The business implications for solicitors as the Data Protection Act comes into substantially full force and effect
The Data Protection Act 1998 (the “Act”) came into force on 1st March 2000. It has been widely ignored. Business compliance rates are running at about 65%. This is fast becoming the norm with e-business legislation, the current “record” being held by the Distance Selling Regulations, which 82% of web designers seem either not to know about or wilfully ignore, according to the most recent survey.
Now the Data Protection Act’s Transitional Provisions are about to end, so that solicitors and their clients are faced with a further raft of regulation. This article looks at matters from the solicitors’ perspective, in the hope that our profession can rise to the challenge and stay out of trouble.
The majority of legal firms were already processing personal data when the 1998 Act came into force. They have been able to take advantage of the Act’s transitional provisions for existing clients. You all knew that, of course… The transitional provisions, which have allowed firms to delay the implementation of their compliance procedures, expire on the 24th October 2001. This means that the Act will be fully in force from this date. The following is offered as a guide to ensure that law firms, as Data Controllers, comply with the provisions of the Act.
What is Data Protection?
The Act prevents the processing of Personal Data unless that processing can be justified under one of the conditions set out in the Act. The personal data can be in electronic or manual form: your paper files are caught by the Act.
Some Important Definitions
The Act contains four basic terms that will be used throughout this guide. Although the definitions in the Act are complex, these are generally as follows:
- Data Controller – anyone who controls the processing of personal data. In practice, all legal firms will be data controllers.
- Personal Data – information that identifies a living individual. This includes names and addresses of employees and clients, e-mail addresses, CCTV images etc.
- Data Subject – a living individual who is the subject of personal data.
- Processing – any activity that can be carried out on personal data, from collecting through to archiving and destruction.
A Brief Overview of the Act
The three important practical points are these. First, all data controllers are required to register their processing of personal data with the Commissioner, unless they benefit from an exemption (“Notification”). Have your firm and its clients done so? Second, data controllers are obliged to comply with the eight data protection principles set out in the Act. Third, data subjects – your employees and clients – also have far wider rights in relation to the processing of their personal data, the most important being the right of access to their personal data (“Subject Access Rights”).
Data controllers must register all processing activities with the Office of the Information Commissioner. Notification can be done on-line at www.dataprotection.gov.uk. For general enquiries the telephone number is 01625 545 745. An annual fee of £35 is payable for the notification.
All partners of a firm are deemed to be data controllers jointly or in common for data used by the partnership. This means that a list of all partners must be notified to the Commissioner, including any changes to the partnership, as it is an offence not to keep the registration up-to-date. In addition to the name, address and contact information, the data controller will be expected to make a general statement about the types of processing undertaken and whether or not personal data are sent outside the European Economic Area (the “EEA”, which includes the Member States, Norway, Iceland and Liechtenstein).
The general statement includes information on the purposes of the processing, the data subjects whose information is being processed (for example, staff, clients, agents), the classes of the data being processed (for example, personal details, employment details, family circumstances) and the third parties to whom the data may be disclosed.
A typical law firm is likely to register for the following purposes:
- Personnel/Employee Administration – for example, recruitment, employee assessment and training, or analyses for management purposes.
- Marketing and Selling (including direct marketing to individual clients or contacts within a company) – for example, the distribution of marketing or promotional material by mail or e-mail.
- Purchase/Supplier Administration – for example, recording and processing goods received and payments.
- Legal Services
- Customer/Client Administration
Some data controllers may book foreign hotel rooms or airline tickets for their employees. As personal data may be available on their web site, this availability will effectively be a transfer outside the EEA. If personal data are transferred outside the EEA, then the notification must reflect this fact. The USA has introduced a “Safe Harbor” agreement but as yet only a handful of companies have signed up.
Data controllers will also be required to make a security statement, which consists of a series of questions to which the answer will be “yes” or “no”. Data controllers should be aware that if answers to the questions are “no”, they may be in breach of the seventh data protection principle.
