The Data Protection Act 1998 implements the requirements of the EU Data Protection Directive. Stephen Groom checks out the aspects of the new law that are particularly relevant to marketing.
The Data Protection Act 1998 gives effect to the requirements of the EU Data Protection Directive. The three main intentions of the Directive are to:
- harmonise data protection legislation throughout the EU;
- protect individuals’ rights and freedoms, especially the right to privacy regarding the processing of personal data; and
- facilitate the free flow of personal data within the EU in the interests of improving the operation of the single market.
The Directive required Member States to have implemented its provisions by 24 October 1998. However, the Data Protection Bill’s progress through Parliament was slower than the Government had intended and it did not come into force in the UK until 1 March 2000.
The 1998 Act repeals and replaces the Data Protection Act 1984 in its entirety although in many areas it follows a similar scheme and structure.
Complementing the EU Data Protection Directive is the Telecoms Data Protection Directive. It concerns the Processing of Personal Data and the protection of privacy in the telecoms sector. It too should have been implemented by the Member States by 24 October 1998, but was not introduced in the UK in its entirety until 1 March 2000.
This paper introduces significant provisions of the new legislation and looks at aspects relevant to marketers. For a fuller description we recommend the book "The Data Protection Act, Explained" written by Osborne Clarke's James Mullock and Piers Leigh-Pollitt and published by the Stationery Office (contact 020 1809 1098 for further details).
The new Act extends data protection controls beyond the requirements of the 1984 Act in a number of areas:
1998 Act 1984 Act
(1) Applies to automatically processed and certain types of manually Processed data. Applies only to automatically processed data.
(2) Contains a wide definition of Processing (i.e. everything from collection to destruction). Contained a narrower definition of Processing.
(3) Sets conditions which must be met before Personal Data may be Processed. No express equivalent provision. Relies on Data Protection Principles.
(4) Sets tighter conditions for the Processing of "sensitive" data (e.g. data about racial or ethnic origin). Allows special conditions for "sensitive" data to be set by Order. No Order was ever made.
(5) Provides certain exemptions for Personal Data processed for journalistic, literary and artistic purposes. No corresponding provision.
(6) Requires individuals whose data are processed to be provided with certain information (e.g. about the purpose of processing) No express equivalent provision. Relies on Data Protection Principles.
(7) Gives individuals the right of access to their Personal Data, and the right to have inaccurate data amended, etc. Makes broadly equivalent provision, but with some important differences.
(8) Gives individuals the right at any time to require that their data is not used for direct marketing purposes. Requires the data user at the time of collection to notify the Data Subject of its intended use of the data and, in some cases, to give the Data Subject the right to opt out of all uses, such as direct marketing.
(9) Places restrictions on fully automated decision-making. Sets specific requirements for security of processing operations. No equivalent provision. Relies on Data Protection Principles.
(10) Sets detailed conditions for transfer of personal data to countries outside the EEA. Contains much simpler provisions.
The Data Protection Principles
The eight Data Protection Principles are the cornerstone of the application of the Act, since they provide the general rules which the Registrar uses in enforcing the Act.
The Data Protection Principles listed in the 1998 Act lay down general rules as to:
(1) the fair and lawful obtaining and Processing of Personal Data;
(2) the holding of Personal Data for specified and lawful purposes and the requirement that the Processing of data shall not be incompatible with the specified purpose;
(3) the requirement that Personal Data must be adequate, relevant and not excessive in relation to the specified purpose;
(4) the requirement that Personal Data must be accurate and up-to-date;
(5) the requirement that Personal Data shall not be kept longer than is necessary for the specified purpose;
(6) the requirement that Personal Data must be Processed in accordance with the rights of Data Subjects;
(7) security and the requirement for appropriate technical and organisational measures to prevent accidental loss, destruction of, or damage to, Personal Data; and
(8) The transferring of Personal Data to countries outside the EEA.
