Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Trends and climate Would you consider your national data protection laws to be ahead or behind of the international curve? While the United Kingdom remains part of the European Union – and in particular during the period which will commence when the General Data Protection Regulation takes effect in the United Kingdom (May 25 2018) and run until the date on which the United Kingdom exits the European Union – a claim that it is ahead of the international data protection curve would seem fair. Thereafter, the position at the time of writing appears very uncertain and remains to be seen. Were a law which mirrors the General Data Protection Regulation to be adopted post-Brexit, a claim to be on or ahead of the curve would remain. The alternative would see the adequacy of UK laws very likely coming under scrutiny, in particular in the context of personal data transfers made from the European Union to the United Kingdom.
Are any changes to existing data protection legislation proposed or expected in the near future? The General Data Protection Regulation will take effect on May 25 2018 in the United Kingdom. The United Kingdom will also have to decide whether to implement laws which give effect to other EU data and security derived legislation, such as the EU Network and Information Security Directive, which must also be implemented by EU member states by May 2018 (ie, before Brexit is likely to have taken effect). Also, the United Kingdom will likely finalise its Investigatory Powers Act at some point in 2016 or 2017 which will regulate law enforcement access to communications data.
The General Data Protection Regulation will also apply to organisations located outside the European Union which process personal data in the course of selling to or monitoring EU residents. So even after the Brexit, many UK companies – such as those selling online to EU-based customers – will remain subject to its provisions.
Legislation What legislation governs the collection, storage and use of personal data? The Data Protection Act 1998 gives effect to the EU Data Protection Directive (95/46/EC) and is the main statute that governs the collection, storage and use of personal data. The Data Protection Act outlines eight principles with which non-exempted data controllers must comply. Data controllers must ensure that data are:
- processed fairly and lawfully;
- obtained for one or more specified and lawful purposes;
- adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- accurate and kept up to date;
- kept for no longer than is necessary;
- processed in accordance with the data subject's rights under the DPA
- kept safe by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage; and
- not transferred outside the European Economic Area without adequate protection.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 govern the protection of privacy in the electronic communications sector, covering such areas as direct marketing, location data and cookies.
The Regulation of Investigatory Powers Act 2000 regulates the access to and interception of communications data by public bodies.
Scope and jurisdiction Who falls within the scope of the legislation? The Data Protection Act 1998 imposes obligations on data controllers. The act defines ‘data controllers’ as those who alone, jointly or with others determine the purposes for which and the manner in which any personal data is processed.
The act also contains provisions of general application, such as the criminal offence under Section 55 of unlawfully procuring or disclosing personal data.
What kind of data falls within the scope of the legislation? The Data Protection Act 1998 regulates ‘personal data’.
The act makes clear that ‘data’ is information held, or intended to be held, on a computer as part of a relevant filing system. A ‘relevant filing system’ refers to non-automated records that are structured in such a way that specific information relating to a particular individual is readily accessible.
Information may still be classified as data even if it does not satisfy this definition, where:
- it forms part of an accessible record; or
- it is recorded information held by a public authority.
‘Accessible record’ includes:
- health records that consist of information relating to the physical or mental health or condition of an individual, made by or on behalf of a health professional;
- educational records; and
- information held by public authorities.
The act defines ‘personal data’ as data which relates to a living individual who can be identified:
- from that data; or
- from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
The definition includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Personal data which falls within the definition of ‘sensitive personal data’ must meet higher processing standards. The definition covers information such as information about an individual's mental or physical state of health, racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, sexual life, criminal offences committed or proceedings brought.
Are data owners required to register with the relevant authority before processing data? Yes. The Data Protection Act 1998 requires every data controller who processes personal information to register with the Information Commissioner's Office (ICO), unless they are exempt. The registration describes, in general terms, the personal data being processed by the data controller and will include the type/classes of information processed and purposes for processing. Data controllers can also choose to include the details of a point of contact so that members of the public can ask questions about the data protection practices of the organisation and request information held about them.
The Data Protection Act provides exemptions to the requirement to register with the ICO for:
- organisations that process personal data only for staff administration (including payroll), business-related advertising/marketing and accounts;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register; and
- organisations that do not process personal information on a computer.
Currently, if an organisation has 250 or more staff and a turnover of at least £25.9 million in the United Kingdom, the ICO registration fee is £500. All other organisations pay £35.
Is information regarding registered data owners publicly available? Yes. All data controllers who register with the Information Commissioner's Office will be included on the online public register.
