The 15th Annual International Privacy Laws & Business Conference was held once again, at
Some of the Conference was split into parallel sessions, largely divided into those considering UK issues and those considering International ones, and certainly for myself, the choices on which sessions to attend were acutely difficult.
For a
· Criminal Records Bureau: What progress has been made on this and when will its services come fully into action?
· Freedom of Information Act 2000: What is needed from public authorities (itself a wide and unclear term), as the deadlines for approval by the Information Commissioner of Publication Schemes looms? Are Publication Schemes of help to anyone, anyway?
· New e-Communications Directive. What does the latest version say and what will its likely effects be?
· Litigants and the DPA. What is the position if a potential litigant uses the Data Protection Act for example to enhance disclosure?
· Anonymous data. To what extent is anonymous data truly anonymous and should the process of making data anonymous be governed by special rules or the standard Data Protection regime?
Overseas / International overview
The interests of overseas delegates or those from multi-national organisations were also covered by a range of expert speakers, the highlight being M. Michael Gentot, President of the CNIL (the French Data Protection authority) speaking on
Other topics and themes
The Conference also held a number of sessions on particular ‘Sector’ themes:- Basic DP Training; Training and Communications for DP awareness; Financial Services and Data Sharing across the Public Services in the
Criminal Records Bureau
The Criminal Records Bureau (CRB) came into force in 1998 to take the burden off the police of checking the criminal records of applicants and holders of certain jobs, and incidentally of, hopefully removing the scourge of enforced subject access where job applicants or visa applicants are invited (= forced) to apply to the police for details of their own criminal record in order to produce documentary proof in order to satisfy a prospective employer or embassy that they indeed have no criminal record.
According to Chris Cadman of the CRB, under the current arrangements there are c1 million checks per year run by the 43 police forces in England and Wales, and these only cover a relatively narrow range of posts in the statutory sector – for example where children and vulnerable adults may be at risk. Currently, there are no checks for GPs, hospital doctors, nurses, scout/guide leaders, most volunteers or sports coaches.
The CRB is now, for
Freedom of Information Act 2000
Graham Smith, Deputy Information Commissioner, told us that the Freedom of Information Act 2000 (FOI Act) requires that all Public Authorities produce publication schemes and get them approved by the Information Commissioner. A publication scheme is a document which details all the Public Authority’s information that is automatically available (and where or how it can be found) and for which a specific FOI request is therefore unnecessary.
The Lord Chancellor’s Department has produced a rolling timetable for this. What could be easier? Firstly, despite the long list of Public Authorities in Schedule 1 to the FOI Act, there is no official list of Public Authorities. The Office of the Information Commissioner (IC) has started compiling a database of them, and so far has reached a total of 87,000 and the total is still rising. Many of the Public Authorities named in FOI Schedule 1 have merged, been dissolved or changed their name so the situation is very fluid. The deadline months published by the Lord Chancellor’s Office relate to the time limit by which the publication schemes are supposed to be approved, so inevitably they need to be submitted to IC some two to five months before, to allow time for the approval process. If the IC can approve model or sector schemes this will speed up the process, but they in turn need to be submitted even earlier.
Secondly, there is still great uncertainty about the nature and format of a Publication Scheme. The IC will shortly produce (and self-approve) its own publication scheme, which hopefully will also be a model for others to follow.
The rights of individuals to request information continue under the previously existing Codes of Practice and are not being phased in, as are publication schemes, until the FOI Act is brought fully into force in November 2005. David Flaherty (formerly Information and Privacy Commissioner for
E-Communications Directive
This draft Directive has undergone many revisions and the latest, and it is hoped final, revision was accepted by the European Parliament on
· there will be a harmonised EC approach to unsolicited commercial email (rather than the free-for-all previously envisaged) and that opt-in will be required in all cases
· that coverage will include . “email, SMS and other electronic messages received on any mobile or fixed terminal”
· There will be an exception to this for existing customers: “Where a potential customer has supplied details of his email address and [or?] mobile telecommunications number to a particular company in the context of a particular purchase, that company can send marketing e-mails and SMS messages for its own products and services to such customers.” but an opt-out opportunity must be still provided on each such occasion.
· The use of privacy sensitive location data giving the location of mobile users, will be subject to the explicit consent of the mobile user.
· Cookies [and other invisible tracking devices] will not now need prior consent (at which the Internet and marketing industries heaved a big sigh) but . “may only be employed if the user is provided with adequate information about the purposes of such devices, and (also) has the possibility to reject them.”
The above proposals were adopted by the EC Council of Ministers on
Using the Data Protection Act 1998 as a weapon in litigation
Daniel Pavin, a Solicitor with Taylor Joynson Garrett, UK, took us through the disclosure requirements (and some exemptions) of the Data Protection Act 1998 (DPA) and to the disclosure rules (especially Rule 31) contained in the Civil Procedure Rules (CPR) and associated case law. There is an overlap in that:
· some items fall within CPR 31.16 (relates to the proceedings but may or may not relate to the individual)
· some items fall within the scope of a DPA subject access request (relates to an individual but may or may not relate to the proceedings).
What are the key pressure points where (potential) litigants may fall foul of one or other?
· The 40-day time limit for DPA subject access disclosure may well often be difficult to comply with (fully) in a complex case. Civil disclosure often takes many ’rounds’ of negotiation.
· Back-up data may well fall with the scope of a DPA subject access request – especially if data has been ‘deleted’. If this is likely, a specific request for access to (specified) back-up data should be made so that such back-ups as are necessary are retained and not destroyed in the ‘normal processing cycle’.
