Blake Lapthorn In-House Lawyer forum - 11 Sept 2012

In-House Lawyer forum Data Protection breakfast, Tuesday, 11 September 2012

Uploaded by blake-morgan, posted on 01-Jul-2015


DESCRIPTION

Blake Lapthorn held its In-House Lawyer forum in its Oxford office on Tuesday 11 September 2012.

TRANSCRIPT

Page 1: Blake lapthorn In House Lawyer forum - 11 Sept 2012

In-House Lawyer forum: Data Protection breakfast

Tuesday, 11 September 2012

Introduction and Welcome

Nicola Diggle, Associate, Commercial Dispute Resolution

[email protected]

Data Protection seminar

– Recognising Personal Data

– Data Sharing

– Overseas Transfers of Personal Data

– Electronic Marketing

– The New Data Protection Regulation

– Short case study

Recognising ‘Personal Data’

Before establishing if the Data Protection Act 1998 (Act) is engaged, you need to recognise what personal data is.

(1) Is the information ‘data’?

– Four categories of data:

Automatically processed data

Data forming part of a ‘relevant filing system’

Data forming part of an ‘accessible record’

Data recorded by a public authority.

Recognising ‘Personal Data’ (2)

(2) Is the data ‘personal data’?

– Once you have established that the information is ‘data’, you need to establish if it is ‘personal’ data.

– Defined in s1(1) of the Act as:

“Data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.

“Living individual”

“Individual”

Recognising ‘Personal Data’ (3)

Examples of personal data include:

– addresses, telephone numbers, job titles and dates of birth

– expressions of opinions about an individual

– indications of the intentions of the data controller or any other person in respect of the individual.

Anonymised data is not personal data.

Data Sharing (1)

(1) What is ‘data sharing’?

– Disclosure of data by one or more organisations to a third party organisation or sharing of data between different parts of an organisation.

– If the data sharing does not involve personal data ie where only statistics that cannot identify anyone are being shared, then the Act does not apply.

Data Sharing (2)

(2) Data sharing has two legal components:

– Whether you can share personal data, eg lawful, powers etc.

– How to share personal data, eg securely, transparently etc.

Your legal status affects your ability to share information, eg it depends on whether you are a public sector body or a private/third sector one.

The public sector:

– (1) Identify the legislation that is relevant to your organisation:

(a) Express obligations.

(b) Express powers.

(c) Implied powers.

Data Sharing (3)

– (2) If there is no power to data share then the data must not be shared unless, for example, there is an overriding public interest to do so.

– (3) The Freedom of Information Act 2000 requires all public authorities to disclose any information they hold to anybody who asks for it, although there are various exemptions, eg for disclosure which would breach any data protection principle.

The private sector:

– Most private organisations have a general ability to share data so long as it does not breach the Data Protection Act or any other law.

Data Sharing (4)

(3) Sharing Confidential Personal Data

– Obligation of confidence can be overridden if:

• consent is obtained

• it is in the public interest – Helen Maddock –v- Devon CC (2003): there was no breach of confidence when a council passed on concerns about the suitability of a woman to become a social worker to the university where she was training. It was considered a matter of public interest that unsuitable persons should not become social workers.

• statutory requirements provide for it.

Data Sharing (5)

(4) Advice: Apply the Statutory Code of Practice on data sharing to help you collect and share personal data in a way that is fair, transparent and in line with the rights and expectations of the people whose information you are sharing, and consider the following:

– Whether you are obliged to share.

– Whether you have the power to share.

– Stick to any statutory limits.

– Confidentiality requirements before disclosure.

– Disclose the minimum that you need to disclose.

– Disclose in a secure manner.

– Whether you have to inform the data subject.

– Keep records of the disclosure.

– If you are routinely data sharing then consider having a formal agreement in place.

Overseas Transfers of Personal Data

Due to the globalisation of trade, record amounts of customer and employee data now have to be transferred overseas from the UK.

Data Protection Act 1998, 8th Principle

• “Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Overseas Transfers of Personal Data (2)

4 Step “Good Practice” Approach. Consider:

– (1) if there is a transfer of personal data to a third country

– (2) if the third country ensures an adequate level of protection to data

– (3) whether the parties have, or can put in place, adequate safeguards to protect the data

– (4) if any of the other derogations to the 8th principle apply.

Overseas Transfers of Personal Data (3)

(1) Is it a transfer? Two questions must be considered:

– (a) Whether the country of the transferee of personal data is outside the EEA;

– (b) Whether the transmission in question actually amounts to a transfer.

What is a ‘transfer’?

Transfer or Transit?

Overseas Transfers of Personal Data (4)

Examples from ICO:

– (1) A company in the UK uses a centralised human resources system in the US belonging to its parent company to store information about its employees – TRANSFER

– (2) Personal data is transferred from the UK to Germany via a server in Switzerland, which does not access or manipulate the information while it is in Switzerland – TRANSIT

Overseas Transfers of Personal Data (5)

(2) Adequacy

– If there will be a transfer to a third country, you need to consider whether the third country ensures an adequate level of protection. A finding of adequacy is normally based on a Community finding or a positive outcome when applying the adequacy test.

– “Community finding”: where the European Commission makes a finding that a country outside the EEA has an adequate level of protection. A list can be found on the ICO website.

– “Adequacy test”: where there is no Community finding, a data exporter should assess the general adequacy criteria.

– Binding Corporate Rules.

Overseas Transfers of Personal Data (6)

(3) Model clauses and Binding Corporate Rules

– Model clauses

Failure to comply with the 8th Principle:

– Enforcement

– Fine of up to £500,000

– Directors and officers of companies who have committed offences may also be liable to prosecution

– Civil proceedings

Topical issues: Cloud computing has raised concerns with regard to the storage of personal data by cloud service providers on servers outside the EEA. A checklist for data protection compliance by cloud clients and cloud providers has been issued.

Electronic Marketing

To collect and use personal data (eg to send out marketing material) there are certain steps you should follow at the time you collect it.

In addition to the Data Protection Act, the Privacy and Electronic Communications Regulations 2003 (PECR) apply to certain marketing activities. The PECR impose two rules regarding unsolicited email marketing. You must:

– Rule 1 - provide certain information (name/organisation name, what you will use the information for, address (for opt-out requests)); AND

– Rule 2 - obtain consent – You cannot send unsolicited email marketing messages unless you have the individual’s prior consent to do so. This strict ‘opt-in’ rule is relaxed if three exemption criteria are satisfied.

Electronic Marketing (2)

You must not send unsolicited electronic marketing to any individual or company who has asked you not to contact them or who has signed up to an opt-in or preference service.

Electronic Marketing (3)

What is prior consent?

– Explicit ‘opt-in’ consent: “I consent to you sending me marketing information about your products by email from time to time. [ ] Please tick box”.

– Consent may be any positive action, eg sending an email or subscribing to a service.

There must be some form of positive action by the individual, and the individual must know that they are agreeing to receive marketing and to a specified means of communication.

Electronic Marketing (4)

An individual can opt out at any time under the Act; any opt-out message must be actioned, and a list of all individuals who have opted out must be kept.

Rules do not apply to marketing sent to companies.
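The two PECR rules for unsolicited email marketing, the prior-consent test and the opt-out list described above can be turned into a send-time gate. The following is an added example written for this page, not code from the seminar or from Blake Lapthorn: it keeps a register of positive-action consents per channel and an opt-out list, and refuses any send the register does not support. The channel names, the recipient identifiers and the rule that a fresh opt-in clears an earlier opt-out are assumptions for the example; the three exemption criteria the slides mention but do not detail are not modelled.

```javascript
// Added example: send-time gate for unsolicited electronic marketing.
// Models the strict opt-in rule and the opt-out list only; exemptions are
// out of scope. Channel names are an assumption for this example.
const CHANNELS = new Set(["email", "sms"]); // "electronic mail" per the glossary

function createMarketingRegister() {
  // consents: recipient -> { channels: Set<string>, action, recordedAt }
  // optOuts:  recipient -> { requestedAt, actionedAt }
  return { consents: new Map(), optOuts: new Map() };
}

// Record a positive action by the individual for the named channels, keeping
// what the action was and when, so the consent can be evidenced later.
// Assumption for this example: a fresh, informed opt-in clears an earlier opt-out.
function recordMarketingConsent(register, recipient, channels, action, at) {
  const unknown = channels.filter((c) => !CHANNELS.has(c));
  if (unknown.length > 0) {
    throw new Error(`unknown channel(s): ${unknown.join(", ")}`);
  }
  register.consents.set(recipient, { channels: new Set(channels), action, recordedAt: at });
  register.optOuts.delete(recipient);
}

// Action an opt-out immediately and keep it on the list; it blocks every
// channel regardless of any consent recorded earlier.
function recordOptOut(register, recipient, at) {
  register.optOuts.set(recipient, { requestedAt: at, actionedAt: at });
  register.consents.delete(recipient);
}

// Decide whether one marketing message may go to one recipient on one channel.
function maySendMarketing(register, recipient, channel) {
  if (!CHANNELS.has(channel)) return { allowed: false, reason: "unknown channel" };
  if (register.optOuts.has(recipient)) return { allowed: false, reason: "on opt-out list" };
  const consent = register.consents.get(recipient);
  if (!consent) return { allowed: false, reason: "no prior consent recorded" };
  if (!consent.channels.has(channel)) {
    return { allowed: false, reason: `consent does not cover ${channel}` };
  }
  return { allowed: true, reason: `consent by ${consent.action} on ${consent.recordedAt}` };
}

// Reduce a campaign list to the recipients the register allows, keeping an
// audit trail of every refusal and its reason.
function filterSendList(register, recipients, channel) {
  const send = [];
  const refused = [];
  for (const recipient of recipients) {
    const decision = maySendMarketing(register, recipient, channel);
    if (decision.allowed) {
      send.push(recipient);
    } else {
      refused.push({ recipient, reason: decision.reason });
    }
  }
  return { send, refused };
}

// Constructed sample register and campaign lists.
function demo() {
  const reg = createMarketingRegister();
  recordMarketingConsent(reg, "alice", ["email"], "ticked opt-in box", "2012-09-01");
  recordMarketingConsent(reg, "bob", ["email", "sms"], "subscribed to newsletter", "2012-09-02");
  recordMarketingConsent(reg, "carol", ["email"], "ticked opt-in box", "2012-09-03");
  recordOptOut(reg, "carol", "2012-09-05"); // later opt-out overrides her consent
  return {
    email: filterSendList(reg, ["alice", "bob", "carol", "dave"], "email"),
    sms: filterSendList(reg, ["alice", "bob"], "sms"),
  };
}
```

In the constructed run, the email campaign goes only to alice and bob (carol is on the opt-out list, dave has no consent on record), and the SMS campaign goes only to bob, because alice's consent named email as the means of communication and nothing else.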

Electronic Marketing (5)

Glossary of terms:

– “Electronic Mail” – includes emails, texts, picture and video messages.

– “Individuals” – includes individuals as well as sole traders and unincorporated partnerships.

– “Unsolicited” – something that is not invited.

Additional regulators/bodies such as the Advertising Standards Authority and the Direct Marketing Association should be considered.

Electronic Marketing (6)

If you wish to carry on using the “opt-out” method but you want it to amount to prior consent, you must do three things:

– Draw attention to the fact that you are collecting mobile numbers and email addresses for marketing.

– Use a consent statement.

– Provide an ‘opt-out’ facility.

Electronic Marketing (7)

Advice:

– Recommend marketing campaigns are always permission-based.

– Explain clearly what a person’s details will be used for.

– Provide a simple way for them to opt-out of marketing messages.

– Have a system in place to deal with complaints.

Electronic Marketing (8)

Cookies

– Obtain consent before setting cookies.

– Consent can be implied, eg “our website uses cookies to create a secure and effective website for our customers and to improve your browsing experience. By using this website you agree that we may store and access cookies on your device. For more information, together with how to block cookies, please see our privacy policy [LINK]”.

– Only set strictly necessary cookies without prior consent.
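The cookie rule above, that only strictly necessary cookies may be set before consent, is a gate a site can enforce in its own front-end code. The following is an added example written for this page, not code from the seminar or from Blake Lapthorn: a cookie registry classifies each cookie by purpose, and a setter refuses any non-essential cookie until the user has taken a positive action for that category; withdrawing consent removes the non-essential cookies already set. The cookie names and categories are a constructed registry for a hypothetical site, the consent model records explicit opt-in only (implied consent by browsing is not modelled), and the cookie jar is an in-memory stand-in for document.cookie so the example runs outside a browser.

```javascript
// Added example: consent-gated cookie setting. Registry, categories and the
// in-memory jar are constructed for the example (assumptions, not the page's).
const STRICTLY_NECESSARY = "strictly-necessary";

// Every cookie the site sets, classified by purpose. Unknown names are denied.
const COOKIE_REGISTRY = {
  session_id:   { category: STRICTLY_NECESSARY, maxAgeSeconds: 0 },
  csrf_token:   { category: STRICTLY_NECESSARY, maxAgeSeconds: 0 },
  analytics_id: { category: "analytics",        maxAgeSeconds: 60 * 60 * 24 * 365 },
  ad_tracker:   { category: "marketing",        maxAgeSeconds: 60 * 60 * 24 * 90 },
};

// Consent state: the non-essential categories the user has positively opted in to.
function createConsentState() {
  return { categories: new Set(), recordedAt: null };
}

// A positive action (eg ticking a box) for specific categories, with the time kept.
function recordConsent(state, categories, now = Date.now()) {
  for (const c of categories) {
    if (c === STRICTLY_NECESSARY) continue; // never needs consent, never "granted"
    state.categories.add(c);
  }
  state.recordedAt = now;
  return state;
}

function withdrawConsent(state, now = Date.now()) {
  state.categories.clear();
  state.recordedAt = now;
  return state;
}

// Strictly necessary cookies are always allowed; anything else needs consent
// for its category; cookies not in the registry are refused.
function mayUseCookie(state, name) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.category === STRICTLY_NECESSARY) return true;
  return state.categories.has(entry.category);
}

// jar is an injected store with set/remove/names (a document.cookie shim).
function setCookie(jar, state, name, value) {
  if (!mayUseCookie(state, name)) return false;
  jar.set(name, value);
  return true;
}

// After any consent change, drop cookies the current state no longer permits.
function applyConsent(jar, state) {
  for (const name of jar.names()) {
    if (!mayUseCookie(state, name)) jar.remove(name);
  }
}

// Minimal in-memory jar so the example runs without a browser.
function makeMemoryJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Constructed walk-through: before consent, after consent, after withdrawal.
function demo() {
  const jar = makeMemoryJar();
  const state = createConsentState();
  const results = {};
  results.sessionBefore = setCookie(jar, state, "session_id", "s-1");      // allowed
  results.analyticsBefore = setCookie(jar, state, "analytics_id", "u-1");  // refused
  recordConsent(state, ["analytics"], 1347321600000);
  results.analyticsAfter = setCookie(jar, state, "analytics_id", "u-1");   // allowed
  results.adAfter = setCookie(jar, state, "ad_tracker", "t-1");            // still refused
  withdrawConsent(state, 1347408000000);
  applyConsent(jar, state);
  results.remaining = jar.names();                                         // only session_id
  return results;
}
```

The point of the registry is that the default is deny: a cookie nobody has classified cannot be set at all, so a new tracker added to the site cannot slip past the consent gate simply by being new.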

The New Data Protection Regulation

On 25 January 2012, the European Commission published a proposal for a new Regulation.

The European Commission has called for:

– an effective new data protection framework

– clear, effective rights for individuals

– clear responsibility and accountability

– obligations to be focussed on processing that poses genuine risks to individuals or societies

– data protection authorities that are independent with a clearer role.

The New Data Protection Regulation (2)

Potential changes:

– Higher fines

– Stronger data subject rights

– Consent

– More responsibility on data controllers.

The New Data Protection Regulation (3)

The Regulation should essentially be a harmonised EU regime.

The draft Regulation will need to be approved by EU member states and ratified by the European Parliament. It could possibly take up to 2 years before the Regulation is adopted.

Case Study (1) (Recognising Personal Data)

A potential member of a gym meets with a sales manager of a local gym to discuss membership options. The sales manager asks the prospective member for certain information (name, address, age) and records these details manually on a ‘new membership application form’. These details will subsequently be added to the gym’s computer system.

Is this data?

Case Study (2) (Overseas Transfer of Data)

UK Gadgets is one of the leading suppliers of gadgets in the UK. It has recently been bought out by a US multinational, US Gadgets.

As part of its new reporting obligations, UK Gadgets has been asked to send copies of all of its employee records to US Gadgets’ head office in New York.

However, compliance with this request may be difficult as it is one of the main principles of the Data Protection Act that personal data should not be transferred outside the EEA unless the data will be adequately protected.

The commercial director is a little concerned that if he sends these, he could be in breach of Principle 8, but head office is adamant that they must be sent.

Case Study (2) (Overseas Transfer of Data)

What are his options?

NB: This case study assumes that the other Data Protection principles have been complied with and that the data does not consist of ‘sensitive’ personal data where consent to transfer may need to be obtained.

Case Study (3) (Electronic Marketing)

Please tick here if you do not want us to contact you by electronic means (e-mail or SMS) with information about goods and services which we feel may be of interest to you.

Is this acceptable?

Contact Details

Gemma Tominey, Associate, Commercial/IT, T: 01865 253287, E: [email protected]

Simon Stokes, Partner, Commercial/IT, T: 0207 8145482, E: [email protected]

Nicola Diggle, Associate, Commercial Dispute Resolution, T: 01865 254285, E: [email protected]