Is there a requirement to appoint a data protection officer? No. The Data Protection Act 1998 does not require data controllers to appoint a data protection officer.
However, under the General Data Protection Regulation, there is an obligation for both controllers and processors to appoint a data protection officer in certain circumstances. Such circumstances include where the core activities of an organisation involve regular and systematic monitoring of data subjects on a large scale, or processing of special categories of data such as health data.
Enforcement Which body is responsible for enforcing data protection legislation and what are its powers? The Information Commissioner's Office (ICO) is the United Kingdom's independent body set up to promote good practice among data controllers. The ICO must perform its functions under the Data Protection Act 1998 so as to ensure that data controllers observe the requirements of the act.
The powers of the ICO are wide ranging and include the ability to fine organisations for non-compliance with the act.
Collection and storage of data
Collection and management In what circumstances can personal data be collected, stored and processed? Broadly, collection, storage and processing can occur where a data controller has satisfied all of the principles in the Data Protection Act 1998. The principles are fluid and can interact but, for simplicity, can be largely categorised as follows.
|Principles||Personal data shall:|
|Collection||2 + 3||
|Storage||5 + 7||
|Processing||1, 4, 6 + 8||
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The Fifth Principle of the Data Protection Act 1998 states that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. The act does not, therefore, provide for a specific retention period for personal data.
If enacted, the Investigatory Powers Bill currently going through Parliament will oblige communications companies to store personal data for up to 12 months for use by the security services.
Do individuals have a right to access personal information about them that is held by an organisation? Yes. Section 7 of the Data Protection Act 1998 entitles a data subject to access copies of the information about him or her which an organisation holds. This is commonly referred to as a ‘subject access request’ and must be made in writing. The data subject has the right to be informed as to whether the controller is processing his or her personal data. If so, the data controller must provide:
- a description of the personal data of which that individual is the data subject, the purposes for processing and the recipients to which it has been or may be disclosed;
- a copy of the data; and
- the source of the data.
Data controllers that receive a subject access request must respond to the request within 40 days of receipt.
Do individuals have a right to request deletion of their data? Yes. Section 14 of the Data Protection Act 1998 gives data subjects the right to apply to the court to rectify, block, erase or destroy inaccurate data. Data subjects will usually direct their requests to the data controller and, if the data controller maintains that the data is accurate, the subject can lodge a complaint with the Information Commissioner's Office. The burden of proof rests with the data subject to prove that data is inaccurate. If the data subject is not satisfied with the outcome of the complaint, he or she may issue proceedings.
Consent obligations Is consent required before processing personal data? Not necessarily. Schedule 2 of the Data Protection Act 1998 sets out the conditions that must be met before personal data can be processed. The consent of the data subject is listed in Schedule 2. The data controller can process personal data so long as one of the conditions listed in Schedule 2 is satisfied; there is no hierarchy of preference.
If consent is not provided, are there other circumstances in which data processing is permitted? If consent is not provided, personal data may also be processed where:
- the processing is necessary for the performance of a contract to which the data subject is party;
- the processing is necessary for compliance with a legal obligation to which the data controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject;
- the processing is necessary for:
- the administration of justice;
- the exercise of any functions of either house of Parliament;
- the exercise of any functions conferred on any person by or under any enactment;
- the exercise of any functions of the crown, a minister of the crown or a government department; or
- the exercise of any other functions of a public nature exercised in the public interest by any person; or
- the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to which the data is disclosed.
What information must be provided to individuals when personal data is collected? The First Principle of the Data Protection Act 1998 provides that personal data shall be processed fairly and lawfully. Schedule 1, Part 2 makes clear that data is not to be treated as processed fairly unless the following information is provided to the data subject:
- the identity of the data controller;
- the identity of any representative (if nominated by the data controller for the purposes of the Data Protection Act);
- the purposes for which the data is intended to be processed; and
- any further information which is necessary to enable processing to be fair, having regard to the specific circumstances.
With regard to the specific circumstances referred to above, the Information Commissioner's Office's Privacy Notices Code of Practice encourages data controllers to consider the reasonable expectations of the data subjects.
The above information should be provided when the data controller first processes the data or, where data is not provided directly by the data subject, as soon as practicable after processing.
