Data protection half year update

Transcript

Data protection and compliance in context
Stewart Room
Partner
19 November 2007
Data protection in context
• First iterations of data protection law at Council of Europe level were
concerned only with fundamental rights and freedoms, particularly the
right to privacy.
• European Community agenda introduced concern for free movement.
• Within the UK, privacy legislation is contained in the Human Rights Act, the Data
Protection Act, the Regulation of Investigatory Powers Act etc. Parliament,
regulators and the courts are obliged to act compatibly with the European
Convention on Human Rights.
• The Courts have modified the domestic law of confidence to protect
privacy where a reasonable expectation of privacy exists.
• But, care must be taken in application of the law, so as not to damage
other legitimate State interests and wider economic interests.
The development of privacy law
• In 1991 the Court of Appeal would not prevent the publication of very
sensitive personal information, since there was no actionable right of
privacy:
• Kaye v. Robertson
• But, in October 2000 the Human Rights Act came into force.
• And only 18 months later, in March 2002, the Court of Appeal was able
to confirm that where the protection of privacy is justified, an action for
breach of confidence will provide the necessary protection:
• Flitcroft v. MGN
• And now? See the Campbell, Peck, Douglas & Zeta Jones, Prince of
Wales, McKennitt, Princess Caroline cases etc.
What is driving the law forward?
• (1) The introduction of the Human Rights Act 1998 coupled with (2) the
Government’s adoption of advanced data processing techniques in the name
of better public services are responsible for the rapid development of the law:
• HRA incorporated the European Convention on Human Rights into UK law and imposes a legal
obligation on Parliament, Courts and Regulators (as public bodies) to develop domestic law in
order to give full effect to the right to privacy within Article 8:
• S.1 – Incorporates ECHR into domestic law.
• S.2 – Courts to take account of decisions of the European Court of Human Rights.
• S.3 – Legislation to be compatible with ECHR.
• S.6 – Public authorities to act compatibly with ECHR.
• Government is sponsoring the development of massive databases of personal data and these
need protecting:
• Children Act 2004.
• Identity Cards Act 2006.
• ‘Greater data sharing within the public sector - if we get it right - has the potential to be hugely beneficial to
the public, as individuals and to society as a whole. Hand in hand with this is the need to provide real
reassurance that when personal data is shared, the Government is determined to ensure both its security
and integrity.’ Dept for Constitutional Affairs consultation on ‘What price privacy?’ (June 2006).
Data protection overview
• The Data Protection Act 1998 gives effect to the UK’s obligations
under the Council of Europe Data Protection Convention 1981 and the
EC Data Protection Directive 1995.
• It describes itself as an Act to make new provision for the regulation of
the processing of information relating to living individuals.
• The actors; data controllers, data subjects and data processors.
• Personal data; information relating to an identified or identifiable living
individual. See Durant v. FSA (2003) and Article 29 Working Party
Opinion on the concept of personal data (2007).
• The data controller is the person who carries the weight of the
regulatory burdens. The controller must comply with the data
protection principles.
Data protection principles
• Fair and lawful processing and at least one criterion for
legitimacy.
• Obtaining for a specified, lawful purpose.
• Processing to purpose.
• Adequate, relevant, not excessive.
• Accurate and kept up to date.
• Not kept longer than necessary.
• Data subject rights to be obeyed.
• Security.
• Prohibition on transfers to unsafe countries.
Regulatory mechanisms
• Transparency; notification to regulator, fair processing
notices, information notices, subject access.
• General rules on lawfulness; first data protection principle
and schedules 2 & 3.
• The right to object; processing that will cause substantial
and unwarranted damage/distress, direct marketing.
• Criminal offences; particularly section 55.
• Other enforcement by the regulator.
• Data subject’s civil law remedies.
Hot topics
• The surveillance society.
• Unlawful trade in personal data.
• Privacy enhancing technologies.
• International transfers of data.
• Internet and electronic communications.
Compliance
• Intelligent processing; there are only two kinds of data in
the intelligent organisation.
• Understanding the information lifecycle.
• Classification of data.
• Criterion for legitimacy.
• Data protection principles and transparency mechanisms.
• Compliance mechanisms; practices, policies and
procedures.