1. Data Protection Act 1998 Explanatory Guidance

advertisement
1.
Data Protection Act 1998 Explanatory Guidance
Purpose Of Guidance
Part 1 of this guidance provides a brief overview of the Data Protection Act 1998. Part II of
the guidance contains more detailed guidance on the Act and also how the Scottish Executive
deals with subject access requests and notifications under the Act.
Part 1
•
•
•
•
•
•
•
Introduction
Registration / Notification
The Data Protection Principles
Data Subject Rights
Exemptions
Transfer of Data Overseas
Manual Records
Part II
•
•
•
•
•
•
•
•
•
•
Notifications And Amendment Of Register Entries
Right Of Access To Personal Data
The Data Protection Unit
Responsibilities Of User Divisions
Identifying The Individual
Fair Processing Code
Exemptions
Criminal Liability
Personal Data Contained in E-mails
Further Advice
Part 1
Introduction
1. The Data Protection Act 1998 and the secondary legislation required to support it were
brought into force on 1 March 2000. Data Protection is a reserved issue. The Lords
Chancellor’s Department has policy responsibility for the matter.
2. The Act contains familiar elements from the previous legislation (Data Protection Act
1984) such as; the Data Protection Principles of good practice; a registration system; an
independent supervisory authority to oversee data protection legislation; and the data
subject's right to have access to his or her personal data and to correct it where inaccurate.
However there are additional requirements which are explained in this guidance.
3. The Act provided for two periods of transitional relief during which data controllers can
bring their existing systems into compliance with the new law. The first period elapsed on 24
October 1998. The second period of transitional relief is very limited in scope and only
applies to some data, which was already held in manual filing systems prior to 24 October
1998. This exemption will apply until 2007.
4. The following is a brief glossary of some of the terms used in this guidance: Data: Personal data processed or which is intended to be processed
Processing: means obtaining, recording or holding data; and any operation or set of
operations on the data
Personal data: Data from which it is possible to identify a living individual. It includes
information about the intention s of a data controller towards the data subject and applies not
only to information which identifies the data subject but also to information relating to an
individual who can be identified from other information which is in the possession of, or is
likely to come into the possession of, the data controller.
A reference to a name, on its own, without any other information may not be sufficient to
constitute personal data under the Act. However, it is likely that the context in which the
name is held will enable some information to be inferred about an individual in such a way
that it would be personal data for these purposes.
Manual data: Personal data which is recorded as part of a relevant filing system
Relevant filing system: Any structured set of information which is organised either by
reference to individuals or by criteria relating to individuals so that specific details about a
particular person may easily be selected from that system
Data controller: isa person who (either alone or jointly in common with other persons)
determines the purposes for which and the manner in which data is processed. The Scottish
Executive is a data controller.
Information Commissioner: The Office of the Information Commissioner has responsibility
for enforcement of the Act and also for the provision of information and advice on the Act.
Registration / Notification
5. The Information Commissioner maintains a public register of data controllers. Each
register entry includes the name and address of the data controller and a general description
of the processing of personal data by a data controller. Individuals can consult the register to
find out what processing of personal data is being carried out by a particular data controller.
Notification is the process by which a data controller's details are added to the register. The
Data Protection Act 1998 requires every data controller who is processing personal data to
notify unless they are exempt.
The Data Protection Principles
6. The Data Protection Principles are dealt with in Schedule 1 of the Act.
7. The Act states that personal data must be processed 'fairly and lawfully'. The Act expressly
provides that personal data are not to be treated as processed fairly unless, as far as
practicable, certain criteria are met (see guidance on fair processing code in Part II). These
include informing data subjects of the identity of the data controller and any nominated
representative, as well as informing the data subject of the purposes for which the data is to
be processed.
8. In addition Schedule 2 provides that processing may only be carried out where one of the
following conditions has been satisfied i.e., where;
•
•
•
•
•
•
the individual has given his consent to the processing
the processing is necessary for the performance of a contract with the individual
the processing is required under a legal obligation
the processing is necessary to protect the vital interests of the individual
for the administration of justice, for the exercise of any functions conferred by
enactment or for the exercise of any functions of a Minister of the Crown or
government department
The processing is necessary in order to pursue the legitimate interests of the data
controller or certain third parties (unless prejudicial to the interests of the individual).
