Compliance guide: Data protection
A practical guide to meeting your regulatory and best practice obligations

Contents
Introduction
Principle 1: Data must be fairly and lawfully processed
Principle 2: Data must be processed for limited purposes
Principle 3: Data must be adequate, relevant and not excessive
Principle 4: Data must be accurate and up to date
Principle 5: Data must not be kept for longer than is necessary
Principle 6: Data must be processed in line with the data subject’s rights
Principle 7: Data must be secure
Principle 8: Data must not be transferred to other countries without adequate protection
Glossary

Please note that this guide should not be taken as legal advice. Its purpose is simply to promote compliant activity and best practice. If you have any legal concerns, you should seek independent legal advice.

Introduction

The Data Protection Act
Under the Data Protection Act (1998), an individual has several rights in relation to their personal data. The act aims to balance these rights against the legitimate needs of an organisation to process personal data. It is underpinned by eight ‘common sense’ principles. Personal data must:
• Be fairly and lawfully processed
• Be processed for limited purposes
• Be adequate, relevant and not excessive
• Be accurate and up to date
• Not be kept for longer than is necessary
• Be processed in line with the data subject’s rights
• Be secure
• Not be transferred to other countries without adequate protection

If you are involved with the processing of personal data, you will be required by law to comply with the Data Protection Act. The Experian UK Compliance team have written this guide to help you understand the eight principles and fulfil your obligations under the act.
The Information Commissioner’s Office (ICO)
The Information Commissioner’s Office is an independent authority that is responsible for promoting awareness and good practice, and for ensuring compliance with the Data Protection Act. Where appropriate, the Information Commissioner has powers to issue enforcement notices requiring organisations to take steps or introduce methods in order to be compliant with the act. The ICO can also impose financial penalties on organisations where there has been a serious breach of the act.

The ICO also maintains a list of organisations that process personal data. The Data Protection Register is available to the public on the ICO website, www.ico.gov.uk, and describes the type of data and the purpose for which it will be processed. It is a requirement of the Data Protection Act to notify the Information Commissioner of this information. Details of how to notify the ICO can be found on their website. Alternatively, please see our ‘Guide for Small to Medium Businesses’; copies can be obtained from the Experian UK Compliance Team (contact details at the back of this guide).

OUR AIM
To ensure that Experian’s Compliance Department is a centre of excellence, developing robust, professional, reliable and effective policies and processes which underpin and fully support the business in meeting its regulatory and best practice obligations.

Principle 1: Data must be fairly and lawfully processed

Obtaining data
In order to ensure that you are processing personal data fairly, you must have a legitimate reason for processing the data. The individual should also be aware of and understand exactly how you are going to use their data. This is particularly important where the individual has a choice about whether to enter into a relationship with you. Being open and clear about how you are going to process an individual’s data allows them to make an informed decision, and your processing is therefore more likely to be considered fair.
The Experian UK Compliance team have written a set of Fair Processing Notices (FPN) to help our clients ensure that they are obtaining data from individuals fairly. They can be found on our website: http://www.experian.co.uk/responsibilities/compliance/fairobtaining-clauses.html

Our FPN have been endorsed by the Information Commissioner’s Office and can be used directly by our clients, or adapted to suit their business and products. Obtaining personal data fairly also means that it must be provided by someone who is legally authorised or required to do so. You must also ensure that your FPN covers all purposes for processing that are specific to your business.

The impact of processing
In addition to ensuring that data is obtained fairly, the general impact on the individual of processing their personal data should also be considered. Processing that has an adverse effect on the individual is not necessarily unfair; the important issue is whether or not the negative effect is justified.

Conditions of processing
The Data Protection Act stipulates that you must be able to satisfy one or more of the “conditions for processing” as set out in Schedules 2 and 3 of the act. Satisfying one or more of the conditions does not guarantee that your processing is fair and lawful. However, having a legitimate reason and processing data fairly will usually mean that you are able to satisfy at least one of the conditions below:
• The data subject has consented to the processing
Or the processing is necessary:
• In relation to a contract which the individual has entered into
• Because the individual has asked for something to be done so they can enter into a contract
• Because of a legal obligation that applies to you (except obligations imposed by a contract)
• To protect the individual’s ‘vital interests’ (see definitions in the Glossary)
• For the administration of justice, or for exercising statutory, governmental, or other public functions
• To pursue ‘legitimate interests’

When processing sensitive personal data, you must also be able to satisfy one of these conditions:
• The data subject has given their explicit consent
• The processing is done by a non-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents to this (extra limitations apply)
• The data subject has deliberately made the information public
Or the processing is necessary:
• In order to be compliant with employment law
• To protect the ‘vital interests’ of the data subject or another person (where the individual’s consent has been unreasonably withheld)
• In relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights
• For the administration of justice, or for exercising statutory or governmental functions
• For medical purposes, where it is undertaken by a health professional or someone who is subject to an equivalent duty of confidentiality
• To monitor equal opportunities

