Crime Reduction - Helping to Reduce Crime in Your Area

Information Sharing

The Legal Framework: Data Protection

The Data Protection Act 1998 ("DPA"), which replaced the Data Protection Act 1984, regulates the processing of personal data, from the moment it is obtained through to its use, disclosure and eventual destruction. The Act provides for a framework of notification by data controllers to an independent supervisory authority – the Data Protection Commissioner ("DPC").

Contents

The Data Protection Principles

The First Principle

Regulation and Enforcement of the Act

Role of the Data Protection Commissioner

Application of the Act to Data-Sharing

Case Studies


The Data Protection Principles

The DPA sets out eight Data Protection Principles in Schedule 1. Their purpose is to state, in broad terms, what acceptable processing practice looks like. Under Schedule 1 personal data must be:

  • processed fairly and lawfully [and, in particular, only where at least one of the conditions in Schedule 2 is met and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met]

  • obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with those purposes

  • adequate, relevant and not excessive in relation to those purposes

  • accurate and, where necessary, kept up to date

  • not kept for longer than is necessary for those purposes

  • processed in accordance with the rights of data subjects under the Act

  • protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage

  • not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection

The first and second principles are not self-contained: the first can only be satisfied by meeting one of the Schedule 2 (and, for sensitive personal data, Schedule 3) conditions, and the second ties every later use of the data back to the purpose for which it was obtained. The principles apply to all personal data processed by data controllers unless one of the exemptions in the Act applies, and those exemptions give only limited relief.



The First Principle

Under the First Data Protection Principle, personal data is required to be processed not only "lawfully" in accordance with applicable law and the provisions of the Act, but also "fairly". On each occasion that personal data are processed, the data controller must, as a requisite of fair and lawful processing, have legitimate grounds for doing so in accordance with Schedule 2 of the Act (and with respect to sensitive personal data, Schedule 3 of the Act).

Schedule 2 sets out the following possible grounds for these purposes:

  • Processing with the consent of the data subject

  • Processing necessary for the performance of a contract to which the data subject is a party or which is necessary for entering into a contract

  • Processing which is necessary for compliance with a legal obligation other than one imposed by contract

  • Processing which is necessary in order to protect the vital interests of the data subject

  • Processing which is necessary for the administration of justice, the exercise of any functions conferred by or under any enactment, the exercise of any functions of the Crown, a Minister of the Crown, or a government department, or the exercise of any other function of a public nature exercised in the public interest

  • Processing which is necessary for the purposes of the legitimate interests of the data controller or a third party to whom the data are disclosed, providing that these are not outweighed by the interests of the data subject

When processing sensitive personal data it is necessary to satisfy both a condition from Schedule 2 and at least one from Schedule 3. The Schedule 3 conditions are:

  • Processing with the explicit consent of the data subject

  • Processing necessary for the purpose of exercising or performing a legal right or obligation in the context of employment

  • Processing necessary to protect the vital interests of the data subject or another in cases where consent cannot be obtained

  • Processing by a non-profit body with political, philosophical, religious or trade union aims, in the course of its legitimate activities, of data relating to its members or to people in regular contact with it

  • Processing of information made public as a result of steps deliberately taken by the data subject

  • Processing necessary in connection with legal proceedings or the seeking of legal advice

  • Processing necessary for the administration of justice, the performance of statutory functions, exercise of function of the Crown, Ministers or government departments

  • Processing of medical data by medical professionals or others owing an obligation of confidence to the data subject

  • Ethnic monitoring

Public authorities will normally be able to establish the legitimacy of their processing by reference to their statutory or public functions. In some cases they may need to rely upon the final Schedule 2 condition instead, i.e. the pursuit of a legitimate interest not outweighed by the interests of the data subject. In addition, there are further Schedule 3 conditions created by order of the Secretary of State that allow public authorities to process sensitive personal data for certain purposes. These fall into a number of broad categories:

  • Crime prevention, policing, and regulatory functions (subject to a substantial public interest test)

  • Insurance

  • Equality monitoring in the area of disability and religious or other beliefs

  • Research

Legitimate aims of public authorities are thus recognised in the grounds for fair and lawful processing, again reflecting the balance that is to be struck in protecting personal data while allowing the performance of certain functions that are necessary in a democratic society.



Regulation and Enforcement of the Act

Rights Given to Data Subjects

The DPA provides individuals with rights by which they can take practical steps to protect their personal data from being unlawfully or unfairly processed:

The right of subject access: individuals are entitled to be informed by data controllers whether personal data relating to them are being processed by the controller or on its behalf. If so, individuals have a right to be given a description of the personal data, the purposes for which it is being processed, the source of the data and those (if any) to whom such data may be disclosed. Individuals also have the right, with some exceptions, to be given a copy of the information constituting the data held about them. A fee may be charged, and the data controller must comply with the request promptly and in any case within 40 days.