9. Most processing carried out by the Scottish Executive will satisfy the condition above
shown in bold (the Scottish Ministers are not strictly speaking Ministers of the Crown and
the departments of the Scottish Executive are similarly not government departments, but
there are provisions in the Scotland Act 1998 and in the Scotland Act 1998 (Consequential
Modifications)(No.2) Order 1999 (S.I. 1999/1820) which extend the meaning of these terms
in the Data Protection Act appropriately).
10. Stricter conditions apply to the processing of sensitive data. This category includes
information relating to racial or ethnic origin, political opinions, religious or other beliefs,
trade union membership, health, sex life and criminal convictions. Where such data is being
processed not only must the controller meet the requirements of the Principles and Schedule
2, but also processing is prohibited unless at least one of the conditions in Schedule 3 can be
satisfied.
11. The explicit consent of the individual will usually have to be obtained before sensitive
data can be processed unless the controller can show that the processing is necessary based
on one of the criteria laid out in Schedule 3 of the Act. Most processing carried out by the
Scottish Executive will satisfy the following condition in Schedule 3 .
•
The processing is necessary for the administration of justice, for the exercise of
any functions conferred by enactment or for the exercise of any functions of a
Minister of the Crown or government department
12. There is a requirement for data controllers to take security measures to safeguard personal
data (Principle 7, Schedule 1, Part I) but the Act states explicitly what precautions data
controllers must take (Schedule 1, Part II). Under the Act appropriate technical and
organisational measures must be taken to prevent the unauthorised or unlawful processing or
disclosure of data. There is also a requirement for data controllers to ensure that where a data
processor processes data on behalf of the controller there is a written contract between the
parties whereby the processor agrees only to act on the instructions of the controller and to
abide with the provisions of the security principle.
Data Subject Rights
13. The Data Protection Act 1998 provides an individual who is the subject of personal data
(the "data subject") with a right of access to the data.
14. Section 7 of the Act provides that an individual is entitled:
to be told by the data controller whether they or someone else on their behalf is processing
that individual's personal data,
if so, to be given a description of:•
•
•
a) the personal data,
b) the purposes for which they are being processed, and
c) those to whom they are or may be disclosed,
to be told, in an intelligible manner, of:•
•
a) all the information which forms any such personal data. This information must be
supplied in permanent form by way of a copy, except where the supply of such a copy
is not possible or would involve disproportionate effort or the data subject agrees
otherwise. If any of the information in the copy is not intelligible without explanation,
the data subject should be given an explanation of that information, e.g. where the
data controller holds the information in coded form which cannot be understood
without the key to the code, and
b) any information as to the source of those data.
Where a decision significantly affecting a data subject is, or is likely to be, made about them
by fully automated means, for the purpose of evaluating matters about them such as their
performance at work, their creditworthiness, their reliability or their conduct, they are entitled
to be told of the logic involved in that process.
This right of access may be exercised by the submission of a request in writing and on
payment of a fee, set at £10 for the Scottish Executive.
15. Section 1 of the Act defines personal data as meaning data which relate to a living
individual who can be identified –
•
•
from those data, or
from those data and other information which is in the possession of or is likely to
come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the
intentions of the data controller or any other person in respect of the individual.
Other Data Subject Rights
16. The Act also provides data subjects with certain other rights. The rights are :•
•
•
Right to prevent processing likely to cause damage or distress
Right to prevent processing for the purpose of direct marketing
Right in relation to automated decision making
•
•
Right to take action for compensation if the individual suffers damage by any
contravention of the Act by the data controller
Right to make a request to the Information Commissioner for an assessment to be
made as to whether any provision of the Act has been contravened.
Exemptions
17. There are a number of exemptions from the provisions of the Act. Most either exempt
personal data from the "subject information " or the "non-disclosure" provisions of the Act.
What these exemptions cover is complex and cannot be summarised easily. Full details of the
exemptions are described in Part II.
Transfer Of Data Overseas
18. The Act restricts the transfer of personal data outside the EU. There are to be no
restrictions on the free flow of personal data between countries in the European Economic
Area (which consists of Norway, Iceland and Liechtenstein, as well as the 15 EU Member
States). However, personal data may only be transferred to other third countries if those
countries ensure an "adequate level of protection for the rights and freedoms of data
subjects".
Manual Records
19. The Act applies to a limited range of manual records. Three criteria must be met for a
manual record to be within the scope of the Act:
•
•
•
the information must be part of a structured set of information, relating to individuals;
the structuring must be done either by reference to individuals or by reference to
criteria relating to individuals (e.g a unique personal identification number);
the structuring must allow specific information relating to a particular individual to be
readily accessible.
