Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Collection and storage of data
Collection and management In what circumstances can personal data be collected, stored and processed? Broadly, collection, storage and processing can occur where a data controller has satisfied all of the principles in the Data Protection Act 1998. The principles are fluid and can interact but, for simplicity, can be largely categorised as follows.
|Principles||Personal data shall|
|Collection||2 + 3||
|Storage||5 + 7||
|Processing||1, 4, 6 + 8||
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records? The Fifth Principle of the Data Protection Act 1998 states that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. The act does not, therefore, provide for a specific retention period for personal data.
If enacted, the Investigatory Powers Bill currently going through Parliament will oblige communications companies to store personal data for up to 12 months for use by the security services.
Do individuals have a right to access personal information about them that is held by an organisation? Yes. Section 7 of the Data Protection Act 1998 entitles a data subject to access copies of the information about him or her which an organisation holds. This is commonly referred to as a ‘subject access request’ and must be made in writing. The data subject has the right to be informed as to whether the controller is processing his or her personal data. If so, the data controller must provide:
- a description of the personal data of which that individual is the data subject, the purposes for processing and the recipients to which it has been or may be disclosed;
- a copy of the data; and
- the source of the data.
Data controllers that receive a subject access request must respond to the request within 40 days of receipt.
Do individuals have a right to request deletion of their data? Yes. Section 14 of the Data Protection Act 1998 gives data subjects the right to apply to the court to rectify, block, erase or destroy inaccurate data. Data subjects will usually direct their requests to the data controller and, if the data controller maintains that the data is accurate, the subject can lodge a complaint with the Information Commissioner's Office. The burden of proof rests with the data subject to prove that data is inaccurate. If the data subject is not satisfied with the outcome of the complaint, he or she may issue proceedings.
Consent obligations Is consent required before processing personal data? Not necessarily. Schedule 2 of the Data Protection Act 1998 sets out the conditions that must be met before personal data can be processed. The consent of the data subject is listed in Schedule 2. The data controller can process personal data so long as one of the conditions listed in Schedule 2 is satisfied; there is no hierarchy of preference.
If consent is not provided, are there other circumstances in which data processing is permitted? If consent is not provided, personal data may also be processed where:
- the processing is necessary for the performance of a contract to which the data subject is party;
- the processing is necessary for compliance with a legal obligation to which the data controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject;
- the processing is necessary for:
- the administration of justice;
- the exercise of any functions of either house of Parliament;
- the exercise of any functions conferred on any person by or under any enactment;
- the exercise of any functions of the crown, a minister of the crown or a government department; or
- the exercise of any other functions of a public nature exercised in the public interest by any person; or
- the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to which the data is disclosed.
What information must be provided to individuals when personal data is collected? The First Principle of the Data Protection Act 1998 provides that personal data shall be processed fairly and lawfully. Schedule 1, Part 2 makes clear that data is not to be treated as processed fairly unless the following information is provided to the data subject:
- the identity of the data controller;
- the identity of any representative (if nominated by the data controller for the purposes of the Data Protection Act);
- the purposes for which the data is intended to be processed; and
- any further information which is necessary to enable processing to be fair, having regard to the specific circumstances.
With regard to the specific circumstances referred to above, the Information Commissioner's Office's Privacy Notices Code of Practice encourages data controllers to consider the reasonable expectations of the data subjects.
The above information should be provided when the data controller first processes the data or, where data is not provided directly by the data subject, as soon as practicable after processing.
Data transfer and third parties
Cross-border data transfer What rules govern the transfer of data outside your jurisdiction? The Eighth Principle of the Data Protection Act 1998 provides that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Schedule 4 of the Data Protection Act outlines a number of cases to which the Eighth Principle does not apply. These include the following:
- The data subject has given his or her consent to the transfer;
- The transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject which is either entered into at the request of the data subject or in the interests of the data subject; and
- The transfer has been authorised by the Information Commissioner’s Office as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
Are there restrictions on the geographic transfer of data? Personal data may be transferred to other jurisdictions within the European Economic Area (EEA) without restriction.
If none of the exemptions in Schedule 4 of the Data Protection Act 1998 apply, personal data may not be transferred to jurisdictions outside the EEA unless:
- the European Commission has made a decision recognising the adequacy of the jurisdiction. The commission has the authority, under Article 25(6) of Directive 95/46/EC, to determine whether a third country ensures an adequate level of protection by reason of its domestic law or the international commitments that it has entered into. The commission has recognised the following jurisdictions as adequate: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay;
- the data controller enters into standard contractual clauses with the data processor or controller that receives the data. Standard contractual clauses are data transfer agreements approved by the European Commission as providing adequate protection;
- the data controller drafts its own contract after a risk assessment to ensure adequacy; or
- the data controller is part of a multinational organisation transferring information outside the EEA but within its group of entities and has adopted binding corporate rules which provide individuals with legally enforceable rights. The rules must be approved by all relevant European data protection authorities, which will cooperate with each other in assessing the rules.
Third parties Do any specific requirements apply to data owners where personal data is transferred to a third party for processing? The Seventh Principle of the Data Protection Act 1998 obliges data controllers to ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In order to ensure compliance with this principle where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must:
- choose a processor that provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
- take reasonable steps to ensure compliance with those measures.
Click here to view the full article.