Lawful processing
The term ‘lawful’ is not defined within the Data Protection Act. Many areas of law are complex, and therefore neither Experian nor the Information Commissioner’s Office can be expected to be knowledgeable or expert in all of them. Some unlawful acts are obvious, for example the committing of a crime. However, ‘lawful’ includes both statute and common law, whether criminal or civil. If you have any doubts about whether or not your processing is lawful, you should seek independent legal advice.
Case Study: Principle 1
The newspaper subscription
A newsagent offers a newspaper delivery service to its local customers. Individuals complete a short form with their name, address and choice of newspaper(s) in order to ‘sign up’ for the service. The newsagent collects and stores this personal data, as it needs to know which newspapers to deliver to which customers and at which address they live. There is a short paragraph at the bottom of the registration form explaining to customers that their personal data will be used for the purposes of providing and maintaining the service; it also explains that the personal data may be passed to third parties for the same purpose. The customer then signs the form, consenting to the processing of their personal data as per the explanation on the registration form.
• The data has been obtained fairly, because it has been explained to the customer exactly how their information will be used. The customer has made an informed decision to consent to the processing of their personal data as described on the registration form.
• Some ‘conditions of processing’ have been satisfied, as the customer has given their consent and the processing is required in relation to the agreement that the customer has entered into with the newsagent.
• The newsagent would not be able to use or pass details of its customers to a third party for marketing purposes, as this has not been specified in the agreement on the registration form and would therefore be considered unfair.

The newsagent is carrying out their daily paper round and arrives at one of their customers’ properties to deliver their newspaper. The newsagent notices through the window that the customer has collapsed and is lying on the floor unconscious, and calls for an ambulance. The customer is well known to the newsagent, and the newsagent is aware that they have a serious medical condition.
• Although the individual may be embarrassed that others will know about their medical condition, the negative impact of embarrassment is justified, as it is in the interests of the customer that the newsagent’s knowledge of their medical condition is disclosed.
• Given that the customer has a serious medical condition, it is likely that disclosing this information in this scenario satisfies the ‘vital interests’ condition of processing.

Checklist: Principle 1
• Has the individual consented to the processing of their data? Do they clearly understand exactly how their data will be used?
• Have you considered the potential impact on the individual of processing their data? Can any negative impacts be legitimately justified?
• Are you able to satisfy at least one of the ‘conditions of processing’?
• Will you be processing any sensitive personal data? If so, are you able to satisfy at least one of the additional ‘conditions of processing’?
• Is the processing lawful? Have you considered any legal obligations or implications?
See ‘Glossary’ for explanation of terms

Principle 2: Data must be processed for limited purposes

Specified purposes
The second principle of the Data Protection Act states that you must specify the purpose(s) for which you will process data. In addition, it states that you must not process personal data ‘in any manner incompatible with that purpose or those purposes’, i.e.
you may only process data:
• For the purpose(s) that you have specified
Or:
• For a purpose that is related to the purpose(s) you have specified and could be reasonably expected by the data subject

The aim of this principle is to ensure that organisations:
• Are open and clear about why they are obtaining data and how they will use it
• Are compliant with the fair processing requirements of the Data Protection Act, as discussed in Principle 1
• Who wish to use personal data for any new or additional purposes do so in a way that is fair to the individual

New or additional purposes
If you wish to use personal data for a purpose that is incompatible with the purpose(s) for which it was originally obtained, you would usually need to obtain additional consent from the individual concerned before processing their data for the new purpose(s). This links with the first data protection principle of processing data fairly (see Principle 1). Being specific about the purposes for which you wish to obtain and process data also helps to determine what information you should provide to the data subject in your fair processing notices.

Notifying the Information Commissioner’s Office
It is a requirement of the Data Protection Act that organisations notify the ICO of the types of personal data that they intend to process and the purposes for which they intend to process it. All organisations are required to register their notification with the ICO, unless they are exempt from notification. Exempt organisations must still comply with the rest of the provisions of the Data Protection Act and may choose to notify voluntarily. Details of how to notify the ICO and guidance on exemptions from notification can be found on their website, www.ico.gov.uk. Registrations must be updated if you wish to process data for any new or additional purposes, and must be renewed annually even if there are no changes.
You should also update your registration with the ICO if there are any changes to the Data Controller’s name, address or contact details. It is a criminal offence to fail to notify the ICO or to renew your registration, unless you are exempt from notification.

Case Study: Principle 2
The mailing list
A DVD rental company creates and uses a mailing list to notify its customers of promotional offers and new movie releases. Customers who wish to receive marketing of this nature sign up to the mailing list and can ask to be taken off it at any time. The registration form does not include notification of, or request consent for, passing the individual’s data to any third parties.
• As the company has notified the individual that their data will be used specifically for marketing purposes (and the individual has consented to this), it is acceptable to send a regular newsletter or similar marketing material to them.

The company expands its business to include rental of video games. To encourage uptake of this new service, the company wishes to advertise it to customers on its existing mailing list.
• As the new video game rental service is of a similar nature to DVD rentals, the customer could reasonably expect to receive information and offers relating to this. It is therefore likely to be considered compatible with the original purpose, and so it would be acceptable to include information and offers on the new product in the material that is sent to customers on the existing mailing list.