20. Lord Williams of Mostyn set out the Government’s view of what this meant in the House
of Lords (OR: 16 March 1998, Cols 467-468):
"Our intentions are clear. We do not wish the definition to apply to miscellaneous collections
of paper about individuals, even if the collections are assembled in a file with the individual’s
name or other unique identifier on the front, if specific data cannot be readily extracted from
that collection.
An example might be a personnel file with my name on the front. Let us assume that the file
contains every piece of paper or other document about me which the personnel section has
collected over the course of my career, and those papers are held in the file in date order, with
no means of readily identifying specific information about me, except by looking at every
document. The Government’s clear intention is that such files should not be caught. We want
to catch only those records from which specific information about individuals can be readily
extracted.
Let us take the case of a personnel file consisting only of information about my sickness
record during my career. If that file has my name on the front and is part of a structured set,
that file will be caught because the specific information about me, my sickness record, is
readily available.
"Specific" information is intended to mean and does mean distinct information within the file
which can be distinguished from other information in the file and separately accessed. It
means information of a distinct identity which sets it apart from the rest of the generality of
personal information held."
21. Information should not be disclosed from manual records unless, on a strict interpretation
of the legislation (as outlined above), the records fall within the scope of the 1998 Act .
Part II
Notifications And Amendment Of Register Entries
The Register includes a number of entries for the Scottish Executive, which is notified as a
data controller.
Divisions, Agencies and professional units must ensure that any new holdings of personal
data (processed by a computerised system) or changes affecting existing data holdings are
notified. Initial notification packs are available from the Data Protection Unit. Completed
forms should be sent to the Data Protection Unit (DPU), who will arrange for transmission to
the Information Commissioner’s Office along with the necessary fee. A copy of the
notification as submitted will be returned to the responsible Division, Agency or professional
unit. Annex A to this entry details exemptions from the requirement to notify NB Even if data
is exempt from the requirement to notify the data protection principles still apply to such
data.
The DPU will also provide Notification Handbooks issued by the Office of the Information
Commissioner, on request.
The notifications which Divisions submit constitute the boundaries within which they may
process that personal data or have it processed on their behalf. It is important, therefore, that
Divisions have effective arrangements for ensuring that all staff directly involved in handling
personal data (including new staff on their arrival) are made aware of the terms of the register
entry or entries applicable to that data.
Members of staff should be aware of certain legal liabilities which the Act created for
Government departments and Crown employees (see Criminal Liabilty).
Annex A
Exemptions From The Requirement To Notify
Manual data
The Scottish Executive will be required to notify that it processes personal data processed
automatically and manually. There will however not be a requirement to provide details of
the manual data that is processed.
General
The following processing operations are exempt from the need to notify :Staff administration exemption
The processing (a) is for the purposes of appointments or removals, pay, discipline, superannuation, work
management or other personnel matters in relation to the staff of the data controller;
(b) is of personal data in respect of which the data subject is (i) a past, existing or prospective member of staff of the data controller; or
(ii) any person the processing of whose personal data is necessary for the exempt purposes;
(c) is of personal data consisting of the name, address and other identifiers of the data subject
or information as to (i) qualifications, work experience or pay; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(d) does not involve disclosure of the personal data to any third party other than
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(e) does not involve keeping the personal data after the relationship between the data
controller and staff member ends, unless and for so long as it is necessary to do so for the
exempt purposes.
Advertising, marketing and public relations exemption
The processing (a) is for the purposes of advertising or marketing the data controller's business, activity,
goods or services and promoting public relations in connection with that business or activity,
or those goods or services;
(b) is of personal data in respect of which the data subject is (i) a past, existing or prospective customer or supplier; or necessary to do so for the exempt
purposes.
(ii) any person the processing of whose personal data is necessary for the exempt purposes;
(c) is of personal data consisting of the name, address and other identifiers of the data subject
or information as to other matters the processing of which is necessary for the exempt
purposes;
(d) does not involve disclosure of the personal data to any third party other than -
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(e) does not involve keeping the personal data after the relationship between the data
controller and customer or supplier ends, unless and for so long as it is necessary to do so for
the exempt purposes.
