Compliance guide:
Data protection
A practical guide to meeting your regulatory
and best practice obligations
Contents
Introduction
5
Principle 1: Data must be fairly and lawfully processed
5
Principle 2: Data must be processed for limited purposes
6
Principle 3: Data must be adequate, relevant and
9
not excessive
12
Principle 4: Data must be accurate and up to date
3
4
7
10
13
15
Principle 5: Data must not be kept for longer than is necessary
16
18 Principle 6: Data must be processed in line with the data
subject’s right
22
Principle 7: Data must be secure
25
Principle 8: Data must not be transferred to other
28
countries without adequate protection
32
Glossary
Please note that this guide
should not be taken as
legal advice. Its purpose is
simply to promote compliant
activity and best practice. If
you have any legal concerns,
you should seek independent
legal advice.
2
19
23
26
27
Introduction
The Data Protection Act
Under the Data Protection Act
(1998), an individual has several
rights in relation to their
personal data.
The act aims to balance these rights
against the legitimate needs of an
organisation to process personal
data. It is underpinned by eight
‘common sense’ principles.
Personal data must:
• Be fairly and lawfully processed
• Be processed for limited purposes
• Be adequate, relevant and not
excessive
• Be accurate and up to date
• Not be kept for longer than is
necessary
• Be processed in line with the data
subject’s rights
• Be secure
• Not be transferred to other
countries without adequate
protection
If you are involved with the
processing of personal data, you will
be required by law to comply with the
Data Protection Act. The Experian
UK Compliance team have written
this guide to help you understand
the eight principles and fulfil your
obligations under the act.
The Information Commissioners
Office (ICO)
The Information Commissioner’s
Office is an independent authority
who is responsible for promoting
awareness, good practice and
ensuring compliance within the Data
Protection Act. Where appropriate,
the Information Commissioner has
powers to issue enforcement notices
for organisations to take steps or
introduce methods in order to be
compliant with the act. The ICO can
also impose financial penalties on
organisations where there has been
a serious breach of the act.
The ICO also maintains a list
of organisations that process
personal data. The Data Protection
Register is available to the public
on the ICO website, www.ico.gov.
uk and describes the type of data
and the purpose for which it will be
processed. It is a requirement of
the Data Protection Act to notify
the Information Commissioner of
this information. Details of how
to notify the ICO can be found
on their website. Alternatively,
please see our ‘Guide for Small to
Medium Businesses’ – copies can
be obtained from the Experian UK
Compliance Team (contact details at
the back of this guide)
OUR AIM
To ensure that Experian’s Compliance Department is a centre of
excellence; developing robust, professional, reliable and effective
policies and processes, which underpin and fully support the
business in meeting its regulatory and best practice obligations.
3
Principle 1:
Data must be fairly and
lawfully processed
Obtaining data
In order to ensure that you are
processing personal data fairly,
you must have a legitimate reason
for processing the data. The
individual should also be aware of
and understand exactly how you
are going to use their data. This
is particularly important where
the individual has a choice about
whether to enter into a relationship
with you. Being open and clear about
how you are going to process an
individual’s data allows them to make
an informed decision, and therefore
your processing is more likely to be
considered fair.
The Experian UK Compliance team
have written a set of Fair Processing
Notices (FPN) to help our clients
ensure that they are obtaining data
from individuals fairly. They can be
found on our website:
http://www.experian.co.uk/
responsibilities/compliance/fairobtaining-clauses.html
Our FPN have been endorsed by
the Information Commissioner’s
Office and can be directly used by
our clients, or adapted to suit their
business and products. Obtaining
personal data fairly also means that
it must be provided by someone who
is legally authorised or required to
do so. You must also ensure that
your FPN covers all purposes for
processing that are specific to
your business.
The impact of processing
In addition to ensuring that data
is obtained fairly, the general impact
on the individual of processing their
personal data should also
be considered.
Processing that has
an adverse effect on
the individual is not
necessarily unfair,
the important issue
is whether or not the
negative affect
is justified.
• The data subject has given their
explicit consent
• The processing is done by a none
profiting organisation and does
not involve disclosing personal
data to a third party, unless the
individual consents to this (Extra
limitations apply)
• The data subject has deliberately
made the information public
Conditions of processing
The Data Protection Act stipulates
that you must be able to satisfy
one or more of the “conditions for
processing” as set out in Schedules
2 and 3 of the act. Satisfying one
or more of the conditions does not
guarantee that your processing is
fair and lawful. However, having a
legitimate reason and processing
data fairly will usually mean that you
are able to satisfy at least one of the
conditions below:
• In order to be compliant with
employment law
• To protect the ‘vital interests’ of
the data subject or another person
(where the individual’s consent
has been unreasonably withheld)
• In relation to legal proceedings;
for obtaining legal advice; or
otherwise for establishing,
exercising or defending
legal rights
• For the administration of justice,
or for exercising statutory or
governmental functions
• For medical purposes, and
is undertaken by a health
professional or someone who is
subject to an equivalent duty
of confidentiality
• To monitor equal opportunities
• The data subject has consented to
the processing
Or the processing is necessary:
• In relation to a contract which the
individual has entered into
• Because the individual has asked
for something to be done so they
can enter into a contract
• Because of a legal obligation that
applies to you (except obligations
imposed by a contract)
• To protect the individual’s ‘vital
interests’ (see definitions on p32)
• For the administration of justice,
or for exercising statutory,
governmental, or other
public functions
• To pursue ‘legitimate interests’
When processing sensitive personal
data, you must also be able to satisfy
one of these conditions:
4
Or the processing is necessary:
Lawful processing
The term ‘lawful’ is not defined
within the Data Protection Act.
Many areas of law are complex and
therefore neither Experian, nor the
Information Commissioner’s Office
can be expected to be knowledgeable
or expert in all of them.