Checklist: Principle 2
• Have you registered a notification with the ICO?
• Have you specified to the individual the purpose(s) for which you are obtaining and processing their personal data, e.g. in a Fair Processing Notice as discussed in Principle 1?
• Are you processing the data only for the purpose(s) that you have specified?
• Do you anticipate or intend to process the data for any new or additional purposes?
• If so, are you processing the data in a way that could be reasonably expected by the data subject?
• Have you obtained consent from the individual to process their data for the new purpose(s) (if they could not already reasonably expect their data to be processed in this way)?
See ‘Glossary’ for explanation of terms

Principle 3: Data must be adequate, relevant and not excessive

Establishing what is adequate, relevant and not excessive
The Data Protection Act states: “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” Although the Data Protection Act does not specifically define these terms, in order to measure whether data is ‘adequate’, ‘relevant’ and ‘not excessive’ you need to be clear about the purpose for which you are processing it (see Principle 2). To ensure that you are compliant with the act, you should:
• Identify the minimum amount of personal data that would be sufficient to fulfil the purpose for which you are processing it
• Obtain, process and store that amount of personal data, no more and no less
• Not hold any personal data on the ‘off-chance’ that it could be useful in the future

You should also consider the terms ‘adequate’, ‘relevant’ and ‘not excessive’ in relation to each data subject. Information that is required for one person may be excessive in relation to another individual. This, in addition to the points previously mentioned, is especially important in relation to sensitive personal data.

Adequacy and relevance in relation to opinions
An opinion about an individual is considered to be their personal data. To comply with the Data Protection Act, it is important to ensure that there is sufficient information for an opinion and its context to be interpreted correctly. This could include the name and position of the author and/or evidence of the circumstances on which the opinion is based.
Case Study: Principle 3
The gym membership
A local leisure centre operates a membership scheme. Upon registration for the scheme, customers fill in a form with their personal details, including their name, address, date of birth, contact details, some health information and bank details, in order to set up a direct debit for payment of the membership fee.
• The data collected is adequate for the leisure centre to be able to identify its customer and administer the membership (for example, contact and payment in relation to the membership).
• Health information will be relevant for some customers; for example, certain health conditions may mean that a customer is not able to use certain items of equipment, or may require assistance from staff in certain circumstances.
• The data that the leisure centre is requesting and processing is not excessive, as it is only asking for information relevant to the purpose of administering the customer’s membership. If irrelevant information is obtained, such as a customer noting in their health information that they had the flu several years ago, it should be deleted.

Checklist: Principle 3
• Have you identified the minimum amount of data you require for the purpose for which you wish to process it?
• Is the amount of data you are collecting sufficient (adequate) for its purpose?
• Is all of the data you are collecting relevant to the purpose for which you are processing it?
• Are you, or will you be, processing any sensitive personal data? (If so, consideration of the above is especially important.)
• Does, or could, the data you hold contain opinions about an individual? If so, is the context of the opinion clear, and is it clear whose opinion it is?
See ‘Glossary’ for explanation of terms

Principle 4: Data must be accurate and up to date

Accuracy of data
In order for data to be accurate, it ‘must not be incorrect or misleading as to any matter of fact’.
The context in which the data is held can also affect whether or not it is accurate. For example, if an individual works for Company A and then moves to a new job at Company B, it would be inaccurate to say ‘the individual works for Company A’. However, it would still be accurate to say that the individual ‘used to work for Company A’. If data that has been recorded is then found to be inaccurate, it should be amended or deleted.

In certain circumstances it would be impractical to check and double-check every single item of data you receive, and the Data Protection Act recognises this. The legislation therefore makes special provision about the accuracy of information that is obtained from the data subject themselves or that is provided by a third party. Regarding the accuracy of personal data provided by the data subject or obtained from a third party, you must:
• Accurately record the information as it has been provided to you, i.e. by the data subject or third party
• Take ‘reasonable steps’ to ensure that the data is accurate
• Make it clear if the accuracy of the information has been challenged, such as by adding a note

Reasonable steps
The definition of the term ‘reasonable steps’ will vary, depending on the type of data and the purpose for which it will be processed. The greater the potential impact of processing the data, the more important its accuracy is, and therefore the greater the effort you should make to ensure that it is accurate.

Keeping data up to date
Whether or not data needs to be updated, and how frequently it should be updated, usually depends on the purpose(s) for which it is being processed. This is usually fairly obvious: if the purpose for which data is being processed relies upon it being up to date (for example, an organisation that delivers goods to a customer’s address), it is important to ensure that the information is up to date.
Recording and retaining a record of mistakes
As long as an organisation’s records are accurate and not misleading, it is deemed acceptable within the Data Protection Act to retain a record of mistakes that have occurred. It should be made clear that a mistake has occurred, for example by adding notes to the information.

Challenged accuracy
If the data subject challenges the accuracy of data you hold about them, it is good practice to mark the record as being in dispute, although this is not a legal obligation. The advantage of this is that, if it does transpire that the data is inaccurate, you are not likely to be found in breach of this principle, as long as you have met the other criteria in the three points described above.