Accounts and records exemption
The processing (a) is for the purposes of keeping accounts relating to any business or other activity carried on
by the data controller, or deciding whether to accept any person as a customer or supplier, or
keeping records of purchases, sales or other transactions for the purpose of ensuring that the
requisite payments and deliveries are made or services provided by or to the data controller in
respect of those transactions, or for the purpose of making financial or management forecasts
to assist him in the conduct of any such business or activity;
(b) is of personal data in respect of which the data subject is (i) a past, existing or prospective customer or supplier; or
(ii) any person the processing of whose personal data is necessary for the exempt purposes;
(c) is of personal data consisting of the name, address and other identifiers of the data subject
or information as to (i) financial standing; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(d) does not involve disclosure of the personal data to any third party other than (i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(e) does not involve keeping the personal data after the relationship between the data
controller and customer or supplier ends, unless and for so long as it is necessary to do so for
the exempt purposes.
Sub-paragraph (1)(c) shall not be taken as including personal data processed by or obtained
from a credit reference agency.
Non profit-making organisations exemptions
The processing (a) is carried out by a data controller which is a body or association which is not established
or conducted for profit;
(b) is for the purposes of establishing or maintaining membership of or support for the body
or association, or providing or administering activities for individuals who are either
members of the body or association or have regular contact with it;
(c) is of personal data in respect of which the data subject is (i) a past, existing or prospective member of the body or organisation;
(ii) any person who has regular contact with the body or organisation in connection with the
exempt purposes; or
(iii) any person the processing of whose personal data is necessary for the exempt purposes;
(d) is of personal data consisting of the name, address and other identifiers of the data subject
or information as to (i) eligibility for membership of the body or association; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(e) does not involve disclosure of the personal data to any third party other than (i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(f) does not involve keeping the personal data after the relationship between the data
controller and data subject ends, unless and for so long as it is necessary to do so for the
exempt purposes.
Arrangements For Subject Access Requests
The administrative arrangements for dealing with requests from members of the public for
access to their personal data apply to all Scottish Executive computerised and manual
information covered by the Act. See entry on the Data Protection Unit.
The Data Protection Unit
The Data Protection Unit (DPU) within CISD acts as a central clearing house for subject
access requests. Any requests arriving in other parts of The Scottish Executive should be
passed to the Unit as quickly as possible. The Unit’s address is:
The Scottish Executive Data Protection Unit
CISD:Records Management
J Spur
Saughton House
Broomhouse Drive
EDINBURGH
EH11 3XD (Telephone 0131 (GTN 7188) 244 8119)
Responsibilities Of The Data Protection Unit
The DPU is responsible for ensuring that a response is issued within the 40 days allowed by
the Act. On receipt of a request, the DPU’s role is to:
•
•
•
•
•
•
•
•
Log the request.
Check that the appropriate fee has been sent.
Check that an appropriate notification entry has been specified in the request.
Check that the request contains sufficient information to identify the data specific to
the data subject. Where necessary, contact the data subject to secure the fee or the
required information to identify the data specific to the data subject.
Send the request with a covering minute to the user division. Where necessary a copy
of the request may be sent to the BSU(This minute should be initialled and dated each
time the request passes from the DPU to user division to BSU)
On instruction from the user division, write to the applicant to seek verification of
identity
receive the validated output supplied by the user division.
Send the validated output supplied by the user division or the BSU to the data subject.
Responsibilities Of User Divisions
Each user division is responsible for:
•
•
•
•
•
•
Ensuring that division staff are aware that any subject access request they receive
directly must be sent first to the Data Protection Unit to be logged.
Ensuring that arrangements exist which enable the personal data held to be extracted.
Verifying the identity of the person making the request (see Identifying The
Individual). Where insufficient information is supplied, the user division should return
the subject access request to the DPU which will ask the data subject for additional
information which is required.
Locating the relevant data and producing a copy (liaising with the BSU as necessary).
Ensuring that data for the right person have been produced, checking the accuracy of
the output, editing out where necessary third party data (see Information relating to
another individual) and explaining any unintelligible terms.
Send the validated data to the Data Protection Unit for issue.
Identifying The Individual
User divisions are responsible for verifying the identity of the data subject making the
request. The means of such verification will vary but in most cases a comparison of the
signature on the request with that held on branch records will be sufficient. In cases of
reasonable doubt, user divisions might instruct the Data Protection Unit (DPU) to:
•
•
•
ask the data subject for additional personal identification details;
ask the data subject for information which he or she might be expected to know about
the nature of the data held;
ask for the data subject’s signature to be witnessed by another person who is over 18
and not a relative. Details of the occupation, full name and address of the witness
should be provided.
The DPU will not treat the 40 day period for responding to a subject access request as having
started until such necessary additional information/confirmation has been received.