Some unlawful acts are obvious,
for example committing of a crime.
However, ‘lawful’ includes both
statute and common law, whether
criminal or civil. If you have any
doubts about whether or not your
processing is lawful, you should seek
independent legal advice.
Case Study: Principle 1
The newspaper subscription
A newsagent offers a newspaper
delivery service to its local
customers. Individuals complete a
short form with their name, address
and choice of newspaper(s) in
order to ‘sign up’ for the service.
The newsagent collects and stores
this personal data, as it needs
to know which newspapers to
deliver to which customers and at
which address they live. There is a
short paragraph at the bottom of
the registration form explaining
to customers that their personal
data will be used for the purposes
of providing and maintaining the
service, it also explains that the
personal data may be passed to
third parties for the same purpose.
The customer then signs the form
consenting to the processing of their
personal data as per the explanation
on the registration form.
• The data has been obtained fairly,
because it has been explained to
the customer exactly how their
information will be used. The
customer has made an informed
decision to consent to the
processing of their personal
data as described on the
registration form.
• Some ‘conditions of processing’,
have been satisfied, as the
customer has given their consent
and the processing is required in
relation to the agreement that the
customer has entered into with
the newsagent.
• The newsagent would not be
able to use or pass details of
its customers to a third party
for marketing purposes, as this
has not been specified in the
agreement on the registration
form and therefore would be
considered unfair.
The newsagent is carrying out their
daily paper round and arrives at
one of their customer’s property
to deliver their newspaper. The
newsagent notices through the
window that the customer has
collapsed and is on the floor
unconscious and calls for an
ambulance. The customer is well
known to the newsagent and the
newsagent is aware that they have a
serious medical condition.
• Although the individual may be
embarrassed that others will know
about their medical condition, the
negative impact of embarrassment
is justified as it is in the interests
of the customer that the
newsagent’s knowledge of their
medical condition is disclosed.
• Given that the customer has
a serious medical condition.
It is likely that disclosing this
information in this scenario
satisfies the ‘vital interests’
condition of processing.
5
Checklist: Principle 1
Has the individual consented to the processing of their data?
Do they clearly understand exactly how their data will be used?
Have you considered the potential impact on the individual of
processing their data?
Can any negative impacts be legitimately justified?
Are you able to satisfy at least one of the ‘conditions
of processing’?
Will you be processing any sensitive personal data?
If so, are you able to satisfy at least one of the additional
‘conditions of processing’?
Is the processing lawful? / Have you considered any legal
obligations or implications?
See ‘Glossary’ for explanation of terms
Notes:
6
Principle 2:
Data must be processed for
limited purposes
Specified purposes
The second principle of the Data
Protection Act states that you must
specify the purpose(s) for which
you will process data. In addition,
it states that you must not process
personal data ‘in any manner
incompatible with that purpose or
those purposes’, i.e. you may only
process data:
• For the purpose(s) that you
have specified
Or:
• For a purpose that is in relation to
the purpose(s) you have specified
and could be reasonably expected
by the data subject
The aim of this principle is to ensure
that organisations:
• Are open and clear about why they
are obtaining data and how they
will use it
• Are compliant with the fair
processing requirements of the
Data Protection Act as discussed
in Principle 1 (pages 5 and 6)
• Who wish to use personal data in
any new or additional purposes do
so in a way that is fair to
the individual
New or additional purposes
If you wish to use personal data for a
purpose that is incompatible with the
purpose(s) for which it was originally
obtained, it is usual that you would
need to obtain additional consent
from the individual concerned prior
to processing their data for the
new purpose(s). This links with the
first data protection principle of
processing data fairly (see pages
5 and 6). Being specific about the
purposes for which you wish to
obtain and process data also helps
to determine what information you
should provide to the data subject in
your fair processing notices.
Notifying the Information
Commissioner’s Office
It is a requirement of the Data
Protection Act that organisations
notify the ICO of the types of
personal data that they intend
to process and the purposes for
which they intend to process it.
All organisations are required to
register their notification with the
ICO, unless they are exempt from
notification. Exempt organisations
must still comply with the rest of the
provisions of the Data Protection Act
and may choose to notify voluntarily.
Details of how to
notify the ICO
and guidance on
exemptions from
notification can be
found on
their website,
www.ico.gov.uk.
Registrations must be updated if
you wish to process data for any new
or additional purposes and must be
renewed annually, even if there are no
changes. You should also update your
registration with the ICO if there are
any changes in the Data Controller’s
name, address or contact details.
It is a criminal offence to fail to notify the ICO or
renew your registration unless you are exempt
from notification
7
Case Study: Principle 2
The mailing list
A DVD rental company creates
and uses a mailing list to notify its
customers of promotional offers
and new movie releases. Customers
who wish to receive marketing of
this nature sign up to the mailing
list and can ask to be taken off it at
any time. The registration form does
not include notification or request
consent to pass the individual’s data
to any 3rd parties.
• As the company have notified the
individual that their data will be
used specifically for marketing
purposes (and the individual has
consented to this), it is acceptable
to send a regular newsletter or
similar marketing material
to them.
The company expands its business
to include rental of video games.
To encourage uptake of this new
service, the company wish to
advertise it to customers on their
existing mailing list.
• As the new video game rental
service is of a similar nature to
DVD rentals, the customer could
reasonably expect to receive
information and offers relating
to this. Therefore it is likely to be
considered compatible with the
original purpose and so it would be
acceptable to include information
and offers on the new product
offering in their material that is
sent to customers on the existing
mailing list.
8
Checklist: Principle 2
Have you registered a notification with the ICO?
Have you specified to the individual the purpose(s) for which
you are obtaining and processing their personal data, e.g. Fair
Processing Notice as discussed on pages 5 and 6?
Are you processing the data only for the purpose(s) that you
have specified?
Do you anticipate or intend to process the data for any new or
additional purposes?