Case Study: Principle 4
The Credit Reference Agency
Credit Reference Agencies obtain data about individuals from a variety of public and financial sources, for multiple purposes, such as helping banks and other companies make decisions about whether or not to lend money to them. One of the sources of data is financial information from organisations that the data subject already has dealings with, for example in relation to an existing loan agreement. Banks and other creditors provide regular ‘feeds’ of data (usually monthly) to the Credit Reference Agency.
• As the data is being provided to the Credit Reference Agency by a third party, i.e. the existing loan account information from the data subject’s bank, the information can be deemed accurate as long as it is recorded correctly, as provided by the lender.
• Credit referencing data can have a significant impact on the data subject, i.e. it can affect credit decisions made about them. Although the data has been obtained from a lender, the Credit Reference Agency must therefore take reasonable steps to ensure its accuracy. It does this by conducting tests on a sample of the data received each month, to check for any discrepancies or inconsistencies.
• The Credit Reference Agency ensures that it is keeping data from lenders and other sources up to date by obtaining regular (usually monthly) updates from its sources.

An individual obtains a copy of their credit report and notices that it shows a mistake. They contact the Credit Reference Agency to notify them of the inaccuracy.
• The Credit Reference Agency takes reasonable steps to ensure the accuracy of the data by contacting the third party that provided it (for example, a lender).
• In the meantime, they add a ‘dispute notice’ to the item of data, so that anyone viewing it while the accuracy of the data is being challenged will be aware that it may be inaccurate.
• The individual could also add a ‘notice of correction’ to explain the circumstances surrounding information on their credit report, for example late payments due to losing their job unexpectedly.

Checklist: Principle 4
• Are you obtaining data from either the data subject or a third party? If so, how will you make sure you record the data accurately, as it is provided to you?
• What ‘reasonable steps’ will you take to ensure that the data you process is accurate?
• Have you considered the impact of inaccurate data? Do your ‘reasonable steps’ reflect this?
• What process do you have in place for when an individual disputes the accuracy of the data you hold? What process do you have for correcting the data?
• How often will you update the data? Is your frequency of updates sufficient for the purpose(s) for which you are processing the data?
See ‘Glossary’ for explanation of terms

Principle 5: Data must not be kept for longer than is necessary

Retention of personal data
The Data Protection Act does not specify how long you should retain data for; it simply states: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.” As with some of the other principles, this suggests that, in order to decide how long you should keep data for, you need to be clear on the purpose(s) for which you intend to use it. You must also ensure that information is securely deleted or disposed of when it is no longer required for its specified purpose. Data which is still required for the specified purpose but is not accessed regularly should be archived and stored securely. It is important to regularly review the personal data you hold and delete or archive it as appropriate.

Defining retention periods
It is a good idea to consider the following points, as they may help you to decide how long your retention periods should be:
• The purpose for which the data will be processed.
• Any surrounding circumstances, e.g. whether or not you still have dealings with the data subject.
• Legislation and regulatory requirements.
• Agreed practice within the industry.

You should also consider the implications of retaining data, for example:
• Larger capacity may be required in order to store larger amounts of data, i.e. if data is needed and kept for a long time.
• You must be able to satisfy a data subject’s request for access to their personal data. This could be more difficult if you retain data for longer than you need it.
• It may be more difficult to verify the accuracy of data that was obtained a long time ago.
• Data may become out of date and could be used in error.

Data should not be retained ‘just in case…’; however, it is acceptable to retain data for foreseeable circumstances that may only happen occasionally.
The data should still only be kept for as long as the purpose for which it is stored is reasonably foreseeable, and there must always be a genuine business reason for keeping it. Depending on the size of your business, you may wish to create a data retention policy to define the periods for which you are going to hold data and to ensure consistency across your organisation. Your policy should also be reviewed from time to time to ensure that it is still appropriate.

Case Study: Principle 5
The online account
An independent online music retailer has a mixed customer base, ranging from DJs who place regular orders with them to individual members of the general public who make one-off purchases. When placing an order through the website, the customer is required to set up an online account by providing personal information and setting up login details, so that the order will be sent to the correct address and the customer can be identified should they have any enquiries or need to make any changes.
• The retailer should retain customer data long enough to fulfil the order and for a period of time afterwards, as it is reasonably foreseeable that the customer may make queries or complaints following delivery of their order. It is the retailer’s decision how long to keep the data for; however, they should be able to justify the chosen timescale and ensure that it is not longer than necessary.

When signing up for an online account, customers have the option to receive regular updates and promotions from the retailer. A customer who had previously opted into the marketing then contacts the retailer and states that they no longer wish to receive this information.
• Most of the data that was originally collected for marketing purposes, for example details of the customer’s music preferences, will no longer be required and should therefore be deleted. It is, however, permissible to retain enough information to ensure that marketing is no longer sent to that particular customer.
• Regular customers returning to the retailer’s website in future to place further orders will find it more convenient if they can just log in and do not have to re-enter all of their personal details; however, this reason alone would not justify keeping their data indefinitely. Personal data of customers who have not placed an order for some time should therefore be deleted.

Checklist: Principle 5
• Have you defined the retention periods for which you will keep each type of data you hold?
• Are the retention periods sufficient and not excessive in relation to the purpose(s) for which you are processing the data?
• Have you considered legislative and regulatory obligations when deciding on retention periods?
• Have you considered any agreed practices within your industry?
• Do you have the facility and capacity to keep data for the length of time you require?
• Is there a data retention policy in place within your organisation?
See ‘Glossary’ for explanation of terms

Principle 6: Data must be processed in line with the data subject’s rights

Rights under the Data Protection Act
The Data Protection Act sets out the rights that an individual has in relation to their personal data. Principle 6 of the act states that personal data must be processed in line with these rights. If an individual is not satisfied that you are processing their data in line with their rights under the act, they can apply to a court to order you to do so.