The right to prevent processing likely to cause damage or distress: data subjects are entitled to serve a written "data subject notice" on data controllers requiring them not to begin, or to cease, processing personal data relating to them where such processing is causing or is likely to cause substantial damage or substantial distress to them or to another person, and that damage or distress is unwarranted. In case of dispute, upon application by the data subject, the court will consider the matter and, if satisfied, will order the data controller to take such steps as are necessary to comply with the notice.

The right to prevent processing for the purpose of direct marketing: data subjects may by written notice require data controllers to refrain from processing personal data relating to them for the purpose of direct marketing.

Rights in relation to automated decision-taking: data subjects are entitled to require a data controller to ensure that no decision which significantly affects them is based solely on the processing of their personal data by automatic means. Data subjects also have the right to be informed of the logic of any automated decision process taken concerning them.

Rights to compensation in the event an individual suffers damage as a result of processing by a data controller in contravention of the Act where the data controller is unable to prove that it has taken such care as is reasonable in all the circumstances to comply with the relevant requirement.

Rights to take action to rectify, block, erase or destroy data relating to them which is inaccurate (incorrect or misleading as to any matter of fact) or contains an expression of opinion which the court finds is based on the inaccurate data.

Right to request an Assessment by the Commissioner as to whether or not personal data has been or is being processed in accordance with the Act.



Role of the Data Protection Commissioner

The first duty of the Data Protection Commissioner – now the Information Commissioner (IC) - is to promote good practice. In addition, the DPC has the power to enforce compliance with the Data Protection Principles and to bring prosecutions for breaches of the criminal provisions in the Act. The Commissioner also has a duty to assess complaints from individuals.

The Act prohibits data controllers from processing personal data unless they have notified the DPC of that processing, although there are exemptions in the Act that allow some data controllers to process data without notifying the Commissioner. In notifying, they must inform the DPC of the purposes for which they hold, use and disclose personal data, details of any actual or proposed transfers of the data outside the European Economic Area, and a general description of the security measures in place to protect the data. The DPC maintains a public register of notifications.

In addition to maintaining this register the DPC exercises certain supervisory functions:

Section 42 Assessments: As noted above, data subjects may request the DPC to carry out an assessment of whether any particular processing operation carried out by a data controller is likely to breach the provisions of the Act. The DPC is under a duty to make an assessment only when the request raises a matter of substance, so a detailed investigation of the data controller’s actions may not be carried out in all cases. Where the DPC does carry out an assessment, the circumstances of the processing are considered and the data subject is informed of relevant exceptions which may justify the processing and any view formed or action taken by the DPC.

Information and Enforcement Notices: data controllers are under a duty to provide information to the DPC to enable her to determine whether processing is lawful. To this end the DPC may serve an Information Notice on data controllers requiring the supply of relevant information concerning their processing actions. The DPC may also serve an Enforcement Notice. Failure to comply with an Enforcement Notice is an offence under the Act.

The data controller has a right to appeal to the Data Protection Tribunal (now the Information Tribunal) against the service and the terms of such notices. The Act also gives the DPC limited powers of entry and inspection, exercisable under a warrant issued by a circuit judge on the Commissioner's application.

In practice these measures are usually applied in sequence: an Information Notice to establish the facts, then an Enforcement Notice if the processing is found to breach the Principles, with prosecution reserved for non-compliance. Enforcement Notices may, on appeal, be upheld, withdrawn or amended by the Tribunal.



Application of the Act to Data-Sharing

The DPA regulates the use to which personal data is put each time it is processed. The Principles apply to all personal data processed by data controllers, unless the data controller is able to claim one of the exemptions listed in the Act. Controllers must comply with them, irrespective of whether they are required to notify and whether or not they are actually notified. Notwithstanding that personal data may legitimately have been collected and held by the data controller for a particular processing purpose, if the data is subsequently processed in a manner which does not comply with the Data Protection Principles, that processing is prima facie unlawful.

Aside from general compliance with the Data Protection Principles, the Second Data Protection Principle provides that "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes". The Third Principle requires that "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed". The guidance in Part II of Schedule 1 to the Act provides that:

"the purpose or purposes for which personal data are obtained may in particular be specified in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or [in the data controller’s notification to the DPC]."