If so, are you processing the data in a way that could be
reasonably expected by the data subject?
Have you obtained consent from the individual to process the
individual’s data for the new purpose(s) (if they could not already
reasonably expect their data to be processed in this way)?
See ‘Glossary’ for explanation of terms
Notes:
9
Principle 3:
Data must be adequate,
relevant and not excessive
Establishing what is adequate,
relevant and not excessive
The Data Protection Act states:
“Personal data shall be adequate,
relevant and not excessive in relation
to the purpose or purposes for which
they are processed”
Although the Data Protection Act
does not specifically define the
terms, in order to be able to measure
whether data is ‘adequate’, ‘relevant’
and ‘not excessive’; you need to be
clear about the purpose for which you
are processing it (see details of the
second DPA principle).
To ensure that you are compliant with
the act, you should:
• Identify the minimum amount
of personal data that would be
sufficient to fulfil the purpose for
which you are processing it
• Obtain, process and store that
amount of personal data – no more
and no less
• Not hold any personal data on the
‘off-chance’ that it could be useful
in the future
10
You should also consider the terms
‘Adequate’, ‘Relevant’ and ‘Not
Excessive’ in relation to each
data subject.
Information that is
required for a
certain person may be
excessive in relation to
another individual.
This, in addition to the points
previously mentioned, is especially
important in relation to sensitive
personal data.
Adequacy and relevance in relation
to opinions
An opinion about an individual is
considered to be their personal data.
To comply with the Data Protection
Act, it is important to ensure that
there is sufficient information for
an opinion and its context to be
interpreted correctly. This could
include the name and position of
the author and / or evidence of the
circumstances that the opinion is
based on.
Case Study: Principle 3
The gym membership
A local leisure centre operates
a membership scheme. Upon
registration for the scheme,
customers fill in a form with their
personal details including their
name, address, date of birth, contact
details, some health information
and bank details in order to set up
a direct debit for payment of the
membership fee.
• The data collected is adequate in
order to for the leisure centre to be
able to identify their customer and
administer the membership (for
example contact and payment in
relation to the membership).
• Health information will be relevant
for some customers, for example
certain health conditions may
mean that a customer is not able
to use certain items of equipment,
or may require assistance from
staff in certain circumstances.
• The data that the leisure centre
is requesting and processing is
not excessive as they are only
asking for information relevant
for the purpose of administration
of the customer’s membership. If
irrelevant information is obtained,
such as a customer putting in their
health information that they had
the flu several years ago, should
be deleted.
11
Checklist: Principle 3
Have you identified the minimum amount of data you require for
the purpose you wish to process it?
Is the amount of data you are collecting sufficient (adequate) for
its purpose?
Is all of the data you are collecting relevant to the purpose for
which you are processing it?
Are / will you be processing any sensitive personal data? (If so,
consideration of the above is especially important!)
Does / could the data you hold contain opinions about
an individual?
If so, is the context of the opinion clear and is it clear whose
opinion it is?
See ‘Glossary’ for explanation of terms
Notes:
12
Principle 4:
Data must be accurate
and up to date
Accuracy of data
In order for data to be accurate, it
’must not be incorrect or misleading
as to any matter of fact’. The context
in which the data is held can also
affect whether or not it is accurate.
For example, if an individual works
for Company A and then moves to a
new job within Company B, it would
be inaccurate to say ‘the individual
works for Company A’. However,
it would still be accurate to say
that the individual ‘used to work for
Company A’.
If data that has been
recorded is then
deemed to be
inaccurate, it should
be amended
or deleted.
In certain circumstances, it would
be impractical to check and double
check every single item of data you
receive – and the Data Protection
Act recognises this. The legislation
therefore makes special provision
about the accuracy of information
that is obtained from the data subject
themselves or that is provided by a
third party.
Regarding the accuracy of personal
data provided by the data subject or
obtained from a third party, you must:
• Accurately record the information
as it has been provided to you, i.e.
by the data subject or third party
• Take ‘reasonable steps’ to ensure
that the data is accurate
• Make it clear if the accuracy of the
information has been challenged,
such as by adding a note
Reasonable steps
The definition of the term
‘reasonable steps’ will vary,
depending on the type of data and
the purpose for which it will be
processed. The greater the potential
impact of processing the data, the
more important the accuracy of it is
and therefore the greater the effort
you should make to ensure that it
is accurate.
Keeping data up to date
Whether or not data needs to be
updated, and the frequency that it
should be updated, usually depends
on the purpose(s) for which it is
being processed. This is usually
fairly obvious – i.e. if the purpose
for which data is being processed
is reliant upon it being up to date
(for example an organisation that
delivers goods to a customer’s
address), it is important to ensure
that the information is up to date.
Recording and retaining a record
of mistakes
As long as an organisation’s records
are accurate and not misleading, it is
deemed acceptable within the Data
Protection Act to retain a record
of mistakes that have occurred. It
should be made clear that a mistake
has occurred, for example by adding
notes to the information.
Challenged accuracy
If the data subject challenges the
accuracy of data you hold about
them, although it is not a legal
obligation to mark the record as
being in dispute – it is good practice
to do so. The advantage of this is
that, if it does transpire that the data
is inaccurate, you are not likely to
be found in breach of this principle
- as long as you have met the other
criteria in the three points previously
described above.
13
Case Study: Principle 4
The Credit Reference Agency
Credit Reference Agencies obtain
data from a variety of public and
financial sources about individuals,
for multiple purposes, such as
helping banks and other companies
make decisions about whether to
lend money to them or not. One
of the sources of data is financial
information from organisations that
the data subject already has dealings
with, for example in relation to an
existing loan agreement. Banks
and other creditors provide regular
‘feeds’ of data (usually monthly) to
the Credit Reference Agency.