Data security and breach notification
Security obligations Are there specific security obligations that must be complied with? The Seventh Principle of the Data Protection Act 1998 provides that appropriate technical and organisational measures should be taken in relation to personal data processing. Data controllers should consider the state of technological development and the cost of implementing any measure, ensuring that the level of security is appropriate to:
- the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage; and
- the nature of the data.
A key element in achieving compliance with this obligation is ensuring that a written contract is in place with all data processors engaged by a data controller which confirms the processor's commitment to meet Seventh Principle standards. Data controllers must also adopt measures to ensure that they select data processors which comply with the Seventh Principle and take reasonable steps to ensure compliance – for instance, via audits and contractual commitments.
The Information Commissioner's Office often takes enforcement action against data controllers that fail to satisfy the Seventh Principle.
Breach notification Are data owners/processors required to notify individuals in the event of a breach? There is currently no legal obligation under the Data Protection Act 1998 to report breaches of security to the individual. However, the Information Commissioner's Office (ICO) recommends that a data controller make a breach public where it is “clearly in the interests of the individuals concerned”. It suggests that controllers consider:
- whether notification can assist in their meeting security obligations;
- whether notification can assist the individuals because of actions they could take; and
- the dangers of ‘over-notifying’, as not every incident will warrant notification.
There is no guidance on what form such notification should take.
Regulation 5A(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 provides that if a data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall, without undue delay, notify that breach to the subscriber or user concerned. Whether the breach is likely to adversely affect individuals is primarily a decision for the service provider, based on the circumstances of the case, including:
- the nature and content of the personal data;
- whether it includes sensitive personal data as defined in the Data Protection Act;
- what harm could be caused to the individual; and
- who now has access to the data, to the extent that is known.
A service provider need not, however, notify customers if the ICO confirms that it is satisfied that the information was properly encrypted when the breach occurred.
Are data owners/processors required to notify the regulator in the event of a breach? There is currently no legal obligation under the Data Protection Act 1998 to report breaches of security to the Information Commissioner's Office (ICO). However, the ICO has issued guidance advising that serious breaches should be reported. While ‘serious breach’ is not defined, data controllers should consider the following factors when assessing the severity of the breach:
- potential detriment to data subjects;
- volume of personal data lost/released/corrupted; and
- sensitivity of the data lost/released/corrupted.
Certain companies do have notification obligations. For example, under the Privacy and Electronic Communications (EC Directive) Regulations 2003, electronic communication service providers must notify certain data breaches to the ICO. Financial service sector specific regulations also include breach notification obligations.
Electronic marketing and internet use
Electronic marketing Are there rules specifically governing unsolicited electronic marketing (spam)? Yes. Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 states that unsolicited communications for the purposes of direct marketing should not be sent unless the recipient has consented to such communications being sent by the sender.
Where consent has not been contained, electronic mail can be sent for the purposes of direct marketing where the following conditions are satisfied:
- The sender has obtained the recipient's contact details in the course of the sale of a product or service to that recipient and the direct marketing is in respect of similar products and services only;
- The recipient was given a free method, at the time his or her contact details were initially collected, to refuse the use of his or her contact details for the purposes of such direct marketing; and
- The recipient is given the right to refuse to use his or her contact details for direct marketing in each subsequent communication.
‘Electronic mail’ in this context means any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient, and includes messages sent using a short message service. This includes emails, texts, picture/video messages, voicemails, social media messages or any similar message that is stored electronically.
- the user is provided with clear and comprehensive information about the purposes for which the cookie is stored and will be accessed; and
- the user gives his or her consent.
This process need be done the first time cookies are set only. The Article 29 Working Party identified four characteristics of effective consent in the context of cookies:
- Specific information should be given to data subjects;
- Consent should be obtained before processing begins;
- Consent must be unambiguous and result from a positive action; and
- Consent must be freely given.
Data transfer and third parties
Cross-border data transfer What rules govern the transfer of data outside your jurisdiction? The Eighth Principle of the Data Protection Act 1998 provides that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Schedule 4 of the Data Protection Act outlines a number of cases to which the Eighth Principle does not apply. These include the following:
- The data subject has given his or her consent to the transfer;
- The transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject which is either entered into at the request of the data subject or in the interests of the data subject; and
- The transfer has been authorised by the Information Commissioner’s Office as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
Are there restrictions on the geographic transfer of data? Personal data may be transferred to other jurisdictions within the European Economic Area (EEA) without restriction.