Access to personal data
Section 7 of the DPA states that an individual is entitled to know whether a data controller is processing personal data about them, including a description of the type of data being processed, the purpose for which it is being processed and to whom the data may be disclosed. Section 7 of the act also stipulates that an individual is entitled to request a copy of the personal data that an organisation holds on them.
Data Subject Access Requests (DSAR)
A DSAR is a request made by the data subject to obtain a copy of their personal data from an organisation. As the data controller, you are obliged to supply this information when:
• The request has been made in writing.
• You have received any fee that you may require (the maximum amount you can charge is £10).

The time within which you must comply with the DSAR is 40 calendar days. You are, however, also entitled to request additional information in order either to identify the individual or to enable you to satisfy the request for information. An example of this could be details that will help you to locate the data that the individual is requesting. If you reasonably require such additional information and have requested it, you are not obliged to release the data until you have received the additional information.

You should also consider whether releasing data on the individual requires you to disclose another person’s personal data. If this is the case, you are only obliged to supply the data if:
• The other individual has given their consent
Or:
• ‘It is reasonable in all circumstances’ to comply with the DSAR without the consent of the other individual. Consideration should be given to any applicable duty of confidentiality, the steps taken to obtain consent, whether the other individual is capable of giving consent, and any express refusal of consent by the other individual.

Prevention of processing that is likely to cause damage or distress
An individual has the right to give notice that an organisation must cease to process their personal data if that processing is causing, or is likely to cause, substantial and unwarranted damage or distress. The objection to the processing should be made in writing and specify the reasons for which damage or distress is being, or could be, caused. An individual does not have the right to object to processing in certain circumstances.
These include:
• Where the individual has consented to the processing.
Or when the processing is necessary:
• In relation to a contract that the individual has entered into.
• Because the individual has asked for something to be done to enable them to enter into a contract.
• In relation to your legal obligations.
• To protect the individual’s ‘vital interests’.

As the data controller, an organisation should respond to the individual within 21 calendar days. You must either confirm that you will be complying with the notice, or give the reasons for which you believe the notice to be unjustified.

Prevention of processing for direct marketing
The Data Protection Act defines direct marketing as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.” An individual has the right to ask an organisation not to process, or to cease processing, their personal data for this purpose. The request can be made at any time and must be complied with by the data controller. A response to such a request should be sent to the individual within 21 calendar days.

Prevention of automated decision making
An individual has three rights in relation to automated decisions made about them which may have a significant impact on them. Examples of ‘significant’ decisions defined within the Data Protection Act are performance at work, creditworthiness, reliability and conduct.

The first right is the right to prevent automated decision making. You must not make an automated decision where an individual has provided a written request not to. Individuals also have the right to be informed when an automated decision has been made. An organisation must notify the individual that an automated decision has been made using their personal data as soon as is reasonably practicable. Finally, an individual has the right to request that an automated decision is reconsidered or reviewed.
The individual has 21 days from when they are notified of the automated decision to appeal against it. As the data controller, you have 21 calendar days within which you must respond to the individual.

There are some automated decisions which are exempt from the individual’s rights under the act. These include decisions that are:
• Authorised or required by legislation.
• Made in preparation for, or in relation to, a contract with the individual who is the data subject.
• To give the individual something that they have requested.
Or:
• Where safeguards have been put in place to protect the individual’s legitimate interests, for example allowing them to appeal the automated decision.

Rectification, blocking, erasure and destruction of data

The fourth principle covers the accuracy of data. In the event that personal data is inaccurate, the data subject can apply to the court to have the data rectified, blocked, erased or destroyed. Alternatively, the court may order you to add a statement of the true facts to the record that contains the personal data (any such statement must be in terms approved by the court).

It is good practice to take reasonable steps to notify any third parties of changes to, or deletions of, inaccurate personal data. The court may also order you to do this; however, it is only likely to do so if it is reasonably practicable to comply with the request.

Compensation

The Data Protection Act gives individuals the right to compensation for damage or distress caused by the data controller failing to comply with their obligations under the act. The DPA does not specifically define damage; however, if an individual has suffered financial loss as a result of a breach of the act, then they are likely to be entitled to compensation. Distress alone is not usually sufficient to entitle an individual to compensation.
The act states that an individual will only be entitled to compensation in relation to distress if damage has also been suffered as a result of contravention of the act, or the breach relates to the processing of personal data for special purposes. The DPA also allows you to defend a request for compensation on the basis that you took all reasonable care in the circumstances to avoid the breach.

Case Study: Principle 6
The letting agent

An individual contacts their local letting agent to enquire about a property that the agent is advertising for rent. Prior to arranging a viewing, the agent asks the individual to register with them, so that they can check the individual meets their criteria as a suitable tenant. The agent would also like to contact them about any other properties that they think the individual may be interested in. As part of the registration process, the individual signs the letting agent’s terms and conditions, which include consent to a credit check being undertaken. As part of the terms and conditions, the individual also agrees that the letting agent may contact their previous landlords for tenant references.
• As the individual has consented to the processing of their personal data as part of the registration, they do not have the right to request that the letting agent ceases processing that is in relation to the contractual agreement.

