Data Protection Update

April 30, 2002

Europe

The Council of Europe Convention for the protection of individuals with regard to the automatic processing of personal data (Treaty 108), which was the main impetus for the UK’s Data Protection Act 1984, has been extended by an additional protocol covering the powers of supervisory authorities and the rules for transborder data flows. The effect of the protocol is to bring the Convention broadly into line with EU standards in these areas.

The Council of Ministers of the European Union has agreed a common position on the revision of the data protection and telecommunications directive, now the proposed directive concerning the processing of personal data and the protection of privacy in the electronic communications sector. The common position was reached on 6/7 December. The revision was required because of a number of factors:

  • the different approaches that had been taken to e-mail marketing (opt-in/opt-out) in different Member States
  • the development of the technology to cover location data and the need to set standards for the use of such data
  • the pressure to allow some additional uses of subscriber data.

In many other respects the revised directive remains the same as the existing data protection and telecommunications directive 97/66/EC. The rules for call forwarding, security and confidentiality are unchanged. Once the directive has been adopted, it is proposed that Member States will have 15 months within which to amend their national laws to make them compliant. The UK’s Telecommunications (Data Protection and Privacy) Regulations 2000 will have to be revised to take account of the changes.

On 15 May 2001 the European Commission published a guide to data protection rights as part of its ‘Dialogue with Citizens and Business’ initiative. It provides citizens and businesses with information on their rights regarding the collection and use of personal data. It also provides practical advice as to what they can do if those rights are violated and a contact list for all the supervisory authorities in the Member States.

On 18 June 2001 the Commission approved a set of model contract clauses to be used where a data controller in an EEA country is sending personal data to a data controller in a non-EEA country which has an inadequate level of protection for personal data. The Commission decision took effect in September 2001. The clauses are not compulsory but where they are used Data Protection Commissioners in the EEA should accept that the transfer is being made on terms that provide adequate protection for the data subject.

On 21 December 2001 the UK Information Commissioner authorised transfers made using the model terms set out in the decision as being made in a manner which ensures adequate safeguards for the rights and freedoms of data subjects. The authorisation was made under paragraph 9 of Schedule 4 to the Data Protection Act 1998.

On 27 December 2001 the Commission approved a set of model contract clauses to be used where a data controller in an EEA country is sending personal data to a data processor in a non-EEA country which has an inadequate level of protection for personal data.

On 15 January 2002 the Commission delivered a finding of adequacy of legal protection in respect of the Canadian privacy regime. The Canadian Personal Information Protection and Electronic Documents Act came into force on 1 January 2001. The Canadian Act does not cover personal data held by public bodies or that held by private organisations and used for non-commercial purposes. Where personal data are being transferred from the EU to Canada for such purposes, additional measures, such as contractual provisions, will be required to ensure adequacy.

On 18 January 2002 a report on the role of standardisation in achieving compliance with Directive 95/46/EC was submitted to the Steering group for the Initiative for Privacy Standardisation in Europe (IPSE). The report was prepared by a group of experts to examine the role standards might play in assisting with achieving compliance.

Cases on data protection

On 2 October 2001, a superior court (the Cour de Cassation in France) made a decision on the monitoring and interception of employee e-mail in a case brought by an ex-employee against Nikon France. The employee in question had been dismissed and part of the case against him depended on evidence derived from monitoring of his e-mails. These included private matters, although he had been instructed only to use the e-mail for work-related matters. The court held that the employee had a right to privacy in the correspondence in his work e-mails.

Guidance material

The Article 29 Data Protection Working Party, the independent EU Advisory Body on Data Protection and Privacy set up under the directive, has continued to produce useful materials. Of particular note is Opinion 8/2001 on the processing of personal data in the employment context adopted in September 2001.

These materials can be found on the Commission’s Web site http://www.europa.eu.int/comm/internal-market/en/dataprot/.

UK

The Office of the Information Commissioner (OIC) has continued to produce guidance and other material (all of the papers listed below are available on the Commissioner’s Web site at www.dataprotection.gov.uk).

  • The first Annual Report appeared in June 2001.
  • The audit manual was published in June 2001.
  • Revised legal guidance on the DPA 98 was published in October 2001, to coincide with the ending of the first set of transitional provisions.
  • A consultation on proposed guidance on the use and disclosure of medical data was launched by the OIC in May 2001. The consultation paper was followed by a conference in Manchester. No guidance has yet been issued although work is proceeding on it. The Department of Health is also working on a code of practice on medical information. A paper dealing with consent has been issued and is available from the DoH Web site.
  • A substantial amount of material has been issued on the Freedom of Information Act (FOIA). Apart from the overview of the FOIA, the material deals with publication schemes. Most recently a methodology for developing publication schemes, guidance on schemes and an approval schedule have been added to the Web site. No model schemes have been published but pilot schemes, developed with the co-operation of the OIC, are available from the Medicine Control Agency at mca.gov.uk, the Public Records Office at pro.gov.uk and the Department for International Development at dfid.gov.uk.
  • The first part of the Code of Practice on the use of personal data in employee/employer relations has been issued. This concerns the use of personal data in the recruitment and selection process. A further three sections are awaited: on monitoring in the workplace, medical information and general records management. Consultation is continuing on the contents of these further sections.
  • The OIC has produced a Newsletter on the Web site which carries current news. The issues covered in the first edition include the growth of fraudulent data protection registration agencies which are demanding money from business for spurious registration and how to register notices of disassociation with the credit reference agencies.

