1. Data Protection Act 1998 Explanatory Guidance Purpose Of Guidance Part 1 of this guidance provides a brief overview of the Data Protection Act 1998. Part II of the guidance contains more detailed guidance on the Act and also how the Scottish Executive deals with subject access requests and notifications under the Act. Part 1 • • • • • • • Introduction Registration / Notification The Data Protection Principles Data Subject Rights Exemptions Transfer of Data Overseas Manual Records Part II • • • • • • • • • • Notifications And Amendment Of Register Entries Right Of Access To Personal Data The Data Protection Unit Responsibilities Of User Divisions Identifying The Individual Fair Processing Code Exemptions Criminal Liability Personal Data Contained in E-mails Further Advice Part 1 Introduction 1. The Data Protection Act 1998 and the secondary legislation required to support it were brought into force on 1 March 2000. Data Protection is a reserved issue. The Lords Chancellor’s Department has policy responsibility for the matter. 2. The Act contains familiar elements from the previous legislation (Data Protection Act 1984) such as; the Data Protection Principles of good practice; a registration system; an independent supervisory authority to oversee data protection legislation; and the data subject's right to have access to his or her personal data and to correct it where inaccurate. However there are additional requirements which are explained in this guidance. 3. The Act provided for two periods of transitional relief during which data controllers can bring their existing systems into compliance with the new law. The first period elapsed on 24 October 1998. The second period of transitional relief is very limited in scope and only applies to some data, which was already held in manual filing systems prior to 24 October 1998. This exemption will apply until 2007. 4. The following is a brief glossary of some of the terms used in this guidance: Data: Personal data processed or which is intended to be processed Processing: means obtaining, recording or holding data; and any operation or set of operations on the data Personal data: Data from which it is possible to identify a living individual. It includes information about the intention s of a data controller towards the data subject and applies not only to information which identifies the data subject but also to information relating to an individual who can be identified from other information which is in the possession of, or is likely to come into the possession of, the data controller. A reference to a name, on its own, without any other information may not be sufficient to constitute personal data under the Act. However, it is likely that the context in which the name is held will enable some information to be inferred about an individual in such a way that it would be personal data for these purposes. Manual data: Personal data which is recorded as part of a relevant filing system Relevant filing system: Any structured set of information which is organised either by reference to individuals or by criteria relating to individuals so that specific details about a particular person may easily be selected from that system Data controller: isa person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which data is processed. The Scottish Executive is a data controller. Information Commissioner: The Office of the Information Commissioner has responsibility for enforcement of the Act and also for the provision of information and advice on the Act. Registration / Notification 5. The Information Commissioner maintains a public register of data controllers. Each register entry includes the name and address of the data controller and a general description of the processing of personal data by a data controller. Individuals can consult the register to find out what processing of personal data is being carried out by a particular data controller. Notification is the process by which a data controller's details are added to the register. The Data Protection Act 1998 requires every data controller who is processing personal data to notify unless they are exempt. The Data Protection Principles 6. The Data Protection Principles are dealt with in Schedule 1 of the Act. 7. The Act states that personal data must be processed 'fairly and lawfully'. The Act expressly provides that personal data are not to be treated as processed fairly unless, as far as practicable, certain criteria are met (see guidance on fair processing code in Part II). These include informing data subjects of the identity of the data controller and any nominated representative, as well as informing the data subject of the purposes for which the data is to be processed. 8. In addition Schedule 2 provides that processing may only be carried out where one of the following conditions has been satisfied i.e., where; • • • • • • the individual has given his consent to the processing the processing is necessary for the performance of a contract with the individual the processing is required under a legal obligation the processing is necessary to protect the vital interests of the individual for the administration of justice, for the exercise of any functions conferred by enactment or for the exercise of any functions of a Minister of the Crown or government department The processing is necessary in order to pursue the legitimate interests of the data controller or certain third parties (unless prejudicial to the interests of the individual). 9. Most processing carried out by the Scottish Executive will satisfy the condition above shown in bold (the Scottish Ministers are not strictly speaking Ministers of the Crown and the departments of the Scottish Executive are similarly not government departments, but there are provisions in the Scotland Act 1998 and in the Scotland Act 1998 (Consequential Modifications)(No.2) Order 1999 (S.I. 1999/1820) which extend the meaning of these terms in the Data Protection Act appropriately). 