Tuesday, December 9, 2008

Data protection act and online businesses

In the UK the collection and use of personal data is governed by the Data Protection Act 1998 (DPA), the act and its accompanying legislation came into force on 01 March 2000. The DPA was implemented in order to satisfy the EC Directive on the protection of individuals with regards to the processing of personal data and the free movement of such data (95/46/EEC) and it replaced the previous Data Protection Act of 1984.

Data Protection issues have hit the headlines in recent years as a variety of businesses and organisations lose data, provide third parties with personal data and in some of the most well known instances refuse to provide seemingly legitimate parties with data that they require . Because of this it is an important and often overlooked consideration for any business, and especially for a business that is looking to establish itself online as a number of additional data protection issues arise.

The majority of online businesses will collect non-sensitive personal data such as: name, contact details, credit card details mostly for the purpose of supplying goods or services to users of the site or for contacting users with direct marketing. Under the DPA privacy policies are not a requirement for websites but they can be a useful method of insuring compliance with certain aspects of the DPA. Non-compliance with the DPA is a serious matter that can lead to criminal sanctions with directors and other such company officials potentially being made personally liable, the company will also be liable for damages and potentially a great deal of negative publicity.

Personal data consists of data that relates to a living individual who can be identified from that data or from that and other information that the data user has or is likely to come into the possession of . This brings up the question what is data? Under the DPA 1998 data includes information processed by computers, contained in relevant filing systems and accessible records. Relevant filing systems are defined in S(1) of the DPA 1998 as a set of information that is:

"Structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily available"

The idea of 'accessible records' was introduced following the Gaskin case in which the Court held that some records fall under the heading of 'private and family life' and as such come under the remit of Article 8 of the European Convention on Human Rights, examples of the records that fall within the Gaskin remit can be found in Section 68 and Schedule 12 of the DPA 1998 . On top of this already slightly confusing definition of 'data' the Freedom of Information Act 2000 has added information recorded by a 'public authority' that doesnÕt fall under any of the other categories . Although of course this is unlikely to affect a company moving online.

Before I go in to too much detail about how the DPA 1998 will affect an online business we finally need to look at the three main categories of persons that are defined under it:

  • 'Data subjects': the individuals who are the subject of the personal data.
  • 'Data controllers': the person (or persons) who "determines the purposes for which and the manner in which" the data is processed .
  • 'Data processor': third parties that process the personal data on behalf of the data controller but do not control the contents or use of the data.

A key concept of the DPA 1998 is that for the processing of the majority of personal data consent must be given by the data subject (processing being defined under S1 DPA ). But under Schedule 2 of the DPA data controllers can process certain data without the data subjects consent, the most relevant provision of which is where the performance of a contract is subject to the processing of said data. For a company looking to start an online business they will be able to rely on Schedule 2 if their data processing is for example to process an online transaction. But the majority of businesses will opt for the 'consent' route as this provides the safest option, such consent must be "freely given, specific and informed" . It remains unclear as to exactly what this contains although it is widely believed that not clicking 'opt out' boxes for example is not sufficient to show implied consent. Academics identify the lack of clarification in the DPA 1998, this position has been defended by the Government:

"The Government are content for the issue of whether consent has been validly given to be determined by the courts in the normal wayÉ.It is better for the courts to decide according to ordinary principles of law than for the Act to contain specific consent provisions"

This absence of clarification will allow the data controller a greater deal of flexibility as to how they deal with the issue of consent, but the most sure method would be to include a clear 'agree' or 'accept' button directly on the page of the privacy policy (the privacy policy being the established way of including data protection terms on a website).

The DPA applies only to data controllers who are established in the UK, this is determined as follows :

  • UK registered companies.
  • Those who maintain an office, branch or agency in the UK.
  • Individuals who are ordinarily resident in the UK.

Needless to say there has been considerable trouble regarding online businesses who arguably have a worldwide presence due to the worldwide nature of the internet. A company looking to start an online business will have to consider for example the whereabouts of their servers as these would be covered under the DPA .