• As the data is being provided to
the Credit Reference Agency by
a third party, i.e. the existing loan
account information from the data
subject’s bank, the information can
be deemed accurate, as long as it
is recorded correctly as has been
provided by the lender.
• Because credit referencing data
can have a significant impact
on the data subject, i.e. it can
affect credit decisions made
about them. Althought the data
has been obtained from a lender,
the Credit Reference Agency
must take reasonable steps to
ensure its accuracy. It does this,
by conducting tests on a sample
of data received each month – to
check for any discrepancies
or inconsistencies.
14
• The Credit Reference Agency
ensures that they are keeping data
from lenders and other sources
up to date by obtaining regular
(usually monthly) updates from
its sources.
An individual obtains a copy of
their credit report and notices that
it shows a mistake. They contact the
Credit Reference Agency to notify
them of the inaccuracy.
• The Credit Reference Agency
takes reasonable steps to ensure
the accuracy of the data by
contacting the third party that
provided it (for example, a lender).
• In the meantime, they add a
‘dispute notice’ to the item of data,
so that anyone viewing it while
the accuracy of the data is being
challenged will be aware that it
may be inaccurate.
• The individual could also add a
‘notice of correction’ to explain
circumstances surrounding
information on their credit report,
for example late payments due to
losing their job unexpectedly.
Checklist: Principle 4
Are you obtaining data from either the data subject or a
third party?
If so, how will you make sure you record the data accurately as it
is provided to you?
What ‘reasonable steps’ will you take to ensure that the data you
process is accurate?
Have you considered the impact of inaccurate data?
Do your ‘reasonable steps’ reflect this?
What process do you have in place for when an individual
disputes the accuracy of the data you hold?
What process do you have for correcting the data?
How often will you update the data?
Is your frequency of updates sufficient for the purpose(s) for
which you are processing the data?
See ‘Glossary’ for explanation of terms
Notes:
15
Principle 5:
Data must not be kept for
longer than is necessary
Retention of personal data
The Data Protection Act does not
specify how long you should retain
data for, it simply states:
“Personal data
processed for any
purpose or purposes
shall not be kept for
longer than is
necessary for that
purpose or
those purposes.”
As with some of the other principles,
this suggests that, in order to
decide how long you should keep
data for, you need to be clear on
the purpose(s) for which you intend
to use it. You must also ensure that
information is securely deleted or
disposed of when it is no longer
required for its specified purpose.
Data which is still required for
the specified purpose, however is
not accessed regularly, should be
archived and stored securely. It is
important to regularly review the
personal data you hold and delete or
archive it as appropriate.
16
Defining retention periods
It is a good idea to consider the
following points, as they may help
you to decide on how long your
retention periods should be:
• The purpose for which the data
will be processed.
• Any surrounding circumstances,
e.g. whether or not you still have
dealings with the data subject.
• Legislation and regulatory
requirements.
• Agreed practice within the
industry.
You should also consider the
implications of retaining data,
for example:
• Larger capacity may be required
in order to store larger amounts of
data, i.e. if data is needed and kept
for a long time.
• You must be able to satisfy a data
subject’s request for access to
their personal data. This could be
more difficult if you retain data for
longer than you need it.
• It may be more difficult to verify
the accuracy of data that was
obtained a long time ago.
• Data may become out of date and
could be used in error.
Data should not be retained ‘just
in case…’ however it is acceptable
to retain data for foreseeable
circumstances that may only happen
occasionally. The data should still
only be kept for as long as the
purpose for which it is stored is
reasonably foreseeable, and there
must always be a genuine business
reason for keeping it.
Depending on the size of your
business, you may wish to create a
data retention policy to define the
periods for which you are going to
hold data and to ensure consistency
across your organisation. Your policy
should also be reviewed from time to
time to ensure that it is
still appropriate.
Case Study: Principle 5
The online account
An independent online music retailer
has a mixed customer base, ranging
from DJ’s who place regular orders
with them to individual members of
the general public that make one off
purchases. When placing an order
through the website, the customer is
required to set up an online account
by providing personal information
and setting up login details, so that
the order will be sent to the correct
address and the customer can be
identified should they have any
enquiries or need to make
any changes.
• The retailer should retain
customer data long enough to
fulfil the order and for a period
of time after, as it is reasonably
foreseeable that the customer
may make queries or complaints
following delivery of their order.
It is the retailer’s decision how
long to keep the data for, however
they should be able to justify the
chosen timescale and ensure that
it is not longer than necessary.
When signing up for an online
account, customer’s have the option
to receive regular updates and
promotions from the retailer. A
customer that had previously opted
into the marketing, then contacts
the retailer and states that they no
longer wish to receive
this information.
• Most of the data that was
originally collected for marketing
purposes, for example details of
the customer’s music preferences,
will no longer be required and
therefore should be deleted. It is
however, permissible to retain
enough information to ensure that
marketing is no longer sent to that
particular customer.
• Regular customers returning to
the retailer’s website in future
to place further orders will find
it more convenient if they can
just log in and do not have to reenter all of their personal details,
however this reason alone would
not justify keeping their data
indefinitely. Personal data of
customer’s who have not placed
an order for some time should
therefore be deleted.
17
Checklist: Principle 5
Have you defined the retention periods for which you will keep
each type of data you hold?
Are the retention periods sufficient and not excessive in relation
to the purpose(s) for which you are processing the data?
Have you considered legislative and regulatory obligations when
deciding on retention periods?
Have you considered any agreed practices within your industry?
Do you have the facility and capacity to keep data for the length
of time you require?
Is there a data retention policy in place within
your organisation?
See ‘Glossary’ for explanation of terms
Notes:
18
Principle 6:
Data must be processed in line
with the data subject’s rights
Rights under the Data Protection Act
The Data Protection Act sets out the
rights that an individual has in terms
of their personal data. Principle 6
of the act states that personal data
must be processed in line with these
rights. If an individual is not satisfied
that you are processing their data
within their rights under the act, they
can apply to a court to order you to
do so.