10. Stricter conditions apply to the processing of sensitive data. This category includes information relating to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life and criminal convictions. Where such data is being processed not only must the controller meet the requirements of the Principles and Schedule 2, but also processing is prohibited unless at least one of the conditions in Schedule 3 can be satisfied. 11. The explicit consent of the individual will usually have to be obtained before sensitive data can be processed unless the controller can show that the processing is necessary based on one of the criteria laid out in Schedule 3 of the Act. Most processing carried out by the Scottish Executive will satisfy the following condition in Schedule 3 . • The processing is necessary for the administration of justice, for the exercise of any functions conferred by enactment or for the exercise of any functions of a Minister of the Crown or government department 12. There is a requirement for data controllers to take security measures to safeguard personal data (Principle 7, Schedule 1, Part I) but the Act states explicitly what precautions data controllers must take (Schedule 1, Part II). Under the Act appropriate technical and organisational measures must be taken to prevent the unauthorised or unlawful processing or disclosure of data. There is also a requirement for data controllers to ensure that where a data processor processes data on behalf of the controller there is a written contract between the parties whereby the processor agrees only to act on the instructions of the controller and to abide with the provisions of the security principle. Data Subject Rights 13. The Data Protection Act 1998 provides an individual who is the subject of personal data (the "data subject") with a right of access to the data. 14. Section 7 of the Act provides that an individual is entitled: to be told by the data controller whether they or someone else on their behalf is processing that individual's personal data, if so, to be given a description of:• • • a) the personal data, b) the purposes for which they are being processed, and c) those to whom they are or may be disclosed, to be told, in an intelligible manner, of:• • a) all the information which forms any such personal data. This information must be supplied in permanent form by way of a copy, except where the supply of such a copy is not possible or would involve disproportionate effort or the data subject agrees otherwise. If any of the information in the copy is not intelligible without explanation, the data subject should be given an explanation of that information, e.g. where the data controller holds the information in coded form which cannot be understood without the key to the code, and b) any information as to the source of those data. Where a decision significantly affecting a data subject is, or is likely to be, made about them by fully automated means, for the purpose of evaluating matters about them such as their performance at work, their creditworthiness, their reliability or their conduct, they are entitled to be told of the logic involved in that process. This right of access may be exercised by the submission of a request in writing and on payment of a fee, set at £10 for the Scottish Executive. 15. Section 1 of the Act defines personal data as meaning data which relate to a living individual who can be identified – • • from those data, or from those data and other information which is in the possession of or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Other Data Subject Rights 16. The Act also provides data subjects with certain other rights. The rights are :• • • Right to prevent processing likely to cause damage or distress Right to prevent processing for the purpose of direct marketing Right in relation to automated decision making • • Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller Right to make a request to the Information Commissioner for an assessment to be made as to whether any provision of the Act has been contravened. Exemptions 17. There are a number of exemptions from the provisions of the Act. Most either exempt personal data from the "subject information " or the "non-disclosure" provisions of the Act. What these exemptions cover is complex and cannot be summarised easily. Full details of the exemptions are described in Part II. Transfer Of Data Overseas 18. The Act restricts the transfer of personal data outside the EU. There are to be no restrictions on the free flow of personal data between countries in the European Economic Area (which consists of Norway, Iceland and Liechtenstein, as well as the 15 EU Member States). However, personal data may only be transferred to other third countries if those countries ensure an "adequate level of protection for the rights and freedoms of data subjects". Manual Records 19. The Act applies to a limited range of manual records. Three criteria must be met for a manual record to be within the scope of the Act: • • • the information must be part of a structured set of information, relating to individuals; the structuring must be done either by reference to individuals or by reference to criteria relating to individuals (e.g a unique personal identification number); the structuring must allow specific information relating to a particular individual to be readily accessible. 