Rights of Individuals

In the last edition we considered the right of data subjects to gain access to their personal data held by data controllers. This time we examine data subjects' remaining rights under the Act.

In addition to the data subject access right, individuals have five further rights under the legislation. This article examines the nature of these rights.

It should be remembered that UK businesses are under an obligation to process data in such a way as to be compatible with these rights. The Sixth Data Protection Principle provides: 'Personal data shall be processed in accordance with the rights of data subjects under this Act'.

The rights of individuals are central to the operation of the Act, which itself is based on a Directive that has as its main aim the protection of the privacy rights of individuals. The rights of data subjects are all contained in Part II of the Act.

Many of the rights are exercisable by giving 'notice in writing' to the data controller. Such a method would cover letter, fax and email.

In many cases, the rights will not come fully into effect until 24th October 2001.
Cessation of Processing

Under s.10 of the Act, any data subject can request any data controller to cease or not begin processing of personal data of which he is the data subject on the ground that: '(a) the processing of those data is likely to cause substantial damage or substantial distress to him or another, and (b) that damage or distress is or would be unwarranted'.

However, the right to request the cessation of processing is substantially limited by s.10(2) - it does not apply where the processing being undertaken is with the consent of the data subject, necessary for the performance of a contract with the data subject, necessary for compliance with a legal obligation or to protect the vital interests of the data subject.

Once a data controller receives a request for the cessation of processing, it must respond to the data subject in writing within 21 days. The response must either outline the data controller's intention to comply with the request or explain why the request is unjustified.

The right to cessation of processing is enforceable by court order where the data controller refuses to comply.
Direct Marketing

Direct marketing ('the communication of any advertising or marketing material which is directed to particular individuals') is an increasingly common method used by businesses to promote their products and services. It takes many familiar forms such as 'junk mail', commercial emails, and cold calling. It also includes advertising online which has been specifically targeted to a particular individual, e.g. banner advertisements on websites that appear only to certain specifically chosen surfers.

The Act recognises a need for individuals to be able to refuse to receive direct marketing material. In section 11 it gives an absolute right to individuals to require any UK business to stop sending direct marketing materials. The right must be exercised in writing to the data controller and is enforceable by court order where the data controller fails to comply.
Automated Decisions

There are two main rights in respect of 'automated decisions' (those decisions that are taken based solely on processing which has been undertaken by automated means and which substantially affect the data subject).

The first is the right of an individual to request that no automated decisions are taken about him for the purpose of evaluating matters relating to him. Such matters might, for example, be credit worthiness (automated credit scoring), reliability (automated time recording systems) or performance at work (automated performance indicators).

The second right is that an individual is entitled to be informed when an automated decision has been taken. This right applies only in the absence of any request having been received by a data controller for the cessation of automated decision taking. Any data controller that takes an automated decision must inform the relevant individual that such a decision has been taken as soon as reasonably practicable. The individual then has 21 days in which to require the data controller to re-take the decision by alternative means (i.e. with some human intervention).

Where the individual sends such a notice (known as a 'data subject notice') to the data controller, a further period of 21 days arises during which the data controller must write to the individual specifying the steps he intends to take to comply with the notice.

Neither the right of an individual to request that no automated decisions are taken concerning him nor the obligation on a data controller to inform the individual that an automated decision has been taken apply to an 'exempt decision'.

An exempt decision is one where one of the conditions from each of the following two lists is present. The first list, contained in s.12(6), is the following:

(a) the decision is taken in the course of steps taken for the purpose of considering whether to enter into a contract with the data subject; or
(b) the decision is taken in the course of steps taken with a view to entering into such a contract; or
(c) the decision is taken in the course of steps taken in the course of performing such a contract; or
(d) the decision is authorised or required by or under any enactment.

The second list, in s.12(7), contains the following two alternatives:

(a) the effect of the decision is to grant a request of the data subject; or
(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

As with the other rights, the right to have a decision re-taken by non-automated means is enforceable by court order.

It should be remembered that where an individual makes a data subject access request (see Volume 1, Issue 6), he is entitled to be informed of the logic involved in automated decision-taking. In most cases, this will require data controllers to explain, in general terms, how the relevant software operates and what criteria are taken into account in drawing any relevant conclusions.
Compensation

Section 13 of the Act states that compensation may be claimed by any person who suffers damage as a result of the contravention by the data controller of any provision in the Act.

Compensation may also be claimed where a person suffers distress as a result of the data controller's contravention of the Act. However, to obtain compensation for distress, the data subject must show either that she has suffered damage, or that the contravention in question relates to processing for one of the following purposes:

- journalism,
- art, or
- literature.

In a court action for compensation for damage and/or distress, it is a defence for the data controller to show that all reasonable care was taken to comply with the provision concerned.
Rectification, Blocking, Erasure and Destruction

The rather confusing terminology that comprises the right to 'rectification, blocking, erasure or destruction' largely means that an individual is entitled to have any inaccuracies put right in relation to data held by any data controller.

Section 14 makes such a right enforceable by court order. Usually a data subject would become aware of inaccuracies in data either where he has received some communication from a data controller, or where he has made a data subject access request.

Where data held by a data controller are inaccurate because they were supplied to the data controller in that form, a court may order that those data be supplemented by a court-approved statement of the true facts.

In some cases, inaccurate data held by a data controller will have been passed on to a third party by that data controller. If that happens the court may make an order that the data controller must inform the third party of the inaccuracy and of the need for rectification, blocking, erasure or destruction.

Such an order may be made by a court where the data subject is entitled to compensation for damage as a result of the failure of the data controller to comply with any provision of the Act, and there is a substantial risk of further such failure.

To overcome the financial difficulties that may be faced by data subjects wishing to avail themselves of this right, the court costs may be met by the Information Commissioner, but only in cases which involve matters of 'substantial public importance'.
Conclusion

Businesses must ensure that their processing activities are carried out in compliance with the rights of data subjects. An assessment should be undertaken to determine whether any 'automated decisions' are made, and there should be a system in place whereby checks on the accuracy of data held are made on a regular basis.

Businesses must ensure that their customer and prospective customer databases are set up in such a way that an individual's details can be suppressed from mailing lists for direct marketing purposes where such an individual makes a request for the cessation of direct marketing.

This article has not dealt with the 'Request for Assessment' procedure contained in s.42 of the Act - the ability to ask the Information Commissioner to investigate the lawfulness of any given data controller's processing. A future article in the Ultimate Guide series will examine Requests for Assessment.