It is a criminal offence to process personal data if not registered, or if changes to the registration are not notified to the Commissioner.
The Data Protection Principles
Data controllers must comply with the eight data protection principles. The Act provides that contravention of any of the principles enables the Commissioner to serve an enforcement notice on the offending data controller. Failure to comply with the notice within the specified period constitutes an offence under the Act and would mean incurring financial penalties. Enforcement notices may be appealed to the Data Protection Tribunal, which may uphold them, vary them or cancel them altogether. A data subject may also sue a data controller for compensation if he has suffered damage as a result of the breach.
The eight data protection principles are set out below.
The first principle
The first data protection principle requires personal data to be processed fairly and lawfully. To do so, processing must be justified under one of the conditions in Schedule 2 of the Act. The relevant Schedule 2 conditions enabling legal firms to process personal data are where:
- the data subject has given his consent to the processing;
- the processing is necessary for the performance of a contract to which the data subject is a party, or with a view to entering into a contract with the data subject, for example, for the provision of services; or
- the processing is necessary for compliance with any legal obligation to which the data controller is subject, for example, in order to comply with health and safety requirements a data controller may need to process personal data relating to accidents at work involving the data subject.
In addition, if a data controller is processing sensitive personal data (see box), a data controller must also justify that processing under one of the conditions in Schedule 3. The most relevant are:
- the data subject has given his explicit consent to the processing of personal data. In order for consent to be “explicit”, a data subject must be informed, in detail, of the purposes for the processing and the type of information that is to be processed;
- the processing is necessary for the purposes of exercising or performing any right or obligation that is conferred or imposed by law on the data controller in connection with employment; or
- the processing is necessary for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings), or is necessary for the purposes of establishing, exercising or defending legal rights.
In addition, the first principle requires that certain information be given to individuals about the processing of their personal data (“Data Protection Notices”).
The second principle
Personal data must only be obtained for the purposes specified in the data protection notice. Once the personal data are obtained, they must not be used for any purposes that exceed the original purposes.
The third principle
A data controller must only process personal data that are adequate, relevant and not excessive for its purposes.
The fourth principle
Personal data must be accurate and, where necessary, kept up-to-date.
The fifth principle
The general rule is that data should not be retained longer than is necessary. This is a potential “trap” for unwary law firms. Certain types of data have specified minimum periods of retention: personal data held in personal injury cases, for example, should be retained for at least three years, and in contractual disputes data should be held for at least six years. An exemption from this rule is that data held for research purposes may be held indefinitely, subject to compliance with certain conditions. The Law Society Guidelines prescribe that certain information should be retained for specified periods of time, sometimes up to a period of ten years after completion of the file, and this is acceptable in terms of the Act, but strictly each file must be evaluated on its merits and treated accordingly.
The sixth principle
Data subjects are given a number of rights under the Act. This principle imposes upon the data controller an obligation to ensure that it processes personal data in accordance with those rights.
Data subject rights are:
- The right of access to personal data (Subject Access Rights)
- The right to prevent processing that is likely to cause damage or distress
- The right to prevent processing for the purposes of direct marketing
- The right to object to automated decisions being taken in respect of important matters relating to the data subject
The seventh principle and ISO17799
The seventh principle requires that all data processing must be undertaken in a secure environment. This requires appropriate security measures to be adopted to ensure that unauthorised processing does not occur, and that data are not accidentally lost, stolen or destroyed. Do you know what ISO17799 is? If not – find out! It is a security standard for which Douglas Alexander, the e-commerce Minister, has voiced support on the basis that it will “bring risk assessment and security control closer to the heart of business processes.”
The eighth principle
This principle imposes a prohibition on the transfer of any personal data to a country outside the EEA that does not provide an adequate level of protection. The exceptions to this rule include transfers to those countries that have adequate data protection legislation and transfers where consent to the export has been obtained from the data subject. Your firm’s terms and conditions of engagement should take account of this.