20. Lord Williams of Mostyn set out the Government’s view of what this meant in the House of Lords (OR: 16 March 1998, Cols 467-468): "Our intentions are clear. We do not wish the definition to apply to miscellaneous collections of paper about individuals, even if the collections are assembled in a file with the individual’s name or other unique identifier on the front, if specific data cannot be readily extracted from that collection. An example might be a personnel file with my name on the front. Let us assume that the file contains every piece of paper or other document about me which the personnel section has collected over the course of my career, and those papers are held in the file in date order, with no means of readily identifying specific information about me, except by looking at every document. The Government’s clear intention is that such files should not be caught. We want to catch only those records from which specific information about individuals can be readily extracted. Let us take the case of a personnel file consisting only of information about my sickness record during my career. If that file has my name on the front and is part of a structured set, that file will be caught because the specific information about me, my sickness record, is readily available. "Specific" information is intended to mean and does mean distinct information within the file which can be distinguished from other information in the file and separately accessed. It means information of a distinct identity which sets it apart from the rest of the generality of personal information held." 21. Information should not be disclosed from manual records unless, on a strict interpretation of the legislation (as outlined above), the records fall within the scope of the 1998 Act . Part II Notifications And Amendment Of Register Entries The Register includes a number of entries for the Scottish Executive, which is notified as a data controller. Divisions, Agencies and professional units must ensure that any new holdings of personal data (processed by a computerised system) or changes affecting existing data holdings are notified. Initial notification packs are available from the Data Protection Unit. Completed forms should be sent to the Data Protection Unit (DPU), who will arrange for transmission to the Information Commissioner’s Office along with the necessary fee. A copy of the notification as submitted will be returned to the responsible Division, Agency or professional unit. Annex A to this entry details exemptions from the requirement to notify NB Even if data is exempt from the requirement to notify the data protection principles still apply to such data. The DPU will also provide Notification Handbooks issued by the Office of the Information Commissioner, on request. The notifications which Divisions submit constitute the boundaries within which they may process that personal data or have it processed on their behalf. It is important, therefore, that Divisions have effective arrangements for ensuring that all staff directly involved in handling personal data (including new staff on their arrival) are made aware of the terms of the register entry or entries applicable to that data. Members of staff should be aware of certain legal liabilities which the Act created for Government departments and Crown employees (see Criminal Liabilty). Annex A Exemptions From The Requirement To Notify Manual data The Scottish Executive will be required to notify that it processes personal data processed automatically and manually. There will however not be a requirement to provide details of the manual data that is processed. General The following processing operations are exempt from the need to notify :Staff administration exemption The processing (a) is for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller; (b) is of personal data in respect of which the data subject is (i) a past, existing or prospective member of staff of the data controller; or (ii) any person the processing of whose personal data is necessary for the exempt purposes; (c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to (i) qualifications, work experience or pay; or (ii) other matters the processing of which is necessary for the exempt purposes; (d) does not involve disclosure of the personal data to any third party other than (i) with the consent of the data subject; or (ii) where it is necessary to make such disclosure for the exempt purposes; and (e) does not involve keeping the personal data after the relationship between the data controller and staff member ends, unless and for so long as it is necessary to do so for the exempt purposes. Advertising, marketing and public relations exemption The processing (a) is for the purposes of advertising or marketing the data controller's business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services; (b) is of personal data in respect of which the data subject is (i) a past, existing or prospective customer or supplier; or necessary to do so for the exempt purposes. (ii) any person the processing of whose personal data is necessary for the exempt purposes; (c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to other matters the processing of which is necessary for the exempt purposes; (d) does not involve disclosure of the personal data to any third party other than - (i) with the consent of the data subject; or (ii) where it is necessary to make such disclosure for the exempt purposes; and (e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes. Accounts and records exemption The processing (a) is for the purposes of keeping accounts relating to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity; (b) is of personal data in respect of which the data subject is (i) a past, existing or prospective customer or supplier; or (ii) any person the processing of whose personal data is necessary for the exempt purposes; (c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to (i) financial standing; or (ii) other matters the processing of which is necessary for the exempt purposes; (d) does not involve disclosure of the personal data to any third party other than (i) with the consent of the data subject; or (ii) where it is necessary to make such disclosure for the exempt purposes; and (e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes. Sub-paragraph (1)(c) shall not be taken as including personal data processed by or obtained from a credit reference agency. Non profit-making organisations exemptions The processing (a) is carried out by a data controller which is a body or association which is not established or conducted for profit; (b) is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it; (c) is of personal data in respect of which the data subject is (i) a past, existing or prospective member of the body or organisation; (ii) any person who has regular contact with the body or organisation in connection with the exempt purposes; or (iii) any person the processing of whose personal data is necessary for the exempt purposes; (d) is of personal data consisting of the name, address and other identifiers of the data subject or information as to (i) eligibility for membership of the body or association; or (ii) other matters the processing of which is necessary for the exempt purposes; (e) does not involve disclosure of the personal data to any third party other than (i) with the consent of the data subject; or (ii) where it is necessary to make such disclosure for the exempt purposes; and (f) does not involve keeping the personal data after the relationship between the data controller and data subject ends, unless and for so long as it is necessary to do so for the exempt purposes. Arrangements For Subject Access Requests The administrative arrangements for dealing with requests from members of the public for access to their personal data apply to all Scottish Executive computerised and manual information covered by the Act. See entry on the Data Protection Unit. The Data Protection Unit The Data Protection Unit (DPU) within CISD acts as a central clearing house for subject access requests. Any requests arriving in other parts of The Scottish Executive should be passed to the Unit as quickly as possible. The Unit’s address is: The Scottish Executive Data Protection Unit CISD:Records Management J Spur Saughton House Broomhouse Drive EDINBURGH EH11 3XD (Telephone 0131 (GTN 7188) 244 8119) Responsibilities Of The Data Protection Unit The DPU is responsible for ensuring that a response is issued within the 40 days allowed by the Act. On receipt of a request, the DPU’s role is to: • • • • • • • • Log the request. Check that the appropriate fee has been sent. Check that an appropriate notification entry has been specified in the request. Check that the request contains sufficient information to identify the data specific to the data subject. Where necessary, contact the data subject to secure the fee or the required information to identify the data specific to the data subject. Send the request with a covering minute to the user division. Where necessary a copy of the request may be sent to the BSU(This minute should be initialled and dated each time the request passes from the DPU to user division to BSU) On instruction from the user division, write to the applicant to seek verification of identity receive the validated output supplied by the user division. Send the validated output supplied by the user division or the BSU to the data subject. Responsibilities Of User Divisions Each user division is responsible for: • • • • • • Ensuring that division staff are aware that any subject access request they receive directly must be sent first to the Data Protection Unit to be logged. Ensuring that arrangements exist which enable the personal data held to be extracted. Verifying the identity of the person making the request (see Identifying The Individual). Where insufficient information is supplied, the user division should return the subject access request to the DPU which will ask the data subject for additional information which is required. Locating the relevant data and producing a copy (liaising with the BSU as necessary). Ensuring that data for the right person have been produced, checking the accuracy of the output, editing out where necessary third party data (see Information relating to another individual) and explaining any unintelligible terms. Send the validated data to the Data Protection Unit for issue. Identifying The Individual User divisions are responsible for verifying the identity of the data subject making the request. The means of such verification will vary but in most cases a comparison of the signature on the request with that held on branch records will be sufficient. In cases of reasonable doubt, user divisions might instruct the Data Protection Unit (DPU) to: • • • ask the data subject for additional personal identification details; ask the data subject for information which he or she might be expected to know about the nature of the data held; ask for the data subject’s signature to be witnessed by another person who is over 18 and not a relative. Details of the occupation, full name and address of the witness should be provided. The DPU will not treat the 40 day period for responding to a subject access request as having started until such necessary additional information/confirmation has been received. Information relating to another individual A particular problem arises for user divisions who may find that in complying with a subject access request they will disclose information relating to an individual other than the data subject who can be identified from that information, including the situation where the information