Data Protection

Jane Lambert
27 May 2010

Data protection is a shorthand for regulating the collection, collation, exchange, storage and transfer of information related to and identifying living individuals (“personal data“). Those who process such data (“data controllers“) must notify particulars of their use of such data to the Information Commissioner and comply with minimum standards for processing such personal data known as data protection principles.

The principal statute is the Data Protection Act 1998. It implements Directive 95/46/EC (“the Data Protection Directive”). The Information Commissioner also enforces The Privacy and Electronic Communications (EC Directive) Regulations 2003which implement Directive 2002/58/EC (“Directive on Privacy and Electronic Communications“). The Commissioner also administers the Freedom of Information Act 2000. The Data Protection Directive is intended to give effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe (“Data Protection Convention”) and OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

The Data Protection Act 1998 encourages self-regulation. S.51 (1) requires the Commissioner to promote good practice by data controllers, to prepare and disseminate codes of practice himself and to encourage trade associations to do likewise. He may also assess how far personal data processing follows good practice and inform the data controller of the results of his assessment. S.23 of the Act permits the Secretary of State to make regulations providing for data controllers to appoint data protection supervisors to monitor compliance with the Act.

Transfer of Data Overseas
The Data Protection Act prohibits the transfer of personal data outside the European Economic Area (“the EEA”) unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Art. 25 of the Data Protection Directive enables the European Commission to determine whether a country outside the EEA provides adequate protection. By a decision dated 26 Oct 2000 the Commission determined that adherence to a set of guidelines enforced by the US government known as the safe harbour principles meets those requirements.

Compliance is enforced by the Commissioner who may issue notices requiring data controllers to do or refrain from doing specified acts. An appeal from the Commissioner’s decision lies to the First Tier Tribunal – Information Rights. The Act creates various offences such as failure to notify, obtaining personal data unlawfully and unauthorized disclosure. Individuals who suffer damage or distress from any contravention of a requirement of the Act has a right of action against the data controller.

Risk Areas
This legislation is complex and it is not always well understood. Many compliance measures are needlessly bureaucratic imposing unnecessary costs on controllers and alienating customers. On the other hand individuals can suffer real damage and distress from non-compliance.