When conducting the credit check, the letting agent uses an automated system to score the individual’s application. The decision is then produced automatically based on the automated scoring.
• The individual may exercise their right to prevent automated decision making and ask the letting agent to conduct the credit check manually. The letting agent could satisfy this request by putting an appeals process in place for applications that are declined as the result of an automated check. If the individual was declined, they could then have a manual decision made by following the appeals process.
The letting agent sends out a weekly update, including details of new properties that are available to rent. After the individual has found and moved into their new home, they decide that they no longer wish to receive this marketing and contact the letting agent to advise them of their request.
• The letting agent is obliged to comply with the individual’s right to prevent direct marketing and must respond to the individual within 21 calendar days.

The individual decides that they would like to see a copy of the personal data that the letting agent holds about them. They write a letter to the letting agent requesting the information and enclose a cheque for £10.
• The letting agent is obliged to satisfy the Data Subject Access Request (DSAR) and must ensure that they have adequate procedures in place to locate and provide the individual with a copy of their personal data.

Checklist: Principle 6
• Do you have a process in place to deal with Data Subject Access Requests, i.e. would you be able to identify, locate and supply a copy of all of an individual’s personal data if they were to ask for it?
• Have you considered whether your processing of an individual’s personal data is likely to cause them damage or distress?
• If an individual asks you to stop marketing to them, would you be able to easily comply with this request?
• Does your business make any automated decisions? If so, is there a process in place to make manual decisions if an individual requests you to do so, e.g. a referral or appeals process?
• Do you have a procedure in place to handle compensation requests, for example as part of a complaints procedure?
See ‘Glossary’ for explanation of terms.

Principle 7: Data must be secure

Information security

The Data Protection Act states that a data controller must ‘take appropriate technical and organisational measures’ to protect personal data from being compromised.
The measures appropriate will depend on the nature of the personal data that you hold and the impact or harm that could result in the event of a security breach. Data that is particularly valuable, sensitive or confidential is likely to have a more significant impact if it were to get into the wrong hands or be used in an inappropriate way.

In order to protect personal data and keep it secure, it is important to:
• Create and implement robust policies and procedures regarding information security.
• Put in place sufficient physical and technical security that is appropriate to the data you hold.
• Train staff to ensure that they are aware of, and are able to meet, their obligations.
• Be clear about who within your organisation is responsible for ensuring information security.
• Be prepared and able to respond to any breach of security swiftly and effectively.

Although the act does not define the term ‘appropriate’, you should take a risk-based approach which takes into account technological advances and the cost involved in relation to information security. You should also regularly review the data you hold, how you use it and how you protect it, in order to ensure that the security measures in place remain appropriate.

Security within the DPA also extends to state that the data controller must:
• Take reasonable steps to ensure the reliability of employees.
• Obtain guarantees from any data processor working on their behalf in respect of using adequate protection to keep personal data secure.
• Put in place a written contract with the data processor, under which they are only able to act under the data controller’s instructions and must comply with equivalent obligations to those under the DPA.

Breach management

It is important for an organisation to consider how they would react and respond to a breach, as breaches can occur even when there are appropriate security measures in place.
A good breach management plan can help to limit damage and aid recovery from the breach. There are four main topics to consider when creating and implementing a breach management plan:
• Containment and recovery: reaction to an incident should include a recovery plan and procedures to limit any damage caused by the breach.
• Risk assessment: this will help you to establish the actions to take in response to the breach and learn how to prevent future breaches of a similar nature.
• Notification: you should consider who needs to be notified and why. Examples of who you may consider making aware of the breach include the data subject(s) concerned, the ICO, other regulatory bodies, the police or the media.
• Evaluation and response: it is important to investigate the causes of the breach and evaluate the effectiveness of your reaction and response to it. You should take the opportunity to learn from a breach and update any policies, procedures and other security elements where necessary.

Further information

There is further information in relation to breaches and breach management on the ICO website: www.ico.gov.uk

You can also find further information and advice on information security at the following sites:
• General information security: www.berr.gov.uk/sectors/infosec/infosecadvice/page10059.html
• Information security advice for small and medium businesses: www.berr.gov.uk/infosec
• E-learning package: www.bobs-business.co.uk

Case Study: Principle 7
The travel agent

A travel agent obtains a variety of information from its customers, including their general details such as name and address, passport number and payment details. For customers who wish to arrange travel insurance through the agent, sensitive health information is also collated.
• Sensitive data, such as health and payment information, could cause a great deal of damage or distress to the individual concerned if it were to be compromised.
Therefore the travel agent should take extra care to ensure the data is kept secure.

As part of its information security measures, the travel agent creates and implements an information security policy. The policy sets out a wide range of procedures to protect the organisation’s data, including verifying the identity of staff upon employment and obtaining references from former employers to confirm reliability.
• The travel agent is meeting its obligation to take reasonable steps to ensure the reliability of its employees by implementing this element of the policy.
• Employees should be trained to ensure that they understand and meet their obligations regarding keeping data secure.
• The travel agent should also ensure that it is clear about who within the organisation is responsible for information security, to ensure that a high standard is maintained.

