Data Protection Update

March 1, 2000

Rosemary Jay is a Senior Consultant at Masons (Manchester) and was formerly Legal Adviser to the Data Protection Registrar. She may be contacted at rosemary.jay@masons.com


Rosemary Jay

Proposed Orders

The Home Office has published a further seven draft orders under the Data Protection Act 1998 (DPA 98) which are available on its Web site at www.homeoffice.gov.uk/ccpd. The proposed orders relate to:

  • consumer credit notices
  • subject access to health data
  • proceedings of the Data Protection Tribunal
  • the corporate finance exemption
  • additional grounds for processing sensitive data
  • the circumstances in which the third party notice requirements can be avoided.

All were made available on 9 November 1999. The proposed notification regulations were added on 20 January.

Of those added in November, the first three largely re-enact earlier provisions or embody proposals which had been published previously.

The draft sensitive data order proposes to add a further 10 grounds on which sensitive data may be processed. Different grounds are subject to different safeguards and conditions but in outline cover:

  • processing for the prevention or detection of unlawful acts
  • processing for the protection of the public from incompetence or mismanagement in certain fields
  • certain disclosures for journalistic, literary or artistic purposes
  • processing to provide confidential counselling or advice
  • processing for certain pension schemes
  • processing in some insurance contexts
  • processing of data for ethnic monitoring
  • processing of political opinion data by political parties
  • processing for archival purpose
  • processing by police constables in the exercise of their common-law powers.

The draft third-party notice order will apply where a data controller has obtained personal data about the subject from a third party without the data subject’s knowledge and the provision of the usual information to the subject would involve disproportionate effort. The data controller can avoid the provision of information to the data subject if the data subject has not lodged a prior written request to be supplied with such information and the controller logs his reason for believing that disproportionate effort would be involved.

Only the first condition applies to data controllers whose recording or disclosure of data is in compliance with a legal obligation.

It has only been possible to conduct an initial review of the proposed notification order before going to print; however, the following points are worth noting.

1. There will be some staggering of the transition from registration to notification. It is however unclear whether it will still have to be completed by 24 October 2001. Data users could continue to register or renew existing registration under the 1984 Act until the end of February 2000. Registrations under the 1984 Act last for three years. Thus a large number of registrations which have been renewed or started since October 1998 are all due to expire on 24 October 2001. An amendment to the DPA 98 appears in the Freedom of Information Bill. Taken together with the provisions in the draft notification regulations, this appears to allow some staggering of implementation but all registrations will still have become notifications by 24 October 2001. However it is understood from the Registrar’s office that the Home Office intend to provide for registrations to last until February 2003, or even August 2003 for those who registered six months in advance.

2. The details of purposes, data subjects, classes or other particulars are not specified in the draft regulations. These are to be decided by the Commissioner.

3. Exemptions are proposed which cover processing for staff administration purposes; advertising, marketing and public relations; accounts and records and non-profit making organisations. In each case there are limits on the data which may be held and the uses and disclosures which may be made. There is no specific small business exemption.

4. Partnerships and schools are to be allowed to notify jointly but there is no general provision for shared notifications.

5. The additional information to be included with the entry is very limited and largely reproduces what is found on an existing entry.

6. The obligations to notify the Commissioner of changes to the processing and other particulars are specified in more detail.

7. The annual fee for notification has been set at £35 per annum irrespective of the size or nature of the organisation.

8. The time limits for responses by the Commissioner have been set at 10 days to respond and inform a data controller if the Commissioner considers that the notified processing includes assessable processing and 28 days after entry into the register in other cases.

9. There is a provision having equivalent effect to the ‘deemed’ registration provisions of the 1984 Act so that a data controller who lodges an application for notification is protected from prosecution while it is pending.

Overall the effect is largely to repeat the current registration scheme.

Freedom of Information

The Freedom of Information Bill was introduced to the House of Commons on 18 November 1999. The Bill was little changed from the draft which had been considered in Committees of both Houses earlier in the year. The interface between data protection and access to information, which was mentioned in the last column as having attracted concerned comments from the Registrar, has not been changed. The Bill is currently being considered in Commons Committee.

Recent Guidance issued by the Registrar

The Registrar’s office has prepared a summary of advice on transborder data flows (be warned that the summary runs to 12 pages) which should be available on the Web site by the time this is printed. This provides some useful examples.

A draft code on the use of CCTV has also been placed on the Web site for consultation.

Other Legislation

The data protection regime has also been affected by two other pieces of legislation: the Unfair Terms in Consumer Contracts Regulations 1999 (UTCCR 1999) and the Contracts (Rights of Third Parties) Act 1999 (CRTPA 1999).

UTCCR 1999

The UTCCR 1999 replaced the UTCCR 1994. The original Regulations had been passed to implement EC Directive 93/13/EEC; however, under the enforcement regime imposed by those Regulations, only the Director General of Fair Trading was able to take action where breaches of the Regulations occurred. This did not reflect the enforcement requirements of the Directive so the Regulations have been re-enacted providing for a wider range of enforcement authorities. Where an unfair term occurs, action can now be taken by the utility regulators, local authority weights and measures authorities, the Data Protection Registrar and, with some limitations, the Consumers Association. The Regulations are in other significant respects unchanged. An unfair term is one which, contrary to the requirement of good faith, causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer. Where such a term occurs the regulator can seek an injunction to stop the trader using it. In most cases injunctions have not been necessary and cases have been dealt with by appropriate undertakings.