enables that other individual to be identified as the source of the information. The Act recognises this problem and sets out only two circumstances in which the data controller is obliged to comply with the subject access request in such circumstances, namely:• • where the other individual has consented to the disclosure of the information, or where it is reasonable in all the circumstances to comply with the request without the consent of the other individual. The Act assists in interpreting whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned. In deciding this question regard shall be had, in particular, to:• • • • any duty of confidentiality owed to the other individual, any steps taken by the data controller with a view to seeking the consent of the other individual, whether the other individual is capable of giving consent, and any express refusal of consent by the other individual. If a user division is satisfied that the data subject will not be able to identify the other individual from the information, taking into account any other information which, in the reasonable belief of the user division, is likely to be in (or to come into) the possession of the data subject, then the information must be provided. Form of Reply All the information which forms any such personal data should be provided (but see guidance above on third party information). This information must be supplied in permanent form by way of a copy, except where the supply of such a copy is not possible or would involve disproportionate effort or the data subject agrees otherwise. The information provided must be intelligible to the data subject. This means that any codes must be explained. This can be done in several ways, e.g. by arranging for the codes to be translated as part of the computer processing, by providing a separate explanation of the specific codes contained in the personal data, or by providing a code list from which the data subject can interpret the relevant entries for him or herself. Errors in the Personal Data If errors are found, they should not be amended before the personal data are made available to the data subject. The DPU should nevertheless be notified of any such errors, and should in turn advise the data subject that the errors have been or will be corrected Fair Processing Code The First Data Protection Principle requires that data controllers have at least one lawful basis for processing personal data. Data controllers however also have to ensure that such processing is fair and the Act sets out how this requirement should be met. The Office of the Information Commissioner has called this important requirement of the Act the "Fair Processing Code". The Fair Processing Code provides that the manner in which personal data is obtained will be one of the factors, which will determine whether or not processing is fair. The validity of consents from data subjects to the processing of their personal data or indeed the basis for processing such data may be brought into question if data subjects have not been properly informed of the purpose for which their personal data is to be processed. Compliance with the Fair Processing Code does not in itself ensure fair processing but processing will in such circumstances be treated as having been done fairly unless there is evidence to the contrary. There are two specified cases where data will always be treated as having been fairly obtained. These are when data consist of information obtained from a person who is either (i) Authorised to supply it by or under any enactment; or (ii) Required to supply it by or under any enactment. The provisions of the Fair Processing Code are set out in Part II of Schedule 1 of the Data Protection Act 1998. The following summarises these requirements: Information to be provided to Data Subjects (data obtained from data subject) When personal data is obtained from the data subject the data subject should be provided with the following information • • • The identity of the Data Controller i.e. the Scottish Executive The purpose or purposes for which the data are intended to be processed Any further information, which is necessary, taking into account the specific circumstances in which the data is, or will be processed. The first two requirements are self-explanatory. The third requirement needs consideration of whether or not the data subjects are likely to understand the following: • • • The purposes for which their personal data are going to be processed The likely consequences of such processing; and More particularly whether particular disclosures can reasonably be envisaged. In essence the data subject should be provided with enough information so that they are fully aware of the ways in which their personal data may be processed including details of disclosures which may be made of the data. Information to be provided to data subjects (where the data is obtained from a third party) The same information as described above should be provided to data subjects when someone else has supplied their data. There is however some instances where the fair processing code need not be followed: - • • Where providing the information would involve disproportionate effort; The term "disproportionate" is not defined in the Act and has to be determined on a case by case basis. A number of factors should be taken into account including the costs, length of time and how easy or difficult it is to provide the information. These factors should however be considered against the data subjects’ rights and whether the withholding of the fair processing information may be prejudicial to the data subject. Where the recording or disclosure of information contained in any data received from a third party is necessary to comply with any legal