· Manual data may be difficult to search and/or retrieve under either set of rules.
· Under DPA there is no restriction of the use that may be made of the personal data.
· There are some exemptions to DPA subject access rights, but their extent is not always clear.
What can be done by individuals to minimise such a DPA ‘fishing’ expedition?
· get systems in place and document those systems
· delete old data (but not just because a subject access request has been made!)
· train staff to deal with subject access requests, liaising with relevant departments, archiving and deleting data, and not creating liability-inducing records.
On a broader scene it might be helpful for an organisation to have a vexatious requestor list analogous to a vexations litigant’s list but this itself would need extremely careful handling, documentation and procedures, especially as the data subject would have, via a DPA subject access request, access to their own name being on it!
Clear guidelines from the Information Commissioner and/or the courts cannot come too soon. We have had years to build up established case law on disclosure but much less time for data protection. Perhaps there ought to be an implied undertaking with a Data Protection Act subject access request similar to CPR 31.22 preventing the DPA being used for fishing trips.
Might there be a special regime for back-ups? At present a data controller is worse off with these than for subject access for manual files which enjoy certain exemptions.
Anonymous data and the anonymising process
It is accepted that data which is anonymous is outside the scope of the Data Protection Act 19898 (DPA). Ian Walden discussed two key issues and generated a lively exchange of divergent views with representatives of the UK Information Commissioner’s office. This issue has come to the fore particularly with cases where medical researchers wish to use anonymised patient, clinical or drugs data and was brought to a head with the Source Informatics case (R v Secretary of State for Health, ex parte Source Informatics Ltd [2000] 1 All ER 786, 21 December 1999).
One issue was the exact definition of anonymous, which varies somewhat between jurisdictions. In the
The other, even more contentious, issue was whether the process of processing for anonymisation was itself a process that needed, for example, to be specifically notified to the data subject, or whether, since privacy enhancing technologies were to be encouraged, it needed to be subject to a lighter regulatory touch. Ian Walden put forward various ways in which this could be achieved. The IC’s office stuck resolutely to the view that there was no problem since anonymising personal data was just another way, in effect, of destroying data, a processing operation already routinely covered by data protection law.
The New French Data Protection Law
It was against this background that M. Michael Gentot, President of the CNIL, France’s Data Protection supervisory body, addressed the conference on the new French Data Protection Bill, passed by the National Assembly on 30 January 2002, and likely to go before Senate in September 2002. This Bill will not change the title of the previous Act (of 1978) but will introduce some ‘modernisation’.
The Bill sets out the various categories, associated with the risks involved, where prior authorisation, notification or simplified notification may be applicable, and this now applies equally to both public and private sectors.
The CNIL will have greater powers of sanction and greater power to carry out unannounced audits of an organisation’s data protection practices. The CNIL can now levy fines directly (not via the courts) of up to 150,000 € (proportionate to the offence) or, in the case of a subsequent offence, a fine up to 300,000 € or 5% of a company’s turnover. These are significant sums, particularly compared with the average fine in the
Finally the CNIL will have the authority to award a ‘seal of approval’ to products and procedures that comply with its data protection laws.
Transfer of Personal Data outside the EEA: Model Contracts vs.
Professor Joel Reidenburg contrasted two approaches to the safe transfer of personal data to countries outside the EEA, (or those whose data protection laws have already been deemed ‘adequate’ by the EC) in the absence of the possibility of achieving specific informed data subject consent. Two such approaches were set out and compared.
The first, the Safe Harbor (as set out in the EU’s decision 2000/520/EC), is a route available for US companies only, is (loosely) policed by the US Dept. of Commerce and theoretically satisfies the EC Directive’s adequacy requirements. It is a largely self-policed standard supported by several checklists. Although several hundred US companies have signed up to this now, many have only done so for some of their personal data (eg for HR data only). Enforcement of its provisions moves into uncharted territory and is problematical.
The second mechanism for safe transfers is the set of model contracts as approved under Article 26(2) and EC Decision 2001/497/EC (for transfers to third party data controllers) and Decision 2002/16/EC (for transfer to third country data processors).
This could be used in any country and organisation sector and they can provide a greater level of compliance and protection – although not without the risks of any contractual solution which deals with different jurisdictions.
Conclusion
Once again, this was a most useful and well organised conference with authoritative speakers, who also answered questions. I found it very useful, and 200+ other attendees, both ‘first time’ and ‘seasoned veterans’, also appeared to. I look forward to the next one.
Useful URLs:
The Information Commissioner : . http://www.informationcommissioner.gov.uk/
Information Commissioner’s Notification website: http://www.dpr.gov.uk/
Lord Chancellor’s Department (ex-Home Office) – Freedom of Information:
http://www.lcd.gov.uk/foi/foidpunit.htm
Lord Chancellor’s Dep’t. (ex-Home Office) – DPA 98 subordinate legislation:
http://www.lcd.gov.uk/ccpd/dpsubleg.htm
EC Commission’s standard clauses for ensuring adequacy
http://europa.eu.int/comm/internal_market/en/dataprot/news
US Dept. of Commerce Safe Harbor rules: http://www.export.gov/safeharbor
EC Consultation on Implementation of EC Data Protection Directive
http://europa.eu.int/yourvoice/index_en.htm
OECD Privacy statement generator for web sites
http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm
Criminal Records Bureau . . http://www.crb.gov.uk/
Privacy Laws & Business: . . http://www.privacylaws.com/