In this manner the data subject is given an effective right to know, at the time in which his/her personal data is provided to the data controller, the purposes for which that data may be processed. It is also clear that data-sharing – the disclosure of personal data to third parties by the data controller – falls within the broad definition of "processing". Furthermore, the conditions of fair and lawful processing specified in Schedule 2 militate against data-sharing insofar as this entails dissemination of personal data for purposes beyond the immediate scope of the purpose for which it was collected.

Part II of Schedule 1 provides that:

"In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed."

The second principle must always be considered in the circumstances in which disclosure is required.

Unless the disclosure to third parties (data-sharing) can properly be considered to be compatible with the purpose for which the data were obtained, the Act effectively prohibits data-sharing. The Act contains limited exceptions to this rule of "non-disclosure". Section 29(3) provides that the non-disclosure provisions are disapplied where the disclosure is made for one of the purposes listed below and applying those provisions would be likely to prejudice that purpose:

  • the prevention or detection of crime

  • the apprehension or prosecution of offenders

  • the collection or assessment of any tax or duty

Under section 35 of the Act – the so-called "gateways exemption" disclosures of personal data required by law or made in connection with legal proceedings are similarly exempted from this non-disclosure requirement. Information disclosed for certain regulatory functions is also exempted from the non-disclosure requirement. In addition, the Secretary of State may make orders exempting from the non-disclosure provisions in the Act any disclosures of personal data made in circumstances specified in the order, "if he considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual". These exemptions again recognise the broad balance to be struck between the protection of personal data and the necessity of certain actions in exercise of the legitimate functions of public authorities. In the absence of such a gateway, however, the disclosure of personal data by a data controller is likely to fall foul of the Act.



Case Studies

To illustrate how the data protection principles should be considered before information is disclosed or transferred:-

Take for example, a partnership arrangement that may be aimed at addressing the problem of anti social behaviour by young people on a specific estate. It needs to be decided whose data needs to be shared, and how data sharing might help to tackle the problem, such as through referrals to provision of youth club facilities, reparation and mediation schemes, obtaining anti-social behaviour orders and referrals to youth offending teams.

There must be a lawful basis for processing data. It must be determined whether the processing to be carried out satisfies at least one of the Schedule 2 conditions that the first data protection principle requires, since every instance of processing needs a legitimate basis. It must also be determined whether the processing will involve sensitive personal data and, if so, which Schedule 3 condition will be satisfied as well.

The relevant authorities (namely chief police officers, police authorities, local authorities, probation committees and health authorities) may be able to rely on Section 115 of the Crime and Disorder Act 1998 as the ground on which they satisfy Schedule 2. Other bodies may be able to rely on this, or they may have to look for other grounds on which to satisfy the Schedule 2 conditions. Each agency will also need to consider any other legal obligations it owes in relation to the personal data it holds, such as whether it holds the data under a duty of confidence. If so, it must consider whether consent can or should be sought from the individual and, where consent cannot be obtained, whether there are any grounds on which the need for consent can be overridden.

For the young people in this example, it may be sufficient that the relevant authority informs them that this is a potential use of their information. For other parties, such as witnesses, information should not normally be disclosed to other partners without their consent.

To satisfy the third principle, partners will need to ascertain which categories of information actually need to be disclosed. Information must be adequate, relevant and not excessive for the purpose, so a referral should carry only the details the receiving partner needs for that referral and not an agency's whole record on the individual.

Appropriate security measures (the seventh principle) need to be taken to prevent unauthorised disclosure of, or access to, personal data. The means of making a referral to the initiative should ensure that the information cannot be accessed or obtained by any person who is not taking part in the initiative.

The data protection implications of retaining the data will need to be considered, including how the data collection will be notified to the Commissioner, how the data are to be recorded and for how long they are kept, and how individuals will exercise their rights, for example by making a subject access request about their information. The partnership will need a mechanism by which subject access requests are considered, so that the source authority can decide whether it wishes to rely on a subject access exemption under the Data Protection Act.

Not all exchanges will be predictable or routine. The exemptions under Section 29 of the Data Protection Act can be relied on to allow an exchange of data in any case where the ability of law enforcers to prevent a crime or bring proceedings against an offender would otherwise be prejudiced; each such disclosure should be considered on its own facts rather than treated as a blanket permission.

Where anonymised or depersonalised data are used, for example for mapping the incidence of particular types of offence, the provisions of the Data Protection Act should not apply, provided the data do not include identifiable personal information. Bear in mind that data count as personal data if an individual can be identified from them together with other information in the recipient's possession, so removing names alone may not be enough where dates, addresses or incident references would let a partner re-identify people.


Last update: 19 June 2003
