Practical implications of the Data Protection Bill By John Robinson Data Protection Co-Ordinator South Bucks NHS Trust.

Introduction The new Act must be interpreted in the light of the EU Directive on data protection. It must come into force on or before 24 October 1998. What should the Trust be doing to prepare?

Some things for data controllers to consider... Is processing legitimate? Data Protection Audit Data Protection Officer Changes to systems

Some things for data controllers to consider... Notification Manual data files Data processors Fair collection and fair processing

Is processing legitimate? Personal data cannot be processed unless one of the conditions in Schedule 2 is met and, in the case of sensitive data, one of the conditions in Schedule 3 is also met. In both Schedules every condition other than consent requires the processing to be “necessary” for the purpose stated.

Data Protection Audit What type of data are processed? Does processing comply with data protection law, general law and best practice? Distribute questionnaires to named individuals

Data Protection Audit The Audit should ask about –collection –storage –processing and disclosure –subject information procedures –data quality –security –destruction –archiving

Data Protection Co-ordinator The Data Protection Co-ordinator will –ensure compliance with the Data Protection Act –manage the Data Protection Audit –train staff and raise awareness –draft the data protection policy

Data Protection Supervisor Subject to an order being made. A supervisor would independently monitor the data controller’s processing activities to ensure compliance with the 1998 Act. Appointing a supervisor would exempt the controller from the requirement to notify.

Changes to systems Wider subject access rights mean that information about the sources and recipients of personal data (including the controller’s own employees) will need to be disclosed. Archived data and back-up data are also within scope. This will have cost implications.

Notification Notification will involve: –notifying the registrable particulars and –providing a description of the security measures taken to comply with the seventh principle Currently waiting for the notification regulations to be made

Notification Some processing will be exempt from notification Notification regulations may exempt processing for the purposes of: –payroll –personnel & work planning administration –purchase and sales administration –advertising, marketing and PR –general administration

Notification The Bill exempts innocuous manual processing (including processing of accessible records) from notification But must have a statement of processing

Notification Should a data controller voluntarily register manual processing? Consider: –do you process data both manually and automatically? –if so can you differentiate easily between the two?

Notification Registration will be on a yearly basis. Data controllers will remain registered provided they pay the annual renewal fee. They will no longer have to re-submit all details of processing every three years - only notify changes when these occur.

Notification What can an organisation do in the meantime?

Notification Update your register entry NOW Registrations will be converted to notifications by the Commissioner Notification regulations are expected during the autumn Data users registered under the 1984 Act are exempt from notification until registration has expired

Processing of manual data Organisations must review their manual data - do they fall within the ambit of the new Act? What is meant by “manual data”?

Processing of manual data Manual data are data recorded as part of a “relevant filing system” What is a “relevant filing system?”

Relevant filing system Defined in the Bill as any set of information relating to individuals to the extent that the set is structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Relevant filing system “Specific information” means: –distinct information within the file –which can be distinguished from other information in the file and –can be separately accessed

Relevant filing system Three views: –Home Office –Data Protection Registrar –Government and personnel officers

Relevant filing system Home Office: –narrow interpretation –card index –file with dividers/pro formas –file arranged in chronological order –must allow easy access –must be “specific information”

Relevant filing system Registrar’s view: –wider interpretation –alphabetical arrangement - eg filing system organised alphabetically by doctors’ names and which contains patient information –size of file is a factor to consider

Relevant filing system Government and personnel officers: personnel files are likely to be the most common manual files. Their view is that manual data - although structured - should not be caught if they relate to personnel files.

Relevant filing system Data controller caught in the middle Commissioner is to enforce the provisions of the new Act

Data processor No registration requirement. A data processor is not an employee of the data controller; it is anyone instructed to carry out any operation in relation to the personal data. New requirements apply under the seventh principle.

Data processors Contract in writing Guarantees in respect of “technical and organisational” security measures Only act in accordance with instructions No disclosure except as instructed May not use personal data for processor’s own purposes

Data processors Record all information accurately and ensure that it is kept up to date No defamatory statements No other information to be kept in the records Assistance with subject information requests

Fair collection notices These enable data to be obtained fairly and lawfully, and specify the purposes for which the data are to be used. Any non-obvious uses must be clearly specified.

Fair collection notices Review fair collection notices and consider: –how are they given? –what information do they contain? –is the data subject’s consent obtained? Ensure they are as broad as possible

Fair collection notices Where information is obtained about a data subject from a third party: –must have procedures to allow Article 11 notices to be given –must ensure that consent was obtained initially to enable you to process those data now

Fair processing Must process fairly and lawfully Compliance with Schedule 2 and (for sensitive data) Schedule 3 Breach of confidentiality makes processing unlawful Comply with Schedule 1, Part II which imposes additional obligations

Schedule 2 Consent Performance of a contract Compliance with a legal obligation Vital interests Administration of justice Legitimate interests

Sensitive data Sensitive data are information as to: –racial or ethnic origin –political opinions –religious beliefs –trade union membership –physical or mental health –sexual life –commission or alleged commission of offences –criminal proceedings and their outcome

Schedule 3 Explicit consent Employment Vital interests Political, philosophical, religious or trade union purposes Information is made public by the data subject

Schedule 3 Establishing, exercising or defending legal rights Administration of justice Medical purposes Monitoring of equality of opportunity Circumstances specified by order

Fair processing Personal data will not be processed fairly unless: –an Article 10 notice is given where the data are obtained from the data subject –an Article 11 notice is given where the data are obtained from a third party

