Personal protection

modern organisations rely on vast amounts of data. Much of this data contains information identifying individuals and will be considered “personal data” within the scope of the European Data Protection Directive. This is implemented into various national laws, for example in the UK by the Data Protection Act 1998.

Data used by organisations can be broken down into three generic areas: customer/client data, human resources data, and marketing data.

The Data Protection Directive (95/46/EEC) defines personal data as “any information in relation to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physiological, mental, economic, cultural or social identity.”

This definition is extremely wide and covers any data collected by organisations from which an individual can, or may, be identified.

The directive as implemented in national law requires that all organisations which “process” personal data must register with the national data protection authorities and abide by the data protection principles. In the UK, organisations are required to register with the Information Commissioner.

The definition of “processing” applies to both electronic and manual records and is also very wide. It means “any operation or sub-operation performed upon personal data, whether or not by automatic means such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise, making available blocking or erasure or destruction”.

The directive also sets out that the data controller is the organisation which specifies the purpose for which data is being processed and accordingly controls such data. The data controller bears liability for all violations of the data protection legislation. The data subject is the individual about whom personal data is being processed.

The most effective way of complying with the directive is to ensure that a data subject consents to their data being used at the point of collection. Such consent must be informed and unambiguous (for example, silence or acquiescence) does not equal consent, and obtained in relation to a specified purpose. Consent can be gained in a number of ways, for example if a person completes an application form in the UK for a credit card, under the Data Protection Act 1998, they may be asked on the form whether or not they wish to receive marketing materials from the organisation and if they do not wish to do so to tick an opt-out box. If they do not tick the opt-out box their consent to receipt of such materials will be implied. However, it is important that such implicit consent, in fulfilment of the requirement of non-acquiescence, must have been seen by the organisation.

But in jurisdictions such as Germany, the consent must be evidenced by a positive act of ticking the box which states that the data subject does wish to receive marketing materials.

The directive sets out eight data protection principles, with which a data controller must comply. The above criteria, in relation to consent, can be used to meet the first principle which sets out that personal data should be fairly and lawfully obtained. It can also be used to meet the second data principle which states that personal data must be collected for specific purposes and used only in relation to such purposes.

The third principle requires that all data collected must be adequate, relevant and not excessive in relation to the purpose for which it is being processed. For example, if you were to collect data from an individual in relation to an insurance contract it is unlikely that you would need data pertaining to their religion and such data may be considered excessive.

Data should be accurate and where necessary kept up-to-date. Organisations should not be using data which is out-of-date (such as superseded employment details and addresses).

Data should be kept in a form which permits identification of individuals for no longer than the purpose for which it is being processed. For instance, if data is being processed for the sole purpose of selling an individual a rail ticket then that data should not be kept after the journey has been completed or after the credit card details have been processed, whichever happens later.

The directive also makes provision for data to be outsourced to data processors. This would be the case where a data controller were to outsource payroll details to a third party for processing. To ensure that any personal data provided to a data processor is processed in accordance with the data protection legislation, a written contract should be in place between the data controller and the data processor. Such a contract must have suitable data protection obligations subject to the local data protection laws placed upon the data processor, including that it must maintain adequate levels of data security in accordance with the seventh data protection principle.

Many organisations also process sensitive data which is data relating to a data subject's racial or ethnic origin, political opinion, religious beliefs, trade union membership, health or sex life. Such data cannot be processed unless the data subject has given their explicit and unambiguous consent. In the context of human resources data where sensitive data is processed for the purpose of employment records the company must tell its employees why the data is being processed and get their express written consent to the processing.

Data protection is an extremely grey area of law. There is little to no guidance on the implementation of the directive. In the UK there is some guidance on the Data Protection Act but this is not definitive. The directive is intended to create a harmonised internal market throughout the EU, but it is implemented in different ways in each member state.

This creates particular problems for organisations dealing on a cross-border basis within the EU. For example, sending unsolicited commercial communications in Germany is an offence under Section 1 of the German Unfair Competition Act. So if a consumer in Germany accesses a UK website which uses the opt-out system and the German/consumer does not tick the opt-out box, they will then be sent a direct marketing email. Under German law this would be a criminal offence as the email would be regarded as unsolicited.

