Privacy & Data Protection
The Ultimate Guide to the Data Protection Act 1998

Part V

The First Principle

Generally, unless a relevant exemption applies, all processing of personal data must comply with eight rules (see Part I of the Ultimate Guide for definitions of personal data and processing).  The Eight Data Protection Principles, as the rules are known, are set out in Schedule 1 to the Data Protection Act—a substantially similar set of rules applies to all personal data processing carried out in all Member States of the European Union.

This edition of the Ultimate Guide analyses the significance, for organisations, of the First Data Protection Principle.

The First Principle Defined

The Principles are set out in Schedule 1 to the Act.  The First Principle provides as follows:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

The First Principle therefore requires three things:

  • that personal data be processed fairly;
  • that personal data be processed lawfully; and
  • that at least one of a set of conditions applies to all personal data processing.

When processing sensitive personal data (see below), an organisation must additionally be able to show that it benefits from one of a set of further legitimising conditions.

Fair Processing

In determining whether any processing of personal data is 'fair', the Act requires that particular regard must be paid to the method by which the data were obtained.  Part II of Schedule 1 to the Act indicates that it is likely that processing will not be fair where the person from whom data are obtained is 'deceived or misled' as to the purposes of processing.

Further, personal data are not to be regarded as having been obtained fairly unless, at the time of the obtaining, or very soon afterwards, the relevant data subject is provided with information as to the identity of the data controller, the purposes of processing and 'any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair' (the 'information requirement').

The information requirement applies whether or not the data were obtained from the data subject. However, where the data were obtained from someone other than the data subject, e.g. by way of list rental, there is an exemption from the need to provide the information where to do so would constitute 'disproportionate effort'.

The Commissioner has indicated that all circumstances will be taken into account in determining what is 'disproportionate' in the context, including the nature of the personal data, the likely duration of their retention and the cost to the data controller involved in making the information available.

The information requirements will not apply where the data controller received personal data from another data controller, and that other data controller had informed the data subject of the transfer and of all the relevant information about the new data controller before the transfer took place.

Lawful Processing

To process personal data in compliance with the First Principle, the data controller must process the data 'lawfully'.  This means that a data controller must observe general legal obligations - both statutory and common law.

Of particular relevance will be the laws of confidence (especially that arising between the data subject and the data controller), ultra vires (where an action, e.g. by a local authority, is taken which is outside the scope of the organisation's powers) and Article 8 of the European Convention on Human Rights (the requirement for respect for privacy).

Legitimising Conditions

Unless there is a relevant exemption from the application of the First Data Protection Principle, personal data processing (including the obtaining and transferring of personal data) is unlawful unless one of the following six legitimising conditions exists:

1. The data subject has given his consent to the processing (see below).

2. The processing is necessary –

(a) for the performance of a contract to which the data subject is a party; or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.

5. The processing is necessary –

(a) for the administration of justice;

(b) for the exercise of any functions conferred by or under any enactment;

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department;

(d) for the exercise of any other functions of a public nature exercised in the public interest.

6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.

The Information Commissioner (the body responsible for enforcing the legislation) takes a wide view of the legitimate interests condition and recommends that two tests be applied to establish whether this condition may be appropriate in any particular case - both tests must be satisfied. The first is the establishment of the legitimacy of the interests pursued by the data controller or the third party to whom the data are to be disclosed.  The second is whether the processing is unwarranted in the particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.  The latter balancing test is weighted in favour of the data subject by the fact that, due to the protective nature of the legislation, the interests of a data subject will usually override those of the data controller.

 

Consent

The first, and most controversial, of the legitimising conditions is consent.  Consent is not defined in the Act, but the European Directive, upon which the Act is based, states that it means:

"…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed".

The word 'signify' indicates the need for some active communication between the parties and means that the non-response to a communication from a data controller cannot constitute consent.

Nevertheless, consent may be obtained by a number of methods.  Use of an opt-out clause is particularly popular with commercial organisations.  An example of such a clause is: 'Please put a tick in the box if you do not wish to be contacted in the future about products/services that we feel may be useful to you'.  It is important that such a clause is drafted to take account of all the anticipated uses of the personal data by the organisation concerned.  It may be for example that an organisation wishes only to send marketing information concerning its own products or services to its customers.  On the other hand, the organisation may wish to transfer copies of its customer database to 'carefully chosen' third parties.

Consent should be viewed as a last resort, not least because the Commissioner has indicated that she is not keen on organisations relying on consent generally.  Further, it must be borne in mind that it is inherent in the nature of consent that it can usually be withdrawn by the data subject at any time.

 

Sensitive Personal Data

There is a general ban on the processing of sensitive personal data, defined as information as to a person's religious beliefs or beliefs of a similar nature, racial or ethnic origin, membership of a trade union, political opinions, physical or mental health, sexual life or criminal convictions.

Schedule 3 to the Act contains a set of exceptions to the ban on the processing of sensitive personal data.  Examples of such exemptions (or legitimising conditions) include the 'explicit consent' of the data subject, compliance with employment law obligations, equal opportunities monitoring and the vital interests of the data subject.  Member States are permitted to create further exemptions - the UK has created a further ten such exemptions in the form of secondary legislation.  Organisations should (as part of a data protection audit or otherwise) ensure that they are aware of all the types of sensitive personal data that they process.  Any processing of sensitive personal data which is not needed for the proper or desired operation of the organisation should cease.

As with non-sensitive personal data, organisations should try to find a legitimising condition other than consent.  If explicit consent is the only likely candidate, then it must be borne in mind that 'explicit' in this context means fully informed and freely given consent.  This may require specific detail being given to the data subject on the precise uses for the data and any disclosures of the data that may be made by the data controller.

A full list of the exemptions from the sensitive personal data processing ban appears in the box.  Readers wishing to obtain further detail on the scope of the exemptions are directed to Schedule 3 of the Act, the Data Protection (Processing of Sensitive Personal Data) Order 2000 and Guidance from the Information Commissioner.

 

Exemptions to the First Data Protection Principle

Although none are of general applicability to commercial organisations, there are a number of exemptions from the need to comply with some or all of the First Data Protection Principle.

The exemptions that remove the need for relevant processing to comply with the First Principle in its entirety are as follows:

  • National security
  • Crime and taxation
  • Journalism, literature and art
  • Domestic purposes

There is an exemption from the 'fair' and 'lawful' processing requirements in the First Principle where the processing is for:

  • Public inspection
  • Disclosures required by law
  • Legal proceedings

Exemptions from the 'information requirements' contained in the First Principle are available for the following types of processing:

  • Health
  • Education
  • Social work
  • Regulatory activity
  • Public inspection
  • Corporate finance
  • Armed forces
  • Judicial appointments and honours
  • Crown or ministerial appointments
  • Management forecasts
  • Negotiations
  • Legal professional privilege

Conclusion

The First Data Protection Principle is arguably the most problematic for organisations in terms of data protection compliance. The First Principle not only requires that information be supplied to the data subject at the point of acquisition, but also that all processing comply with appropriate conditions.

 

© Privacy & Data Protection Limited, 2002