Information relating to another individual
A particular problem arises for user divisions who may find that in complying with a subject
access request they will disclose information relating to an individual other than the data
subject who can be identified from that information, including the situation where the
information enables that other individual to be identified as the source of the information.
The Act recognises this problem and sets out only two circumstances in which the data
controller is obliged to comply with the subject access request in such circumstances,
namely:•
•
where the other individual has consented to the disclosure of the information, or
where it is reasonable in all the circumstances to comply with the request without the
consent of the other individual.
The Act assists in interpreting whether it is reasonable in all the circumstances to comply
with the request without the consent of the other individual concerned. In deciding this
question regard shall be had, in particular, to:•
•
•
•
any duty of confidentiality owed to the other individual,
any steps taken by the data controller with a view to seeking the consent of the other
individual,
whether the other individual is capable of giving consent, and
any express refusal of consent by the other individual.
If a user division is satisfied that the data subject will not be able to identify the other
individual from the information, taking into account any other information which, in the
reasonable belief of the user division, is likely to be in (or to come into) the possession of the
data subject, then the information must be provided.
Form of Reply
All the information which forms any such personal data should be provided (but see guidance
above on third party information). This information must be supplied in permanent form by
way of a copy, except where the supply of such a copy is not possible or would involve
disproportionate effort or the data subject agrees otherwise.
The information provided must be intelligible to the data subject. This means that any codes
must be explained. This can be done in several ways, e.g. by arranging for the codes to be
translated as part of the computer processing, by providing a separate explanation of the
specific codes contained in the personal data, or by providing a code list from which the data
subject can interpret the relevant entries for him or herself.
Errors in the Personal Data
If errors are found, they should not be amended before the personal data are made available
to the data subject. The DPU should nevertheless be notified of any such errors, and should in
turn advise the data subject that the errors have been or will be corrected
Fair Processing Code
The First Data Protection Principle requires that data controllers have at least one lawful basis
for processing personal data. Data controllers however also have to ensure that such
processing is fair and the Act sets out how this requirement should be met. The Office of the
Information Commissioner has called this important requirement of the Act the "Fair
Processing Code".
The Fair Processing Code provides that the manner in which personal data is obtained will be
one of the factors, which will determine whether or not processing is fair. The validity of
consents from data subjects to the processing of their personal data or indeed the basis for
processing such data may be brought into question if data subjects have not been properly
informed of the purpose for which their personal data is to be processed. Compliance with the
Fair Processing Code does not in itself ensure fair processing but processing will in such
circumstances be treated as having been done fairly unless there is evidence to the contrary.
There are two specified cases where data will always be treated as having been fairly
obtained. These are when data consist of information obtained from a person who is either
(i) Authorised to supply it by or under any enactment; or
(ii) Required to supply it by or under any enactment.
The provisions of the Fair Processing Code are set out in Part II of Schedule 1 of the Data
Protection Act 1998. The following summarises these requirements: Information to be provided to Data Subjects (data obtained from data subject)
When personal data is obtained from the data subject the data subject should be provided
with the following information
•
•
•
The identity of the Data Controller i.e. the Scottish Executive
The purpose or purposes for which the data are intended to be processed
Any further information, which is necessary, taking into account the specific
circumstances in which the data is, or will be processed.
The first two requirements are self-explanatory. The third requirement needs consideration of
whether or not the data subjects are likely to understand the following: •
•
•
The purposes for which their personal data are going to be processed
The likely consequences of such processing; and
More particularly whether particular disclosures can reasonably be envisaged.
In essence the data subject should be provided with enough information so that they are fully
aware of the ways in which their personal data may be processed including details of
disclosures which may be made of the data.
Information to be provided to data subjects (where the data is obtained from a third
party)
The same information as described above should be provided to data subjects when someone
else has supplied their data. There is however some instances where the fair processing code
need not be followed: -
•
•
Where providing the information would involve disproportionate effort; The term
"disproportionate" is not defined in the Act and has to be determined on a case by
case basis. A number of factors should be taken into account including the costs,
length of time and how easy or difficult it is to provide the information. These factors
should however be considered against the data subjects’ rights and whether the
withholding of the fair processing information may be prejudicial to the data subject.
Where the recording or disclosure of information contained in any data received from
a third party is necessary to comply with any legal obligation to which the data
controller is subject (other than an obligation imposed by contract)
For these exceptions to be applied no notice in writing should have been received from the
data subject requesting information under the fair processing code.