These new powers may enable the Registrar/Commissioner to take a stronger line in cases where the subject is asked to consent to wide information use terms as part of a contract. The OFT appear to have been willing to take a robust stance on contract terms which attempted to give data users unfettered rights to use and disclose personal data. Last year Sony agreed with the OFT that they would not continue to use such a term. The Regulations came into force on 1 October 1999.

CRTPA 1999

The CRTPA 1999 received Royal Assent on 11 November 1999 and will come fully into force on 11 May 2000. It will not apply to contracts made before November 1999; for contracts made between November 1999 and May 2000 it will apply only if the contract specifically includes it; for contracts made after May 2000 it will apply unless excluded. In the data protection context it has the potential to overcome some of the objections to the contractual solutions proposed to deal with the problems of transborder data transfers. Principle 7 bans the transfer of personal data overseas unless ‘adequate protection’ is provided for the data subject. Adequate protection has been taken as requiring that the individual has equivalent enforceable rights in the overseas jurisdiction as in the home state. This poses a problem for those exporting personal data to countries which do not have data protection laws. One solution is for the data exporter to enter a contract with the data importer under which the importer agrees to provide the subjects with remedies equivalent to those available in the exporting state. This is referred to as ‘the contractual solution’.

The English doctrine of privity of contract, by which a third party could not take the benefit of a contract term, has meant that the contractual solution has had limited appeal to the Registrar. As the data subject could have no legal redress for breach of a contract term, the contract could not be said to provide equivalent protection, however well-intentioned the contracting parties.

Under the CRTPA 1999 a contract may be enforced by a third party where either it is provided by the contract that he may do so or where the contract purports to confer a benefit on the third party and it is intended by the parties that the third party should be capable of enforcing the terms of the contract. Unless the contract specifically provides otherwise, the third party may then have the power to influence whether the contract can subsequently be varied or rescinded. The third party is entitled to the same remedies as an original party to the contract – including damages, injunction and specific performance.

Case Law

The last few months have also seen the reporting of two cases which will be of interest to those dealing with information law. The House of Lords decision in R v Bow Street Metropolitan Stipendiary Magistrate and Another ex parte Government of the United States of America [1999] 4 All ER 1 overruled DPP v Bignell [1998] 1 Cr App R 1 on the meaning of ‘unauthorised access’ in the Computer Misuse Act 1990. This is good news for data users seeking to reinforce their security and data discipline on employees. In this case an employee in a credit card company was able to access all customer accounts but was authorised to access only those which were assigned to her. It was alleged that, as part of a conspiracy to defraud the company, she accessed various other accounts. In DPP v Bignell the court had held that because the defendant had a particular level of access to the system she did not commit an offence of ‘causing a computer to perform a function with intent to secure unauthorised access to any program or data held in the computer’ as long as she accessed data only at that level. This was despite the fact that she had accessed data which it was outside the scope of her job to handle. In the Bow Street case the court did not accept the argument that such authority meant that access to all data at that level was authorised.

In R v Department of Health ex parte Source Informatics Ltd judgment was delivered on 21 December. In this case the Court of Appeal considered whether a pharmacist who disclosed anonymised data about patients, derived from GPs’ prescription forms with the consent of the GPs, was in breach of his duty of confidence to the patient. The case has provoked a great deal of interest since the decision of Latham J in May (reported at [1999] 4 All ER 185) in which he held that the pharmacist would be breaching his obligation of confidence in those circumstances if he acted without the consent of the patient. The case arose because Source wanted to buy anonymised data from pharmacists to build up pictures of the prescribing habits of GPs and use the information to target marketing of drugs to GPs. The Department of Health issued guidance to GPs and pharmacists that it would breach the obligations of confidence to individual patients to follow this course as the patients did not know of and had not consented to the use of the data by Source nor could they be taken to have implicitly consented to the use. Source sought judicial review of this guidance.

After the decision in the High Court a number of interested parties sought to intervene in the proceedings. The General Medical Council, the Medical Research Council, the Association of the British Pharmaceutical Industry and the National Pharmaceutical Association Ltd were allowed to intervene.

The court considered whether a use of confidential personal information for a purpose other than the one for which it had been obtained without a disclosure of the data to a third party amounts to a breach of confidence. They held that the scope of the obligation of confidence owed by the pharmacist in this situation did not preclude the use of the data either to anonymise it or to pass on the anonymised personal data. The court distinguished cases dealing with trade secrets, in which they said it would often be appropriate to restrain unauthorised uses of data, from those dealing with personal privacy, in which the interest of the individual confidee was the protection of his privacy and which would usually only be threatened by disclosure. They also considered arguments on the application of the Data Protection Directive to the question of whether the processing of sensitive data to render it anonymous amounted to an act of processing for which the controller required a basis in law. In Source the anonymised information was freed from restrictions imposed by both confidentiality and data protection restrictions.

The argument made by the Department of Health in this context appears to be that the process of anonymising the data fell within the definition of ‘processing’ and thus had to comply with the Directive and the Act. In this case the processing involved sensitive data; accordingly one of the grounds for processing such data had to be found before it could be carried out, and no such ground was available. (In fact the research ground in the draft sensitive data order would not apply either as that requires that the research be in the ‘substantial public interest’ and it was accepted that no public interest issue arose here.) If this argument was correct then anonymisation of data for research purposes would require consent. The court appeared to recognise that a black letter interpretation of the Directive left them with a problem so they adopted a purposive approach and sought support from Recital 26 in doing so. They decided that the Directive did not restrict the anonymisation of sensitive data.