Introduction
The Data Protection Act 1998 (the “DPA”) tries to balance the rights of individuals against the rights of organisations that hold and use information about those individuals.
The DPA governs the “processing” of “personal data”. If you operate a business, you almost inevitably hold and use personal data. For example:
- The contact details of your customers and suppliers are personal data if those contact details contain information about individuals (e.g. the name, phone numbers and email address of your main contact at a customer)
- The details of your employees constitute personal data
Breach of the DPA can result in criminal as well as civil liability. The DPA is enforced by the Information Commissioner.
Processing
“Processing” is very broadly defined to include obtaining, recording, holding, using, disclosing or erasing data. Any activity involving personal data will fall within the definition of processing.
Personal data
The DPA defines “personal data” as data which relates to a living individual who can be identified:
- From the data; or
- From the data and other information which is in the possession of, or is likely to come into the possession of, the data controller
Personal data includes any expression of opinion about the individual and any indication of the intentions of you or any other person in respect of the individual.
Court cases about the DPA have helped clarify what is and isn't personal data:
1. “Personal Data” should be interpreted to mean data that:
- Affects an individual’s privacy in their personal, family, business or professional life
- Tells us something about them
- Goes beyond simply recording their involvement in something, unless there are also personal references about them
- Focuses on that individual rather than someone else
2. “Personal Data” is not:
- Just a reference to the individual’s name
- Personal data if it doesn’t affect the individual's privacy
An example
- A member of staff sends an email to Personnel complaining about their salary review (no figures given). This is not personal data – the focus of the data is on the salary review not the individual
- Personnel emails the staff member’s boss to inform him of the complaint (and nothing more). This is not personal data – the focus of the data is on the salary review not the individual
- The boss then emails Personnel saying why the salary review was low by referring to the staff member’s personality and overall conduct in the previous 12 months. This is personal data - the focus of the data is on the individual
ICO guidance
The ICO has issued a technical guidance document on what is personal data.
Data held in manual filing systems
Where data about individuals is held in a manual filing system, to be personal data the data must be held in a relevant filing system.
A manual filing system is:
- Typically something like a card file or a filing cabinet
- Not automated like a computer database
To be a relevant filing system, someone must be able to retrieve information about a specific person from the system. The ICO has issued a detailed FAQ on relevant filing systems that you should read if you are in any doubt about whether your manual system is subject to the DPA.
The data protection principles
The DPA sets out a number of "data protection principles" that govern how personal data must be processed. These are that:
- Personal data must be processed fairly and lawfully
- Personal data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes. "Processing" includes disclosure so that, for example, discussing the contents of a database with a third party may infringe this principle
- Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed
- Personal data must be accurate and, where necessary, kept up to date
- Personal data must not be kept for longer than is necessary
- Personal data must be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational security measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data must not be transferred outside the EEA unless the destination country ensures an adequate level of protection for the rights of the individual whose data is being processed
Sensitive personal data
The DPA defines sensitive personal data as including:
- Racial or ethnic origin
- Political opinions
- Religious or other beliefs
- Trade union membership
- Physical or mental health condition
- Sex life
- Criminal proceedings or convictions.
For sensitive personal data to be fairly processed (and therefore for you to comply with the DPA), you must meet at least one of several extra conditions. These conditions include:
- Obtaining the explicit consent of the individual to the processing
- Being required by law to process the information for employment purposes
- Needing to process the information in order to protect the vital interests of the individual or another person
How to make your business comply with the DPA
There is no simple way for a business to comply with the DPA. The steps a business must take depend on factors such as:
- The size of the business
- The nature of the business. A direct marketing business with lists of individuals that it targets with emails is likely to have to do more than a small design agency working solely for businesses, simply because the direct marketing business handles more personal data
We recommend the following steps as a starting point:
- Consider how to make your business comply with the data protection principles
- Notify the Information Commissioner of your processing (discussed below)
- Respond to individuals who request data about themselves (discussed below)
The Information Commissioner has a guide to DPA compliance for new businesses which is worth a look.
You should also consider the following steps to manage compliance with the DPA:
- Performing a data protection review or audit to assess how well your business complies with the principles and what it should do to improve its compliance. The Information Commissioner has produced a guide to auditing
- Drafting a data protection policy. The policy sets out how a business goes about complying with the DPA by detailing practical procedures such as data retention periods and how personal data is checked for accuracy
- Appointing a data protection officer (“DPO”). The DPO is usually responsible for formulating and implementing a data protection policy, and for responding to data subject access requests
The Information Commissioner has produced guidelines on how to apply the principles in specific situations:
Notifying the Information Commissioner of your processing
The DPA requires you to "notify" the Information Commissioner before you process personal data. Failure to notify is a criminal offence. You notify the Information Commissioner of the general sorts of “processing” that you perform. The information to be provided in the notification includes:
- The data controller’s contact details
- A description of the personal data being (or to be) processed by the data controller, and of the categories of data subject to which they relate
- A description of the purposes for which the data are being (or are to be) processed
- A description of any recipients to whom the data controller intends or may wish to disclose the data
- The names of any countries or territories outside the EEA to which the data controller directly or indirectly transfers the data
- A general description of the data controller’s security measures.
Once you have notified, the Information Commissioner places the details of your notification on the Register of Data Controllers, a public record available online.
Notification currently costs £35 per year. You can complete the notification form online but must complete the process by posting the signed form (and fee) to the Information Commissioner.
As well as notifying in the first place, you must also keep your notification up to date; it must correspond with how you actually process data. It is a criminal offence to fail to update register entries within 28 days of any changes occurring to the notified details.
Dealing with requests for information
The DPA gives individuals the right to access personal information held about them by an organisation. An individual does this by making a “subject access request” to the organisation. The key points are:
- You are obliged to respond to the subject access request within 40 days
- You do not have to respond to a request unless it is in writing
- You are entitled to charge a fee of up to £10 for dealing with the subject access request. If the individual has not sent you this fee, you can write to ask for the fee. The 40-day time limit will only begin running when you have received the fee
- You are only obliged to respond about information that constitutes “personal data” as defined by the DPA, not any other information
- Your obligation is to confirm whether you hold personal data about the individual and if so to:
  - provide a description of the data;
  - inform of the purposes the data is processed for;
  - inform of the recipients or the classes of recipients to whom the data may have been disclosed;
  - provide a copy of the information and explain any unintelligible terms;
  - provide any information you have about the source of the data;
  - explain how any automated decisions taken about the individual have been made and (if the individual has specifically requested it) the logic involved in any automated decisions.
- You must respond by supplying the information held about the individual in “permanent form” (e.g. letter or computer print out) unless
  - to do so is not possible; or
  - to do so would involve “disproportionate effort”; or
  - the individual agrees that you do not have to.
- You do not have to disclose information where to do so would disclose information about another individual unless
  - You have obtained consent from that individual to disclose the information; or
  - It is reasonable “in all the circumstances” to disclose it without obtaining the individual’s consent. We do not recommend that you rely on this exception without first obtaining legal advice.