When should fair processing information be provided to data subjects
The Office of the Information Commissioner advise that in the case of data obtained direct
from data subjects the fair processing information should be provided to the data subject
when the data is obtained.
With regard to data obtained from third parties the information should be provided to the data
subject before the data is processed or disclosed to a third party NB Even if no disclosures of
such data are envisaged and no processing is carried out (apart from holding the material) the
data subject must receive the fair processing information within a reasonable period of time
after the data was first received.
Exemptions
There are a number of exemptions from various provisions of the Act. NB Careful
consideration must be given before any use of the exemptions. In most cases legal advice
should be sought on whether an exemption is appropriate to the personal data in
question .
There are two types of exemptions namely "the primary exemptions", and "the miscellaneous
exemptions". In general, the primary exemptions are the ones which are either more likely to
be claimed or which are more wide-ranging in terms of the scope of the exemption available.
The exemptions cannot easily be categorised into classes which enjoy the same type of
exemption. However, a number of categories of exemption consist of, or include, an
exemption from one or other of the following categories of provisions:"the subject information provisions", which are defined as:•
•
that part of the first Data Protection Principle which requires compliance with
paragraph 2 of Part II of Schedule 1 of the Act (which require data controllers to
inform data subjects of various matters )
Section 7 of the Act (subject access).
"the non-disclosure provisions", which are defined as:-
•
•
•
the first Data Protection Principle, except where it requires compliance with the
conditions in Schedules 2 and 3 of the Act (the conditions for processing and
conditions for processing sensitive data),
the second, third, fourth and fifth Data Protection Principles, and
Sections 10 (right to prevent processing likely to cause damage or distress) and 14(1)
to (3) (rectification, blocking, erasure and destruction) of the Act
to the extent to which they are inconsistent with the disclosure in question.
The Primary Exemptions
National Security
If required for the purpose of safeguarding national security, personal data are exempt from
any of the provisions of:•
•
•
the Data Protection Principles,
Part II (individuals' rights), Part III (notification) and Part IV (enforcement) of the
Act, and
Section 55 of the Act (which prohibits the unlawful obtaining of personal data )
A certificate of exemption, signed by a Minister of the Crown, is conclusive evidence of the
requirements of the exemption having been met. Such a certificate may identify the personal
data by describing it in general terms and may have effect at a time in the future.
Crime and Taxation
There are four categories of exemption which may be claimed under this heading. The first
three all refer to what shall be referred to as "the crime and taxation purposes", namely:•
•
•
the prevention or detection of crime,
the apprehension or prosecution of offenders, or
the assessment or collection of any tax or duty or of any imposition of a similar
nature.
The first category
Personal data processed for any of the crime and taxation purposes are exempt from:•
•
the first Data Protection Principle except that part which requires compliance with the
conditions for processing and the conditions for processing sensitive data, and
subject access
to the extent to which the application of those provisions to the data would be likely to
prejudice any of the crime and taxation purposes.
The second category
Personal data which :•
are processed for the purpose of discharging statutory functions, and,
•
consist of information obtained for such a purpose from a person who had it in their
possession for any of the crime and taxation purposes,
are exempt from the subject information provisions to the extent to which the application of
the subject information provisions to the data would be likely to prejudice any of the crime
and taxation purposes.
The third category
Personal data are exempt from the non-disclosure provisions in any case where the
disclosure is for any of the crime and taxation purposes and where the application of those
provisions in relation to the disclosure would be likely to prejudice any of the crime and
taxation purposes.
The fourth category
This exemption can only be claimed where personal data are processed for any of the crime
and taxation purposes, albeit limited to offences concerning fraudulent use of public funds, in
addition to the assessment/collection of any tax/duty. Further, it can only be claimed:•
•
when the data controller is a relevant authority: i.e. a government department, a local
authority, or any other authority administering housing benefit or council tax benefit,
and
where the personal data consist of a classification applied to the data subject as part of
a system of risk assessment which is operated for the crime and taxation purposes (as
limited).
Where the exemption applies, personal data are exempt from subject access to the extent to
which such exemption is required in the interests of the operation of the system.
Health, Education and Social Work
Orders made under section 30 of the Act exempt in certain circumstances personal data
consisting of information as to the physical or mental health of the data subject from the
subject information provisions.
