Data Protection Solicitors
Data Protection and Management
Data protection is increasingly becoming a key concern for businesses in not only their day-to-day operations but also when negotiating commercial agreements. Any business operating in the United Kingdom which holds information about individuals (including employees, customers, individuals on contact or marketing lists or any other individual) must comply with the laws around data protection. Data protection should be at the forefront of business concerns as the penalties (criminal as well as civil) for breach of the legislation can be severe.
We are experienced in advising businesses on their roles and responsibilities on Data Protection issues and negotiating Data Protection provisions during a corporate or commercial transaction.
Key features of data protection
The collection and use of data in the United Kingdom is governed primarily by the Data Protection Act 1998 (DPA). The DPA is largely concerned with the “processing” of “personal data”. If you are a “data controller” you must comply with the obligations set out in the DPA.
Are you a “data controller” or a “data processor”?
Data controller: this is the entity who (alone, jointly or in common with others) determines the purposes for which and the manner in which any personal data is, or is to be, processed.
For instance, a business will control the data of its employees and customers. Even where data is held by a third party (e.g. where a function or service has been outsourced), the originating entity may still be the data controller.
Data processor: this is the entity (other than an employee of the data controller) which processes data on behalf of the data controller. Although the data processor does not have specific obligations imposed on it under the DPA, the DPA does require the data controller to pass on certain obligations to the data processor. The data processor is expected to have more legal obligations in the future.
Who is the “data subject”?
The data subject is the individual who is the subject of personal data. This could be employees, customers, contractors, consultants, individuals on contact lists or marketing databases, or individual partners of a partnership.
What is “personal data”?
Personal data is any data which relates to a living individual who can be identified from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and of the intentions of the data controller or any other person in respect of the individual. The information does not have to be confidential.
What is “processing”?
Processing is the obtaining, recording or holding of information or data or carrying out any operation or set of operations on the information or data, including:
- organising, adapting or altering the information or data;
- retrieving, consulting or using the information or data;
- disclosing the information by transmission, dissemination or otherwise making it available; or
- aligning, combining, blocking, erasing or destroying the information or data.
This broad definition means that any activity involving personal data will be caught. If you hold personal data then it is likely that you will be engaged in processing that data.
What are your obligations?
Personal data must be processed in accordance with the eight data protection principles set out in Schedule 1 of the DPA:
- It must be processed fairly and lawfully.
- It must only be obtained for one or more of the specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- It must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
- It must be accurate and, where necessary, kept up to date.
- It must not be kept longer than is necessary for the purpose.
- It must be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- It must not be transferred outside the European Economic Union unless the destination country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing data.
There are additional rules relating to sensitive personal data which includes data relating to race, political opinions, health, sexual orientation, religion and beliefs, trade union membership and criminal records.
What are the rights of data subjects?
The individual whose data is held has certain rights under the DPA. These include:
- Right of access: the individual is entitled to be informed whether their personal data is being processed by or on behalf of the data controller and, if so, has a right to be given a description of the personal data, the purposes for which it is being processed, and the recipients or classes of recipients to whom it is or may be disclosed. The individual also has the right to be provided with a copy of the data in a permanent form.
- Right to object to processing: individuals have a limited right to prevent processing of their personal data where such processing causes, or is likely to cause, the individual or anyone else unwarranted substantial damage or distress. Individuals also have the right to prevent processing of data for direct marketing purposes, even where consent has previously been given.
What are your obligations where processing is to be carried out by third parties?
Where data is processed on behalf of the data controller by another party, the data controller must:
- Choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing being carried out; and
- Take reasonable steps to ensure compliance with those measures.
The data controller is also required to enter into a written contract with any data processor which requires the data processor to act only on instructions from the data controller and requires the data processor to comply with obligations equivalent to those imposed on the data controller by the seventh principle.
If you are a data controller or data processor and you would like advice on how you can comply with the eight data protection principles or your other obligations under the DPA, please contact our Corporate Commercial team.
Electronic Communications & Direct Marketing
Direct marketing is communication (by email, phone, text or post) of any advertising or marketing material which is directed to particular individuals.
Direct marketing is now a focus of government policy. The government wants to make it easier for the Information Commissioner’s Office (ICO) to fine companies that do not comply with the rules. It is recommended that compliance with the law on consent to direct marketing should be treated by businesses as a board level issue in the context of corporate risk. Failure to comply with the rules can lead to reputational damage, loss of goodwill, loss of customers, fines, regulatory and legal action, and criminal prosecution.
There are strict direct marketing rules; however, the application of the rules differs according to the type of communication and whether the recipient is an individual or corporate subscriber. Individual subscribers include residential subscribers, sole traders and non-limited liability partnerships.
