1. Then and now
We have seen significant changes in the law and practice of data protection between 1998 and 2008. In 1998, it is probably fair to say that data protection was seen as a mundane and administrative task: principally equating to a need to register with the Data Protection Registrar, completing a tedious form and paying for a 3 year registration certificate. Cases and guidance at that point related mainly to host mailing or other direct marketing practices1. Data protection would hardly have featured on the agenda of board meetings or been a subject of government reviews and guidance.
Data protection is now seen as requiring end to end compliance throughout an organisation and, through various means, has climbed up the agenda: data protection (and privacy) is considered by the Cabinet Office2, within major businesses3 and in our newspapers4. Ministers and chief executive officers now concern themselves with data protection compliance.
So what has changed over the last 10 years? In this article we look at some, but not all, of the major issues in data protection now and consider how these have changed since 1998.
2. What is personal data?
To those outside the data protection world it must seem incredible that we are still debating the central issue in data protection: what are we trying to protect? In 1998 we were still operating under the Data Protection Act 1984 (the 1984 Act): it was not until 1 March 2000 that the Data Protection Act 1998 (the 1998 Act) came into force (in its most significant parts). The 1998 Act implemented the Data Protection Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive).
Although the change from the 1984 Act to the 1998 Act did result in differences in the scope of the definition of “personal data”, these have not, with one exception, been subject to any subsequent debate. The major differences in this definition between the two Acts can be summarised as follows:
- First, the definition of “data” was expanded in the 1998 Act to include information recorded with the intention that the information should either be processed automatically or should form part of a relevant filing system. Therefore, the new definition catches recorded information which is not yet in a processable form.
- Second, data which relate to a living individual who can be identified from information likely to come into the possession of the data controller is included in the 1998 Act definition.
- Third, expressions of opinion about the individual, which were expressly excluded under the 1984 Act, are included in the 1998 Act definition.
The second of these changes is the most significant. The inclusion of a likelihood test in the definition causes problems in practice for data controllers. It has often caused debate in data protection circles, leading to detailed and complex guidance from the Information Commissioner’s Office5 (the data protection authority in the UK) and the Article 29 Working Party6 (an EU data protection “think tank” composed of representatives of the Member States’ data protection authorities).
Apart from this detailed and complex guidance on the issue of what is personal data, the UK courts have opined on the question. To make matters more complex, the courts and the data protection regulators have taken divergent views.
In Durant v FSA7 the Court of Appeal considered the definition of personal data and gave judgment on two elements: first, the phrase “relates to” and second, the definition of a relevant filing system8. The court’s comments on the phrase “relate to” have been the most controversial. Auld LJ set the tone of the judgment by stating that: “Mere mention of the [individual] in a document held by [an organisation] does not necessarily amount to his personal data.”
In its judgment the court gave two relevant considerations when looking at the phrase “relating to”:
“Whether the information is biographical in a significant sense, that is, going beyond the recording of the [individual’s] involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised”; and
“The information should have [the individual] as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated”.
In summary, the court viewed this type of information as “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”.
The case related to a Barclays Bank customer, Mr Durant, who had been involved in unsuccessful litigation against the bank. Mr Durant made a request to the FSA to attempt to access files held by the FSA relating to its investigations into Barclays Bank. Mr Durant had hoped that those files would assist him in pursuing his complaint against Barclays. The Court of Appeal held that the information being sought by Mr Durant did not “relate to” him.
This case was held up by data controllers as a significant and useful decision limiting the previously expansive view of personal data. Prior to this case it was generally understood that any mention of an individual would, in practice, be their personal data. This case appeared to turn that view on its head.
Subsequent cases followed the same approach as in Durant. Johnson v MDU9 related to a request by a surgeon, Mr Johnson, for information held by the Medical Defence Union in connection with his own membership and therefore his professional negligence insurance. In this case, Laddie J. held that not all the files held amounted to his personal data. Again Laddie J. in Smith v Lloyds TSB10 decided that information held by Lloyds TSB related to a company, rather than the managing director and controlling shareholder. Mr Smith had attempted to access information about his company which was held by Lloyds TSB by using his personal rights under the 1998 Act.
This narrow version of personal data has now been followed in freedom of information cases. For example, in the Information Tribunal decision, Harcup v ICO and Yorkshire Forward11 , the Tribunal referred to the Durant case and held that the names and organisations of those attending corporate hospitality events did not constitute personal data. However, the names and organisations would have to remain unconnected to fall outside the definition of personal data.
But this is not the end of the story. The Article 29 Working Party produced a paper on the concept of “personal data”12. This text is of course a compromise document. It has been produced by representatives from the data protection authorities of all the members of the EU and as a consequence reflects a divergent set of views of what is “personal data”. That said, the document is clearly written and takes a logical and analytical approach to the definition of personal data in the Data Protection Directive. The opinion breaks down the definition into four key elements:
- any information;
- relating to;
- identified or identifiable;
- natural person.
In summary, the Article 29 Working Party takes a wide notion of personal data but places a purposive construction on that definition. The aim behind having a definition of “personal data” is to protect fundamental rights and it should not be applied mechanistically. The phrase “relating to” is considered with 3 tests:
- Content: information can relate to a person where its content clearly relates to that person.
- Purpose: information can relate to a person where the data are used to evaluate or treat a person in a certain way or influence the status or behaviour of an individual.
- Result: information can relate to a person when the use of the information is likely to have an impact on a person’s rights and interests. This does not necessarily require a major impact – it is sufficient that the individual may be treated differently from others.
The phrase “identified or identifiable” is also reviewed. A person is identified when, within a group, he or she is distinguished from all other members of the group. A person can be directly or indirectly identified. It is important to note that the Article 29 Working Party does not think that a name is necessary: it is enough that a set of information about an individual can be distinguished from information about others. The Working Party specifically states that a merely hypothetical possibility of singling out an individual is not enough; in that case the person would not be identifiable. It follows that it should be possible to put in place technical, or possibly legal, means to prevent identification. Where this is done, information can be anonymised effectively and the data protection obligations will not apply.
The ICO produced guidance13 on 21 August 2007 to follow on from the Article 29 Working Party’s opinion. However, the ICO suffered from the problem of having to balance the UK caselaw (principally the Durant decision) with the Article 29 Working Party views. This has led to a difficult piece of ICO guidance. The guidance suggests that biographical significance and focus (the two considerations from Durant) are only important in non-obvious cases of relevance.
The latest and most significant decision in this area is CSA v Scottish Information Commissioner14. Again, this is a case from the freedom of information world. A request was made under the Freedom of Information (Scotland) Act 2002 (FOISA) for information on the incidence of childhood leukaemia in a particular ward in Scotland. The request was refused on the basis that, even with identifying details removed, the number of cases was so low that it would be possible, in combination with other information, to identify the individual children concerned. One possible solution is the statistical technique of barnardisation: each cell in the table is randomly perturbed by a small amount, so that the overall figures remain approximately accurate but a low count no longer reveals whether a particular individual is present in it.
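The singling-out problem described in the Article 29 opinion and the barnardisation technique mentioned in the CSA case are easier to see on a concrete table. The following Python is an added example (it is not part of the original article nor any published disclosure-control tool): it flags low non-zero cells in a constructed table of counts and then applies barnardisation. The threshold of 5, the -1/0/+1 perturbation with probabilities 0.25/0.5/0.25, and the sample figures are all assumptions for illustration.

```python
import random
from typing import Dict, List, Set, Tuple

Cell = Tuple[str, str]

# Constructed sample table (not real data): counts of a rare condition by
# ward and age band, of the kind at issue in the CSA case.
SAMPLE_COUNTS: Dict[Cell, int] = {
    ("Ward A", "0-4"): 1,
    ("Ward A", "5-9"): 0,
    ("Ward A", "10-14"): 2,
    ("Ward B", "0-4"): 0,
    ("Ward B", "5-9"): 1,
    ("Ward B", "10-14"): 7,
}


def small_cells(counts: Dict[Cell, int], threshold: int = 5) -> List[Cell]:
    """Cells with a low but non-zero count.

    Such a cell names nobody, but combined with other information (a known
    diagnosis, a home address in the ward) it can single a person out, which
    is why a raw table like this could not be released.  The threshold of 5
    is a common disclosure-control rule of thumb and is assumed here.
    """
    return sorted(cell for cell, n in counts.items() if 0 < n < threshold)


def barnardise(counts: Dict[Cell, int], rng: random.Random) -> Dict[Cell, int]:
    """Barnardise a table: add -1, 0 or +1 to every non-zero cell.

    With the assumed probabilities 0.25 / 0.5 / 0.25 the expected change to
    any cell, and therefore to any total, is zero, so totals stay roughly
    right while no single cell can be trusted to within one.  Zero cells are
    left alone; a cell of 1 may drop to 0, which is what makes a published
    0 or 1 ambiguous to the reader.
    """
    released: Dict[Cell, int] = {}
    for cell, n in counts.items():
        released[cell] = 0 if n == 0 else n + rng.choice((-1, 0, 0, 1))
    return released


def release_table(counts: Dict[Cell, int], seed: int = 2008) -> Dict[Cell, int]:
    """Barnardise with a fixed seed so a run can be reproduced and checked."""
    return barnardise(counts, random.Random(seed))


def possible_originals(published: int) -> Set[int]:
    """What a reader can infer about the true count from one released cell.

    A released 0 was 0 or 1.  A released n >= 1 was n-1, n or n+1, except
    that it cannot have been 0 (zeros are never perturbed), so a released 1
    was 1 or 2.  This ambiguity is what stops a low cell from confirming
    that a particular child in the ward has the condition.
    """
    if published == 0:
        return {0, 1}
    return {m for m in (published - 1, published, published + 1) if m >= 1}


def total(counts: Dict[Cell, int]) -> int:
    return sum(counts.values())


if __name__ == "__main__":
    print("disclosive cells:", small_cells(SAMPLE_COUNTS))
    released = release_table(SAMPLE_COUNTS)
    for cell in sorted(SAMPLE_COUNTS):
        print(cell, SAMPLE_COUNTS[cell], "->", released[cell])
    print("true total", total(SAMPLE_COUNTS), "released total", total(released))
```

Note that barnardisation protects individual cells rather than totals: the released total can drift from the true one by up to the number of non-zero cells, and the perturbation must be applied once and the same released table reused, since repeated independent releases would let a reader average the noise away.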
In this case the House of Lords noted that there is no presumption in favour of the release of personal data in response to the general obligation under FOISA. It considered the Durant decision and in particular comments by Auld LJ that mere mention of the individual in a document did not necessarily amount to his personal data. The House of Lords held that the observations in Durant did not have any relevance to the definition of personal data in this case. The answer to the issue was to be found in the wording of the 1998 Act’s definition and the Data Protection Directive.
So, 10 years on and the definition of personal data is more clouded now than it was in 1998. In fact, perhaps we now have two definitions of “personal data”: one for general use and one for dealing with cases where an individual requests his/her own personal data (i.e. subject access cases).
3. Data protection compliance and red tape
Under the 1984 Act data protection was predominantly seen as an administrative task, mainly requiring registration with the Data Protection Registrar and careful handling of information when carrying out direct marketing.
However, there have been some organisations where data protection compliance has been a barrier to good practice. For example, in 2003 British Gas quoted compliance with the 1998 Act as the reason why they had not notified the relevant authorities of a vulnerable retired couple who had been cut off from gas supply. The couple subsequently died, one from hypothermia and the other from a heart attack15. More recently, Marks & Spencer blamed the 1998 Act when a Marks & Spencer employee told the mother of a 7 year old that they could not talk to her about the delivery of her son’s Superman suit because it would infringe his data protection rights.16
The ICO has urged organisations not to use data protection as a “duck out”17. A press release from 1 September 2008 lists a number of common myths and contrasts them with the reality. For example, on 30 September 2005 the Daily Telegraph stated that priests within the Roman Catholic Church were told to stop praying for sick parishioners by name, for fear that they would be prosecuted under the Data Protection Act. (In reality, the 1998 Act would not apply unless the details were recorded in some way, by tape or in writing, and on computer or in a filing system. In any event, as the ICO points out, most parishioners would be happy to have their name given out in these circumstances!)
The ICO continues to battle against the view of data protection as red tape and a barrier to good practice. Recent data protection losses have led to the heightened awareness of data protection as an issue and the need to ensure end to end data protection compliance in any business or organisation. In the government sector the National Audit Office and the Cabinet Office have produced guidance on information handling ensuring that as an issue this is much more prominent.18
4. Security of personal data
No article in 2008 on the topic of data protection would be complete without a reference to the issue of security. As Richard Thomas, the Information Commissioner, said in 2007, there has been a “frankly horrifying” list of breaches19 over recent years. Again in 2008, reflecting on more data losses, Richard Thomas referred to the “toxic liability” which exists in information and requires organisations to take proper care of records20.
A large number of these losses have been in the public sector, with HMRC losing 25 million records on 2 discs and the MoD losing 1 million records on a stolen laptop. The ICO has investigated and issued enforcement notices in both these cases21. In the financial services sector, the Financial Services Authority has investigated and fined organisations for loss of customer information and poor security procedures22. Nationwide Building Society received a fine of £980,000 for poor security procedures after a laptop was lost and it took 3 weeks for the organisation to establish what data the laptop held. Norwich Union Life was fined £1.3 million after it transpired that poor call centre security enabled fraudsters to cash in life assurance policies. There have also been breaches outside government and the financial sector: for example, in September 2008, the ICO found Virgin Media Ltd in breach of data protection following the loss of an unencrypted CD containing personal details of over 3,000 customers23.
The 1998 Act does not prescribe any specific security measures. Unlike some other jurisdictions, such as Spain, the security obligations in the 1998 Act are expressed at a general level, requiring an organisation to take “appropriate technical and organisational measures … against unauthorised or unlawful processing … and … accidental loss … destruction … or damage to personal data”. In doing so, organisations must have regard to “the state of technological development … the cost of implementing any measures … the harm that might result [from the breach] … the nature of the data to be protected”. (See the 7th data protection principle in the 1998 Act.)24
This is a general statement of obligations not limited by listed technologies or standards and can therefore change over time. On the down side it is not specific and therefore can cause much confusion and difficulty for organisations trying to determine what their true obligations are. However, it has the advantage that the flexibility in drafting allows the level of security to vary depending on the information which is being protected and the risk which may result from disclosure.
The 1998 Act contains some further statutory interpretation of these obligations including the requirement for an organisation to take reasonable steps to ensure the reliability of employees with access to personal data. In addition, an organisation appointing a processor must choose one who can provide sufficient security guarantees and take reasonable steps to ensure compliance. In practice, this means that organisations should be carrying out audits or at least have the ability to audit compliance. Organisations must have a specific written contract stating that a processor will act only on the instructions of the organisation and will adhere to security obligations referred to above.
The ICO’s security guidance has, in the past, been very general, advising organisations to control access to information, so that only those who need to see it do actually see it, and take care in staff selection and training25.
More recently, following the data losses, the ICO has issued new guidance. Early in 2008, the ICO issued a view26 stating that it would expect encryption on any laptop carrying personal data, that organisations should follow ISO 27001 for their security policy, and that encryption should meet the FIPS 140-2 standard or an equivalent. If the laptop was encrypted, its loss would not need to be notified to the ICO, since the information on it could be assumed to be protected.
In most US states there are laws requiring notification of any loss of personally identifiable information. No such security breach notification law exists in the UK. The ICO has issued guidance on security breach procedures and on when notification to the ICO would be recommended27. The ICO recommends, as good practice, notification of significant data loss events, such as the loss of information on 1,000 or more individuals or the loss of particularly sensitive information. At this stage, the ICO has not recommended security breach notification laws, since it questions the benefits which would accrue28.
It is possible to glean some useful lessons from the recent reports into government data losses. The Cabinet Office Data Handling Report29 recommends, within government, strong governance and the notification of incidents in departmental accounts. This has no doubt contributed to the heightened awareness of data protection compliance within government. Government departments are reviewing contracts and procedures, NHS trusts are required to notify breaches in their annual reports, and this will lead to greater awareness of the need to comply. Sir Edmund Burton’s report30 into the lost MoD laptop highlights the need for data minimisation: the recruiting officer using the laptop only needed a few records in order to carry out his job. However, because of the IT procedures followed, the laptop had over 1 million records downloaded to it. Data minimisation is a particular theme being promoted by the ICO at present31.
The HMRC loss was investigated by Kieran Poynter of PwC32. The Poynter report highlighted the need for improved staff training and accountability for information. The use of physical media such as discs should be phased out and encrypted electronic transfers used instead. The report also recommended the segregation of data, i.e. the disaggregation and removal of non-key elements so that only the essential items are available for any particular transaction or processing operation.
5. Prohibition on transfers of personal data outside the EEA
One of the most significant changes in the 1998 Act was, after a reshuffling of the 8 data protection principles in the 1984 Act, the insertion of a new 8th principle. This new principle prevented the transfer of personal data outside the EEA33 unless adequate protection was shown for that transfer. At the time, there were debates34 that this would result in a trade war with the US and have a significant impact on global business. In the end a number of compromises were reached and implemented to enable the transfers to continue. It is probably fair to say that a large number of organisations ignored this prohibition for years as it was so difficult to comply. However, most if not all, organisations should now be aware of it and be using one of the compromise solutions.
The solution most frequently used is that of an EU approved model contract35. These contracts permit the transfer of personal data outside the EEA where the parties sending and receiving the information sign up to the approved terms. There are two sets for the transfers between data controllers and one set for the transfer from a data controller to a data processor36. However, these contracts suffer from a number of problems. First, there is the complexity of use where there are multiple transfers, perhaps within a set of group companies. This would potentially require a contract for each transfer. In addition, in some jurisdictions inside the EU, local registration and/or notification and approval of the contract is required. In the UK there is no need to register, notify or obtain approval and therefore it is relatively simple. Finally, the terms of the contract are, in some cases, un-commercial, requiring a form of joint and several liability between the sender and the recipient of the information.
Certain countries are approved as having an adequate set of local laws or procedures to protect information and consequently transfers to these countries can be made without any further compliance steps37. However, the list of countries is extremely small being: Argentina, Canada38, Guernsey, Jersey, Isle of Man and Switzerland. Transfers to the USA are permitted provided that the recipient is a member of the Safe Harbor arrangement39. US organisations which are regulated by the Federal Trade Commission (FTC) can promise to adhere to the Safe Harbor principles which, together with a set of frequently asked questions, are designed to ensure an equivalent level of data protection to that within the EU. Organisations are required to register their adherence to the Safe Harbor principles and carry out self regulation, backed up by enforcement by the FTC. With 1,619 organisations on the list as at the start of November 2008, this has been a great improvement on the early days when only a few hundred organisations were on the Safe Harbor list. Questions still exist over the effectiveness of Safe Harbor and the EU in particular has concerns that there have never been any investigations or enforcement relating to Safe Harbor compliance.40
Organisations in some cases try to rely on some of the exemptions set out in Schedule 4 to the 1998 Act. These permit transfer where there is valid consent from the individual or where it is necessary for compliance with a contract either with the individual or at the instruction of the individual. Generally data protection regulators do not approve of the use of consent in these circumstances, since they would prefer a set of processes which protect the information whilst outside the EU, rather than obtaining the consent of the individual to the processing of the information without any protection41.
Since none of these solutions are perfect, organisations have been seeking a practical solution for global businesses. Binding corporate rules (BCRs) were devised to meet this need. In this procedure, an organisation sets out the method by which it processes personal information and how it controls compliance by its employees and contractors. In effect, this is an internal data protection “law” within a group. An application is made to data protection regulators to approve the BCRs. If they are approved then transfers within the group and in accordance with the rules will be permitted. The process has been slow and there have been barely a handful of approved sets of rules42.
In October 2008 data protection regulators in 9 countries (France, Germany, Ireland, Italy, Latvia, Luxembourg, Netherlands, Spain & the UK) publicised a mutual recognition procedure. Under this procedure, if any one of the listed countries receives a BCR application and approves it, the others are committed to endorsing that approval. It appears, however, that there is still some disparity of view within this group of 9, with some countries completely committed to mutual recognition and others stating only that they intend to “work towards” it. It is hoped that this mutual recognition procedure will kick start the approval process and encourage organisations to use BCRs.
6. Enforcement and Compensation
Data protection enforcement in the EU varies greatly with some countries using criminal offences frequently and levying high fines and others taking a more “softly softly” approach. Traditionally, the ICO has tried to educate and encourage best practice, other than where the criminal offences of non-registration or the illegal sale of personal data have been committed43. More recently there has been a new enforcement strategy44 which indicated that the ICO intended to use selective enforcement, such that not every complaint would lead to enforcement. The ICO would co-operate with data controllers and other regulators and be prepared to “name and shame” defaulting organisations. The strategy listed a number of criteria for enforcement action such as the detriment being suffered, the number of people affected, the need to clarify the law and whether the remedial costs were proportionate.
The ICO has powers to issue an enforcement notice, effectively an order requiring compliance45. The ICO is not a large organisation and the costs of running a formal enforcement have been great. Therefore, the ICO has in the last eighteen months commenced a process of using written undertakings46. These undertakings are then published on the ICO’s website, using the “name and shame” principle. From the ICO’s perspective the undertakings have a benefit, in that they are easier, quicker and cheaper to obtain. Organisations on the receiving end of undertakings have some opportunity to negotiate the wording, but cannot prevent them being published.47 The legal effect of these undertakings is unclear, since they are not regulated or referred to in the 1998 Act. The duration of the undertakings appears to be unlimited. In practice, the ICO will probably use them as evidence for any future enforcement, since the organisation affected could not claim that it was not aware that it was in breach, and as a deterrent to other organisations.
The 1998 Act includes some criminal offences and sanctions. In the main, these relate to non-compliance with an enforcement notice or information notice, failure to notify or the deceitful obtaining of personal data. At present, the sanctions relate to an unlimited fine, community service or the possible personal liability of directors and officers48.
By the end of 2008 there will be a major addition to the ICO’s enforcement powers, which is likely to result in data protection compliance becoming even more important for UK organisations. Until now, the ICO has not had the power to fine or the power to carry out audits. As a result organisations might consider that the potential risks of data protection breaches are not material, when compared with the powers of the FSA or other regulators. However, by the end of the year Section 144 of the Criminal Justice and Immigration Act 2008 is likely to be in force. This section will amend the 1998 Act to enable the ICO to levy monetary penalties. The ICO has stated that they intend this to be a strong deterrent. We are presently waiting for implementing regulations and ICO guidance on how the penalties will be levied. The trigger for the penalties will be the deliberate or reckless breach of data protection principles which are serious and could cause substantial damage or distress.
In 2006 the ICO issued a report, entitled What Price Privacy?, on the illegal trade in personal information. There is now potential for the Secretary of State to pass an order to include imprisonment as a sanction applying to breaches of Section 55 of the 1998 Act (i.e. the unlawful obtaining of personal data). The order would increase the present sanction (of a fine) to 12 months on summary conviction (6 months in Northern Ireland) and on indictment two years imprisonment. Prior to making any order there would need to be a consultation with the ICO, media and any other relevant person. This has been stated to be the “last chance” for the media. The ICO has serious concerns over the large number of breaches of the 1998 Act by journalists (or on their behalf) when preparing articles or news reports. If there is no improvement in this practice then the ICO will push to have the imprisonment sanction enacted.
7. Where now for Data Protection?
The debate over enforcement powers is not over, as the ICO would very much like to have the power to audit without consent. At present, the ICO may only audit if an organisation agrees to this. The Thomas-Walport Report of July 200850 called for increased ICO powers, including the power to audit without consent. The Ministry of Justice have consulted on this issue (and related changes to the 1998 Act) in July 200851 and there is a possibility of the change being implemented in the Law Reform Bill 2008. There is also a proposal for tiered notification fees, so that larger organisations will pay more than the present £35. This is intended to increase ICO funding to enable it to be better placed for enforcement action.
The Data Retention Directive 2006/24/EC52 is due to be brought completely into force by 15 March 2009. We already have regulations requiring the retention of data relating to calls (e.g. duration, phone numbers, phone service used, location of mobiles) for twelve months53. There are now proposals for a communications database in which all communications, including emails, would be retained by service providers for access by the Government54. The ICO is strongly against such a communications database55.
Finally, there is the continuing development of privacy law and its inter-relation with data protection. Curiously, the 1998 Act does not contain the word “privacy”. The right of privacy is encapsulated in Article 8 of the European Convention on Human Rights, which is given effect in the UK by the Human Rights Act 1998. Under this Act courts, tribunals and other public bodies are required to act in a way that preserves and promotes this right (together with other fundamental rights)56. This has led to a series of decisions, mainly involving celebrities and the media, on the right of privacy. Often these decisions combine a claim for breach of privacy with a claim for a breach of the 1998 Act. The end result is therefore a merger of the two, although frequently the privacy-related claim takes priority.
In the UK, we have now reached a point where there is a right of privacy, which has been created, in effect, by the development of the law of confidentiality into a right to prevent the misuse of private information. In Murray v Big Picture UK Limited57 the Court of Appeal made authoritative statements on the tort of the misuse of private information and the relevant considerations where there may be a breach of privacy. This case concerned photographs of J.K. Rowling’s son, David Murray, whilst he and his parents were in a public place. The court suggested that if publication of the photographs proved unlawful under Article 8 then this would also be automatically a breach of the 1998 Act. Sir Anthony Clarke, Master of the Rolls, gave an authoritative statement of the key principles relating to the right to informational privacy. He stated that: “although the origin of the cause of action relied upon is breach of confidence, since information about an individual’s private life would not, in ordinary usage, be called “confidential”, the more natural description of the position today is that such information is private and the essence of the tort is better encapsulated now as the misuse of private information” and “essentially the touchstone of private life is whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy”.
In this case the Master of the Rolls also drew attention to the possibility that the interpretation of the word “damage” in Section 13(1) of the 1998 Act may have been incorrect, given the purpose of the 1998 Act was to enact the provisions of the Data Protection Directive. This issue will be considered when the matter is reheard. It is a significant issue since, at present, the generally held view is that only pecuniary loss is recoverable. If there is a change of the law here and claimants are able to recover damages for distress, without showing pecuniary loss, then we may see a large increase in legal claims for data protection breaches.
So, in closing, we should prepare ourselves for an interesting second decade of the 1998 Act, although we may see renewed legislation during this period. Despite the fact that the EC has decided it is not presently necessary to update the Data Protection Directive58, there are reviews by the ICO to promote changes to the Data Protection Directive59. Whatever happens to the 1998 Act, data protection compliance is now on the agenda for government, businesses and the media and set to stay that way.