If none of the exemptions in Schedule 4 of the Data Protection Act 1998 apply, personal data may not be transferred to jurisdictions outside the EEA unless:
- the European Commission has made a decision recognising the adequacy of the jurisdiction. The commission has the authority, under Article 25(6) of Directive 95/46/EC, to determine whether a third country ensures an adequate level of protection by reason of its domestic law or the international commitments that it has entered into. The commission has recognised the following jurisdictions as adequate: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay;
- the data controller enters into standard contractual clauses with the data processor or controller that receives the data. Standard contractual clauses are data transfer agreements approved by the European Commission as providing adequate protection;
- the data controller drafts its own contract after a risk assessment to ensure adequacy; or
- the data controller is part of a multinational organisation transferring information outside the EEA but within its group of entities and has adopted binding corporate rules which provide individuals with legally enforceable rights. The rules must be approved by all relevant European data protection authorities, which will cooperate with each other in assessing the rules.
Third parties Do any specific requirements apply to data owners where personal data is transferred to a third party for processing? The Seventh Principle of the Data Protection Act 1998 obliges data controllers to ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In order to ensure compliance with this principle where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must:
- choose a processor that provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
- take reasonable steps to ensure compliance with those measures.
Penalties and compensation
Penalties What are the potential penalties for non-compliance with data protection provisions? The Information Commissioner's Office (ICO) can issue several possible sanctions against organisations which are found to be non-compliant with data protection provisions. Examples include:
- information notices obliging organisations to provide specific information to the ICO;
- undertakings committing an organisation to carry out certain actions in order to remedy its non-compliance; and
- monetary penalty notices requiring organisations to pay up to a maximum of £500,000 for serious data breaches.
The measures are not mutually exclusive and can be used in tandem. Enforcement action that the ICO has taken against organisations is detailed on its website.
The Data Protection Act 1998 also creates a number of criminal offences. The most relevant are:
- Section 17, which prohibits the processing of personal data without registration with the ICO (unless an exemption applies);
- Section 55(1), which makes it an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. There are exceptions, such as where disclosure is necessary for the purposes of crime prevention; and
- Sections 55(4) and 55(5), which make it an offence to sell personal data that have been obtained in contravention of Section 55(1).
There are currently no infringements of the Data Protection Act that can result in imprisonment. Most offences are punishable by way of a fine.
Compensation Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner? Section 13 of the Data Protection Act 1998 provides for compensation for an individual who suffers damage due to a failure of the data controller to comply with the requirements of the Data Protection Act. In the past, this has been available only where there has been a direct financial loss as a result of the breach. In practice, a direct financial loss is rare and actions have seldom been brought under this section.
In Google Inc v Vidal-Hall , the Court of Appeal held that the misuse of personal information is a tort and that a claim can be made under Section 13 for distress alone. Google Inc was awarded leave to appeal the decision of the Court of Appeal, but crucially, not in relation to the question of whether the misuse of personal information is a tort. Therefore, it is clear that potential claimants no longer need to establish financial loss in order to claim for damages for the misuse of personal information; distress alone is sufficient to bring an action.
Cybersecurity legislation, regulation and enforcement Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity? At present, the sole legislative obligation expressly written in relation to cybercrime and/or cybersecurity can be found in Section 105A of the Communications Act 2003 (as amended). Section 105A was added to give effect to the Better Regulation Directive 2009. The act regulates telecommunications companies and internet service providers.
The Information Commissioner's Office has interpreted the Seventh Principle of the Data Protection Act 1998 to include cyber space and a duty for cybersecurity, which is to protect personal data from cybersecurity vulnerabilities and cybercrime.
The Computer Misuse Act 1990 is commonly used in connection with cybersecurity enforcement.
It is possible to interpret the common law duty of negligence in England and Wales in such a way as to require that confidential information be protected by cybersecurity (see B v A County Council  for more information).
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The Information Commissioner's Office frequently refers to ISO/IEC 27001:2013 in its enforcement notices. This international standard “specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of [an] organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of [an] organisation. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature”.
Which cyber activities are criminalised in your jurisdiction?
The Computer Misuse Act 1990, as amended by Part 5 of the Police and Justice Act 2006 and by Part 2 of the Serious Crime Act 2015, specifies those cyber-specific activities that are criminalised in the United Kingdom. Sections 1-3, 35-38, 41-47 and Schedules 1 and 4 of the Computer Misuse Act set out a range of cyber-specific criminal activities, including:
- unauthorised access to computer material;
- unauthorised modification of computer material; and
- unauthorised acts causing, or creating risk of, serious damage.
