Chapter 11: Data Protection

Chapter objectives

In this chapter we shall:

  • Explain your obligations under the Data Protection Act 1998.
  • Explode some of the myths about the Data Protection legislation.
  • Provide some practical pointers on how to comply.

Data Protection - the basics

The Data Protection Act 1998 is concerned with “Personal Data”, i.e. information about living, identifiable individuals. This need not be particularly sensitive information and can be as little as name and address. The Act confers certain rights upon individuals and certain obligations upon those who record and use personal information. The legislation exists to protect individuals from the misuse of personal information that organisations hold about them.

The purposes of the legislation are as follows:

  • An organisation that wishes to hold personal information should be entered into a data protection register.
  • The uses that the organisation intends to make of such information should be defined and declared in advance.
  • The information should not be used for illegal or immoral purposes.
  • The person whom the information is about should be aware and should have consented to the purpose to which the information is being put.
  • That person should have the right to full access to the information held on them (the organisation is permitted to charge a nominal fee for supplying such information).
  • The information should be correct, up to date and should not be excessive.

Eight Data Protection Principles are set out in Schedule 1 of the 1998 Act; they are summarised in Table 11.1 below.

Table 11.1 Data Protection Principles

  1. The actual collection of data should be fair and lawful.
  2. Data should be obtained for specific lawful purposes and should not be processed for other incompatible reasons.
  3. The data collected should be relevant to the purpose for which it is being collected, and the quantity collected should be appropriate.
  4. Personal data should be accurate and up to date.
  5. Data should not be kept for longer than is necessary for the processing purpose.
  6. The person whom the information is about has certain basic rights, and the information should be processed in accordance with those rights.
  7. Data should be appropriately secured.
  8. Data should only be transferred outside the European Economic Area where similar standards of care apply in those other territories.

The Data Protection Act 1998 and key dates for compliance

The Data Protection Principles of the Data Protection Act 1998, although stated for the first time in the new Act, are similar in effect to the preceding legislation (the 1984 Act). The new Act is somewhat more stringent and harmonises the UK legislation with the EU Data Protection Directive (95/46/EC). The Data Protection Commissioner (previously the Data Protection Registrar) is an independent officer appointed by the Queen who reports directly to Parliament. The key extension to the law is that the new Act applies to manual records “forming part of a relevant filing system” (i.e. any structured information such as a card index of names and addresses) as well as computerised records. The new Act can be enforced even against organisations which are exempt from notification if they are in breach of the principles, and a person adversely affected by a breach of the Act can claim compensation for damages. There are several other extensions to the legislation.

The new Act came into force from 1 March 2000. However, automated data which is subject to processing already under way (or forming part of an “accessible file” that existed) before 24 October 1998 will be exempt from most of the additional requirements of the new Act until 23 October 2001. Manual data forming part of a relevant filing system will, subject to certain conditions, be exempt from the new Act until 23 October 2001 and will enjoy limited exemption from some of the principles until 2007. Despite these limited exemptions, it is good practice to start working wholly within the requirements of the new Act as soon as possible. It is hard to imagine a not-for-profit organisation which would fall outside the scope of this legislation.

Conditions under Schedule 2 of the 1998 Act

Schedule 2 of the 1998 Act provides that processing may only be carried out where at least one of the following conditions has been satisfied:

  • The individual has consented to the processing.
  • The processing is necessary for the performance of a contract with the individual.
  • The processing is required under a legal obligation.
  • The processing is necessary to protect the vital interests of the individual.
  • The processing is needed to carry out public functions.
  • The processing is necessary in order to pursue the legitimate interests of the data controller or certain third parties (unless prejudicial to the interests of the individual).

Stricter conditions apply to the processing of sensitive data. This category includes information relating to racial or ethnic origin, political opinions, religious or other beliefs, trades union membership, health, sex life and criminal convictions. Data held by not-for-profit organisations commonly falls within this stricter category. Where such data is being processed, not only must the controller meet the requirements of the principles and Schedule 2, but processing is prohibited unless at least one of the conditions of Schedule 3 can be satisfied.

