
Advice Note

August 2003

UK Data Protection
The Data Protection Act 1998 (DPA) has now been in force for over three years since it was implemented in the United Kingdom in March 2000. It applies to the 'processing' of 'personal data' by individuals or organisations that qualify as 'data controllers' under the Act.

Scope of the Legislation

'Processing' includes virtually every use of personal data, from collection, alteration and distribution to amendment and deletion.

'Personal data' means information from which living individuals can be identified (e.g. names, contact details, video images, and expressions of opinion and/or intention about employees, customers, suppliers etc.).

The Act extends to personal data processed in an automated fashion (e.g. on computers) and/or in a structured manual fashion (e.g. in manual records such as structured filing cabinets, microfiche and card index systems).

An individual or organisation falls within the definition of a data controller if it determines the purposes for which, and the manner in which, personal data is processed. The data controller must also be established in the UK and process personal data in the context of that establishment, or use equipment based in the UK to process personal data.

Core Requirements of the Act

To comply with the DPA, data controllers must:

1. Notify their processing operations to the Information Commissioner's Office; and
2. Comply with the eight data protection principles in the DPA.

How to Notify

If your organisation qualifies as a data controller, it must notify its data processing operations to the Information Commissioner's Office (the ICO), unless it qualifies for an exemption from this requirement under the DPA.
The ICO can be contacted at:

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 01625 545 740 (Notification)
Tel: 01625 545 745 (Information)
Tel: 01625 545 700 (Switchboard)

The ICO will provide you with the necessary notification forms and an information pack to assist you in completing your notification. The ICO also allows you to complete your notification online at www.dataprotection.gov.uk.

It is a criminal offence to process personal data without a notification, or for purposes outside those stated on your notification. Should you require assistance with, or have any questions about, completing your notification forms, please feel free to discuss this with us.

How to Comply with the Eight Data Protection Principles

To comply with the DPA, your organisation will need to process personal data in accordance with the eight data protection principles. These principles are set out in Figure 1.

Figure 1: The Eight Data Protection Principles

1. Data must be processed fairly and lawfully.
2. Data must be obtained for one or more specified and lawful purposes and may not be further processed in any manner incompatible with those purposes.
3. Data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.
4. Data shall be accurate and, where necessary, kept up to date.
5. Data shall not be kept for longer than is necessary for the purposes for which it is processed.
6. Data must be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data, and against accidental loss, destruction of or damage to such data.
8. Personal data must not be transferred outside the European Economic Area (EEA) unless the recipient country or territory ensures an adequate level of protection in line with the EU Data Protection Directive.


Fair Processing

To comply with principles 1 and 2 of the DPA, you will need to ensure that you provide those individuals whose personal data you process (such as employees, customers, agents and suppliers) with so-called 'fair collection notices'. Ideally, these notices should be provided at the point where the information is collected from the individual. They should state who will hold any personal data provided to your organisation and the purposes for which that information will be processed.

These notices can therefore be included in employment contracts with employees, in contractual arrangements or data collection forms with customers, agents, suppliers etc., and on any other medium used to collect personal data (e.g. websites). To the extent that any information will be made available to third parties (e.g. group companies), transferred to foreign jurisdictions and/or used for non-obvious purposes (e.g. credit reference checks or direct marketing), that use should also be brought to the attention of the individuals in question.

Lawful Processing

Schedules 2 and 3 of the DPA set out the conditions for processing personal data lawfully. Principle 1 requires you to ensure that at least one of the Schedule 2 conditions set out in Figure 2 applies to each processing operation carried out by your organisation.

Figure 2: Conditions for Processing Personal Data Fairly and Lawfully

1. The data subject has given his/her consent.
2. The processing is necessary for the performance of a contract with the data subject, or for entering into a contract with the data subject.
3. The processing is necessary for compliance with any legal obligation to which your organisation is subject (other than an obligation imposed by contract).
4. The processing is necessary to protect the vital interests of the data subject.
5. The processing is necessary for the administration of justice.
6. The processing is necessary for the purposes of legitimate interests pursued by your organisation, except where the processing is unwarranted by reason of prejudice to the rights or legitimate interests of the data subject.

To the extent that any sensitive personal data (e.g. data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, or the commission or alleged commission of an offence or any proceedings for any offence or alleged offence) is likely to be processed by your organisation, you will need to justify processing it by ensuring compliance with at least one of the Schedule 2 conditions as well as at least one of the Schedule 3 conditions set out in Figure 3.