The DPA 1998 continues with the principles set out in the 1984 act, in basis these are intended to be good practices that data controllers should comply with in order to protect the data that they control. But the DPA 1998 renumbers these principles and dictates that the data controller has a duty to comply with the principles unless an exemption applies . The principles and their affect on online businesses are detailed below:

  1. The first principle requires fair and lawful processing, this refers back to Schedule 2 and 3 of the DPA 1998 and the issue of consent. i.e. where no explicit consent has been given the processing of personal data must be 'necessary' , in the event of any dispute the burden of proof is on the data controller. 'Fair' processing was determined under the Innovation (Mail Order) Limited case and also under the Data Protection Directive . In basis it requires the data controller to provide the data subject with information regarding why the data is being collected and what it is to be used for, except where the data subject already has such information. The data controller is though exempt where a third party has collected the data and it is a 'disproportionate effort' for the data controller to provide the information.
  2. Under the second principle the data controller must obtain data only for specified and lawful purposes and must not carry out any further processing which is incompatible with these purposes. For example if an online business obtains data for the purpose of processing a transaction and uses the data for marketing purposes without prior consent.
  3. The third principle requires that the data controller holds only personal data that is 'adequate, relevant and not excessive in relation to that purpose or those purposes'. For the purpose of an online business it should be made clear if there is optional information, for example if the website is supplying an online quote then there will probably be no need to obtain a customers name or gender etc, whilst it is fine to collect this information it should be marked as optional in order to show that the site is complying with the DPA.
  4. Principle four requires that all personal data 'shall be accurate and, where necessary, kept up to date.
  5. The fifth principle states that personal data 'shall not be kept for longer than is necessary for that purpose or those purposes'. So when the use for which the data was collected has ended such data should be destroyed, so an online business which receives enquiries should ensure that they only keep such data for the time it is used to process the enquiry after such it should be destroyed. A large number of such sites include as part of their privacy policy a term stating that such data will be destroyed after six months if the quote has not been taken any further.
  6. Under the sixth principle data must be processed in accordance with the rights of the data subject under the Act. (Please see below for more detail about a data subjects rights).
  7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In order to adhere to this principle an online business should ensure that both employees and any data processors have written contractual obligations to ensure that they do not process data outside of such a remit. They should also ensure that technological measures are taken to protect the data i.e. firewalls on machines with such data, frequent password changes, virus protection etc and from an organisational sense the business should ensure that only those people who need to access data can access such data. It can prove especially difficult with online business that have a need to operate 24 hours a day and thus employees are remotely connected at all times, so all mobile equipment must have adequate encryption software especially since the Inland Revenue lost over 25 million peoples data .
  8. The eighth principle is perhaps the most pertinent to online businesses, it states: Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Ideally an online business would include such data transfers in their privacy policy this would ensure consent. Otherwise what is considered as a transfer is quite wide see the case of Lindqvist where placing personal data on a website that can be accessed from overseas was considered as a 'transfer' and thus would come under the eighth principle.
  9. Before a data controller can process data they must register with the Information Commissioner there is a fee of £30 applicable for this. Data subjects themselves must be given information regarding the purpose of the processing. More often than not this is provided in the form of a data protection notice which can frequently be found in application forms, terms and conditions etc. The information must be set out in a data protection notice and must include a description of:

    • Data Controller details.
    • Purpose of the processing.
    • Recipients' details of who they are and what their purposes are.
    • Opt Out/In to any marketing as appropriate.
    • Contact - a description of the methods to be used for contracting individuals for marketing purposes.
    • Information - any further information necessary to make the processing fair.

    As mentioned in principle 6 data controllers must give rights to the data subjects as follows:

    • The right of access to his/her personal data.
    • The right to object to certain processing causing substantial damage or stress.
    • The right to object to automated decision making, and
    • The right to object to direct marketing.

No comments:

Post a Comment