Is your Data Protected?

A small, but lively, group attended this seminar and tucked into the excellent buffet provided before we got down to business!

Emma gave us the background to data protection and privacy law, and then looked in a very practical way at the eight key principles of the Data Protection Act 1998 (DPA 1998) and their impact on professional bodies, vendors, employers, employees, suppliers of information services, international law firms and individuals.

The law has been derived from human rights legislation and covers, in the UK, all personal data capable of identifying a living individual (in Thailand the law extends to include dead people!). The Privacy and Electronic Communications (EC Directive) Regulations are due to come into force in the UK in December 2003, further limiting what can be done with personal data.

The eight principles of the DPA 1998 relating to personal data are:

- It should be processed fairly and lawfully
- It must be obtained for a specified purpose
- It must be adequate, relevant and not excessive
- It must be accurate and kept up to date
- It should not be kept for longer than necessary
- It should be processed in accordance with the rights of the data subject
- Appropriate technical and organisational measures should be used to protect against unlawful or unauthorised processing, and against accidental loss or destruction of, or damage to, personal data.
- It should not be transferred to a country or territory outside the EEA.

In the résumé below I have only included the major principles applying to the data users covered in the talk, and/or areas where there was discussion about how the principles apply to them.

Professional bodies

These bodies must process the data that they hold on you as a professional, fairly and lawfully. If they have asked for ‘sensitive’ information from you, they should tell you exactly how they are going to process this. ‘Sensitive’ would include any race information, for instance. Basically they have to obtain your permission to use any of your personal data. If they wish to change this in any way, they should obtain further consent from you.

As an immediate demonstration of this, Charlotte very properly asked our permission to send us her revised handout by e-mail, before collecting our business cards. So we know that CLIG is compliant!!

Vendors

Can only keep that personal information necessary for the performance of their contract with you. The key principles also state that the information held should be accurate and kept up to date.

Employees

Have a right to see all data that an employer holds on them, providing the request is in writing, and is supported by proof of identification - but only where it is possible and does not involve a disproportionate effort. Here there was some discussion over a case where an employee, in dispute with his company, had asked to have a copy of every e-mail in which he had been mentioned. It was agreed that the data controller would have invoked the ‘disproportionate effort/impossible’ clause here!

Employers

There is a requirement to keep only information needed to fulfil the contract of employment. Any access requests from an employee can include not only Human Resource records, but also library records, OPAC searches, notes on CVs etc. The employer has 40 days in which to respond, but this can be extended if the request would take longer to fulfil.

There was some discussion at this point both about library records and job application forms, especially where forms are kept in case there may be a job opening in the future for the applicant. On the library records issue, disproportionate effort was cited should someone demand to see records, and permission given by an employee to have basic data made available to colleagues on an OPAC was really part of their employment. On the application forms issue, Emma advised any employer to include a time frame for retention on the application form itself. She also noted that there was a potential problem with being able to keep the data up to date and accurate if forms were kept for any length of time.

Providers of information services

Information held on databases used for marketing purposes can be held providing you have obtained consent to directly market the individual.

Details of how to unsubscribe must be included in any material sent to the individual.

The new regulations also prohibit unsolicited fax or e-mail marketing and unsolicited marketing calls if an individual is on the Direct Marketing Association (DMA) National Preference lists. It was noted that if a company sends something to an individual’s name or position without prior consent, this is now illegal, but it would be fine to send it to ‘the occupier’ or to a department in a company. There were smiles all round at the thought that calls from double-glazing companies would cease soon!

Individuals

Have a right to prevent processing of their data for direct marketing, to prevent processing likely to cause harm or distress, to have subject access and to take action for compensation if damage is suffered and to get inaccurate data blocked.

International law firms

When and how data can be transferred abroad can be tricky. For instance, in the USA spam laws are state-based so far, and ‘safe harbour’ and ‘adequate protection’ decisions need to be used with caution.

Personal data should not be transferred outside the EEA (15 member states, plus Liechtenstein, Norway and Iceland) unless consent has been given for the transfer, it is necessary for the performance of a contract, for reasons of substantial public interest, or the country has agreed to safe harbour or affords other adequate protection.

The European Commission has decreed that the following countries afford adequate protection: Hungary, Switzerland, Argentina, and in some instances, Canada.

25 large companies have signed up to the safe harbour agreement, but the caveat here is that some of those companies do not include the whole company in the agreement!

There was some discussion here about the legality of recommended law firm databases and the forwarding of e-mails containing personal data that have come from non-EEA countries. Emma said that a data protection notice on stationery saying that you will be transferring data outside the EEA should get round the problem of transferring data between offices of an international firm.

Charlotte then introduced us to a list of Global Data Protection Resources that she has compiled (with the caveat that it is not comprehensive, but what she has found so far!). She noted that there do not seem to be any up-to-date academic looseleafs or books on the subject that are global in coverage. If you are a member and would like to receive the slides and/or the handout please e-mail Charlotte on charlotte.russell-hargreaves@reuters.com stating “Data Protection slides request” in the subject heading.

The list contains our national legislation to date, plus links to EU and OECD sources and web sites dealing with international transfers of data. The latter part includes sources for standard contractual clauses and where to find Safe Harbour Privacy Principles.

She has also listed many national Data Protection Authorities, and details of current awareness alerts/newsletters available.

It was a very practical seminar, flagging up real issues that we have to deal with and sending us away armed with the knowledge of resources to help us. Many thanks to our presenters for a great evening - it was just a shame that they did not have a bigger audience.
Anne Storey, Baker & McKenzie - December 2003