Access to personal data
Section 7 of the DPA states that an
individual is entitled to know whether
a data controller is processing
personal data about them, including a
description of the type of data being
processed, the purpose for which it
is being processed and to whom the
data may be disclosed to. Section
7 of the act also stipulates that an
individual is entitled to request a
copy of their personal data that an
organisation holds on them.
Data Subject Access Requests
(DSAR)
A DSAR is the request made by the
data subject, to obtain a copy of their
personal data from an organisation.
As the data controller, you are
obliged to supply this information
when:
• The request has been made in
writing.
• You have received such fee that
you may require (the maximum
amount you can charge is £10).
The time specified
within which you must
comply with the DSAR
is 40 calender days.
You are however also entitled to
request additional information in
order to either identify the individual,
or to enable you to satisfy the
request for information. An example
of this could be details that will
help you to locate the data that
the individual is requesting. If you
reasonably require such additional
information and have requested it,
you are not obliged to release the
data until you have received the
additional information.
You should also consider whether
releasing data on the individual
requires you to disclose another
person’s personal data. If this is the
case, you are only obliged to supply
the data if:
• The other individual has given
their consent
Or:
‘It is reasonable in all circumstances’
to comply with the DSAR without
the consent of the other individual.
Consideration should be given to
any applicable duty of confidentiality,
steps taken to obtain consent,
whether the other individual is
capable to give consent and any
express refusal of consent by the
other individual.
Prevention of processing that is
likely to cause damage or distress
An individual has the right to give
notice that an organisation must
cease to process their personal
data, if that processing is causing,
or is likely to cause substantial and
unwarranted damage or distress. The
objection to the processing should
be made in writing and specify
the reasons for which damage or
distress is being or could be caused.
An individual does not have the right
to object to processing in certain
circumstances. These include:
• Where the individual has
consented to the processing.
Or when the processing is necessary:
• In relation to a contract that the
individual has entered into.
• Because the individual has asked
for something to be done to enable
them to enter into a contract.
• In relation to your legal obligations
• To protect the individual’s ‘vital
interests’.
As the data controller, an
organisation should respond to
the individual within 21 calender
days. You must either confirm
that you will be complying with
the notice, or give the reasons for
which you believe the notice to be
unjustified.
19
Prevention of processing for
direct marketing
The Data Protection Act
defines direct marketing as “the
communication (by whatever
means) of any advertising or
marketing material which is
directed to particular individuals.”
An individual has the right to ask
an organisation not to process or
to cease processing their personal
data for this purpose. The request
can be made at any time and must be
complied with by the data controller.
A response to such request should
be sent to the individual within 21
calendar days
Prevention of automated
decision making
An individual has three rights in
relation to automated decisions
made about them and which may
have a significant impact on them.
Examples of ‘significant’ decisions
defined within the Data Protection
Act are performance at work,
creditworthiness, reliability
and conduct.
The first right is the right to prevent
automated decision making. You
must not make an automated
decision where an individual has
provided a written request not to.
Individuals also have the right to
be informed when an automated
decision has been made.
An organisation must notify the
individual that an automated
decision has been made using
their personal data as soon as is
reasonably practicable to do so.
20
Finally, an individual has the right to
request that an automated decision
is reconsidered or reviewed. The
individual has 21 days from when
they are notified of the automated
decision to appeal against it. As the
data controller, you have 21 calendar
days within which you must respond
to the individual.
There are some automated
decisions which are exempt from
the individual’s rights under the act.
These include decisions that are:
• Authorised or required by
legislation.
• Made in preparation or in relation
to a contract with the individual
who is the data subject.
• To give the individual something
that they have requested.
Or:
• Where safeguards have been put
in place to protect the individual’s
legitimate interests, for example
allowing them to appeal the
automated decision.
Recification, blocking, erasure and
destruction of data
The fourth principle covers the
accuracy of data. In the event that
personal data is inaccurate, the
data subject can apply to the court
to have the data rectified, blocked,
erased or destroyed.
Alternatively, the court may order
you to add a statement of true facts
to the record that contains the
personal data (any such statement
must be in terms approved by the
court). It is good practice to take
reasonable steps to notify any third
parties of changes to or deletions
of inaccurate personal data. The
court may also order you to do this,
however they are only likely to do
so if it is reasonably practicable to
comply with the request.
Compensation
The Data Protection Act gives
individuals the right to compensation
for damage or distress caused by
the data controller failing to comply
with their obligations under the act.
The DPA does not specifically define
damage, however if an individual has
suffered financial loss as a result of a
breach of the act, then they are likely
to be entitled to compensation.
Distress alone is not usually
sufficient to entitle an individual to
compensation. The act states that
an individual will only be entitled
to compensation in relation to
distress, if damage has also been
suffered as a result of contravention
of the act, or the breach relates to
the processing of personal data for
special purposes.
The DPA also allows you to defend
a request for compensation, on the
basis that you took all reasonable
care in the circumstances to avoid
the breach.
Case Study: Principle 6
The letting agent
An individual contacts their local
letting agent, to enquire about a
property that the agent is advertising
for rent. Prior to arranging a viewing,
the agent asks the individual to
register with them, so that they can
check the individual meets their
criteria as a suitable tenant. The
agent would also like to contact them
about any other properties that
they think the individual may be
interested in.
As part of the registration process,
the individual signs the letting
agent’s terms and conditions, which
include consent to a credit check
being undertaken. As part of the
terms and conditions, the individual
also agrees that the letting agent
may contact their previous landlords
for tenant references.
• As the individual has consented
to the processing of their personal
data as part of the registration,
they do not have the right to
request that the letting agent
ceases processing that is in
relation to the
contractual agreement.
• When conducting the credit
check, the letting agent uses
an automated system to score
the individual’s application.
