What is Privacy?
There are often said to be 3 elements to privacy:
Information privacy involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records.
Bodily Privacy: protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches.
Location Privacy: carrying a device which can be tracked.
Privacy of Communications: security and privacy of mail, telephones, email, etc.
Territorial Privacy: setting limits on intrusion into the domestic and other environments such as the workplace or public space including searches, video surveillance and ID checks.
What is Processing?
You need to justify your processing
What is Personal Data Category (a)?
Being processed by means of equipment operating automatically in response to instructions given for that purpose e.g.
- on computer
- DIP systems
- audio, video, digitalised images, CCTV
- swipe cards/oysters
What is Personal Data Category (b)?
Is recorded with the intention that it should be processed by means of such equipment as described in category (a) e.g.
- surveys
- questionnaires
- notebooks
- interview notes
What is Personal Data Category (c)?
Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system e.g.
- paper or card
- relevant filing system
- structure by reference to individuals
- readily accessible
(refer to Durant)
What is Personal Data Category (d)?
Does not fall within category (a), (b) or (c) but forms part of an accessible record as defined by Section 68 of FOI e.g.
- medical records
- social work records
- housing records
- education records
FOI 2008 modifies DPA to cover unstructured data (but only for Public Bodies) and exempts some types of data (2 access regimes to data)
What is Personal Data Category (e)?
FOI 2008 Sections 68-70 modifies DPA to cover unstructured data (but only for Public Bodies) and exempts some types of data (2 access regimes to data) introducing a new category of personal data (e):
Recorded information held by a public authority which does not fall within any of the existing paragraphs (a) - (d)
Category (e) data can be:
- relatively structured (DPA legislation)
- relatively unstructured (FOI legislation but must be expressly described by the data subject)
Data in this category is exempt from Principles 1, 2, 3, 5, 7 and parts of 6. Just keep it up to date and accurate.
Category (e) does not apply to unstructured personnel data
Also exempt from various other sections
What is a data subject?
An individual who is the subject of personal data
The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
What is a Data Controller?
A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
A data controller must be a “person” recognised in law, that is to say:
- organisations; and
- other corporate and unincorporated bodies of persons.
Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.
Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller.
In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other.
Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.
What is a Data Processor?
Means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data processors are not directly subject to the Act. However, most data processors, if not all, will be data controllers in their own right for the processing they do for their own administrative purposes, such as employee administration or sales.
Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor. Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles. For these reasons organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing.
Who determines the “purpose and manner” of processing?
A person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed”. In essence, this means that the data controller is the person who decides how and why personal data is processed. However, we take the view that having some discretion about the smaller details of implementing data processing (ie the manner of processing) does not make a person a data controller.
What is a Recipient?
In relation to personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.
What is a Third Party?
- Any person other than –
- (a) the data subject,
- (b) the data controller, or
- (c) any data processor or other person authorised to process data for the data controller or processor.
The term “third party” is used in the Data Protection Act relating to accuracy; to “fair processing”; and in two of the conditions for processing.
What are Special Purposes?
- Any one or more of the following—
- (a) the purposes of journalism,
- (b) artistic purposes, and
- (c) literary purposes.
What is Consent?
Consent is not defined in the DPA 98 although it is defined in the Directive 95/46/EC as:
Any freely given, specific and informed indication of the data subject's wishes.
Consent can be implied from relevant behaviour but cannot be imposed by assuming consent.
Consent and knowledge are not the same thing so the data controller should give information and get consent.
In what circumstances is consent required/relevant?
Schedule 2: legitimate grounds for processing personal data includes consent.
Schedule 3: legitimate grounds for processing sensitive personal data includes explicit consent.
Schedule 4: grounds for making transfers outside the EEA in the absence of adequate protection includes consent.
A person cannot object to processing causing damage or distress if they have consented to that processing.
Consent is important in subject access: when disclosing to third parties, consider whether consent has been given.
Audits can only be done with the consent of the data controller.
Consent or reasonable belief in consent is a defence against a prosecution for unlawful procuring under Section 55.