Data Protection Notice
Data protection notices are notices containing certain information that data controllers must give to data subjects. If data controllers do not give the required data protection notice, they will not be processing personal data fairly in terms of the first principle. In order to justify certain types of processing under the first principle, the notice can also be used to obtain the consent of the data subject.
Data Protection Notices must include certain information as follows:
- a description of the data controller;
- a description of the information to be processed by the data controller;
- a description of the purposes for which the data controller will use the information;
- a description of the method the data controller will use to contact the data subject;
- a description of the parties to whom the data controller intends to disclose the information;
- a description of the purposes for which these third parties may use the data disclosed;
- an opportunity to object to being contacted for marketing purposes; and
- any other information that is necessary to make the processing fair, for example the right of data subjects to access their personal data and the right to rectify any inaccuracies in those data.
A data controller must ensure that a data subject has the information contained in the notice, unless the information is so obvious that the data controller believes the data subject already has it. For example, if a data controller only intends to use the personal data to provide legal advice to a client, then clearly the data controller does not have to provide the information, because it will be obvious to the data subject. However, if the data controller plans to send legal updates and other marketing material, then the data subject should be provided with the data protection notice. Think about the reasons for capturing data from your clients – indeed, think of the data as “their” data!
The data protection notice must also be given at the time of collection of the personal data. For example, a data controller with a website that collects customer information for marketing purposes should have a data protection notice displayed before the individual enters his information. Make sure your web designer/webmaster is aware of the law’s scope.
Subject Access Rights
The most significant right available to a data subject is the right to gain access to the data held about them by a data controller. Unless an exemption applies, a data controller should grant access to the data when requested to do so. A small fee can be charged (the statutory maximum is £10), if the right to charge has previously been brought to the data subject’s attention in the data protection notice. Once the request has been received in writing, enough information has been provided to identify the data sought, and the fee (if required) has been paid, a data controller has 40 days within which to comply with the request.
From 24 October 2001, all paper-based records that form part of a “relevant filing system” will be included in the ambit of a data subject access request. A “relevant filing system” is any set of information relating to individuals that is structured either by reference to individuals or by criteria relating to individuals in such a way that specific information relating to particular individuals is readily accessible. In other words, client files and virtually everything in them. Are your e-mails to your colleagues always complimentary about clients or your workmates? Many a harassment claim these days is e-mail based.
Subject Access - Exemptions
The data subject must be provided with a description of his personal data and a copy of those data, the purposes for which the data are being processed, the recipients to whom the data are disclosed and the sources of those data. There is a difference of opinion as to whether a full copy of the file must be handed over. Section 8(2) provides a “get out” if copying the relevant entries would involve disproportionate effort.
A data controller does not have to comply with a subject access request if an exemption applies, or to do so would disclose the identity of another individual.
The most important exemptions are:
- Confidential references – a data controller does not have to give access to a confidential reference that it has provided in respect of the data subject for employment purposes. However, the exemption does not extend to confidential references that the data controller has received from a previous employer, although access may be withheld if giving access would disclose the identity of the person who gave the reference.
- Management forecasts
- Legal Professional Privilege - certain information obtained by law firms pertaining to individuals may not be disclosed. The concept of legal professional privilege applies to information passing between a client and his solicitor or advocate (the purpose of legal professional privilege is to secure the proper pursuit of justice, and not for the protection of privacy).
- Legal Advice or Legal Proceedings - personal data does not have to be disclosed in response to a subject access request in any case in which the disclosure is made for the purpose of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.
The Office of the Information Commissioner is likely to ratchet up the enforcement of the Act after the transitional period ends. Managing Partners and HR departments should be carefully considering its impact.
For further advice, contact Paul Motion, Ledingham Chalmers paul.motion@LedinghamChalmers.com, or Emily Wiewiorka, Boyds email@example.com, or a member of the E-Commerce Committee of The Law Society of Scotland.