The decision is then produced
automatically based on the
automated scoring.
• The individual may exercise
their right to prevent automated
decision making and ask the
letting agent to conduct the
credit check manually. The letting
agent could satisfy this request
by putting an appeals process
in place for applications that
are declined as the result of an
automated check. If the individual
was declined, they could then
have a manual decision made by
following the appeals process.
The letting agent sends out a weekly
update, including details of new
properties that are available to rent.
After the individual has found and
moved into their new home, they
decide that they no longer wish to
receive this marketing and contact
the letting agent to advise them of
their request.
• The letting agent is obliged to
comply with the individual’s right
to prevent direct marketing and
must respond to the individual
within 21 calendar days.
The individual decides that they
would like to see a copy of their
personal data that the letting agent
holds about them. They write a letter
to the letting agent requesting the
information and enclose a cheque
for £10.
• The letting agent is obliged to
satisfy the Data Subject Access
Request (DSAR) and must
ensure that they have adequate
procedures in place to locate and
provide the individual with a copy
of their personal data.
21
Checklist: Principle 6
Do you have a process in place to deal with Data Subject
Access Requests, i.e. would you be able to identify, locate and
supply a copy of all of an individual’s personal data, if they were
to ask for it?
Have you considered whether your processing of an individual’s
personal data is likely to cause them damage or distress?
If an individual asks you to stop marketing to them, would you be
able to easily comply with this request?
Does your business make any automated decisions? If so,
is there a process in place to make manual decisions if an
individual requests you to do so, e.g. a referral or
appeals process?
Do you have a procedure in place to handle compensation
requests, for example as part of a complaints procedure?
See ‘Glossary’ for explanation of terms
Notes:
22
Principle 7:
Data must be secure
Information security
The Data Protection Act states
that a data controller must
‘take appropriate technical and
organisational measures’ to
protect personal data from being
compromised. The measures
appropriate will depend on the nature
of the personal data that you hold
and the impact or harm that could
result in the event of a security
breach. Data that is particularly
valuable, sensitive or confidential
is likely to have a more significant
impact if it were to get into the wrong
hands or be used in an inappropriate
way. In order to protect personal data
and keep it secure, it is important to:
• Create and implement robust
policies and procedures regarding
information security
• Put in place sufficient physical
and technical security that is
appropriate to the data you hold
• Train staff to ensure that they are
aware of and are able to meet their
obligations
• Be clear about who within your
organisation is responsible for
ensuring information security
• Be prepared and able to respond
to any breach of security swiftly
and effectively
Although the act does not define
the term ‘appropriate’, you should
take a risk based approach which
takes into account technological
advances and the cost involved in
relation to information security.
You should also regularly review the
data you hold, how you use it and
how you protect it in order to ensure
that the security measures in place
remain appropriate.
Security within the DPA also extends
to state that the data controller must:
• Take reasonable steps to ensure
the reliability of employees
• Obtain guarantees from any data
processor working on their behalf
in respect of using adequate
protection to keep personal
data secure.
• Put in place a written contract
with the data processor, under
which they are only able to
act under the data controllers
instructions and must comply with
equivalent obligations to those
under the DPA.
Breach management
It is important for an organisation to
consider how they would react and
respond to a breach, as breaches
can occur even when there are
appropriate security measures
in place.
A good breach
management plan can
help damage limitation
and aid recovery from
the breach.
There are four main topics to
consider when creating and
implementing a breach management
plan:
• Containment and recovery:
reaction to an incident should
include a recovery plan and
procedures to limit any damage
caused by the breach.
• Risk Assessment: will help you
to establish actions to take in
response to the breach and learn
how to prevent future breaches of
a similar nature.
• Notification: you should consider
who needs to be notified and
why. Examples of who you may
consider making aware of the
breach include the data subject(s)
concerned, the ICO, other
regulatory bodies, the police or
the media.
• Evaluation and response: It is
important to investigate causes
of the breach and evaluate the
effectiveness of your reaction and
response to it. You should take
the opportunity to learn from a
breach and update any policies,
procedures and other security
elements where necessary.
Further information
There is further information in
relation to breaches and breach
management on the ICO website:
www.ico.gov.uk
You can also find further information
and advice on information security at
the following sites:
General Information Security:
www.berr.gov.uk/sectors/infosec/
infosecadvice/page10059.html
Information Security Advice for
Small and Medium Businesses:
www.berr.gov.uk/infosec
E-Learning Package:
www.bobs-business.co.uk
23
Case Study: Principle 7
The travel agent
A travel agent obtains a variety of
information from its customer’s,
including their general details such
as name and address, passport
number and payment details. For
customers who wish to arrange
travel insurance through the agent,
sensitive health information is
also collated.
• Sensitive data, such as health and
payment information could cause a
great deal of damage or distress to
the individual concerned if it were
to be compromised. Therefore the
travel agent should take extra care
to ensure the data is kept secure.
As part of its information security
measures, the travel agent creates
and implements an information
security policy. The policy sets
out a wide range of procedures to
protect the organisation’s data,
including verifying the identity of
staff upon employment and obtaining
references from former employers to
confirm reliability.
• The travel agent is meeting its
obligation to take reasonable
steps to ensure the reliability of its
employees by implementing this
element of the policy.
• Employees should be trained to
ensure that they understand and
meet their obligations regarding
keeping data secure.
• The travel agent should also
ensure that it is clear about
who within the organisation
is responsible for information
security to ensure that a high
standard is maintained.
24
To keep data physically secure, the
travel agency also adopts a number
of physical security measures. These
include building security, such as
alarms and window shutters, coded
locks on rooms where personal data
is held, confidential waste bins to
ensure secure disposal of waste, and
password protected access
to systems.
• The Data Protection Act does not
define what is an ‘appropriate’
level of security. These are just
some of the ideas that your
organisation may wish to consider.
