Developing Successful Privacy Relationships

April 30, 1998

The 15th Annual International Privacy Laws & Business Conference was held once again at St. John’s College, Cambridge over three full days in early July 2002. Over 200 delegates represented the legal profession, industry and academia, as well as Data Protection and Privacy regulators both from the UK and world-wide. The speakers, likewise, represented an authoritative array of privacy and data protection professionals.

Some of the Conference was split into parallel sessions, largely divided into those considering UK issues and those considering International ones, and certainly for myself, the choices on which sessions to attend were acutely difficult.

UK Overview

For a UK audience, some of the main or most interesting issues were, I felt:

· Criminal Records Bureau: What progress has been made on this and when will its services come fully into action?

· Freedom of Information Act 2000: What is needed from public authorities (itself a wide and unclear term), as the deadlines for approval by the Information Commissioner of Publication Schemes loom? Are Publication Schemes of help to anyone, anyway?

· New e-Communications Directive. What does the latest version say and what will its likely effects be?

· Litigants and the DPA. What is the position if a potential litigant uses the Data Protection Act for example to enhance disclosure?

· Anonymous data. To what extent is anonymous data truly anonymous and should the process of making data anonymous be governed by special rules or the standard Data Protection regime?

Overseas / International overview

The interests of overseas delegates or those from multi-national organisations were also covered by a range of expert speakers, the highlight being M. Michael Gentot, President of the CNIL (the French Data Protection authority), speaking on France’s new Data Protection Bill. There was also a session in the long-running debate about ways of ensuring adequacy in the transfer of personal data to non-EEA countries.

Other topics and themes

The Conference also held a number of sessions on particular ‘Sector’ themes: Basic DP Training; Training and Communications for DP awareness; Financial Services; and Data Sharing across the Public Services in the UK. This latter is especially topical and relevant following the Cabinet Office’s recent paper on that subject and, of course, the recently inspired ‘public debate’ on the new Entitlement Cards (which to many Privacy professionals are indistinguishable in form and substance from previous Identity Card proposals). There was also a session giving Microsoft’s views on their privacy enabling technologies, where Microsoft was encouraging us to let them store our passwords for many of our other services on their secure Password service. Their message was “Trust us; we’re Microsoft”.

Criminal Records Bureau

The Criminal Records Bureau (CRB) came into force in 1998 to take the burden off the police of checking the criminal records of applicants for and holders of certain jobs, and incidentally, it is hoped, to remove the scourge of enforced subject access, where job applicants or visa applicants are invited (= forced) to apply to the police for details of their own criminal record in order to produce documentary proof to satisfy a prospective employer or embassy that they indeed have no criminal record.

According to Chris Cadman of the CRB, under the current arrangements there are c. 1 million checks per year run by the 43 police forces in England and Wales, and these only cover a relatively narrow range of posts in the statutory sector – for example where children and vulnerable adults may be at risk. Currently, there are no checks for GPs, hospital doctors, nurses, scout/guide leaders, most volunteers or sports coaches.

The CRB is now, for England and Wales, providing Enhanced and Standard disclosure certificates, demand for which is expected to run at 3 million enquiries per annum. When the lowest level of check, the Basic disclosure certificate, comes on stream later, demand is expected to rise sharply. The CRB’s performance to date in responding to requests has been below the expected standard, partly from teething troubles and partly because the system was planned for the majority of enquiries to be placed through call centres, whereas in practice, the majority of enquiries have been made using a paper based approach, which is inherently slower and more resource intensive. The progress of setting up the Scottish CRB is lagging behind that for England and Wales, and the Government has so far published no proposals at all for setting up the equivalent body for Northern Ireland. So it is likely that enforced subject access may continue, regrettably, to be with us for some time to come, especially in those jurisdictions.

Freedom of Information Act 2000

Graham Smith, Deputy Information Commissioner, told us that the Freedom of Information Act 2000 (FOI Act) requires that all Public Authorities produce publication schemes and get them approved by the Information Commissioner. A publication scheme is a document which details all the Public Authority’s information that is automatically available (and where or how it can be found) and for which a specific FOI request is therefore unnecessary.

The Lord Chancellor’s Department has produced a rolling timetable for this. What could be easier? Firstly, despite the long list of Public Authorities in Schedule 1 to the FOI Act, there is no official list of Public Authorities. The Office of the Information Commissioner (IC) has started compiling a database of them, and so far has reached a total of 87,000 and the total is still rising. Many of the Public Authorities named in FOI Schedule 1 have merged, been dissolved or changed their name so the situation is very fluid. The deadline months published by the Lord Chancellor’s Office relate to the time limit by which the publication schemes are supposed to be approved, so inevitably they need to be submitted to IC some two to five months before, to allow time for the approval process. If the IC can approve model or sector schemes this will speed up the process, but they in turn need to be submitted even earlier.