Regulatory Activity
Section 31 of the Act provides an exemption from the subject information provisions for the
processing of personal data by reference to numerous different categories of regulatory
function exercised by public "watch-dogs" which are all variously concerned with the
protection of members of the public, charities or fair competition in business. Again, this is
not a blanket exemption from the subject information provisions and is only available, in any
case, to the extent that the application of any or all of such provisions would be likely to
prejudice the proper discharge of those functions
Research, History and Statistics
Section 33 of the Act provides for various exemptions in respect of the processing (or further
processing) of personal data for research purposes (including statistical or historical
purposes) provided that the processing (or further processing) is exclusively for those
purposes and, also, that the following conditions are met:•
•
that the data are not processed to support measures or decisions relating to particular
individuals, and
that the data are not processed in such a way that substantial damage or substantial
distress is, or is likely to be, caused to any data subject.
Where the exemption applies:•
the further processing of personal data will not be considered incompatible with the
purposes for which they were obtained
[It is important to note that the exemption does not excuse the data controller from complying
with that part of the second Data Protection Principle which states that personal data shall be
obtained only for one or more specified and lawful purposes.]
•
•
personal data may be kept indefinitely despite the fifth Data Protection Principle, and
subject access does not have to be given provided that the results of the research or
any resulting statistics are not made available in a form which identifies data subjects.
The exemption will not be lost just because the data are disclosed:a) to any person, for research purposes only;
b) to the data subject or someone acting on their behalf;
c) at the request, or with the consent, of the data subject or someone acting on their behalf;
d) where the person making the disclosure has reasonable grounds for believing the
disclosure falls within (a), (b) or (c) above.
Information made available to the public by or under enactment
Section 34 of the Act provides that when data consist of information which the data controller
is obliged by or under any enactment to make available to the public, personal data are
exempt from:•
•
•
•
•
the subject information provisions,
the fourth Data Protection Principle (accuracy),
Section 12A of the Act (applicable to exempt manual data during transitional periods
Section 14, sub-sections (1) to (3) of the Act (rectification, blocking, erasure and
destruction); and
the non-disclosure provisions
In addition, there is no requirement to notify where the sole purpose of any processing is the
maintenance of a public register
Disclosures required by law
Where the disclosure is required by or under any enactment, by any rule of law or by the
order of a court, personal data are exempt from the non-disclosure provisions.
Disclosures made in connection with legal proceedings
Where the disclosure is necessary:•
•
•
for the purpose of, or in connection with, any legal proceedings (including prospective
legal proceedings),
for the purpose of obtaining legal advice, or
is otherwise necessary for the purposes of establishing, exercising or defending legal
rights,
personal data are exempt from the non-disclosure provisions.
The Miscellaneous Exemptions
Confidential references given by the data controller
Personal data which consist of a confidential reference given or to be given by the data
controller for specified purposes (education, training or employment, appointment to office or
provision of any service) are exempt from subject access. This exemption is not available for
such references where they are received by the data controller.
Judicial Appointments and Honours
Personal data processed for three specific purposes:•
•
•
assessing suitability for judicial office,
assessing suitability for the office of Queen's Counsel, or
the conferring of any honour
are exempt from the subject information provisions.
Crown employment and Crown or Ministerial appointments
The Act provides for exemption from the subject information provisions, subject to an order
being made by the Secretary of State, in the case of personal data processed for the purposes
of assessing suitability for employment by the Crown or Ministerial appointments.
Legal professional privilege
If personal data consist of information in respect of which a claim to confidentiality as
between client and professional legal adviser could be maintained in legal proceedings, the
personal data are exempt from the subject information provisions.
Self incrimination
If by complying with any subject access request or order under Section 7 of the Act a person
would reveal evidence of the commission of any offence, other than an offence under the Act,
exposing them to proceedings for that offence, that person need not comply with a subject
access request or order.
If in complying with any subject access request or order under Section 7 of the Act a person
discloses information which is proposed to be used in evidence against them in proceedings
for an offence under the Act then such information shall not be admissible in evidence
against them.
Criminal Liability
The Scottish Executive
Under Section 63 of the Data Protection Act 1998 the Scottish Executive is subject to the
same obligations and liabilities as any other organisation, but under Section 63(5) it is not
liable to prosecution. Although the Scottish Executive is not liable to prosecution, it should
be noted that the Information Commissioner is under a duty to report annually to Parliament
and her report could refer to a department which had not been complying with the Act.
Employees of the Scottish Executive
Under Section 63(5) of the Act an employee of the Scottish Executive may be prosecuted for
certain offences; these are described below.