The main changes to the eight principles under the Act concern the newly drafted Principle 8 (see later for further detail), and changes made to the criteria which, under the first Principle, will lead to data being deemed to have been fairly and lawfully obtained (see below for details.)
Content of the Act
The Act is divided into six Parts and has 16 Schedules:
Preliminary: Part I of the Act begins with definitions of the main terms used and introduces the first four Schedules which deal with:
- the Data Protection Principles and the interpretation of them;
- criteria to be met before Processing may begin, particularly in the case of Sensitive Personal Data; and
- circumstances in which transfers of Personal Data may take place to countries outside the EEA which have "inadequate protection".
Data Subjects' Rights: A Data Subject will have a right of access to his Personal Data including data held by credit reference agencies. He will have the right to prevent Processing for the purposes of direct marketing and to receive, on request, a description of the purposes of Processing and all recipients. A Data Subject will also have a right to know the logic behind any automated decision-taking and will, subject to exceptions, be able to prevent decisions significantly affecting him from being based solely on automated means. He will also, in certain circumstances, have the right to prevent Processing likely to cause him damage or distress and will be able to claim compensation where a Data Controller fails to comply with the requirements of the Act. In the case of inaccurate data, he will be able to apply to the courts for its correction, blocking, erasure or destruction.
Notification: The current registration system will be replaced with a similar system of "notification". The new system will be a simplification of the present one and there will be some exemptions from the requirement to notify. The Act lists a broad description of information which a Data Controller must notify to the Commissioner. Data Controllers will be required to notify the Commissioner before Processing certain Personal Data. However, notification will not apply to manual records. The register must be made publicly available. Exemptions from notification, in cases where Processing is "unlikely to prejudice the rights and freedoms of Data Subjects" are to be dealt with in notification regulations. The details of the notification regulations are not yet available.
Exemptions: Provisions are made for exemptions in limited cases, for example, to safeguard national security, crime prevention, collection of tax or duty. Personal Data processed for journalistic, artistic or literary purposes will be exempt from certain provisions of the Act where the Processing is "in the public interest".
Enforcement: The Commissioner may issue an Enforcement Notice where a Data Controller has contravened the Data Protection Principles. The Commissioner may also issue an "Information Notice" requiring the Controller to provide him with information where he suspects a Principle has been breached. Failure to comply with either notice will be an offence.
Miscellaneous and General: The Commissioner's powers and duties are set out in this Part.
Data Falling within the Scope of the Act
Included are all "personal" data., which are:
- processed automatically;
- recorded with the intention that they should be Processed automatically; or
- recorded as part of a relevant filing system or with the intention that they should form part of a relevant filing system.
"Personal data" is defined in S.1(1) as data which relates to a living individual who can be identified:
- from those data; or
- from those data and other information which is in the
The Conditions Applicable to the Obtaining and Processing of Personal Data
Schedule 1 indicates how the eight principles should be interpreted while Schedule 2 lays down conditions to be complied with when collecting/processing Personal Data and Schedule 3 includes additional conditions applicable to the Processing of Sensitive Personal Data.
Schedule 1 provides that in determining whether data are processed fairly, regard should be had to the method by which they were obtained, including whether any person is deceived or misled as to the purposes for which the data are to be processed. The Schedule goes on to stipulate that data will not be treated as processed fairly unless the Data Controller ensures that so far as practicable the data subject is provided with, or he has made readily available to him, e.g. the identity of the Data Controller and the purposes for which the data are intended to be processed.
Processing all data
At least one of the following conditions in Schedule 2 must be fulfilled whenever data are collected:
- the Data Subject has given his consent to the Processing;
- Processing is necessary for the performance of a contract to which the Data Subject is a party, or necessary for the taking of steps at the request of the Data Subject with a view to entering into a contract, or where there is any legal obligation on the Data Controller, other than an obligation imposed by contract;
- Processing is necessary to protect the vital interests of the Data Subject;
- Processing is necessary for the exercise of functions required by the administration of justice, statute or in the public interest;
- Processing is necessary for the purposes of legitimate interests pursued by the Data Controller or a third party, provided that the rights of the Data Subject are not prejudiced to an unwarranted extent. The circumstances in which this condition may be fulfilled can be specified by order of the Secretary of State.