obligation to which the data controller is subject (other than an obligation imposed by contract) For these exceptions to be applied no notice in writing should have been received from the data subject requesting information under the fair processing code. When should fair processing information be provided to data subjects The Office of the Information Commissioner advise that in the case of data obtained direct from data subjects the fair processing information should be provided to the data subject when the data is obtained. With regard to data obtained from third parties the information should be provided to the data subject before the data is processed or disclosed to a third party NB Even if no disclosures of such data are envisaged and no processing is carried out (apart from holding the material) the data subject must receive the fair processing information within a reasonable period of time after the data was first received. Exemptions There are a number of exemptions from various provisions of the Act. NB Careful consideration must be given before any use of the exemptions. In most cases legal advice should be sought on whether an exemption is appropriate to the personal data in question . There are two types of exemptions namely "the primary exemptions", and "the miscellaneous exemptions". In general, the primary exemptions are the ones which are either more likely to be claimed or which are more wide-ranging in terms of the scope of the exemption available. The exemptions cannot easily be categorised into classes which enjoy the same type of exemption. However, a number of categories of exemption consist of, or include, an exemption from one or other of the following categories of provisions:"the subject information provisions", which are defined as:• • that part of the first Data Protection Principle which requires compliance with paragraph 2 of Part II of Schedule 1 of the Act (which require data controllers to inform data subjects of various matters ) Section 7 of the Act (subject access). "the non-disclosure provisions", which are defined as:- • • • the first Data Protection Principle, except where it requires compliance with the conditions in Schedules 2 and 3 of the Act (the conditions for processing and conditions for processing sensitive data), the second, third, fourth and fifth Data Protection Principles, and Sections 10 (right to prevent processing likely to cause damage or distress) and 14(1) to (3) (rectification, blocking, erasure and destruction) of the Act to the extent to which they are inconsistent with the disclosure in question. The Primary Exemptions National Security If required for the purpose of safeguarding national security, personal data are exempt from any of the provisions of:• • • the Data Protection Principles, Part II (individuals' rights), Part III (notification) and Part IV (enforcement) of the Act, and Section 55 of the Act (which prohibits the unlawful obtaining of personal data ) A certificate of exemption, signed by a Minister of the Crown, is conclusive evidence of the requirements of the exemption having been met. Such a certificate may identify the personal data by describing it in general terms and may have effect at a time in the future. Crime and Taxation There are four categories of exemption which may be claimed under this heading. The first three all refer to what shall be referred to as "the crime and taxation purposes", namely:• • • the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature. The first category Personal data processed for any of the crime and taxation purposes are exempt from:• • the first Data Protection Principle except that part which requires compliance with the conditions for processing and the conditions for processing sensitive data, and subject access to the extent to which the application of those provisions to the data would be likely to prejudice any of the crime and taxation purposes. The second category Personal data which :• are processed for the purpose of discharging statutory functions, and, • consist of information obtained for such a purpose from a person who had it in their possession for any of the crime and taxation purposes, are exempt from the subject information provisions to the extent to which the application of the subject information provisions to the data would be likely to prejudice any of the crime and taxation purposes. The third category Personal data are exempt from the non-disclosure provisions in any case where the disclosure is for any of the crime and taxation purposes and where the application of those provisions in relation to the disclosure would be likely to prejudice any of the crime and taxation purposes. The fourth category This exemption can only be claimed where personal data are processed for any of the crime and taxation purposes, albeit limited to offences concerning fraudulent use of public funds, in addition to the assessment/collection of any tax/duty. Further, it can only be claimed:• • when the data controller is a relevant authority: i.e. a government department, a local authority, or any other authority administering housing benefit or council tax benefit, and where the personal data consist of a classification applied to the data subject as part of a system of risk assessment which is operated for the crime and taxation purposes (as limited). Where the exemption applies, personal data are exempt from subject access to the extent to which such exemption is required in the interests of the operation of the system. Health, Education and Social Work Orders made under section 30 of the Act exempt in certain circumstances personal data consisting of information as to the physical or mental health of the data subject from the subject information provisions. Regulatory