Opt-in or Opt-out
Consent by an individual subscriber to receive marketing by email must be obtained via an ‘opt-in’ method rather than ‘opt-out’. This means that a consumer must tick a box to consent to receiving electronic communications rather than tick a box stating that they do not wish to receive them.
For post and non-automated telephone marketing individual subscribers have the right to ‘opt-out’ and to register free of charge with the Mail Preference Service (MPS) or the Telephone Preference Service (TPS). Although the relevant legislation does not require the “opt-in” method for non-electronic communications the ICO advises that it is best practice to obtain “opt-in” consent in all circumstances.
Even where a subscriber has “opted-into” direct marketing (or not “opted-out”), the subscriber must be given the option to “unsubscribe” following receipt of marketing. Businesses must always provide a valid address to enable the subscriber to unsubscribe. The ability to unsubscribe must be clear on the face of the marketing.
The rules are much more lenient in relation to corporate subscribers. Corporate subscribers do not have a statutory right to opt-out of direct marketing prior to such marketing (whether by email, phone, post or SMS). This means that the opt-in/out tick box is not strictly required for corporate subscribers. However, the guidance from the ICO is that even where the subscriber is a corporate entity it is best practice to gain consent by an “opt-in” mechanism or in the very least an “opt-out” mechanism. Further, although prior consent is not required by law, the corporate subscriber must be given the option to “unsubscribe”.
Buying and selling data
It is recommended that, as a minimum, businesses should commit to reviewing and implementing the ICO’s guidance relating to collecting and buying data. The following ICO guidance should be made clear in business policies:
- Inform other companies in the data chain when a consumer has opted out of marketing calls or texts.
- Businesses relying on third party consent should satisfy themselves that the consent was not obtained from the consumer more than six months before it is used.
- Third party consent will not be sufficient to override TPS registration and businesses that purchase data must screen against the TPS all telephone numbers obtained.
- Businesses should record proof of consent in a format that can be used by future recipients of the data.
Big Data
Big data describes a massive volume of both structured and unstructured data that is so large it is difficult to process using standard database and software methods. It has been described in the Gartner IT glossary as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making”. Big data:
- uses massive, diverse, complex, longitudinal, and/or distributed datasets that are generated by, or collected from, a variety of different devices, sensors and transactions (volume);
- brings together data from different sources, both structured and unstructured (variety); and
- is processed quickly, often exceeding current processing capacity (velocity).
As big data is a burgeoning phenomenon, the legal framework is quickly developing to try to keep up with it and manage compliance with data protection laws. The Information Commissioner’s Office (ICO) published a report on big data in the UK in 2014 which is a useful tool for understanding big data and your obligations (https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf).
Although much of big data is not personal data (for instance world climate and weather data) there are examples where big data analytics include the processing of personal data (for instance data from monitoring devices on patients in clinical trials, mobile phone location data, data on purchases made with loyalty cards and biometric data from body-worn devices). As such, the authorities have decided that big data should fall within the scope of data protection laws and therefore must comply with the eight data protection principles.
In particular, businesses processing big data should:
- Abide by the rules of fairness and transparency and meet the reasonable expectations of the data subject in processing data;
- Explain the benefits of analytics to the data subject and obtain prior consent;
- Collect and use data for specified, explicit and legitimate purposes;
- Ensure that the collection and use of data are adequate, relevant and not excessive, and that data is not kept longer than is strictly necessary;
- Anonymise data;
- Respect the rights of data subjects; and
- Consider carrying out a privacy impact assessment to assess how big data analytics is likely to affect the individuals whose data is being processed and whether such use is fair.
If you would like advice in relation to big data and how you can comply with your data protection obligations please contact our Corporate Commercial team.
Information Commissioner
The regulator responsible for overseeing and enforcing data protection compliance is the Information Commissioner. The Information Commissioner’s Office (ICO) has issued a Guide to Data Protection which is a useful starting point for businesses to understand their obligations.
Register of Data Controllers
Data controllers must notify the ICO before processing personal information. Failure to do so is an offence. The name and address of data controllers, as well as a description of the type of processing, is published on the data protection register.
Part of the ICO’s role is to deal with complaints raised by members of the public. Once a complaint is raised the ICO will record it and consider it. Where there is evidence of a clear and serious breach of the legislation, the ICO will take direct action on the concern raised. If it becomes apparent that there has been a serious failure to comply with the law, the ICO will provide advice and instruction to the organisation. If the organisation does not take its responsibility seriously, the ICO may take enforcement action which can include a fine of up to £500,000.
Enforcement actions available to the ICO include:
- Criminal prosecution;
- Non-criminal enforcement;
- Audit; and
- Fines of up to £500,000.