In a marketing context, perhaps the first, second and fifth conditions are most likely to be relevant. See section 3 below.
Processing Sensitive Personal Data
Where sensitive Personal Data are concerned at least one of the following conditions must also be fulfilled:
- the Data Subject must give his explicit consent unless consent cannot be given or reasonably obtained; or
- consent is withheld and Processing is necessary to protect the interests of a third party;
- Processing is necessary for exercising or performing any legal right or obligation in connection with employment;
Processing is carried out as part of its legitimate activities by a non-profit making organisation and which exists for political, philosophical, religious or trade-union purposes;
- Processing is carried out with appropriate safeguards for the rights and freedoms of Data Subjects
the information has been made public deliberately by the Data Subject
- Processing is necessary for legal purposes, required by statute or government or for medical purposes (subject to the particulars set out in Schedule 3)
- Processing is of Sensitive Personal Data consisting of information as to racial or ethnic origin, and is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of Data Subjects.
What exactly is meant by 'consent' in relation to Personal Data or 'explicit consent' in relation to Sensitive Personal Data is not defined in the Act. At the least, explicit consent is likely to be interpreted as express written consent. See section 3 below for more discussion of this for marketers.
Extension of Individual Rights
As referred to earlier, Part II of the Act gives individuals, for the first time, the right to object to the Processing of Personal Data in certain circumstances. However, the individual cannot object when the requirements set out in Schedule 2, or if applicable, Schedule 3 have been met, including the giving of consent or explicit consent depending on the sensitivity of the data.
An individual is also entitled at any time to give notice in writing to a Data Controller stating that no Personal Data relating to that individual should be used for direct marketing. It does not matter in this case whether explicit consent has been given earlier.
In effect this means that non-sensitive Personal Data which have been gathered in accordance with one of the conditions contained in Schedule 2 will be available for direct marketing by the Data Controller or anyone to whom he gives or sells such Personal Data until that Data Controller receives notice that the Personal Data may not be used for any direct marketing. It remains unclear as to whether on receipt of such a notice a Data Controller is obliged to notify anyone to whom he has passed the Personal Data and so on down the line.
If the Data Controller does not comply with a legitimate request to remove data the individual is entitled to compensation. This extends the right to compensation under the 1984 Act which was solely for damage and/or distress suffered by the individual caused by inaccurate data or loss of data.
As referred to earlier, Part IV of the Act provides exemptions from the Principles and other provisions. A number of exemptions mirror those in the 1984 Act, such as crime and taxation, health and social work, legal professional privilege, national security and Processing for purely personal or household activities.
New exemptions include Processing for the purposes of journalism, artistic purposes and literary purposes, confidential references, management forecasts and in respect of information recorded by candidates in examinations.
The Act goes further than the Directive in a number of areas. The Registrar published a detailed note dated 5 May 1998 which analyses the exemption provisions (The full text of the Registrar's comments can be found at http://www.open.gov.uk/dpr/com-exem.htm). The Registrar's case as put to the Committee stage of the House of Commons warned that the widening of the existing exemptions under the 1984 Act would be, in many respects, unjustified. These comments passed unheeded and the exemptions in the new Act will widen the provisions of the 1984 Act.
The Act provides for a transitional period during which ‘Processing already underway’ as of 24 October 1998 will be exempt from some of the requirements of the new law until 23 October 2001. The Government have stated that they intend this expression to include, amongst other things:
amendments to existing Personal Data;
the addition of Personal Data on existing Data Subjects;
the addition of Personal Data of new Data Subjects; and
essential program and software changes to enable such Processing to continue.
For manual data where Processing was already under way immediately before the date at which the new Act comes into force, the special transitional exemptions continue after 23 October 2001 until 23 October 2007.
