shall be obtained only for one or
     more specified and lawful purposes and shall not
     be further processed in any manner incompatible
     with that purpose or those purposes.
  3. Personal Data held must be adequate, relevant
     and not excessive in relation to the purpose or
     purposes for which they are processed.
  4. Personal Data shall be accurate and, where
     necessary, kept up to date.
  5. Personal Data should not be kept for longer than
     is necessary for the data controller's purpose.
  6. Personal Data shall be processed in accordance
     with the rights of data subjects under this Act.
  7. The data controller must ensure a level of
     security which is appropriate to the damage
     which would be caused by a breach of the security
     principle and the nature of the data to be
     protected.
  8. Personal Data must only be transferred from this
     jurisdiction to a jurisdiction with similar and
     adequate legal protection for those data.

11
DPA 98 some classes of exemption
  • S28 National security (all principles)
  • S29 Detection and prevention of crime;
    assessment and collection of taxes (first principle)
  • S30 Health, education and social work data
    where access would be likely to cause serious harm
  • S32 Journalism, literature and art where
    processing is with a view to publication and where
    information is in public interest (all principles
    except 7)
  • S33 Research, history and statistics where
    data not processed to support decisions on
    individuals and where damage/distress not likely
    to be caused to subjects
  • S36 Domestic purposes where data processed
    as part of family household affairs or recreation

12
DP law International comparisons
  • Some countries have inadequate laws (Japan
    and USA)
  • Variations in interpretations of data
  • Variations in media (e.g. Paper files and
    microfiche)
  • Prohibition on storage of some sensitive
    data (France and Luxembourg); no notion of
    sensitive data (Germany)
  • Exemptions for journalistic purposes
    (Germany); for data in public domain
    (France)

13
DP law International comparisons
  • Variations in subject rights
  • Data controller must inform data subjects
    (e.g. Germany, France, Netherlands, Denmark,
    Luxembourg)
  • No such obligation to inform (Britain,
    Ireland, Greece and Portugal)
  • Disclosure to 3rd party (OK in UK) (needs
    ministerial permission in Luxembourg)

14
Data Protection Act 1998 Case Study and Quiz
  • Case Study
    Mr. Singh, the newsagent, sells newspapers and
    magazines over the counter but also keeps customer
    lists for home delivery in a database on a
    standalone computer. Teenagers are employed to
    deliver orders early each morning and each
    evening. Details of the delivery staff are also
    stored in the database so that Mr. Singh can pay
    them and get in contact with them for queries or
    emergency deliveries. There is one full-time and 3
    part-time shop assistants. Because of the small
    number of employees, Mr. Singh uses a bureau for
    payroll. Invoices are sent out to customers at the
    end of each month. Mr. Singh accepts payment by
    cash, cheque, and credit or debit card.

15
Quiz
  • Mr. Singh needs to notify the Commissioner about
    some of his business data (true / false)
  • The only data that has to be notified is (stock
    records / employee records / employee and
    customer records)
  • The bureau that Mr. Singh uses for payroll can be
    described as a (data subject / data processor /
    security manager)
  • People who have the right of access to records
    about themselves are the (customers / the
    employees / the customers and employees)
  • Another data processor that Mr. Singh uses is the
    (newspaper publishers / credit card processing
    company / bank)
  • Mr. Singh is very worried about the new Data
    Protection Act because of the seventh
    principle. What would you recommend he does? (go
    back to a paper based system / backup and virus
    check his data regularly, password protect files
    / prevent unauthorised access to his computer)

16
Quiz
  • Occasionally, Mr. Singh is left with a bad debt
    when customers have left the area without
    payment.  Mr. Singh has used debt recovery
    companies in the past to try to get some of his
    money back.  Would Mr. Singh have to notify this
    as a new purpose? (Yes / No)
  • Mr. Singh receives his notification documents and
    is completely bewildered by the definitions. Is
    he a (commissioner / controller / data subject)?
  • What category does Mr. Singh's customer data come
    under? (sensitive personal data / exempt data /
    personal data)
  • Mr. Singh does not believe that he needs to check
    his data for accuracy because customers and
    employees usually inform him of any change of
    address.  What does the law state? Is he right or
    wrong?

17
Further Reading
  • Spend some time browsing the following
    sites to ensure that you have understood
    today's lecture:
  • www.privireal.org
  • www.informationcommissioner.gov.uk