Activity Section 31 of the Act provides an exemption from the subject information provisions for the processing of personal data by reference to numerous different categories of regulatory function exercised by public "watch-dogs" which are all variously concerned with the protection of members of the public, charities or fair competition in business. Again, this is not a blanket exemption from the subject information provisions and is only available, in any case, to the extent that the application of any or all of such provisions would be likely to prejudice the proper discharge of those functions Research, History and Statistics Section 33 of the Act provides for various exemptions in respect of the processing (or further processing) of personal data for research purposes (including statistical or historical purposes) provided that the processing (or further processing) is exclusively for those purposes and, also, that the following conditions are met:• • that the data are not processed to support measures or decisions relating to particular individuals, and that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject. Where the exemption applies:• the further processing of personal data will not be considered incompatible with the purposes for which they were obtained [It is important to note that the exemption does not excuse the data controller from complying with that part of the second Data Protection Principle which states that personal data shall be obtained only for one or more specified and lawful purposes.] • • personal data may be kept indefinitely despite the fifth Data Protection Principle, and subject access does not have to be given provided that the results of the research or any resulting statistics are not made available in a form which identifies data subjects. The exemption will not be lost just because the data are disclosed:a) to any person, for research purposes only; b) to the data subject or someone acting on their behalf; c) at the request, or with the consent, of the data subject or someone acting on their behalf; d) where the person making the disclosure has reasonable grounds for believing the disclosure falls within (a), (b) or (c) above. Information made available to the public by or under enactment Section 34 of the Act provides that when data consist of information which the data controller is obliged by or under any enactment to make available to the public, personal data are exempt from:• • • • • the subject information provisions, the fourth Data Protection Principle (accuracy), Section 12A of the Act (applicable to exempt manual data during transitional periods Section 14, sub-sections (1) to (3) of the Act (rectification, blocking, erasure and destruction); and the non-disclosure provisions In addition, there is no requirement to notify where the sole purpose of any processing is the maintenance of a public register Disclosures required by law Where the disclosure is required by or under any enactment, by any rule of law or by the order of a court, personal data are exempt from the non-disclosure provisions. Disclosures made in connection with legal proceedings Where the disclosure is necessary:• • • for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights, personal data are exempt from the non-disclosure provisions. The Miscellaneous Exemptions Confidential references given by the data controller Personal data which consist of a confidential reference given or to be given by the data controller for specified purposes (education, training or employment, appointment to office or provision of any service) are exempt from subject access. This exemption is not available for such references where they are received by the data controller. Judicial Appointments and Honours Personal data processed for three specific purposes:• • • assessing suitability for judicial office, assessing suitability for the office of Queen's Counsel, or the conferring of any honour are exempt from the subject information provisions. Crown employment and Crown or Ministerial appointments The Act provides for exemption from the subject information provisions, subject to an order being made by the Secretary of State, in the case of personal data processed for the purposes of assessing suitability for employment by the Crown or Ministerial appointments. Legal professional privilege If personal data consist of information in respect of which a claim to confidentiality as between client and professional legal adviser could be maintained in legal proceedings, the personal data are exempt from the subject information provisions. Self incrimination If by complying with any subject access request or order under Section 7 of the Act a person would reveal evidence of the commission of any offence, other than an offence under the Act, exposing them to proceedings for that offence, that person need not comply with a subject access request or order. If in complying with any subject access request or order under Section 7 of the Act a person discloses information which is proposed to be used in evidence against them in proceedings for an offence under the Act then such information shall not be admissible in evidence against them. Criminal Liability The Scottish Executive Under Section 63 of the Data Protection Act 1998 the Scottish Executive is subject to the same obligations and liabilities as any other organisation, but under Section 63(5) it is not liable to prosecution. Although the Scottish Executive is not liable to prosecution, it should be noted that the Information Commissioner is under a duty to report annually to Parliament and her report could refer to a department which had not been complying with the Act. Employees of the Scottish Executive Under Section 63(5) of the Act an employee of