Until 23 October 2001 all manual data and, subject to certain conditions, backup data; data Processed only for the purposes of payroll and accounts; producing mailing lists; or by unincorporated members clubs will be exempt from compliance with the Principles and Data Subjects rights and notification requirements of the Bill. Manual data will also enjoy a more limited exemption from some of the Principles until 2007.
In addition all eligible automated data (i.e. data which are the subject of Processing already under way before the date on which the new Act comes into force) will be exempt until 23 October 2001 from many of the additional requirements of the new law.
Particular aspects relevant for marketers
This Directive (97/66) has been implemented by the Telecommunications (Data Protection and Privacy) Regulations 1999 (S1999/2093).
Key to the new regulations are statutory preference schemes covering the use for direct marketing purposes of unsolicited faxes and automated and non-automated telephone calls.
Oftel is required to set up the schemes, which has been done through the Direct Marketing Association. The schemes are called the Telephone Preference Service (TPS) and the Fax Preference Service (FPS). The Regulations prohibit the use of faxes for direct marketing to individuals, except where, in a particular case, the called subscriber, has previously given his consent. If the unsolicited direct marketing faxes are directed at companies, these will be allowed unless the Company has either notified the marketer that it does not wish to receive them or registered with the FPS.
So far as non-authorised unsolicited telephone calls to individuals are concerned, the regime is "opt-out", so that these calls are allowed unless the called person has previously notified the caller that such calls should not be made or where the called person has registered with the TPS.
Regarding automated faxing systems, there is a general prohibition unless the called subscriber has given his prior consent.
Separately, where a direct marketing call is made, the name of the caller must be given and, on the request of the person receiving the call, his address or freephone telephone number.
Compensation may be awarded to individuals who suffer damage by reason of any contravention of these regulations.
Marketing by post
Although the scheme is not statutory, individuals and businesses may register with the Mailing Preference Service so as not to receive unsolicited mail. Tel: 020 7766 4410 for more information.
Marketing by email
(a) Is an e-mail address "personal data"
The 1998 Data Protection Act defines "personal data" as follows:
"data which relates to a living individual who can be identified:
from those data; or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller."
The question arises therefore as to whether an individual or "data subject" can be identified from his or her e-mail address. The answer might be that it depends on the particular e-mail address. Stephen.firstname.lastname@example.org can clearly been seen as an e-mail address from which the writer of this paper could be identified. A corporate domain name in the UK is being used and using any available directory, the writer's whereabouts could be quickly traced.
But different considerations may apply to an address such as email@example.com. The person's full name is not stated and so he or she cannot be looked up in the telephone directory and all that is known is that the person might or might not call himself "Stephen" as a Christian name and he uses Yahoo! mail as his e-mail service provider. It seems highly arguable therefore that such an address is one from which the person behind it cannot be identified.
Having said this, the Data Protection Commissioner has recently indicated strongly that she regards all e-mail addresses as "personal data". The rationale for this appears to be that e-mail addresses are unique to one individual and that an electronic record can therefore be built up about that person. Although this rationale seems un-persuasive the writer is certainly not suggesting that at the present time those who e-mail addresses should do anything other than treat them as they would all other personal data as required by the 1988 Act.
The point remains, however, as to whether certain types of e-mail addresses might indeed be treated differently without fear of breaching the legislation.
(b) A separate question that arises is in relation to "sensitive personal data"
There is a new category of personal data created by the new 1988 Act. This is "sensitive personal data". This is defined as consisting of information as to:
the racial or ethnic origin of the subject;
his political opinions;
his religious beliefs or other beliefs of a similar nature;
whether he is a member of a trade union;
his physical mental health or condition;
his sexual life;
commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
There may arguably be e-mail addresses which give an indication as to one or more of the above factors themselves. For instance, firstname.lastname@example.org or email@example.com. Certainly neither address would be conclusive as to these characteristics of the individual concerned, but there is no express requirement in the Act that the data should be determinative as to these matters.