Secondly, there is still great uncertainty about the nature and format of a Publication Scheme. The IC will shortly produce (and self-approve) its own publication scheme, which hopefully will also be a model for others to follow.

The rights of individuals to request information continue under the previously existing Codes of Practice and are not being phased in, as are publication schemes, until the FOI Act is brought fully into force in November 2005. David Flaherty (formerly Information and Privacy Commissioner for British Columbia, Canada) made the point that, with 87,000 schemes to approve, the IC’s inspection was likely to be cursory and nobody would look at them afterwards. People would always request information in ways logical to themselves and not in line with a pre-determined set of guidelines.

E-Communications Directive

This draft Directive has undergone many revisions and the latest, and it is hoped final, revision was accepted by the European Parliament on 30 May 2002. Susan Singleton, a solicitor with much experience in this area, brought us the latest news that:

· there will be a harmonised EC approach to unsolicited commercial email (rather than the free-for-all previously envisaged) and that opt-in will be required in all cases

· that coverage will include “email, SMS and other electronic messages received on any mobile or fixed terminal”

· There will be an exception to this for existing customers: “Where a potential customer has supplied details of his email address and [or?] mobile telecommunications number to a particular company in the context of a particular purchase, that company can send marketing e-mails and SMS messages for its own products and services to such customers.” But an opt-out opportunity must still be provided on each such occasion.

· The use of privacy-sensitive location data giving the location of mobile users will be subject to the explicit consent of the mobile user.

· Cookies [and other invisible tracking devices] will not now need prior consent (at which the Internet and marketing industries heaved a big sigh) but “may only be employed if the user is provided with adequate information about the purposes of such devices, and (also) has the possibility to reject them.”

The above proposals were adopted by the EC Council of Ministers on 25 June 2002, and are expected to be published shortly for implementation by about October 2003.

Using the Data Protection Act 1998 as a weapon in litigation

Daniel Pavin, a Solicitor with Taylor Joynson Garrett, UK, took us through the disclosure requirements (and some exemptions) of the Data Protection Act 1998 (DPA) and to the disclosure rules (especially Rule 31) contained in the Civil Procedure Rules (CPR) and associated case law. There is an overlap in that:

· some items fall within CPR 31.16 (relates to the proceedings but may or may not relate to the individual)

· some items fall within the scope of a DPA subject access request (relates to an individual but may or may not relate to the proceedings).

What are the key pressure points where (potential) litigants may fall foul of one or other?

· The 40-day time limit for DPA subject access disclosure may well often be difficult to comply with (fully) in a complex case. Civil disclosure often takes many ‘rounds’ of negotiation.

· Back-up data may well fall within the scope of a DPA subject access request – especially if data has been ‘deleted’. If this is likely, a specific request for access to (specified) back-up data should be made so that such back-ups as are necessary are retained and not destroyed in the ‘normal processing cycle’.

· Manual data may be difficult to search and/or retrieve under either set of rules.

· Under the DPA there is no restriction on the use that may be made of the personal data.

· There are some exemptions to DPA subject access rights, but their extent is not always clear.

What can be done by individuals to minimise such a DPA ‘fishing’ expedition?

· get systems in place and document those systems

· delete old data (but not just because a subject access request has been made!)

· train staff to deal with subject access requests, liaising with relevant departments, archiving and deleting data, and not creating liability-inducing records.

On a broader scene it might be helpful for an organisation to have a vexatious requestor list analogous to a vexatious litigant’s list, but this itself would need extremely careful handling, documentation and procedures, especially as the data subject would have, via a DPA subject access request, access to their own name being on it!

Clear guidelines from the Information Commissioner and/or the courts cannot come too soon. We have had years to build up established case law on disclosure but much less time for data protection. Perhaps there ought to be an implied undertaking with a Data Protection Act subject access request similar to CPR 31.22 preventing the DPA being used for fishing trips.

Might there be a special regime for back-ups? At present a data controller is worse off with these than for subject access for manual files which enjoy certain exemptions.

Anonymous data and the anonymising process

It is accepted that data which is anonymous is outside the scope of the Data Protection Act 1998 (DPA). Ian Walden discussed two key issues and generated a lively exchange of divergent views with representatives of the UK Information Commissioner’s office. This issue has come to the fore particularly with cases where medical researchers wish to use anonymised patient, clinical or drugs data, and was brought to a head with the Source Informatics case (R v Secretary of State for Health, ex parte Source Informatics Ltd [2000] 1 All ER 786, 21 December 1999).