The travel agent discovers that it has
been the victim of an information
security breach. An employee
is suspected of selling lists of
customer information to a third
party and is suspended while an
investigation takes place to prevent
any further misuse of data.
• It is important that the travel agent
has a breach management system
in place to limit the damage
caused by the misuse of data and
prevent similar occurrences
in future.
• It should also be considered
whether anyone should be notified
of the breach. If the employee was
found to be guilty, the organisation
may choose to involve the
police. They should also decide
whether to notify the Information
Commissioner and the individuals
that the compromised data
relates to.
Checklist: Principle 7
Do you have an information security policy in place?
Is there a designated individual within your organisation who is
responsible for information security?
Have you put in place adequate physical security measures, in
relation to the level of sensitivity of the personal data you hold?
Do you have a training course / programme that must be
completed by all employees?
Do you take ‘reasonable steps’ to ensure the reliability of
your employees?
Have you considered how you would handle an information
security breach and put relevant policies and procedures
in place?
See ‘Glossary’ for explanation of terms
Notes:
25
Principle 8:
Data must not be transferred
to other countries without
adequate protection
The principle
The Data Protection Act states:
“Personal data shall not be
transferred to a country or territory
outside the EEA unless that country
or territory ensures an adequate
level of protection for the rights and
freedoms of data subjects in relation
to the processing of personal data.”
Transferring data
Transferring data means sending
personal data to someone (in another
country). If data can be accessed in
another country outside of the EEA,
for example on a website, then this is
also considered a transfer. However,
a transfer does not include data
passing through another country on
route to its destination. For example
if you transfer data from the UK, via a
server in country A to its destination
country B – as long as the data is not
accessed or manipulated in any way
while in transit, the eighth principle
of the DPA will only apply to the data
having been transferred to country B.
The current EEA member countries
are listed below:
Austria
Belgium
Bulgaria
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Countries with an adequate level
of protection
The European Commission has
deemed some other countries to
have an ‘adequate level of protection’
for personal data and therefore
data can be transferred to these
countries:
It is good practice to consider
whether you need to process
personal data or whether you can
still meet your requirements by
making the data anonymous. If it is
not possible to identify individuals
from the data (now or at any point in
the future), then the data protection
act does not apply and you would
therefore be free to transfer data
outside of the EEA.
Argentina
Canada
Guernsey
European Economic Area (EEA)
Countries
Personal data can currently be
transferred freely within the EEA
without restriction.
Although the USA is not included
in the list above, US companies that
are signed up to the ‘Safe Harbour
Scheme’ are considered to have an
adequate level of protection.
26
Isle of Man
Jersey
Switzerland
An up to date list of countries with
an adequate level of protection
can be found at the European
Commission’s data protection
website: http://ec.europa.eu/justice/
policies/privacy/thridcountries/
index_en.htm
A list of companies that operate
within the ‘Safe Harbour Scheme’
can be found on the US department
of commerce’s website:
www.export.gov/safeharbor/doc_
safeharbor_index.asp
Transferring data to other countries
You may be able to transfer data
to countries that are not approved
as having an adequate level of
protection. In order to do this, you
should do at least one of
the following:
• Assess the adequacy yourself.
• Use contracts to ensure that
an adequate level of protection
is provided. You may wish to
include the model contractual
clauses approved by the European
Commission.
• Operate ‘Binding Corporate Rules’
and have these approved by
the ICO.
Alternatively, an exception to the
rule may apply to some transfers.
Assessing Adequacy of Levels of
Protection in Other Countries:
In order to assess whether an
adequate level of protection is
in place in another country, you
should carry out a risk assessment
which takes into consideration the
following factors.
These have been set out within the
Data Protection Act:
• The nature of the personal data
being transferred.
• Where the data is being
transferred to and the laws,
obligations and practices adopted
by that country (and to what
extent).
• The purpose(s) and period for
which the data will be processed.
• Whether it can be ensured that the
required standards are achieved
in practice.
• Any procedure under which
individuals can enforce their rights
or obtain compensation if things
go wrong.
There are documents that offer
further guidance on assessing levels
of adequacy available on the ICO
website: www.ico.gov.uk
Using contracts to ensure adequate
levels of protection
Another way to ensure that adequate
levels of protection are in place
in another country that you are
transferring data to, is to put a
contract in place between you and
the organisation to which you are
transferring the data.
You can either create a contract
yourself within your organisation,
or you may wish to use the European
Commission’s approved
model clauses.
The model clauses are attached
as an annex to the European
Commission decisions of adequacy,
which approve their use. This can be
found on the European
Commission’s website:
http://ec.europa.eu/justice/policies/
privacy/modelcontracts/index_
en.htm
If you intend to use the European
Commission’s model clauses,
you are not able to amend them in
anyway, such as removing parts or
adding additional clauses to change
the meaning.
You can however, incorporate the
clauses into other contracts instead
of having two separate documents.
outside of the European Economic
Area (EEA), within a group
of companies.
If you choose to have a contract
drawn up yourself, you do not
have to have a separate contract
relating to data protection. The
clauses can be incorporated into
any general contract you have that
covers your relationship with the
company concerned. You should
however, ensure that your contract
is comprehensive to minimise the
risk of the contract’s adequacy being
challenged in future.
Exceptions
It is always good practice to
ensure, where possible, that there
is an adequate level of protection
for an individual’s personal data
when transferring it outside of
the EEA. There are however, some
exceptions that allow you in certain
circumstances to transfer personal
data, even where there may not be
an adequate level of protection. The
exemptions are:
Transfers approved by the
information commissioner
Only in exceptional circumstances,
the Information Commissioner may
authorise transfers of personal
data on the basis that there is
an adequate level of protection.
Although the ICO has the power
to do this, it would only be done in
cases where the ICO can be satisfied
that there is absolutely no other way
to satisfy the eighth data protection
principle.