One of the most critical consequences of data being classified as "sensitive personal data" is that the data subject's explicit consent must be obtained before that data can be processed. This is another area therefore, where depending upon the particular content of the e-mail address itself, aside from any other data, the address should be treated in a different way.
(c) email preference service
This was set up by the Direct Marketing Association in January 2000. It provides access to a global register, operated by the US DMA, of those who do not wish to receive unsolicited commercial emails. Marketers wishing to "clean" their emailing lists can do it through this service for a modest annual fee, whilst the service is free for those wishing to register.
(d) Distance selling Directive/Regulations
The EU Distance Selling Directive was signed off by the Council of Ministers in May 1997. Implementation of the Directive was due by 4 June 2000, but is now unlikely until Summer 2000 and Article 10 includes the following:
"Member states shall ensure that means of distance communication, other than those referred to in paragraph 1 [paragraph 1 does not refer to e-mail] which allow individual communications may only be used where there is no clear objection from the consumer".
Member states are given the freedom to choose whether to adopt an "opt in" or "opt out" approach. In November 1999, the DTI published its consultation paper in relation to implementation of the Directive. For details of the proposals in relation to marketing/distance selling by fax, telephone and post, see the "Distance Selling" section in the "Webvertising" paper in the course bundle. This included a separate section devoted to the implementation of the parts of the Directive affecting unsolicited commercial e-mails.
The DTI pointed out that a number of EU states including Austria, Italy, Germany and Sweden had gone or were likely to go for "opt in" and invited representations on the issue. Although clearly undecided on the matter, the DTI cites difficulties of enforcement as one reason for choosing "opt out" as opposed to "opt in". As of 31 May 2000, the DTI was still undecided on this crucial point.
If the DTI opts for "opt out" it is likely it will use the existing DMA email preference services as the model for a statutory scheme.
(e) The e-commerce Directive
This was signed off by the Council of Ministers in May 2000 and implementation is due by November 2001. This gives member states the right to introduce a complete ban on unsolicited commercial e-mail and in any event will require that these communications are readily identifiable as such, presumably in the "Subject" box.
Transfer of data outside the EEA
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The European Economic Area consists of the fifteen EU member states plus Norway, Iceland and Liechtenstein.
Paragraph 13 of Part II of Schedule I tells us that
13. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to:
the nature of the personal data;
the country or territory of origin of the information contained in the date;
the country or territory of final destination of that information;
the purposes for which and period during which the data are intended to be processed;
the law in force in the country or territory in question;
the international obligations of that country or territory;
any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases); and
any security measures taken in respect of the data in that country or territory.
This list is not necessarily exhaustive and as suggested by the European Data Protection Directive, "appropriate contractual solutions" may be a solution to the problem. Model commercial contract clauses designed to enable an EEA resident business to show that the transfer of the date out of the EEA will not breach the Eighth Principle have been drafted by the International Chamber of Commerce and the Confederation of British Industry, but have not yet been formally approved by the UK Data Protection Commissioner or the European Commission.
Cases where the Eighth Principle does not apply:
1. The data subject has given his consent to the transfer.
2. The transfer is necessary:
(i) for the performance of a contract between the data subject and the data controller; and
(ii) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.
3. The transfer is necessary:
(a) for the conclusion of a contract between the data controller and a person other than the data subject which:
(i) is entered into at the request of the data subject; or
(ii) is in the interests of the data subject; or
(b) for the performance of such a contract.
4. The transfer is necessary for reasons of substantial public interest.
4.1 The Secretary of State may by order specify:
(a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest; and
(b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
5. The transfer:
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
(b) is necessary for the purpose of obtaining legal advice; or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
6. The transfer is necessary in order to protect the vital interests of the data subject.
7. The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.
8. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
Taking into account all the factors set out above, the accepted view is that as things presently stand in the US, any transfer of personal data out of the EEA to the USA may not be regarded as a transfer to a country with "adequate" personal data protection as required by the Eighth Principle. With a view to resolving the problems created by this, bilateral negotiations have been going on for some months between the US and the European Union.