One issue was the exact definition of anonymous, which varies somewhat between jurisdictions. In the UK, for instance, it is data that cannot identify the individual either by itself or by reference to other information held by the data controller. Thus if it is possible, even with extreme cost and difficulty, to retro-engineer the ‘anonymised’ data back to match up with the original, then it could be said, under the UK’s definition, not to be properly anonymised.

The other, even more contentious, issue was whether the processing carried out to anonymise data was itself a process that needed, for example, to be specifically notified to the data subject, or whether, since privacy enhancing technologies were to be encouraged, it needed to be subject to a lighter regulatory touch. Ian Walden put forward various ways in which this could be achieved. The IC’s office stuck resolutely to the view that there was no problem, since anonymising personal data was, in effect, just another way of destroying data, a processing operation already routinely covered by data protection law.

The New French Data Protection Law

France is one of the three EC countries which have not yet brought in new data protection legislation to transpose the EC Data Protection Directive (EC/95/46) into national law. However, unlike the other two countries, it has certified to the EC that its existing law already substantially meets the requirements of the EC Directive and has thus avoided the fines that are likely to be levied on the other (very) late adopters.

It was against this background that M. Michael Gentot, President of the CNIL, France’s Data Protection supervisory body, addressed the conference on the new French Data Protection Bill, passed by the National Assembly on 30 January 2002, and likely to go before Senate in September 2002. This Bill will not change the title of the previous Act (of 1978) but will introduce some ‘modernisation’.

The Bill sets out the various categories, associated with the risks involved, where prior authorisation, notification or simplified notification may be applicable, and this now applies equally to both public and private sectors.

The CNIL will have greater powers of sanction and greater power to carry out unannounced audits of an organisation’s data protection practices. The CNIL can now levy fines directly (not via the courts) of up to 150,000 € (proportionate to the offence) or, in the case of a subsequent offence, a fine up to 300,000 € or 5% of a company’s turnover. These are significant sums, particularly compared with the average fine in the UK courts.

Finally the CNIL will have the authority to award a ‘seal of approval’ to products and procedures that comply with its data protection laws.

Transfer of Personal Data outside the EEA: Model Contracts vs. Safe Harbor?

Professor Joel Reidenberg contrasted two approaches to the safe transfer of personal data to countries outside the EEA (other than those whose data protection laws have already been deemed ‘adequate’ by the EC) in the absence of the possibility of achieving specific informed data subject consent. Two such approaches were set out and compared.

The first, the Safe Harbor (as set out in the EU’s decision 2000/520/EC), is a route available for US companies only, is (loosely) policed by the US Dept. of Commerce and theoretically satisfies the EC Directive’s adequacy requirements. It is a largely self-policed standard supported by several checklists. Although several hundred US companies have signed up to this now, many have only done so for some of their personal data (e.g. for HR data only). Enforcement of its provisions moves into uncharted territory and is problematic.

The second mechanism for safe transfers is the set of model contracts as approved under Article 26(2) and EC Decision 2001/497/EC (for transfers to third party data controllers) and Decision 2002/16/EC (for transfer to third country data processors).

These can be used in any country and organisation sector and can provide a greater level of compliance and protection – although not without the risks of any contractual solution which deals with different jurisdictions.

Conclusion

Once again, this was a most useful and well organised conference with authoritative speakers, who also answered questions. I found it very useful, and 200+ other attendees, both ‘first timers’ and ‘seasoned veterans’, also appeared to. I look forward to the next one.

Useful URLs:

(Note: URLs have been checked as at 9 July 2002 but cannot be guaranteed for continued accuracy)

The Information Commissioner: http://www.informationcommissioner.gov.uk/

Information Commissioner’s Notification website: http://www.dpr.gov.uk/

Lord Chancellor’s Department (ex-Home Office) – Freedom of Information:
http://www.lcd.gov.uk/foi/foidpunit.htm

Lord Chancellor’s Dep’t. (ex-Home Office) – DPA 98 subordinate legislation:
http://www.lcd.gov.uk/ccpd/dpsubleg.htm

EC Commission’s standard clauses for ensuring adequacy:
http://europa.eu.int/comm/internal_market/en/dataprot/news

US Dept. of Commerce Safe Harbor rules: http://www.export.gov/safeharbor

EC Consultation on Implementation of EC Data Protection Directive:
http://europa.eu.int/yourvoice/index_en.htm

OECD Privacy statement generator for web sites:
http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm

Criminal Records Bureau: http://www.crb.gov.uk/

Privacy Laws & Business: http://www.privacylaws.com/