• Where consent to transfer the
data has been obtained from the
individual (it is worth noting that
the consent cannot be relied upon
where the individual has no choice
but to consent).
• If the data is part of a public
register (as long as the recipient
complies with restrictions
regarding access and use of the
information).
Binding corporate rules
Binding Corporate Rules (BCR)
are codes of corporate conduct
that can be implemented within
multi-national organisations. They
are legally binding and are usually
implemented through the use of
intra-group declarations, agreements
or corporate governance. BCRs give
rights to individuals, which can be
exercised before the courts or data
protection authorities. The standard
of an organisation’s Binding
Corporate Rules must be assessed
by all of the relevant European data
protection authorities in order to use
them freely transfer personal data
• In relation to contractual
performance, where the contract
that has been entered into is with
the individual or is in their
‘vital interests’.
• For reasons of substantial public
interest, such as the prevention
and detection of crime, national
security and tax collection. The
public interest must be that of the
UK and this exemption should
be considered very carefully on a
case by case basis.
• To protect the ‘vital interests’ of
the individual.
• In relation to legal proceedings.
Or the processing is necessary:
27
Case Study: Principle 8
The mail order
An UK based internet retailer sells
wedding and bridesmaid dresses
online that are made to order. The
retailer does not manufacture the
items and the dresses are delivered
directly to customers from the
manufacturer, who is based in
Thailand. In order to satisfy dress
orders, the retailer needs to transfer
the customer’s details including
name, address and dress
measurements to the manufacturer.
This is made clear and is agreed to
by customers at the point of order.
• It is necessary to transfer the data
to the manufacturer as they deliver
the orders directly to the customer.
• As the customer consents to their
data being transferred overseas,
the transfer can take place without
the need to assess adequacy of
protection. However, it is still best
practice to ensure adequacy of
protection where possible, for
example by the use of a contract
between the retailer and
the manufacturer.
28
Checklist: Principle 8
Do you intend to transfer any personal data overseas?
If so, is the country to which you are transferring the data within
the European Economic Area?
Is it necessary to transfer the personal data, or can you fulfil the
purpose for which you are processing it in another way?
If the country to which you are transferring personal data is not
within the EEA, have you checked whether it is included on the
list of countries already deemed to have adequate protection?
Have you put a contract in place between you and the person /
organisation to which you are transferring the personal data, to
ensure that it is sufficiently protected?
Has consent to transfer the personal data been obtained from
the individual who is the data subject?
If you are not able to ensure adequate protection, can you be
sure that one of the exemptions applies in order to allow the
transfer to take place?
See ‘Glossary’ for explanation of terms
Notes:
29
Glossary
Accessible record
“Accessible record” is defined
within the Data Protection Act as
any of the following:
• A health record that contains
information about the physical
or mental health or condition
of an individual, made by or on
behalf of a health professional in
connection with the care of
that individual
• An educational record that
contains information about a pupil,
which is held by a local education
authority or special school
• An publicly available record that
contains information held by a
local authority for housing or
social services purposes
Data
Information that is, or is intended
to be, processed by computer. The
definition of data within the act
also extends to information that is
recorded as part of a relevant
filing system.
Data controller
Someone who determines the
purposes for which and the manner
in which any personal data are, or are
to be, processed. This may be one
person alone, or jointly with
other persons.
Data processor
As defined in the Data Protection
Act in relation to personal data, a
“Data Processor” is any person
(other than an employee of the data
controller) who processes the data on
behalf of the data controller.
Data subject
The individual who is the subject of
personal data, i.e. who the personal
data is about.
30
Inaccurate data
Data that is incorrect or misleading
as to any matter of fact.
Personal data
Data that relates to a living individual
who can be identified from the
data. The definition of “Personal
Data” also extends to and includes
opinions about the individual and
any indications of intentions of any
person in respect of the individual.
Processing
In relation to information or data,
the Data Protection Act defines
“processing” as obtaining, recording
or holding the information or data,
or carrying out any operation or set
of operations on the information or
data. This could include:
• Organisation, adaptation or
alteration of the information
or data
• Retrieval, consultation or use of
the information or data
• Disclosure of the information
or data by transmission,
dissemination, or otherwise
making available
• Alignment, combination, blocking,
erasure or destruction of the
information or data
Relevant filing system
• Information that is structured
or organised in such a way that
allows easy access to specific
information about an individual.
Recipient
• Any person to whom the data
is disclosed.
Sensitive personal data
Personal data consisting of
information about any of
the following:
• Racial or ethnic original
• Political opinions
• Religious beliefs or other beliefs
of a similar nature
• Trade union membership
• Physical or mental health or
condition
• Sexual life
• The commission or alleged
commission by the data subject of
any offence
• Any proceedings for any offence
committed or alleged to have been
committed by the data subject, the
disposal of such proceedings or
the sentence of any court in
such proceedings
Third party
In terms of the Data Protection Act
and personal data, means any person
other than:
• The data subject
• The data controller
• Any data processor or other
person authorised to process
the data on behalf of the data
controller or processor
Vital interests
Cases that are a matter of life
or death, for example where an
individual’s medical history is
disclosed to a hospital’s accident
and emergency department that is
treating the individual following a
serious road accident.
Contact details and
other useful resources
Experian UK Compliance Team
www.experian.co.uk/responsibilities/compliance/
compliancedept@uk.experian.com
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.gov.uk
T: 08456 306 060 / 01625 545 745
mail@ico.gsi.gov.uk
31
Landmark House
Experian Way
NG2 Business Park
Nottingham
Nottinghamshire
NG80 1ZZ
© Experian 2011.
The word “EXPERIAN” and
the graphical device are trade
marks of Experian and/or its
associated companies and
may be registered in the EU,
USA and other countries.
The graphical device is a
registered Community design
in the EU.
All rights reserved
CMDS - 18.10.