Member states which use an opt-in system to various degrees are Austria, Finland, Denmark and Greece, but because of the differences in implementation of the directive between member states, internet-related data protection issues are unclear.

Also, there is a new draft directive on telecommunications and data protection that, if kept in its current form, will require prior consent to all direct marketing by email. This will effectively impose an opt-in system throughout the EU. This is particularly worrying as it may mean that historical databases which have been collected on the basis of the opt-out system cannot be used for email direct marketing. Organisations will not be able to contact their customers by email without having gained their explicit prior consent to do so.

Other problems with the directive relate to a transfer of data to countries outside the European economic area. In particular, the US is deemed not to have an adequate level of data protection. Explicit consent of the data subject is required for such a transfer, unless the transfer is necessary for the performance of a contract (at the request of the data subject) in the subject's interests.

Transfers to countries which are deemed not to have an adequate level of data protection are prohibited. However, in November 2000 the safe harbour agreement was adopted between the EU and the US authorities. The safe harbour agreement essentially gives US companies an opportunity to sign up to a self-regulatory system which is monitored by the Federal Trade Commission and the Federal Department of Transportation. If a US company signs up to safe harbour then data can be transferred freely from the EU. However, because of the respective confidences of the Federal Trade Commission and the Department of Transportation, the safe harbour agreement does not cover significant areas of commerce – many banks and financial services companies do not fall within the agreement.

Failing to comply with data protection legislation can cause significant damage to an organisation's brand image and equity. Not least because consumers are increasingly demanding their right to privacy. Moreover, it can have serious legal consequences. A breach of the data protection legislation can lead to criminal and civil liability for both the organisations and their directors. Violation of the data protection legislation is also arguably a violation of the right to privacy under Article 8 of the European Convention on Human Rights.

So how do organisations ensure that they are in compliance with the directive as implemented into national law? The best way of ensuring compliance is by undertaking a full data problems audit of an organisation's data flows, to assess the type of personal data being processed by the organisation and how the company limits its liability. The audit would also ensure that a data controller is accurately notified to the Information Commissioner.

Once an audit has been undertaken, organisations should then put in place a data protection compliance programme which will ensure that they have systems in place to deal with any breaches of the legislation. n

Usha Jagessar is a technology, media and communications assistant at DLA. Mike Pullen is a regulatory partner at DLA.

Jargon busting

Gateway: A point on a network that acts as an entrance to another network. The computers that control traffic within a company's network or at an Internet Service Provider (ISP) are called gateway nodes.

Geek: Originally a circus performer whose role in the sideshow was to bite off the heads of chickens or perform other bizarre feats. The term can also imply a particular skill in the use of technology.

GPRS (General Packet Radio Services): A packet-based wireless communication service that promises data rates from 56 up to 114 Kbps (kilo bits per second) and continuous connection to the internet for mobile phone and computer users. This so-called 2.5G technology has already been introduced by BT in preparation for even faster 3G technologies.

Gif (Graphics Interchange Format): One of the two most common file formats for graphic images on the World Wide Web. The other is the JPEG. The compression algorithm used in the Gif format is owned by Unisys. In practice, Unisys has not required users of Gif images to obtain a licence, although their licensing statement indicates that it is a requirement.

Gigabit: One billion bits. Commonly used for measuring the amount of data that is transferred in a second between two telecommunication points.

GNU: An operating system similar to Unix that comes with a source code that can be copied, modified and redistributed. The Linux operating system consists of GNU components and the kernel is developed by Linus.

Gnutella: A peer-to-peer system which enables individuals to exchange files over the internet directly without going through a website. Gnutella is often used as a way to download music files and has been an object of concern for the music publishing industry.

GSM (Global System for Mobile Communication): The standard digital mobile telephone system in Europe and widely used everywhere apart from the US. GSM has more than 120 million users worldwide and is available in 120 countries.

Gui (graphical user interface): Usually pronounced GOO-ee, a Gui is a graphical user interface to a computer. Rather than typing commands in at a prompt, a Gui-based system (such as Mac or Windows) allows the use of windows, draggable items, scroll bars etc.

Guid (global unique identifier): A term used by Microsoft for a number that is attached to documents created in its programmes. The author of a document could be traced by the Guid in the document. Microsoft has released a patch for Office 97 which disables the Guid function and a utility to remove Guids from existing documents.