To keep data physically secure, the travel agency also adopts a number of physical security measures. These include building security, such as alarms and window shutters, coded locks on rooms where personal data is held, confidential waste bins to ensure secure disposal of waste, and password-protected access to systems.
• The Data Protection Act does not define what is an ‘appropriate’ level of security. These are just some of the ideas that your organisation may wish to consider.

The travel agent discovers that it has been the victim of an information security breach. An employee is suspected of selling lists of customer information to a third party and is suspended while an investigation takes place, to prevent any further misuse of data.
• It is important that the travel agent has a breach management system in place to limit the damage caused by the misuse of data and prevent similar occurrences in future.
• It should also be considered whether anyone should be notified of the breach. If the employee was found to be guilty, the organisation may choose to involve the police.
They should also decide whether to notify the Information Commissioner and the individuals that the compromised data relates to.

Checklist: Principle 7
• Do you have an information security policy in place?
• Is there a designated individual within your organisation who is responsible for information security?
• Have you put in place adequate physical security measures in relation to the level of sensitivity of the personal data you hold?
• Do you have a training course or programme that must be completed by all employees?
• Do you take ‘reasonable steps’ to ensure the reliability of your employees?
• Have you considered how you would handle an information security breach and put relevant policies and procedures in place?
See ‘Glossary’ for explanation of terms.

Principle 8: Data must not be transferred to other countries without adequate protection

The principle

The Data Protection Act states: “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Transferring data

Transferring data means sending personal data to someone in another country. If data can be accessed in another country outside of the EEA, for example on a website, then this is also considered a transfer. However, a transfer does not include data passing through another country en route to its destination. For example, if you transfer data from the UK via a server in country A to its destination in country B, then as long as the data is not accessed or manipulated in any way while in transit, the eighth principle of the DPA will only apply to the data having been transferred to country B.
It is good practice to consider whether you need to process personal data, or whether you can still meet your requirements by making the data anonymous. If it is not possible to identify individuals from the data (now or at any point in the future), then the Data Protection Act does not apply and you would therefore be free to transfer the data outside of the EEA.

European Economic Area (EEA) Countries

Personal data can currently be transferred freely within the EEA without restriction. The current EEA member countries are listed below:
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

Countries with an adequate level of protection

The European Commission has deemed some other countries to have an ‘adequate level of protection’ for personal data, and therefore data can be transferred to these countries:
Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland.

Although the USA is not included in the list above, US companies that are signed up to the ‘Safe Harbour Scheme’ are considered to have an adequate level of protection.

An up-to-date list of countries with an adequate level of protection can be found at the European Commission’s data protection website: http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm

A list of companies that operate within the ‘Safe Harbour Scheme’ can be found on the US Department of Commerce’s website: www.export.gov/safeharbor/doc_safeharbor_index.asp

Transferring data to other countries

You may be able to transfer data to countries that are not approved as having an adequate level of protection. In order to do this, you should do at least one of the following:
• Assess the adequacy yourself.
• Use contracts to ensure that an adequate level of protection is provided.
You may wish to include the model contractual clauses approved by the European Commission.
• Operate ‘Binding Corporate Rules’ and have these approved by the ICO.
Alternatively, an exception to the rule may apply to some transfers.

Assessing adequacy of levels of protection in other countries

In order to assess whether an adequate level of protection is in place in another country, you should carry out a risk assessment which takes into consideration the following factors. These have been set out within the Data Protection Act:
• The nature of the personal data being transferred.
• Where the data is being transferred to, and the laws, obligations and practices adopted by that country (and to what extent).
• The purpose(s) and period for which the data will be processed.
• Whether it can be ensured that the required standards are achieved in practice.
• Any procedure under which individuals can enforce their rights or obtain compensation if things go wrong.

There are documents that offer further guidance on assessing levels of adequacy available on the ICO website: www.ico.gov.uk

Using contracts to ensure adequate levels of protection

Another way to ensure that adequate levels of protection are in place in another country that you are transferring data to is to put a contract in place between you and the organisation to which you are transferring the data. You can either create a contract yourself within your organisation, or you may wish to use the European Commission’s approved model clauses. The model clauses are attached as an annex to the European Commission adequacy decisions which approve their use. These can be found on the European Commission’s website: http://ec.europa.eu/justice/policies/privacy/modelcontracts/index_en.htm

If you intend to use the European Commission’s model clauses, you are not able to amend them in any way, such as by removing parts or adding additional clauses to change the meaning.
You can, however, incorporate the clauses into other contracts instead of having two separate documents.

If you choose to have a contract drawn up yourself, you do not have to have a separate contract relating to data protection. The clauses can be incorporated into any general contract you have that covers your relationship with the company concerned. You should, however, ensure that your contract is comprehensive, to minimise the risk of the contract’s adequacy being challenged in future.

Binding corporate rules

Binding Corporate Rules (BCR) are codes of corporate conduct that can be implemented within multi-national organisations. They are legally binding and are usually implemented through the use of intra-group declarations, agreements or corporate governance. BCRs give rights to individuals, which can be exercised before the courts or data protection authorities. The standard of an organisation’s Binding Corporate Rules must be assessed by all of the relevant European data protection authorities in order to use them to freely transfer personal data outside of the European Economic Area (EEA) within a group of companies.

