What are Individual Rights?
- 1. Subject Access
- 2. Prevent Damaging Processing
- 3. Direct Marketing
- 4. Automated Decisions
- 5. Compensation/Rectification
- 6. To request an assessment
What is a data subject entitled to under Subject Access?
- 1. Whether personal data is being processed
- 2. Description of Data
- 3. Purpose of Processing
- 4. Recipients/classes of recipients
- 5. Personal information itself
- 6. Source of information
- 7. Logic behind automated decisions
What must an individual provide as a minimum in order that you comply with a Subject Access Request?
- 1. Application in writing
- 2. Proof of identity
- 3. Fee (if requested)
- 4. Some direction (if large organisation some indication of what you are looking for or what department)
What are the Fees you are allowed to charge?
- 1. Normal Data: £10
- 2. Health Records: £50
- 3. Education Records: sliding scale
What is the Method of Disclosure?
Copy of information in permanent form, unless:
  - not possible/disproportionate effort
  - subject agrees otherwise
When are you not obliged to comply?
- subsequent identical or similar requests
  - unless a reasonable interval has elapsed
Third Party Data
- 1. Is it personal data?
- 2. Do you have consent to disclose?
- 3. Can you redact the file?
- Reasonable Factors
  - Duty of Confidentiality
  - Consent Sought
  - Capable of giving consent
  - Express refusal of consent
- Gaskin Judgement
- Removing third party data
  - Remove identifying context
  - Make no assumptions
When is it exempt from disclosure?
- not personal data
- legally privileged
- already in the subject's possession
- may cause distress
- third party data (maybe)
- Section 30
What are the exemptions in Section 30?
- Health, Education and Social Work
- The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, information as to the physical or mental health or condition of the subject
- education
- voluntary organisations
- social work (but only if he considers that applying the provisions to the data would be likely to prejudice the carrying out of social work)
Subject Access and Children
The person requesting the access to the child's records must be seen to be acting in the interests of the child
Key facts of the Gillick case
- Gillick v West Norfolk and Wisbech AHA 1985
- Under the Family Law Reform Act 1969 a person reaches maturity for the purposes of consent to medical treatment at the age of 16; however, the ability to give legally valid consent to medical treatment is not determined solely by age (a minor below 16 may be regarded as competent) and may be described as "Gillick Competent"
- Mrs Gillick argued that doctors should not be permitted to offer contraceptive advice to children under 16 without parental consent
- The House of Lords held that the guidance was not unlawful
Key points of the Durant Case
- Durant v FSA 2003
- legal case against Barclays escalated to the FSA to obtain records
- purpose of a SAR is to check whether the data controller's processing of it unlawfully infringes his privacy ... to take such steps as the Act provides ... to protect it
- not an automatic key to any information, readily accessible or not, on matters in which he may be named or involved
- not to obtain discovery of documents that may assist him in litigation or complaints against third parties
- the courts determined:
- 1. What is personal data (just because a person is mentioned by name does not make it personal data - it must be biographical and the focus of the information, therefore affecting their privacy directly)
- 2. What is a relevant filing system (information held manually must be easily accessible within a structured filing system similar to an electronic file, must not require disproportionate effort to comply within the 40 day limit, and must be readily identifiable as personal data)
- 3. Section 7 (4-6) relating to third parties (balancing the rights of the subject with the duty of confidentiality to third parties, the need for consent to disclose and the ability to redact)
- 4. its discretion under Section 7 (9) to order the Data Controller to comply (the court did not exercise its right to order disclosure)
- the courts declared that the information was of no value to Mr Durant as he did not want to protect his privacy or correct inaccurate data
What is a Section 10 Notice?
An individual can serve a section 10 (DPA) notice on a data controller if the processing would cause substantial, unwarranted damage or distress
21 days to comply, and a written notice is required to confirm whether or not you are complying
- It does not apply if the data meets the first 4 sections of Schedule 1
  - is processed with consent
  - is subject to a contract
  - is processed because of a legal obligation
  - is processed to protect vital interests
Give an example of a Section 10 Notice
Paul Hutcheon, The Sunday Herald & Chief Constable of Central Scotland Police
Request for the names of police officers who had had race-related complaints made against them; the information was withheld under section 38(1)(b) of FOI and the decision was upheld by the Commissioner. The officers served the Section 10 notice.
What are the Preference Services?
- Mailing Preference Service - code of conduct, not statutory (£250 to purchase the list)
- Telephone Preference Service - statutory (£10k to purchase the list)
- Fax Preference Service - statutory (£10k to purchase the list)
- Email Preference Service - exists but not very good
- there is no SMS preference list
Fair Processing Notice and marketing
- must describe any marketing purpose (including 3rd party)
- should describe the right to object to marketing and how to do it (opt in/opt out)
- all methods of marketing (post, email, fax, phone) should be described
- consent can be obtained in a notice sent to a Data Subject who replies, or at the time of collection of the personal data
- under opt in/opt out the Data Subject accepts or rejects marketing by doing something positive
- the absence of NO does not mean YES
What is the Privacy and Electronic Communications Regulations 2003?
A law in the United Kingdom which made it unlawful to, amongst other things, transmit an automated recorded message for direct marketing purposes via a telephone, without prior consent of the subscriber.
One of the key points of this legislation is that it is unlawful to send direct marketing to someone who has not specifically granted permission (via an opt-in agreement). Organisations cannot merely add people's details to their marketing database and offer an opt out after they have started sending direct marketing. For this reason the regulations offer more consumer protection from direct marketing.
- It is possible to object to an automated decision
- You must object in writing and the Data Controller has 21 days to respond
- the Commissioner doesn't order this
- civil actions can result in awards
- organisations can make an ex-gratia payment