The latest report that we have on this, is that after months of delay the US and the European Union have reached agreement on a privacy safe harbour for US-based marketers. The safe harbour principle accepts the US concept of self regulation and at the time of writing this was due to be ratified by Congress and European Commission Ministers imminently. As currently formulated, the safe harbour will apply to most businesses except for financial services companies. The provisional agreement has five major facets which US-based marketers must follow to comply with EU privacy regulations:
the company must notify site visitors regarding the purpose of data collection;
the company must allow visitors to opt out of allowing the company to share information with others;
the company must ensure that the collected data remains secure;
individuals must have access to their own data; and
the company must create an enforcement mechanism to ensure compliance with the safe harbour principle.
Alternatively of course, the data subject may give his/her consent to the transfer. At this time there can be no guarantees that any particular wording will satisfy the Commissioner, but a term along the following lines to which the subject has expressly agreed may help – "By signing below you accept that we may pass details of your competition entry to Bloggs Ltd. of China, who we have chosen to manage this prize competition on our behalf. You should be aware that as of June 2000, China has no data protection laws".
The question of 'consent 'in a marketing context
The Act contains no definition of "consent", but from recent statements on behalf of the Commissioner, it is clear that she does not regard this as tantamount to an across-the-board "opt-in"/"permission marketing" requirement.
Where data is gathered on-line, the Assistant Data Protection Commissioner has indicated verbally that it would be sufficient, in order to satisfy the requirements of the first principle, to give prospective data subjects the opportunity of ticking an opt-out box, provided the box was situated in close physical proximity on the screen to information dealing appropriately with the uses the personal data was to be put to by the data controller.
As for the information to be supplied about the future use of the personal data, if the use is "obvious" (e.g. sending the data subject information about other clothing products of the Data Controller grant from those which the individual has ordered), then it is unlikely that the Commissioner would require this type of use to be stated expressly. If, however, the use is "non-obvious" (e.g. giving data to a third party, using the data as part of a list rented out to third parties or sending information about products/services unrelated to those being ordered at the time of the data being collected), then these uses should be described.
Regarding the second condition in Schedule 2 relating to the processing being "necessary for the performance of a contract to which the data subject is a party", this might be applicable in the context of, say, either the purchase of goods or services on-line or the entry on the part of the data subject into a prize promotion. If, however, there is any intention to make use of the data above and beyond the specific object of either supplying the goods or services in question or in a prize promotion context, processing the individual's personal data for the purposes of entering them into the prize promotion and dealing with that data accordingly should they be a winner, then details of those other uses should be supplied at the time that the data is captured.
In its 1999 Report "Consumer Processing in the Information Age", the National Consumer Council suggested a format for collection of personal data by marketers. In case it is of interest, this is at Appendix Two to this paper.
Subcontracting data processors.
Part II paras. 11 and 12 of the 1998 Act.
11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle:
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and
(b) take reasonable steps to ensure compliance with those measures.
12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless:
(c) the processing is carried out under a contract:
(i) which is made or evidenced in writing; and
(ii) under which the data processor is to act only on instructions from the data controller; and
(d) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle. (This means that marketers sub-contracting others to collect and process data must, to comply with this principle, have a written contract with the data processor obliging the latter to adhere to the relevant Data Protection principles and to only process the relevant data on the instruction of the Data Controller.)
The right to prevent processing for direct marketing purposes.
This can be exercised at any time, for no reason by data subjects. Data controllers must act on receipt of such a request and stop the use of that individual's data "at the end of such period as is reasonable in the circumstances". Earlier versions of the Data Protection Bill required controllers to respond in writing to such requests to confirm they had been actioned, but there is no such requirement in the final Act.
Appendix One – Extracts from the 1998 Data Protection Act
Data Controller: means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, processed.