Stricter conditions under Schedule 3 of the 1998 Act and myths about them

There is a great deal of myth about this stricter category, the most common of which is that you must have explicit consent from the data subject in order to process sensitive data. In fact, there are several acceptable reasons for holding sensitive data (many of which often apply to data held by not-for-profit organisations). For this reason, we have set out a comprehensive list of Schedule 3 conditions below, to enable you to decide whether or not your organisation's holding of sensitive data is justified.

Schedule 3 of the new Act, which relates to sensitive personal data, provides that processing may only be carried out where at least one of the Schedule 2 conditions and at least one of the following conditions has been satisfied:

  • The data subject has given their explicit consent to the processing of the personal data.
  • The processing is necessary for the purposes of exercising or performing any right or obligation, which is conferred or imposed by law on the data controller in connection with employment.
  • The processing is necessary in order to protect the vital interests of the data subject or another person, in a case where:
    • consent cannot be given by or on behalf of the data subject, or
    • the data controller cannot reasonably be expected to obtain the consent of the data subject, or
    • the vital interests of another person need to be protected, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
  • The processing:
    • is carried out in the course of its legitimate activities by any body or association which exists for political, philosophical, religious or trades union purposes and which is not established or conducted for profit
    • is carried out with appropriate safeguards for the rights and freedoms of data subjects
    • relates only to individuals who are either members of the body or association or who have regular contact with it in connection with its purposes
    • does not involve disclosure of the personal data to a third party without the consent of the data subject.
  • The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
  • The processing:
    • is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)
    • is necessary for the purpose of obtaining legal advice, or
    • is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  • The processing is necessary:
    • for the administration of justice
    • for the exercise of any functions conferred by or under any enactment, or
    • for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
  • The processing is necessary for medical purposes (including the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services) and is undertaken by:
    • a health professional (as defined in the Act)
    • a person who owes a duty of confidentiality, which is equivalent to that which would arise if that person were a health professional.
  • The processing:
    • is of sensitive personal data consisting of information as to racial or ethnic origin
    • is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained
    • is carried out with appropriate safeguards for the rights and freedoms of data subjects.
  • The personal data are processed in circumstances specified in an order made by the Secretary of State.

A helpful guide to compliance

The following checklist and comments should help you to identify the main aspects that require attention and should help you to comply. The nature and extent of actions required are relative and depend on your specific organisation and the purposes for which you are using data. However, if you answer no to any of the questions, you need to do something about it.

Checklist 11.2.1 Data Protection Checklist - Awareness
Question (yes / no) and notes and comments:

  • Are you aware of the current Data Protection legislation and its implications for your organisation?
    • The text contained in this book should be sufficient for most not-for-profit organisations, but if, for example, your work with sensitive data is "borderline" you might need further detail and guidance on the implications for you.
  • Have you formally assigned the responsibilities of Data Protection Officer to an individual in your organisation?
  • Is your Data Protection Officer aware of the requirements of the current Data Protection legislation?
    • Note on both questions above: in small not-for-profit organisations, this might often come down to you, dear reader.
  • Are you aware of all the purposes for which personal data is being used within your organisation, and of all the data collection methods used within your organisation?
  • Have you conducted a Data Protection Audit to ensure that you are aware of all aspects of your work which should be notified to the Data Protection Commissioner?
    • Note on both questions above: not-for-profit organisations often have a myriad of small databases, many of which need to be brought into the Data Protection regime.
    • A Data Protection Audit can be a good entrée to eliminating duplication and harmonising your work with personal data.
    • Bear in mind that spreadsheets and word processing tables with personal data in them fall within the scope of relevant data under the legislation, as do structured manual records.
  • Have you ensured that all relevant staff are trained and/or made aware of the Data Protection requirements of their work?
    • You should also ensure that appropriate volunteers are trained and made aware.
    • You also need mechanisms in place to ensure that new staff are trained and made aware.
Checklist 11.2.2 Data Protection Checklist - Data Collection
Question (yes / no) and notes and comments:

  • Are you informing data subjects of the purposes for which the required data is held, the identity of your Data Controller and any data transfer to a third party?
  • Are you obtaining all your personal data in a lawful manner?
    • Note on both questions above: not-for-profit organisations that have, for example, bought and/or sold donor or membership lists, should think carefully about meeting the legal requirements in this area.
  • Are you sure that the personal data your organisation collects is adequate, relevant and not excessive?
    • Just because it is appropriate for you to hold an item of data for some individuals does not mean that it is appropriate for you to keep that data item for all individuals - this is especially relevant for not-for-profit organisations involved in diverse activities.
  • Are your data collection people reliable in their collection of data - i.e. honest, discreet, professional and security conscious?
  • Do you have security measures in place to enable you to monitor the activities of your Data Collection people?
  • Where Data Collection is undertaken on your behalf by a third party, do you have signed agreements in place requiring that third party to comply with your data protection measures?
    • Many not-for-profit organisations use third parties for this purpose - you should ensure that you are nevertheless fulfilling your Data Protection responsibilities, albeit through a third party.
  • Do people handling personal data sign confidentiality agreements or equivalent?
Checklist 11.2.3 Data Protection Checklist - Data Processing and Storage
Question (yes / no) and notes and comments:

  • Where Data Processing and/or storage is undertaken on your behalf by a third party, do you have signed agreements in place requiring that third party to comply with your data protection measures?
    • Many not-for-profit organisations use third parties for this purpose - you should ensure that you are nevertheless fulfilling your Data Protection responsibilities, albeit through a third party.
  • Are you sure your data is only used for the purposes covered by your Data Protection notification and those purposes specified to each data subject?
  • If you use an automated system for decision making (e.g. skills scoring for potential recruits), would you be able to explain the logic of this system to Data Subjects?
  • If a Data Subject insists on not being subject to an automated process, do you have alternative non-automated processes available?
    • Note on both questions above: rarely used by not-for-profit organisations at present, but this is a defined right for Data Subjects if you are using such a system.
  • Do you have a process in place which enables you to provide a data subject with the personal data you hold about them?
  • Do you have a process in place which enables you to prevent processing likely to cause a data subject damage or distress?
  • Do you have processes in place which enable you to prevent a data subject's information being used for direct marketing?
  • Do you make reasonable efforts to ensure the accuracy of the information on your system?
  • Do you have a process in place to correct erroneous data?
  • Do you inform relevant third parties when incorrect data is corrected?
  • Do you only hold data for as long as it is required?
  • Do you have policies for archiving and cleaning up your data to ensure that only current data is maintained?
    • Note on both questions above: regardless of the legislation, not-for-profit organisations should have such policies in place for good practice, especially where the data is sensitive.
  • Do you have adequate security to ensure that it is not possible for unauthorised people to gain access to your data?
    • The level of security should be appropriate for the nature of personal data held. Although the Data Protection Act does not mandate security standards, it suggests that BS 7799, the Information Security Management standard, is an acceptable standard (see chapter "Information Security").
Checklist 11.2.4 Data Protection Checklist - Data Transfers
Question (yes / no) and notes and comments:

  • Do you conduct all your data transactions within the European Economic Area (EEA)?
  • If you obtain, process or transfer data outside the EEA, do you know what form of data protection and information security is used in those countries?
    • This requirement is relevant for some charities, e.g. those who are active in developing countries.
Checklist 11.2.5 Data Protection Checklist - Notification
Question (yes / no) and notes and comments:

  • Have you notified the Data Protection Commissioner of personal data held and its purposes?
    • Formerly known as Data Protection Registration.
  • Was your last notification done within the past three years?
  • Have your systems, processes and data requirements remained unchanged since your last notification?
  • If you have identified changes in notified information, have you notified such changes to the Data Protection Commissioner?
  • Do you have procedures in place for dealing with formal complaints should such be lodged with the Commissioner?
  • Do your systems development and maintenance procedures include the requirements of the notification process?

Summary

  • Data Protection requirements under the 1998 Act are more onerous than the previous legislation.
  • Almost all not-for-profit organisations have obligations under this legislation, so if you haven't yet made sure that you comply with the new rules, it's time to get on with it.
  • The obligations and conditions are mostly sensible, despite the many myths one hears to the contrary.
  • The details and checklists in this book should be sufficient to help most not-for-profit organisations to comply, but if your circumstances are complex or sensitive you would do well to seek expert guidance where in doubt.