the Scottish Executive may be prosecuted for certain offences; these are described below. • • • Offence Of Unlawful Obtaining Of Personal Data Offence Of Unlawful Selling Of Personal Data Offences Relating To The Commissioner’s Power Of Entry And Inspection Offence Of Unlawful Obtaining Of Personal Data It is an offence for a person, without the consent of the data controller, knowingly or recklessly, to:• • obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data. The Act provides specific exceptions to liability for this offence where the person can show:that the obtaining, disclosing or procuring:• • was necessary to prevent or detect crime, or was required or authorised by law, that they acted in the reasonable belief that they had the legal right to obtain, disclose or procure the disclosure; that they acted in the reasonable belief that the data controller would have consented to the obtaining, disclosing or procuring if the data controller had known, that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest. Where personal data are subject to the national security exemption the offence does not apply. Offence Of Unlawful Selling Of Personal Data It is an offence to sell or offer to sell personal data which has been unlawfully obtained. It is also an offence to offer to sell personal data which is subsequently unlawfully obtained. An advertisement indicating that personal data are or may be for sale is an offer to sell the data. For the purposes of these offences "Personal data" includes information extracted from personal data. "Personal data" does not include personal data which are exempt by virtue of the national security exemption Offences Relating To The Commissioner’s Power Of Entry And Inspection The Act gives the Information Commissioner the right to apply to the sheriff for a warrant to enter premises if she is satisfied that an offence has been or is being committed or that any of the data protection principles are being contravened. Under paragraph 12 of Schedule 9 of the Act It it is a criminal offence for an employee of the Scottish Executive to • • intentionally obstruct a person executing a warrant, or fail without reasonable excuse to help a person executing a warrant. Personal Data Contained In E -Mails Introduction Personal data contained in e-mails are subject to the provisions of the Data Protection Act 1998. Specific issues arise in relation to personal data held in e-mails. In particular the matters of the retention, holding or sending of e-mails containing personal data have to be considered in the light of the Data Protection legislation, the Scottish Executive’s policy on records management and IT Code of Conduct as discussed below. In general e-mails containing personal data should not be held for longer than required and care should be taken not to unlawfully disclose such information when sending an e-mail outwith the Scottish Executive. Data Protection: The fifth data protection principle of the Data Protection Act 1998 states that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. It would be difficult to envisage a situation whereby the retention or holding of e-mails containing personal data for an indefinite period of time would be justified in terms of the fifth data protection principle. In addition the seventh data protection principle places upon the data controller (The Scottish Executive) responsibility for ensuring that personal data is securely held and that there is no unauthorised or unlawful processing of such data. If personal data is indiscriminately held in e-mails there is a danger given the less formal nature of this electronic medium that personal data would be processed in contravention of the provisions of the Data Protection Act 1998. It is important to note that such personal data would now be caught by Subject Access Requests made under the Act. Records Management: Paragraph 3.6 of the Records Management Manual states that electronic documents that would have been placed in a paper file had they been received or created in paper form should continue to be placed in such a file. If it is necessary therefore to retain personal data held in e-mails the message should be printed off, deleted and the paper copy placed in a paper file. IT Code of Conduct: The Code contains the following advice. "Personal data as defined in the Data Protection Act, should not be included in any proposed Internet Web page, or other Internet entry, and care should be taken not to supply such information inadvertently if replying through e-mail". The Data Protection Act requires that data controllers have at least one lawful basis for processing personal data and that such processing is fair. The definition of the term processing includes disclosure of personal data and it is important therefore that any disclosure of personal data is made within the terms of the Act. Summary • • • Regularly review all e-mails containing personal data: Do not hold or retain such emails if there is no need or purpose for holding or retaining the data; If there is a need for the information to be held or retained print off and delete the email and place the copy in a paper file; Be careful when sending e-mails outwith the Scottish Executive not to unlawfully disclose personal data. Further Advice Detailed guidance on the Act is regularly published by the Office of the Information Commissioner and is available from http://www.dataprotection.gov.uk. Any queries about this guidance should be made to: • • • Mike Neale LPS-CPS-FOI, 4th Floor South-West, St Andrews House (ext 44613) (for general questions about the Act) Ken Glasgow CISD - Records Management, J Spur, Saughton House (ext 43728) (for questions about notification/subject access requests). Legal and Parliamentary Services