Article 10 notice Must give the data subject the following information: –the identity of the data controller –the identity of its nominated representative –the purposes for which the data are being processed –any further information (eg identities or categories of recipient, right of access to personal data)

Article 11 notice Must give the data subject the information required for an Article 10 notice, given at the “relevant time”, which means (i) the time when the data are first processed by the data controller or (ii) where the data are disclosed to a third party, the time when they are first disclosed to that party

Article 11 notice The notice need not be given if the provision of the information would involve a “disproportionate effort”, or if the data are recorded or disclosed in order for the data controller to meet a legal obligation

Other data subject rights Data subject rights have been extended For example: –access to manual data –access to the logic of any computerised decision making process –right to prevent certain processing –rights in relation to automated decision taking

Subject access rights Request in writing and payment of fee Right to be informed: –whether personal data are being processed and if so –to be given a description of the personal data and the purposes for the processing

Subject access rights also, right to have communicated to him in an intelligible form –the sources of those data –the recipients of those data (which includes employees and data processors) –the logic of a decision (if taken by solely automatic means)

Preventing processing An individual can require the data controller to cease processing his personal data if –the processing is causing substantial damage or distress and –that damage or distress is unwarranted

Preventing processing The right does not apply: –if individual has given his consent –for performance of a contract –compliance with a legal obligation –to protect the vital interests of the individual

Rectification, blocking, erasure and destruction Application to the court for an order The court may also order notification to third parties Where inaccurate data have been obtained from the data subject, the court may order a statement of the true facts to be added to the data

Compensation A data subject who suffers damage because of the data controller’s breach is entitled to compensation He may claim compensation for distress if he has also suffered damage or the breach is in respect of the special purposes

Enforcement The Commissioner’s powers include: –assessment –information notice –warrant –enforcement notice

Transitional provisions New automatic processing of data and new processing of manual data must comply with the 1998 Act immediately

Transitional provisions - manual data - Manual data which are subject to processing already under way before 24 October 1998 are exempt from: –the data protection principles –Part II (rights of data subjects) –Part III (notification) until 24 October 2001

Transitional provisions - manual data - What is meant by “processing already under way”? A new file inserted into an existing database will form part of “processing already under way”

Transitional provisions - manual data - Manual data which form part of an “accessible record” (for the Trust this means a health record, ie a record consisting of information relating to the physical or mental health of an individual which has been made by a health professional)

Transitional provisions - manual data - are exempt from: –the data protection principles –Part II (rights of data subjects) –Part III (notification), except that accessible records are not exempt from s7 (right of access to personal data)

Transitional provisions - manual data - this exemption applies irrespective of whether the data were subject to processing which was already under way before 24 October 1998 until 24 October 2001

Transitional provisions - manual data - In other words... from 24 October 1998, data subjects must be given rights of access to manual data that form part of an accessible record, but not to any other type of manual data

Transitional provisions - automatically processed data - Automatically processed data which are subject to processing already under way on 24 October 1998 are exempt from the new provisions of the Act Until 24 October 2001 Such processing remains subject to the 1984 Act

Transitional provisions - from 24 October 2001 As from 24 October 2001, manual data, including accessible records, will be exempt from: –the first data protection principle, except to the extent that it requires compliance with paragraph 2 of Part II of Schedule 1 –the 2nd, 3rd, 4th and 5th principles –section 14(1) to (3)

Transitional provisions - from 24 October 2001 In other words... from 24 October 2001, data subjects will have rights of access to manual data and accessible records. They will be able to request the rectification, erasure or blocking of the manual data (but not apply for a court order)

Transitional provisions - from 24 October 2001 Automatically processed data have no further exemption after 24 October 2001. They must conform with the new Act.

Final thoughts Don’t be misled because a new provision looks familiar - it may have very different consequences under the new Act. If in doubt, look to the Directive for guidance

Exemptions Crime and taxation Personal data processed for the purposes of the: –prevention or detection of crime –apprehension or prosecution of offenders –or assessment or collection of tax or duty are exempt from the first principle and s7 if the application of those provisions would be likely to prejudice any of those matters

Crime and taxation What do you do if your organisation is approached by the police to disclose information?

Crime and taxation Consider confidentiality obligations (may only be able to disclose under a court order) Obtain a statement in writing signed by a senior police officer stating that in his opinion the situation described in the statement is one to which s28 applies

Crime and taxation What about other disclosures of information not requested by the police?

Crime and taxation Confidentiality obligations Will have to rely on this exemption Must consider each request on a case by case basis Must have in place procedures or a policy stating what situations will fall within a s28 disclosure

Research, history and statistics Processing for these purposes in compliance with the relevant conditions means that a data controller: –can keep the data indefinitely (irrespective of the fifth principle) –does not have to give individuals access to the data under s7, provided the results of the research are not made available in a form which identifies data subjects

Research, history and statistics The relevant conditions are: –the data are not processed to support decisions in respect of particular individuals –and the data are not processed in such a way that substantial damage or distress is caused to any individual

Confidential references Personal data are exempt from s7 if they consist of a reference given in confidence by the data controller for the purposes of: –education, training, employment of the data subject –appointment of the data subject to office –provision by the data subject of any service

Management forecasts and negotiations Personal data processed for the purposes of management forecasting or management planning are exempt from the subject information provisions

Management forecasts and negotiations Personal data consisting of records of the data controller’s intentions in relation to any negotiations with the data subject are exempt from the subject information provisions

Legal professional privilege Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings
