KNOWLEDGE BASE Data Protection Regulations In the UK
The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.
October 30th, 2019 Update: On March 29, 2017, UK Prime Minister Theresa May triggered Article 50, which formally started the process whereby the UK will leave the European Union. The original plan was for the UK to leave the EU on March 29th, 2019 but the process has proven to be very complicated and dates and outcomes have continued to shift. On October 28th, 2019, the EU agreed to push the extension deadline to January 31, 2020.
We will continue to update this bulletin as information is provided.
Data Protection Regulations In the UK
In the business world today, the collection, use, and disclosure of personal data by a company is an integral part of its functioning and success. Data collection, use, and disclosure activities carry many risks for both consumers and companies. For consumers, unauthorized access to and use of their personal data can mean identity theft, which can affect every aspect of their lives for many years. For companies, big, medium, and small, a data breach can be ruinous. After a security breach, companies face criminal prosecution, civil penalties, audits, lawsuit liability, the considerable expense of notifying customers, investigating the breach, compensating customers, and updating systems to prevent a recurrence, and a loss of profits from reduced consumer confidence and reputational damage.
What laws and regulations apply?
Many countries place great importance on, and impose strict obligations on, companies’ collection, use, and disclosure of personal data. The UK has a comprehensive data protection regime in place, which includes the Data Protection Act (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations (PECR).
Data Protection Act
To whom and what does the Data Protection Act apply?
The Data Protection Act requires that data controllers ensure that any processing of personal data for which they are responsible complies with the Act. You will be considered a data controller if you, either alone or jointly, determine the purpose for which and the manner in which any personal data are, or are to be, processed. This applies to “persons” recognized by law, which includes individuals, organisations, and corporations, whether incorporated or not.
Data controllers will usually be organisations or corporations, but can be individuals, e.g., self-employed individuals. Even if the responsibility is placed on an individual within your organisation or corporation, that individual will be acting on behalf of the organisation, and your organisation will be considered the data controller.
A data processor is any person, other than an employee of the data controller, who processes data on behalf of the data controller. Data processors are not directly subject to the Act. As a data controller, you remain responsible for ensuring all data processing complies with the Act, whether you process personal data in-house or hire or engage a data processor. If processing personal data is required by law, the person required to process the data is considered the data controller.
Most, if not all, data processors will also be data controllers, because of the processing they do for their own administrative purposes.
The DPA only applies to information defined as personal data. In general, determining what information is considered data under the DPA is relatively straightforward: it is (1) information processed, or intended to be processed, wholly or partially by automatic means, e.g., a computer, or (2) information processed by means other than automatic that forms part of, or is intended to form part of, a relevant filing system, e.g., manual information in a filing system. Data is considered personal if it relates to an identified or identifiable individual.
The DPA applies to the processing of personal data. Processing means obtaining, recording, or holding information or data or carrying out any operation or set of operations on the information or data, including: organisation, adaptation, alteration, retrieval, consultation, or use of the information or data, disclosure by transmission, dissemination, or otherwise making the information or data available, or alignment, combination, blocking, erasure, or destruction of the information or data.
The definition of processing is so broad that it is difficult to think of anything an organisation might do with information or data that would not be considered processing.
How do I comply with the Data Protection Act?
Schedule 1 to the DPA lists the following 8 data protection principles:
personal data must be processed fairly and lawfully;
personal data must be obtained only for one or more specified and lawful purposes and must only be processed in a manner compatible with said purpose(s);
personal data must be adequate, relevant, and not excessive in relation to the purpose(s) for which they are processed;
personal data must be accurate, and when necessary, kept up to date;
personal data must not be kept for longer than necessary for the given purpose(s);
personal data must be processed in accordance with the rights of data subjects under this Act;
appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
personal data is prohibited from being transferred to another country or territory
In practice . . .
The first data principle requires that you:
have legitimate grounds for collecting and using personal data;
not use data in ways that have unjustified adverse effects on the individuals concerned;
be transparent about how you intend to use the data and provide sufficient privacy notices to individuals when collecting the data;
handle people’s personal data only in a way they would reasonably expect; and
make sure you do not do anything unlawful with the data.
The second data principle requires that you:
are clear from the outset about why you are collecting the personal data and what you intend to do with it;
comply with the Act’s fair processing requirements—your duty to give privacy notices;
comply with the requirements on notifying the Information Commissioner; and
ensure that if you choose to use or disclose personal data for a different or new purpose, the new use or disclosure is fair.
The third data principle requires that you:
hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to the individual; and
do not hold more information than necessary for that purpose.
The fourth data principle requires that you:
take reasonable steps to ensure the accuracy of the personal data you obtain;
ensure the source of the data is clear;
carefully consider any challenges to the accuracy of the information; and
consider whether and when it is necessary to update the information.
The fifth data principle requires that you:
review the length of time you keep personal data;
consider the purpose(s) you hold the information for in determining whether and for how long to retain it;
securely delete personal data that is no longer necessary for the purpose(s); and
update, archive, and securely delete personal data that goes out of date.
The sixth data principle requires that you comply with the following rights of data subjects:
right of access to a copy of the personal data you have on the individual;
right to object to any processing that is likely to cause or is causing damage or distress;
right to prevent processing for direct marketing purposes;
right to object to decisions taken by automated means;
right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased, or destroyed; and
right to claim compensation for damages caused by a breach of the Act.
The seventh data principle requires that you:
design and organise your security to fit the nature of the personal data you hold and the harm that could result from a security breach;
be clear about who in your organisation is responsible for ensuring information security;
ensure you have the right physical and technical security, backed up by robust policies and procedures and a reliable, well-trained staff; and
are ready to respond to a breach.
The Data Sharing Code of Practice is a statutory code that provides advice to organisations that share data, either on an ongoing basis, e.g., a data sharing arrangement, or on an ad hoc basis, e.g., a single request for data.
As an employer, you are responsible for the protection of your employees’ personal data. The Employment Practices Code and the Quick Guide to the Employment Practices Code provide guidance to keep you within the law.
What are the risks of noncompliance?
The Information Commissioner’s Office (ICO) is tasked with enforcing the DPA. The ICO has a variety of enforcement mechanisms, which include: a notice of non-compliance, audits, monetary penalties of up to £500,000 for the most serious breaches, and criminal prosecution. The ICO has published a Guide on how it deals with complaints and a Data Protection Regulatory Action Policy. The ICO also publishes quarterly data breach trends.
Privacy and Electronic Communications (EC Directive) Regulations
The Privacy and Electronic Communications (EC Directive) Regulations complement the existing data protection regime and set out more specific privacy rights on electronic communications. PECR is derived from European law: it implemented the European Directive 2002/58/EC. PECR has been updated twice. The 2004 Amendment changed the rules on marketing calls to companies, and the 2011 Amendment changed the rules on cookies, reporting security breaches, and the Information Commissioner's Office’s enforcement powers.
To whom and what do the Privacy and Electronic Communications Regulations apply?
The PECR apply if you:
market by phone, text, email, or fax; or
compile a telephone (or similar public) directory.
The PECR apply to all cookies, including personal and anonymous ones. If cookie data is not anonymous, compliance with the Data Protection Act is also required. The PECR also apply to and affect mobile applications. Many applications store data on smart devices and some may also access data on a device, e.g., photos, contacts, etc. Clear information should be provided to users before they click to install an application. More information about privacy in mobile applications can be found in this Guide for app developers.
What are the important terms to understand?
What is a cookie? - Cookies, also known as browser cookies or tracking cookies, are small, often encrypted, text files that are downloaded onto the ‘terminal equipment’ (e.g., a computer or smartphone) when a user accesses a website. Cookies allow a website to recognize a user’s device and store information about the user’s preferences and past actions. Cookies are not only created by the website the user is browsing (often called first party cookies) but also by other websites that run ads, widgets, or other elements loaded on the page (often called third party cookies). Cookies can expire at the end of a session or they can be stored for longer. Session cookies expire after a browser session. Session cookies can be used to remember what a user has put in a cart or shopping basket, or for security reasons when accessing internet banking or webmail. Persistent cookies are stored on a user’s device in between browsing sessions and can be used to remember a user’s preferences and choices or for targeted advertising.
How do I comply with the PECR?
Regulation 6 prohibits a person from storing or gaining access to information stored in the terminal equipment of a user unless that user:
is provided with clear and comprehensive information about the purposes of the storage of or access to that information; and
has given his or her consent.
Essentially, a person setting cookies must:
tell people that cookies are being used;
tell people what the cookies are doing; and
obtain consent to store cookies on a user’s device.
There are only a few narrowly construed exceptions to Regulation 6.
Activities likely to fall within the exception include:
A cookie used to remember the goods a user wishes to buy when he proceeds to checkout or adds goods to his shopping cart.
Cookies that provide security that is necessary to comply with the security requirements of the seventh data protection principle for an activity that a user requested, like online banking.
Cookies that ensure the contents of your page load quickly and effectively by distributing the workload across multiple computers.
Activities unlikely to fall within the exception include:
Cookies used for analytical purposes, e.g., to count the number of unique visits to a website.
First and third party advertising.
Cookies used to recognize a user when they return to a website so that the greeting they received can be tailored.
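The Regulation 6 test and its narrow exception, as an added example that is not part of the original page or of any ICO guidance: a small server-side gate that parses Set-Cookie headers, classifies each as session or persistent, and lets only cookies whose purpose falls within the exception (basket, security, load distribution) be set before the user has consented. The purpose tags and the sample headers are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Purposes the page lists as likely to fall within the Regulation 6 exception.
# Anything else (analytics, advertising, tailored greetings, unknown tags)
# is treated as non-essential and must wait for consent (conservative default).
EXEMPT_PURPOSES = {"cart", "security", "load-balancing"}


@dataclass
class CookieDecision:
    name: str
    persistent: bool      # survives the browser session (Expires or Max-Age set)
    needs_consent: bool   # outside the strictly-necessary exception
    allowed: bool         # may be set in the current consent state


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie header into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs


def is_persistent(attrs: dict[str, str]) -> bool:
    """Session cookies carry neither Expires nor Max-Age; persistent ones carry one."""
    return "expires" in attrs or "max-age" in attrs


def decide(header: str, purpose: str, consent_given: bool) -> CookieDecision:
    """Regulation 6 gate: exempt purposes never wait for consent, all others do."""
    name, attrs = parse_set_cookie(header)
    needs_consent = purpose not in EXEMPT_PURPOSES
    return CookieDecision(name, is_persistent(attrs), needs_consent,
                          allowed=consent_given or not needs_consent)


def filter_cookies(tagged: list[tuple[str, str]], consent_given: bool) -> list[str]:
    """Return only the Set-Cookie headers that may be sent right now."""
    return [h for h, purpose in tagged if decide(h, purpose, consent_given).allowed]


# Constructed sample headers, each tagged with an assumed purpose label.
SAMPLE = [
    ("cart=abc123; Path=/; Secure; HttpOnly", "cart"),
    ("sid=ff00; Path=/; Secure; HttpOnly; SameSite=Strict", "security"),
    ("_ga=GA1.2.1; Max-Age=63072000; Path=/", "analytics"),
    ("ad_id=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/", "advertising"),
]
```

With no consent recorded, `filter_cookies(SAMPLE, False)` returns only the cart and session cookies; once consent is given, all four are released.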
What are the risks of noncompliance?
The Information Commissioner’s Office is tasked with the enforcement of the PECR. Enforcement can take the form of a notice compelling an organisation to come into compliance with the PECR, and failure to comply with this notice can be a criminal offence. The ICO can also impose monetary penalties at its discretion of up to £500,000. The ICO cookie enforcement information can be found on the ICO website.