In taking action, the ICO may:
- serve information notices requiring organisations to provide the ICO with specified information within a certain time period;
- issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
- serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
- conduct consensual assessments (audits) to check organisations are complying;
- serve assessment notices to conduct compulsory audits to assess whether an organisation’s processing of personal data follows good practice; and
- report to Parliament on issues of concern.
Breaches of Data Protection
The Information Commissioner’s Office (ICO) has certain powers where an organisation has breached data protection legislation, which include the ability to issue a monetary penalty of up to £500,000 and to instigate criminal prosecution. Please see Information Commissioner.
An individual may apply to court to enforce his rights where the data controller has failed to respond to certain requests made or notices given by the individual, including:
- a subject access request where the courts may order the data controller to comply with the request;
- a notice requiring the data controller to cease or refrain from processing certain personal data where the courts may require the organisation to comply with the request; and
- a notice requiring the data controller to ensure that no decision significantly affecting the individual is based solely on the automated processing of his personal data, or requiring it to reconsider the automated decision or take a new decision on a different basis, where the court may order the data controller to reconsider the decision or take a new decision on a different basis.
Compensation may also be awarded by the courts to individuals where:
- damage has been caused by breach of the legislation; or
- the individual has suffered distress as a result of a breach.
Certain breaches can lead to criminal prosecution, for example:
- breach of the obligation to notify or inform the ICO of any changes to registrable particulars;
- failure to comply with an information notice, a special information notice or an enforcement notice, or knowingly to make a false statement in response to an information notice;
- knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller or selling or offering to sell data so obtained or disclosed.
Criminal proceedings can be brought by the ICO or the Director of Public Prosecutions. Those convicted can be subject to unlimited fines in both the magistrates’ court and the Crown Court.
The Home Secretary has the power, after consultation, to issue secondary legislation to introduce custodial sentences of up to 12 months on summary conviction, and up to two years imprisonment for a conviction on indictment for those involved in the illegal trade of personal information. The government consulted on the introduction of custodial sentences in 2009/2010. Following the consultation the government said it intended to bring in the new custodial sentences but it is yet to do so. However, custodial sentences for breaches of certain data protection rules may be introduced in the future.
Breaches of data protection can also lead to:
- bad publicity;
- loss of reputation, brand and goodwill;
- loss of customers and future customers.
Social Media
Social media is at the forefront of today’s world and is used by most people in one form or another. There are benefits and risks to social media, and its use in a corporate context should be strictly managed and controlled.
Use of social media within your business
- A company may:
  - manage a Facebook page;
  - use LinkedIn;
  - run a Twitter feed;
  - broadcast video content on YouTube;
  - publish blogs.
- An employee may:
  - use a third party social media site to promote the business;
  - use social media in their personal capacity in a way which may have an impact on the company.
- Third parties connected to the company may refer to the company’s business or products on their own social media sites.
Where used well, the benefits of social media are wide. These include:
- Raising a company’s profile;
- Boosting reputation;
- Enhancing brand and image;
- Promoting products and services;
- Providing direct links to customers and potential customers;
- Access to marketing and advertising initiatives;
- Increasing cohesion between employees.
Some of the risks are the converse of the benefits in circumstances where use of social media is mismanaged or abused. The risks include:
- Damage to reputation, brand and image;
- Discrimination where one employee uses social media to make comments about another employee;
- Confidential information becoming public if posted by an employee in error;
- Breach of third party intellectual property;
- Breach of data protection laws if an employee publishes personal data;
- Loss of productivity where an employee uses social media for personal use during work time;
- Breach of privacy laws, particularly relating to employees.
How to limit the risks of social media
- Manage and carefully monitor user generated content;
- Ensure compliance with laws relating to:
  - prohibitions on deceptive acts such as false advertising;
  - unethical marketing practices;
  - promotions and competitions;
  - insider trading and other market abuse; and
  - industry specific rules;
- Educate and train employees on:
  - the consequences of disclosing confidential information or intellectual property online;
  - harassment and bullying of colleagues and customers;
  - privacy; and
  - marketing and advertising in the social media context;
- Consider banning personal use of social media by an employee during work hours;
- Give strict guidance to employees on use of social media; and
- Create a social media policy.
Social media policy
Adopting a social media policy is a good way to limit the risks of social media. A policy will make it clear to employees what is expected of them in terms of social media and will make them aware that their use of social media may be relied on in disciplinary action if their conduct breaches the policy.
A social media policy should cover the following:
- Employee use of company IT resources;
- Employee use of intellectual property, confidential information and privileged information;
- Employee use of third party intellectual property;
- Protection of third-party confidentiality and privacy;
- Prohibition on harassment and bullying of other employees;
- Prohibition on discrimination; and
- Prohibition on negative comments about the company, its employees, its business contacts or its competitors.
If you would like assistance in drafting a social media policy or any other advice in relation to social media in a legal context, please contact our Corporate Commercial team.