In addition to the cyber-specific activities set out in the Computer Misuse Act, criminal offences such as fraud, blackmail, harassment and hate crimes are prevalent on many online platforms. For example, an offender might post a racist comment on social media which is then reported to the police. This act may be treated as a criminal offence, notwithstanding the way in which the offence was committed or the medium used to commit that offence.
Which authorities are responsible for enforcing cybersecurity rules? According to the Communications Act 2003, Ofcom is the UK regulator tasked with enforcing cybersecurity rules. However, where personal data is concerned, the Information Commissioner's Office will likely claim responsibility.
Cybersecurity best practice and reporting Can companies obtain insurance for cybersecurity breaches and is it common to do so? Insurance is now readily available for cybersecurity breaches and in January 2016, Lloyd’s of London announced that a set of “common core data requirements for cyber risks” had been agreed through a ground-breaking collaboration with modelling firms AIR Worldwide and RMS/Cambridge Centre of Risk Studies. This collaboration will help standardise what is still a relatively new area of insurance.
According to the UK government, in 2014 “81% of large UK businesses and 60% of small companies suffered a cybersecurity breach”. Despite these significant figures and growing concern among companies of all sizes, a report published on March 23 2015 by the government and Marsh suggested that “less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place”. Therefore, not only would it seem to be fairly rare for companies to have insurance in place at present, but there would also seem to be widespread misunderstanding as to whether companies are in fact covered for cybersecurity breaches by their current policies.
Are companies required to keep records of cybercrime threats, attacks and breaches? Regulation 5A(8) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 provides that service providers (eg, telecommunications providers or internet service providers) in the United Kingdom must keep their own record of all personal data breaches in an inventory or log.
There is currently no legal obligation in the United Kingdom for companies or organisations that are not service providers to keep records of cybercrime threats, attacks or breaches.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities? Section 105B of the Communications Act 2003 provides that a network provider must notify Ofcom of a security breach which has a significant impact on the operation of a public electronic communications network, and of a reduction in the availability of a public electronic communications network which has a significant impact on the network.
In addition, a service provider must notify Ofcom of a breach of security which has a significant impact on the operation of a public electronic communications service. Major incidents or incidents that are likely to generate media or political interest should be reported within 24 hours of commencing. Other incidents should ideally be reported within a few days of the incident commencing, or in batches where a significant number of non-major incidents occur.
Regulation 5A(2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 provides that if a personal data breach occurs, a service provider shall, without undue delay, notify that breach to the Information Commissioner’s Office (ICO). More recently, following the introduction of European Commission Regulation 611/2013, Article 2(2) of the notification regulation made it a requirement that a service provider shall notify the personal data breach to the competent national authority no later than 24 hours after detection of the personal data breach, where feasible.
As regards companies or organisations that are not network or service providers, there is currently no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data. However, the ICO believes that serious breaches should be brought to its attention. The nature of the breach or loss can then be considered together with whether the data controller is correctly meeting its responsibilities under the Data Protection Act 1998. 'Serious' breaches is not defined.
The forthcoming Network and Information Security Directive is also relevant here.
Are companies required to report cybercrime threats, attacks and breaches publicly? Section 105B of the Communications Act 2003 provides that Ofcom may require a network provider or service provider to inform the public of a breach of security, if it thinks that it is in the public interest to do so.
Criminal sanctions and penalties What are the potential criminal sanctions for cybercrime? The Computer Misuse Act 1990, as amended by Part 5 of the Police and Justice Act 2006 and by Part 2 of the Serious Crime Act 2015, specifies the potential criminal sanctions for cybercrimes in the United Kingdom. These range from fines to prison sentences of up to a maximum of 14 years.
What penalties may be imposed for failure to comply with cybersecurity regulations?
A number of tools are available to Ofcom for taking action to change the behaviour of companies or organisations which fail to comply with the Communications Act 2003. Sections 105C and 105D set out Ofcom’s main security and resilience enforcement powers. Under Section 105C, Ofcom can require a network or service provider to undergo an independent audit of its security and resilience arrangements, at the provider’s expense. Section 105D extends Ofcom's powers to enforce compliance with conditions that it has set, such as general conditions and significant market powers conditions, to the enforcement of Sections 105A to C. These enforcement powers include the ability to notify providers of contraventions, to issue directions suspending the entitlement to provide networks or services, and to impose fines of up to £2 million.
The Information Commissioner's Office may also take action.