Data Protection Act 1998 - what you need to know
The first article published in the Journal (March 2003) considered definitions within the Act and the requirement and process of notification.
In this second article, the Principles of the Act will be set out (1 and 7 in some detail).
It had been the intention to discuss subject access requests in this article. However, this will be held over to a later article as a result of the need to additionally consider subject access to health records. Since the first article some members have raised questions in connection with access to health records and this deserves proper attention as it is expected to be of wide interest.
As was noted in the last article the intention is to provide introductory information. The Act is a complex piece of legislation with complex rules and it may be necessary to seek expert advice from time to time. A fuller understanding of the Act is always to be encouraged.
The Principles
Cornerstones of the Act are the eight data protection principles. They are set out in Schedule 1 and summarised below. These set out a code by which data controllers must handle and obtain personal data. Anyone processing personal data must comply with these regardless of:
- Whether an exemption from notification exists;
- Whether the data controller has been notified.
The eight principles state that personal data:
- Shall be processed fairly and lawfully;
- Shall be obtained only for one or more specified and lawful purposes;
- Shall be adequate, relevant and not excessive to the purpose or purposes for which they are processed;
- Shall be accurate and where necessary kept up to date;
- Are not kept for longer than required to fulfil the purposes for which they were collected;
- Must reflect the rights of data subjects under the Act;
- Shall be processed in a secure environment with appropriate security measures being in place;
- Shall not be transferred outside the EEA unless the recipient of the data resides in a country that gives data subjects similar strong rights over their information.
An observation often made is that the principles are very generic and this makes it difficult to see how they can be applied in a given situation. Their generality is intentional as this provides flexibility, as they have to cover all sorts of processing in all manner of organisations. It is necessary therefore for data controllers to apply them to their own data processing circumstances. In some circumstances firms may need to modify their procedures to comply.
While it is not possible to go into detail on each of the Principles, some examination of the first is worthwhile as members often put questions to the Society in connection with it.
Setting out principle one in more detail shows that personal data shall not be processed unless:
- At least one of the conditions in Schedule 2 is met, and;
- In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Schedule 2 sets out 6 conditions only one of which needs to be met for compliance with the first principle. Concern is often expressed with condition 1 of Schedule 2:
- The data subject has given his consent to the processing.
The Society is often asked if this requires firms to write to each data subject (e.g. clients and staff) and obtain their written consent to process their data as this would be very onerous and time consuming. It is important, however, to note that Schedule 2 only requires one of its conditions to be met for compliance with principle one. It would seem that people get stuck on the first condition and do not look past it. Looking at the other conditions of Schedule 2, it should be possible to identify one accommodating the solicitor-data subject relationship. For example:
- Sch.2, 2(a) – the processing is necessary for the performance of a contract to which the data subject is party;
- Sch.2, 5(a) – the processing is necessary for the administration of justice.
Where sensitive personal data is being processed, the conditions are more demanding. In the first instance, note the categories of sensitive personal data:
- Racial or ethnic origin of the data subject;
- Political opinions;
- Religious beliefs;
- Membership or non-membership of a trade union;
- Physical or mental health or condition;
- Sexual life;
- Commission or alleged commission of any offence; or
- Any proceedings for an offence committed or alleged to have been committed, the disposal of any such proceedings or the sentence of any court to such proceedings.
It would seem reasonable that firms will find it necessary to hold such information on some data subjects at some point. In these circumstances it is necessary to comply with one condition from Schedule 2 and one condition from Schedule 3. In all there are 10 conditions and they are quite demanding. Members holding, or expecting to hold, sensitive data need to study Schedule 3 and identify an applicable condition. As with Schedule 2 it should be possible to identify one which will be suitable.
While it has been suggested that it may not be necessary for a firm to write to each data subject seeking consent, consideration should be given to the development of a data protection notice for the firm. Such notices are commonplace (e.g. credit card applications; Sainsbury’s have in-store leaflets). The notice would set out the types of data being obtained and processed and the purposes to which they will be put. If data may be passed on to third parties, this needs to be detailed. Such notices could be distributed with engagement letters and fee notes, placed on firms’ web sites, displayed at reception and so on. The notice should also include the name and address of the data controller.
Turning now to the seventh principle, which states:
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Data controllers need to ensure that, when handling personal data, they take appropriate security measures to protect that data. The type of measures taken will be dictated by the nature of the data, and will be more demanding in the case of sensitive data.
Proper measures need to be put in place when destroying paper based material and a secure disposal service should be considered. Files should not be left unattended in an office where an office cleaner, for example, could peruse them during early morning cleaning – unauthorised processing. Don’t believe this does not happen as I have personally witnessed this when passing a solicitor’s firm at 7:30 in the morning!
Within the firm, training should be provided for staff, and access should be permitted only to data that is relevant to the job being carried out. Few firms will be without some form of IT system, and they will therefore need appropriate IT measures in place for virus protection, data back-up and recovery, etc. Appropriate security measures should also be put in place for logging on to internal systems.
Increasingly, firms will use e-mail over the Internet to communicate with other solicitors and clients. Sending e-mail on the Internet poses its own risks. In the Employment Practices Data Protection Code the Information Commissioner discusses the transmission of confidential information by e-mail without proper security measures, and it would seem that to do so breaches the seventh principle. This is one of the reasons the Society is pioneering the Lawseal project, which provides a secure electronic communications environment.
Gordon Brewster, Director of IT, The Law Society of Scotland