Although FOI has taken much of the resource of the OIC over the last few months, it has launched a study of compliance with data protection by Web sites in the UK. The study is being carried out by a team from the University of Manchester Institute of Science and Technology (UMIST). The aim of the survey is to gain an overall view in order to direct compliance work more effectively. The researchers will contact Web site operators to interview them. The identities of those contacted will not be disclosed to the OIC by the researchers without their consent so the results of the work will not identify individual Web sites. The results will not be used as a basis for compliance action against those contacted.

UK prosecutions and tribunal decisions

On 18 December 2001 Academy Credit Services Ltd and two of its directors, Andrew Cole and Paul Slocombe, were found guilty at Crown Court of attempting unlawfully to procure personal data from government departments. The OIC had been conducting work with the Inland Revenue to detect and prosecute the obtaining of information from it by unlawful methods. The court imposed no penalty on Academy Credit Services Limited, which is now in liquidation. The two directors received conditional discharges but were ordered to pay costs of £1,000 each.

The Information Tribunal (National Security Appeals) issued its decision in the case of Norman Baker v Secretary of State for the Home Department on 1 October 2001. In this case the Home Secretary had issued a certificate under s28(2) of the DPA 1998 in broad terms to cover the work of the Security Services (MI5). When MP Norman Baker applied to the Security Service for access to the file on him under the subject access provisions of the DPA he received a ‘neither confirm nor deny’ (NCND) response. Mr Baker then challenged the breadth of the certificate which had been issued. The wording of the certificate was such that it covered any personal data processed by the Security Services in the performance of its statutory function irrespective of whether the exemption was necessary for the purpose of safeguarding national security. He was successful in his challenge; however, it was success on a narrow point and will be easily cured by the issue of another certificate drawn in narrower terms.

DP caselaw Robertson v City of Wakefield and Secretary of State for the Home Department

In November the High Court held that the failure of Electoral Registration Officers to allow individuals to opt out of the use of the electoral roll for direct marketing and other commercial uses was a breach of Article 14 of the Data Protection Directive, and Articles 8 and 3 of the Human Rights Act 1998. Following the case, the OIC and the Electoral Commission issued guidance to Electoral Registration Officers advising them to stop selling copies of the rolls. The position left the credit reference and wider finance industry in a state of uncertainty as the roll is the basis for the records which are used for credit and other checks. Since November the industry has been awaiting new draft regulations from the Department for London Transport and the Regions on the acceptable use of the roll but these have not been forthcoming to date.

Privacy cases

The courts have continued to map out the relation between the right to private and family life, data protection and the existing UK law. In general terms the courts are developing the existing action for breach of confidence to cover the misuse or unfair disclosure of personal information. In effect this is the development of a right of privacy by another name but drawing strongly on the equitable basis of an action for breach of confidence. There have been a number of less important cases decided throughout the year but three cases which are important in mapping out the ground in this area have appeared in the last couple of months.

In Theakston v MGN Limited in February the judge held that sexual relations outside marriage were not necessarily of themselves confidential. In the particular case the encounter with a prostitute was not protected by confidentiality. In assessing whether the courts should restrain one party to a relationship from speaking, regard had to be had to that party’s right to freedom of expression.

In A v B and C the Court of Appeal laid down guidelines for these cases, to be followed by the courts in future, which it is hoped will restrain lawyers from excessive citation of authorities. The Court held in that case that a footballer, who had sought to keep information about his affairs with two women out of the newspapers, despite the wish of one of the women to speak publicly about the affair, would not be successful and his claim to confidentiality in the relationship was not made out.

In Naomi Campbell v MGN Newspapers Ltd the defendant brought an action for compensation for breach of confidence and breach of the DPA 1998. The court held that she had suffered distress by reason of the publication of photographs and material about her therapy for drug and alcohol abuse and awarded her compensation of £3,500. In this case the court was not dealing with a ‘kiss and tell’ story but with the obtaining and publication of personal information without the consent of the individual. It was not clear how the information about Miss Campbell’s attendance at a therapy session for drug abuse had been obtained, although it appears to have been by a ‘tip-off’. It is possible that there will be a further appeal to the Court of Appeal in the Campbell case, although, as the decision accords with that in A v B and C, one might expect the same line to be maintained.

Pending issues in privacy protection

Although less immediately interesting than the relation between the tabloids and celebrities, possibly the most significant current issue in the area of privacy protection relates to the obtaining and retention of communications data, that is information arising from the use of telecommunications. As part of the bundle of measures to tackle terrorism, a new code of practice is to deal with the retention of information by telecommunications service providers and ISPs to set out the types of data to be retained, the lengths of retention and the access to it.

In future even if we are able to keep things private from the media it will be much more difficult to do so from the State.

Rosemary Jay is a solicitor with Masons and can be reached on rosemary.jay@masons.com. Masons produces a free Data Protection and Privacy Update which is sent out 3 or 4 times a year and contains details of cases and legal instruments dealing with DP, FOI, and information law. If you would like to receive this, contact Rosemary or Janet on 0161 234 8234.