Exceptions

It is always good practice to ensure, where possible, that there is an adequate level of protection for an individual’s personal data when transferring it outside of the EEA. There are, however, some exceptions that allow you in certain circumstances to transfer personal data, even where there may not be an adequate level of protection. The exemptions are:
• Where consent to transfer the data has been obtained from the individual (it is worth noting that consent cannot be relied upon where the individual has no choice but to consent).
• If the data is part of a public register (as long as the recipient complies with restrictions regarding access and use of the information).
Or the processing is necessary:
• In relation to contractual performance, where the contract that has been entered into is with the individual or is in their ‘vital interests’.
• For reasons of substantial public interest, such as the prevention and detection of crime, national security and tax collection. The public interest must be that of the UK and this exemption should be considered very carefully on a case-by-case basis.
• To protect the ‘vital interests’ of the individual.
• In relation to legal proceedings.

Transfers approved by the Information Commissioner

Only in exceptional circumstances may the Information Commissioner authorise transfers of personal data on the basis that there is an adequate level of protection. Although the ICO has the power to do this, it would only be done in cases where the ICO can be satisfied that there is absolutely no other way to satisfy the eighth data protection principle.

Case Study: Principle 8
The mail order

A UK-based internet retailer sells wedding and bridesmaid dresses online that are made to order. The retailer does not manufacture the items, and the dresses are delivered directly to customers from the manufacturer, who is based in Thailand. In order to satisfy dress orders, the retailer needs to transfer the customer’s details, including name, address and dress measurements, to the manufacturer. This is made clear and is agreed to by customers at the point of order.
• It is necessary to transfer the data to the manufacturer as they deliver the orders directly to the customer.
• As the customer consents to their data being transferred overseas, the transfer can take place without the need to assess adequacy of protection. However, it is still best practice to ensure adequacy of protection where possible, for example by the use of a contract between the retailer and the manufacturer.

Checklist: Principle 8
• Do you intend to transfer any personal data overseas? If so, is the country to which you are transferring the data within the European Economic Area?
• Is it necessary to transfer the personal data, or can you fulfil the purpose for which you are processing it in another way?
• If the country to which you are transferring personal data is not within the EEA, have you checked whether it is included on the list of countries already deemed to have adequate protection?
• Have you put a contract in place between you and the person or organisation to which you are transferring the personal data, to ensure that it is sufficiently protected?
• Has consent to transfer the personal data been obtained from the individual who is the data subject?
• If you are not able to ensure adequate protection, can you be sure that one of the exemptions applies in order to allow the transfer to take place?
See ‘Glossary’ for explanation of terms.

Glossary

Accessible record
“Accessible record” is defined within the Data Protection Act as any of the following:
• A health record that contains information about the physical or mental health or condition of an individual, made by or on behalf of a health professional in connection with the care of that individual.
• An educational record that contains information about a pupil, which is held by a local education authority or special school.
• A publicly available record that contains information held by a local authority for housing or social services purposes.

Data
Information that is, or is intended to be, processed by computer. The definition of data within the act also extends to information that is recorded as part of a relevant filing system.

Data controller
Someone who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. This may be one person alone, or jointly with other persons.

Data processor
As defined in the Data Protection Act in relation to personal data, a “data processor” is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data subject
The individual who is the subject of personal data, i.e. who the personal data is about.

Inaccurate data
Data that is incorrect or misleading as to any matter of fact.

Personal data
Data that relates to a living individual who can be identified from the data. The definition of “personal data” also extends to and includes opinions about the individual and any indications of the intentions of any person in respect of the individual.

Processing
In relation to information or data, the Data Protection Act defines “processing” as obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data. This could include:
• Organisation, adaptation or alteration of the information or data.
• Retrieval, consultation or use of the information or data.
• Disclosure of the information or data by transmission, dissemination or otherwise making it available.
• Alignment, combination, blocking, erasure or destruction of the information or data.

Relevant filing system
Information that is structured or organised in such a way that allows easy access to specific information about an individual.

Recipient
Any person to whom the data is disclosed.
Sensitive personal data
Personal data consisting of information about any of the following:
• Racial or ethnic origin
• Political opinions
• Religious beliefs or other beliefs of a similar nature
• Trade union membership
• Physical or mental health or condition
• Sexual life
• The commission or alleged commission by the data subject of any offence
• Any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

Third party
In terms of the Data Protection Act and personal data, this means any person other than:
• The data subject
• The data controller
• Any data processor or other person authorised to process the data on behalf of the data controller or processor

Vital interests
Cases that are a matter of life or death, for example where an individual’s medical history is disclosed to a hospital’s accident and emergency department that is treating the individual following a serious road accident.

Contact details and other useful resources

Experian UK Compliance Team
www.experian.co.uk/responsibilities/compliance/
compliancedept@uk.experian.com

Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
www.ico.gov.uk
T: 08456 306 060 / 01625 545 745
mail@ico.gsi.gov.uk

Landmark House, Experian Way, NG2 Business Park, Nottingham, Nottinghamshire NG80 1ZZ

© Experian 2011. The word “EXPERIAN” and the graphical device are trade marks of Experian and/or its associated companies and may be registered in the EU, USA and other countries. The graphical device is a registered Community design in the EU. All rights reserved. CMDS - 18.10.