National Smartcard Project Work Package 8 – Information Law Report
Format of report: Executive summary Introduction Main body of report (15 sections) Appendix 1: Glossary Appendix 2: Overview of main areas of law Appendix 3: Sources Appendix 4: Data processor agreements Appendix 5: Data protection notice toolkit Information Law Report
Executive Summary The Executive Summary sets out: What is considered in the Information Law Report: i.e. the information law issues connected with a Smartcard Scheme including data protection, human rights, administrative law and freedom of information. A summary of the conclusions reached in each section of the Information Law Report.
Introduction The Introduction explains: the purpose of the report; the parameters of the report; the assumptions that have been made in order to draft the Information Law Report. Please note that the report should be read in conjunction with the Introductory Report and appropriate sections of the Card Governance Report.
Lawfulness for processing data and vires Human Rights Act 1998 Requirement to comply with Article 8 ECHR – “Everyone has the right to respect for his private and family life, his home and correspondence” Principle 1 Data Protection Act Requirement for lawfulness –a Card Issuer must act within its statutory powers What powers do Card Issuers have? A question of administrative law Powers may be express or implied Examples of implied powers: Local Government Act 1972 Local Government Act 2000
Status of the parties for data protection purposes Data Controllers Control the purposes for and manner of the processing Data Processors Process on behalf of a Data Controller
Status of the parties for data protection purposes Consider: Card Issuers Secondary Service Providers Joint Card Issuers Card Suppliers Other Card Issuers and other Secondary Service Providers External Project Manager/Consultants Contractors and Sub-contractors Employees Data Subjects/Card Users Ensure changes to status are taken into account
Data involved in the Smartcard Scheme Personal Data Includes manual and computerised Data Sensitive Personal Data E.g. health/disability Requires a higher level of protection Consider whether this is necessary Anonymous Data and non-Personal Data Is this truly anonymous? Consider treating everything as Personal Data to ensure DPA and HRA compliance
Grounds for processing Personal Data Data Controllers must have a schedule 2 Data Protection Act grounds In particular Necessary for the exercise of any function conferred on any person by or under enactment Necessary for the exercise of any other function of a public nature exercised in the public interest by any person
Grounds for processing Personal Data What is “necessary”? “encompasses matters which are “reasonably required or legally ancillary to” the accomplishment of the specified purposes”. Does not have to be “absolutely essential” – DCA Is it proportionate to the aim pursued?
Grounds for processing Personal Data Data Controllers must have a schedule 3 Data Protection Act grounds for Sensitive Personal Data In particular Necessary for the exercise of any function conferred on any person by or under an enactment Is it necessary to process Sensitive Personal Data?
Information for Data Subjects Data Subjects must be told or have readily available to them: Identity of the Data Controller Purposes for the processing (NB including non- obvious purposes) Any other information necessary in the circumstances to make the processing fair How to make this information available? Data protection notice/privacy statement
Information for Data Subjects DCA consultation suggests: Public services trust guarantee Service specific statement Code of practice Management guidance Complaints procedure Data sharing protocols
Use of Personal Data for Marketing Data Protection Act requirements Fairness and compliance with the principles Absolute right to object to direct marketing Privacy and Electronic Communications (EC Directive) Regulations 2003 Cover marketing by , SMS, MMS, telephone, fax and automated calling systems Regulate “cookies” Consider: Joint notices Where to provide notices Accessibility issues Whether consent should be obtained at the same time
Use of any Smartcard Number General Identifiers Currently none prescribed but beware of this if any prescribed in the future Use of certain numbers restricted e.g. NHS Number, Pupil Identification Number, NI Number – do not use these in a Smartcard Scheme unless purpose is authorised. Use of a unique Smartcard number Will be Personal Data therefore comply with the DPA
Data Sharing Involves consideration of: Administrative law Human Rights Act 1998 Data Protection Act 1998 Confidentiality
Data Sharing Practical Issues for a Smartcard Scheme What does the Card Issuer want to do and why? Does it have the power to do this? Who does it want to do this with? Does that organisation have the power to do this? How will it be done? Impact on the individual? Can impact by minimised? DPA, HRA and confidentiality considered? Data Sharing protocols Take into account the DCA toolkit on data sharing
Disclosures Non-disclosure exemptions in the DPA: Section 29 Data Protection Act Gives a discretion to disclose for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty Section 35 Data Protection Act Allows for mandatory disclosures where required by or under enactment or court order. Allows for disclosures in connection with legal proceedings, obtaining legal advice or where necessary for establishing, defending or exercising legal rights. Card Issuer should have disclosure policies in place
Data Matching Requirement for lawfulness Requirement for fairness Ensure that there is a power to cross match and that the law is complied with
Security Principle 7 Data Protection Act Technical and organisational measures must be in place to protect Personal Data Consider: Access and segregation Employees Data Processors Segregation for data sharing and Reader purposes Reader Security Data sharing Disclosures Identity of Card Users Loss or theft Biometrics
Subject Access and Individual Rights Subject access to Smartcard Data Comply with the DPA in providing access (40 day timescale) Consider how access can be provided within a shorter timescale (e-Envoy policy framework) Consider how to provide access in a joint scheme Consider policy for providing access to children directly and to others on behalf of a child Other individual rights Right to object to direct marketing Automated decision making Processing likely to cause damage or distress Inaccuracy
Compliance with other Data Protection Principles Principle 1 Fairness generally – e.g. how are the Data obtained? Principle 2 Specified, lawful and, when further processing, compatible purposes Principle 3 Adequate, relevant and not excessive Principle 4 Accurate and, where necessary, up to date Principle 5 Kept no longer than necessary Principle 8 Adequate protection for transfers outside the European Economic Area
Notification Requirement to notify Information Commissioner Criminal offence to fail to notify and to keep notification up to date Ensure that notification covers Smartcard purposes
Freedom of Information Consider: Status for freedom of information purposes Freedom of information at the tender stage Freedom of information at the contract stage Freedom of information and Personal Data Policies
Appendices 1-3 Appendix 1 Glossary of terms specific to the Information Law Report Appendix 2 Overview of main areas of law: a brief summary of the Data Protection Act 1998, Article 8 of the Human Rights Act, Freedom of Information Act 2000 and common law confidentiality Appendix 3 A list of primary and secondary source materials
Appendix 4 Processor Agreements Guidance for completion Data Processor Contract Letter A Data Processor Contract Letter B Data Processor Contract Clauses Full Data Processor Agreement
Appendix 5 Data Protection Notice Toolkit Guidance notes Sample notice