Figure 3: Conditions for Processing Sensitive Data Fairly and Lawfully

1. The data subject has given his/her explicit consent.
2. The processing is necessary to enable your organisation to exercise rights or comply with obligations imposed by law in connection with employment.
3. The processing is necessary to protect the vital interests of the data subject (e.g. in life and death situations).
4. The processing is carried out for the purpose of monitoring equal opportunities.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing is necessary for the purposes of establishing, exercising or defending the legal rights of your organisation or its employees.
7. The processing is necessary for the administration of justice.
8. The processing is necessary for medical purposes and is undertaken by a health professional (or equivalent).

Where your organisation cannot easily justify processing personal data (including sensitive personal data) on any of the conditions set out in Figures 2 and/or 3, it would be prudent to try to obtain (explicit) consent to process such information.
In addition, if your organisation intends to transfer any personal data which it collects to jurisdictions outside the European Economic Area, it would be prudent to ensure that the individuals in question are informed about the transfer and give their consent both to the transfer and to any further processing of their personal data in that jurisdiction. Providing this information and obtaining the necessary consents will assist your organisation to comply with the fair and lawful obtaining and processing requirements of the legislation.

Security

Principle 7 of the DPA requires your organisation to ensure that it has appropriate technical and organisational security measures in place to protect the personal data which it processes. This obligation applies to personal data processed both in an automated fashion (e.g. on IT systems) and in a manual fashion (e.g. in structured manual records). Consequently, this principle requires data controllers to consider appropriate technical security measures (such as encryption and virus checking) as well as appropriate operational security measures (such as screening employees carefully when appointing them and limiting employees' access to certain types of personal information). The requirement is not prescriptive: the degree of security which is appropriate will depend on the nature of the personal data being processed and the potential harm which could result if that information were destroyed, disclosed or altered.

Data Protection Agreements

To the extent that your organisation makes any personal data available to third parties in order to receive services from them (e.g. IT maintenance companies, web service providers and/or direct marketing and publicity companies), Principle 7 of the DPA requires your organisation to put in place a written agreement with such third parties (referred to as 'data processors') to ensure that:

1. They provide sufficient guarantees in respect of the security measures which they will take when processing the data controller's data;
2. They process such data only on the data controller's instructions and for no other purpose; and
3. Your organisation retains the ability to verify the third parties' compliance with these obligations (e.g. by means of an audit).
If your organisation becomes involved in purchasing, selling and/or disclosing personal data to third parties, consideration will have to be given to including appropriate wording in the contractual arrangements with the recipient parties to guarantee that the information has been and/or will be processed in accordance with prevailing data protection legislation. Where necessary, the data controller should consider obtaining indemnities from third-party recipients of personal data against their breach of such legislation.

Individuals' Rights

The DPA provides individuals with a number of rights, namely the right to:

1. Access any personal data which a data controller processes about them;
2. Have corrected any inaccurate personal data which a data controller processes about them;
3. Receive compensation from a data controller for breaches of the legislation; and
4. Prevent a data controller from processing their personal data, in particular for the purposes of direct marketing.

In the event that your organisation wishes to use the contact details of customers for direct marketing purposes, this should be brought to the attention of customers and they should be given the opportunity to prevent you from using their personal data for that purpose. Until recently this has often been done by giving individuals the opportunity to 'opt out' of receiving direct marketing materials. However, this is no longer sufficient: recent European legislation on the use of electronic communications makes clear that organisations now need 'opt in' consent from individuals before sending them marketing materials by electronic means. This is subject to a relatively limited exemption whereby 'opt in' consent is not required where an organisation already holds the individual's details as a result of a previous purchase of similar goods or services, provided that on the occasion of each communication the recipient is still offered an 'opt out'. In addition, if your organisation uses unsolicited faxes or telephone calls to market products and/or services, you need to be aware that some organisations have their telephone and fax numbers listed on the telephone and fax preference lists held by the Direct Marketing Association, and those lists should be checked before marketing in that way.

Transborder Data Flow

If your organisation needs to transfer personal data out of the European Economic Area (EEA), consideration will need to be given to Principle 8 of the DPA, which restricts such transfers unless the recipient territory or country offers an adequate level of protection for the information.
This principle places an obligation on your organisation to conduct a 'risk assessment' of every transfer of personal data outside the EEA. A data transfer should only proceed if a 'presumption of adequacy' has been reached based on an assessment of general, legal and contractual criteria. To assist in reaching a presumption of adequacy, the European Commission (EC) is in the process of compiling a list of countries to which personal data can safely be transferred from the EEA. The EC has also made progress in reaching agreement amongst member states on a set of model transborder data flow clauses which can be used to cover the transfer of personal data to recipients based in countries that do not offer an adequate level of protection for such data. If your organisation needs to transfer personal data to the USA, you may wish to consider the 'safe harbour' programme negotiated between the US Department of Commerce and the EC. This programme allows organisations based in the EEA to transfer personal data to US-based organisations that have signed up to the programme.

Schedule 4 of the DPA sets out a number of derogations from the prohibition in Principle 8. The derogations allow personal data to be transferred out of the EEA in certain circumstances: for example, when your organisation has obtained the informed consent of the individuals concerned to the transfer of their personal data, or where the transfer is taking place in order to enter into or give effect to an agreement between your organisation and the individual whose data is being transferred. In addition, or alternatively, such transfers may require contracts to be drawn up between your organisation and the recipient organisation/individual to ensure an adequate level of protection for the personal data being transferred.

Liability

A breach of any of the eight data protection principles is not automatically a criminal offence. However, if the ICO becomes aware of such a breach, it can issue an information notice requesting further information about your data processing operations and/or an enforcement notice requiring you to change your processing operations. If either of these notices is ignored, your organisation will be committing a criminal offence and can be prosecuted, with fines of up to £5,000 in a magistrates' court and unlimited fines in a Crown Court. Individuals who suffer damage and/or distress as a result of your organisation's breach of the DPA can also bring civil proceedings against your organisation. Furthermore, directors, company secretaries and other company officers can attract personal liability where their organisation is found guilty of failing to comply with the DPA and the officers have turned a blind eye and/or acted negligently in the circumstances. Finally, employees can also face criminal prosecution where they obtain or disclose personal data without the consent of their employer, where the employer is a data controller.
Exemptions

The DPA contains a number of useful exemptions from compliance with various aspects of the legislation, such as data retention periods, requests for access to data and the need to provide fair collection notices in certain circumstances. These exemptions apply to various forms of processing, such as processing for statistical research, corporate finance, and management forecasts and planning purposes.

Practical Advice for Compliance

1. Perform a data protection audit to identify the flow of information and the databases in your organisation. An audit also helps to determine where your organisation is not yet complying with the DPA and whether it qualifies for exemptions.
2. Review your existing data protection registration/notification in light of the audit results.
3. Implement a data protection compliance policy/programme which provides employees with information about the manner in which your organisation intends to process their data, and the way in which your organisation requires its employees to process personal data to which they are granted access. A data protection policy would also help to make employees aware of any security procedures and document retention policies with which they are required to comply.
4. Establish data retention and destruction policies based on justifiable retention periods for personal data.
5. Include and use appropriate data protection clauses in contracts and data capture forms (for example, fair collection notices in contracts with employees and customers). Also include data processor clauses in contracts with third parties such as data processors, and appropriate restrictions and indemnities in contracts for the purchase, sale or disclosure of personal data.
6. Provide data protection training for employees.
7. Establish and regularly review technical and operational security measures.
8. Set up a paper trail of the steps you are taking to ensure compliance with the DPA and the reasoning behind processing decisions (e.g. document retention periods).
9. Appoint a data protection officer to co-ordinate and ensure compliance with the DPA.
10. Regularly review the 'best practice guidelines' on the ICO website.
© Pinsent Masons LLP 2009

This note does not constitute legal advice. Specific legal advice should be taken before acting on any of the topics covered.

LONDON. Other UK locations: BIRMINGHAM, BRISTOL, EDINBURGH, GLASGOW, LEEDS, MANCHESTER. International: BEIJING, DUBAI, HONG KONG, SHANGHAI, SINGAPORE.

T 0845 300 32 32
Pinsent Masons LLP is a limited liability partnership registered in England & Wales (registered number: OC333653) and regulated by the Solicitors Regulation Authority. The word 'partner', used in relation to the LLP, refers to a member of the LLP or an employee or consultant of the LLP or any affiliated firm who is a lawyer with equivalent standing and qualifications. Singapore location in association with MPillay. A list of members of the LLP, and of those non-members who are designated as partners, is displayed at the LLP's registered office: CityPoint, One Ropemaker Street, London, EC2Y 9AH, United Kingdom. We use Pinsent Masons to refer to Pinsent Masons LLP and affiliated entities that practise under the name Pinsent Masons or a name that incorporates those words. Reference to Pinsent Masons is to Pinsent Masons LLP and/or one or more of those affiliated entities as the context requires. For important regulatory information please visit: www.pinsentmasons.com