•
•
•
Offence Of Unlawful Obtaining Of Personal Data
Offence Of Unlawful Selling Of Personal Data
Offences Relating To The Commissioner’s Power Of Entry And Inspection
Offence Of Unlawful Obtaining Of Personal Data
It is an offence for a person, without the consent of the data controller, knowingly or
recklessly, to:•
•
obtain or disclose personal data or the information contained in personal data, or
procure the disclosure to another person of the information contained in personal data.
The Act provides specific exceptions to liability for this offence where the person can show:that the obtaining, disclosing or procuring:•
•
was necessary to prevent or detect crime, or
was required or authorised by law,
that they acted in the reasonable belief that they had the legal right to obtain, disclose or
procure the disclosure;
that they acted in the reasonable belief that the data controller would have consented to the
obtaining, disclosing or procuring if the data controller had known,
that in the particular circumstances the obtaining, disclosing or procuring was justified as
being in the public interest.
Where personal data are subject to the national security exemption the offence does not
apply.
Offence Of Unlawful Selling Of Personal Data
It is an offence to sell or offer to sell personal data which has been unlawfully obtained.
It is also an offence to offer to sell personal data which is subsequently unlawfully obtained.
An advertisement indicating that personal data are or may be for sale is an offer to sell the
data.
For the purposes of these offences "Personal data" includes information extracted from
personal data. "Personal data" does not include personal data which are exempt by virtue of
the national security exemption
Offences Relating To The Commissioner’s Power Of Entry And Inspection
The Act gives the Information Commissioner the right to apply to the sheriff for a warrant to
enter premises if she is satisfied that an offence has been or is being committed or that any of
the data protection principles are being contravened. Under paragraph 12 of Schedule 9 of the
Act It it is a criminal offence for an employee of the Scottish Executive to
•
•
intentionally obstruct a person executing a warrant, or
fail without reasonable excuse to help a person executing a warrant.
Personal Data Contained In E -Mails
Introduction
Personal data contained in e-mails are subject to the provisions of the Data Protection Act
1998.
Specific issues arise in relation to personal data held in e-mails. In particular the matters of
the retention, holding or sending of e-mails containing personal data have to be considered in
the light of the Data Protection legislation, the Scottish Executive’s policy on records
management and IT Code of Conduct as discussed below. In general e-mails containing
personal data should not be held for longer than required and care should be taken not to
unlawfully disclose such information when sending an e-mail outwith the Scottish Executive.
Data Protection: The fifth data protection principle of the Data Protection Act 1998 states
that personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or purposes. It would be difficult to envisage a situation whereby
the retention or holding of e-mails containing personal data for an indefinite period of time
would be justified in terms of the fifth data protection principle. In addition the seventh data
protection principle places upon the data controller (The Scottish Executive) responsibility
for ensuring that personal data is securely held and that there is no unauthorised or unlawful
processing of such data. If personal data is indiscriminately held in e-mails there is a danger
given the less formal nature of this electronic medium that personal data would be processed
in contravention of the provisions of the Data Protection Act 1998. It is important to note that
such personal data would now be caught by Subject Access Requests made under the Act.
Records Management: Paragraph 3.6 of the Records Management Manual states that
electronic documents that would have been placed in a paper file had they been received or
created in paper form should continue to be placed in such a file. If it is necessary therefore to
retain personal data held in e-mails the message should be printed off, deleted and the paper
copy placed in a paper file.
IT Code of Conduct: The Code contains the following advice. "Personal data as defined in
the Data Protection Act, should not be included in any proposed Internet Web page, or other
Internet entry, and care should be taken not to supply such information inadvertently if
replying through e-mail". The Data Protection Act requires that data controllers have at least
one lawful basis for processing personal data and that such processing is fair. The definition
of the term processing includes disclosure of personal data and it is important therefore that
any disclosure of personal data is made within the terms of the Act.
Summary
•
•
•
Regularly review all e-mails containing personal data: Do not hold or retain such emails if there is no need or purpose for holding or retaining the data;
If there is a need for the information to be held or retained print off and delete the email and place the copy in a paper file;
Be careful when sending e-mails outwith the Scottish Executive not to unlawfully
disclose personal data.
Further Advice
Detailed guidance on the Act is regularly published by the Office of the Information
Commissioner and is available from http://www.dataprotection.gov.uk.
Any queries about this guidance should be made to: •
•
•
Mike Neale LPS-CPS-FOI, 4th Floor South-West, St Andrews House (ext 44613) (for general questions about the Act)
Ken Glasgow CISD - Records Management, J Spur, Saughton House (ext 43728) (for questions about notification/subject access requests).
Legal and Parliamentary Services
Download