Data Processor: in relation to Personal Data, means any person (other than an employee of the Data Controller) who carries out the day to day Processing of the data on behalf of the Data Controller. (The Act distinguishes, unlike the 1984 Act, between the Data Controller and the Data Processor. Most provisions of the Act apply to the Data Controller – presumably in an attempt to simplify accountability. The terms Data User and Computer Bureau are no longer used).
Data Subject: means an individual who is the subject of Personal Data.
Personal Data: are data relating to a living individual who can be identified from those data, or from those data and other information which is or is in the possession of, or is likely to come into the possession of the Data Controller, including any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual. This definition is similar to that under the 1984 Act, but it should be noted that it is extended by the inclusion of information 'likely to' come into the possession of the Data Controller.
Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
organisation, adaptation or alteration of the information or data;
retrieval, consultation or use of the information or data;
disclosure of the information or data by transmission, dissemination or otherwise making available, or
alignment, combination, blocking, erasure or destruction of the information or data.
This includes any use of information on the Internet or other electronic medium. It is immaterial whether the information is recorded with the intention of carrying out any operation in relation to it inside or outside the EEA
Processing no longer has to take place "by reference to the Data Subject". Data Controllers will therefore need to consider what search facilities need to be put in place to locate Personal Data held if they receive a request from a Data Subject.
Sensitive Personal Data is given special protection under the new Act. It is Personal Data consisting of information which relates to the Data Subject's:
racial or ethnic origin, health and sexual life
religious beliefs or other beliefs of a similar nature
trade union membership
proceedings for any offences committed or alleged to have been committed or the commission of any offence or alleged offence.
The Data Protection Commissioner is the person who, under the 1984 Act, was known as the Data Protection Registrar. The Commissioner is an independent officer who reports directly to Parliament.
The right to prevent processing for the purposes of direct marketing.
(1) an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin processing for the purposes of direct marketing personal data in respect of which he is the data subject.
(2) if the court is satisfied, on the application of any person who has given a notice under sub section (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit;
(3) in this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
Fair and lawful obtaining of personal data.
Schedule I Part II
Interpretation of the Principles in Part I
The First Principle
(1) In determining for the purposes of the first principle whether the personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who:
(a) is authorised by or under any enactment to supply it; or
(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless:
(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in subparagraph (3); and
(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or had made readily available to him, the information specified in sub-paragraph (3).
(2) In sub-paragraph (1) (b) 'the relevant time' means:
(a) the time when the data controller first processes the data; or
(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged:
(i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed.
(ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or
(iii) in any other case, the end of that period.
(3) The information referred to in sub-paragraph 1. is as follows, namely:
(a) the identity of the data controller;
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative.
(c) the purpose or purposes for which the data are intended to be processed; and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
Conditions relevant for purposes of the first principle: processing of any personal data.
1. The data subject has given his consent to the processing.
2. The processing is necessary:
(a) for the performance of a contract to which the data subject is party; or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary:
(a) for the administration of justice;
(b) for the exercise of any function conferred on any person by or under any enactment;
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department; or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
Appendix Two – Options
If you give us (X Ltd) the information we requested in this document, you are automatically allowing us to use it to:
– Process your order
– Keep your account
– Ensure your satisfaction
– Check your credit is good
– Do market research
Tick 'yes' if you also agree to give us permission to use the information to see you other goods/services by:
We would like to share information with other companies who might like to sell you goods/services. Tick 'yes' if we can give them information about your:
Address Marital Status
Telephone Family members
E-mail Home ownership
Things you like to buy
At a glance guide to opt-in/opt-out rules pre and post Distance Selling Regulation
Post SR opt out
E-mail SR opt out
Telephone ST opt out
Automated telephone ST opt in ST opt in
Fax ST opt out ST opt in
After DS Regs. in force (N.B. not yet in force as of July 2000)
Post ST opt out
E-mail ST opt out
Telephone ST opt out
Automated telephone ST opt in ST opt out
Fax ST opt out ST opt in