DLA Piper Intelligence
Data Protection Laws of the World

Law

United Kingdom
As a member of the European Union, the United Kingdom implemented the EU Data Protection Directive 95/46/EC in March 2000 through the Data Protection Act 1998 (‘Act’). Enforcement is through the Information Commissioner’s Office (‘ICO’). 

In common with the rest of the European Union, the United Kingdom will apply the General Data Protection Regulation ("GDPR") from 25 May 2018. When the United Kingdom leaves the European Union it will, in theory, be free to adopt its own data protection laws. Whilst it is widely expected that the United Kingdom will remain close to the standard set by the GDPR, it is currently too early to predict with any degree of certainty the extent to which future UK data protection laws will diverge from those of the European Union.

Last modified 26 Jan 2017
Definitions

Definition of personal data

‘Personal data’ is defined under the Act as data relating to a living individual who can be identified:

  • from the data, or
  • from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Definition of sensitive personal data

‘Sensitive personal data’ means personal data consisting of information as to:

  • the racial or ethnic origin of the data subject
  • his political opinions
  • his religious beliefs or other beliefs of a similar nature
  • whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
  • his physical or mental health or condition 
  • his sexual life
  • the commission or alleged commission by him of any offence, or 
  • any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Authority

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

T 0303 123 1113 (or +44 1625 545745 if calling from overseas)
F 01625 524510

www.ico.org.uk

Registration

Data controllers who process personal data must notify the Information Commissioner so that their processing of personal data can be entered in the public register of data controllers, unless an exemption applies.

Notification is made via a simple online form, and the ICO allows data controllers to use standard sector-specific descriptions of their processing when registering. These descriptions set out, in very broad terms:

  • what data is being collected
  • why the data will be processed
  • the categories of data subject the data is collected from, and
  • whether the data will be transferred either within or outside the European Economic Area.

Data controllers can also provide their own specific description of their processing, or tailor the standard sector-specific descriptions, if they wish.

Data Protection Officers

There is no requirement in the UK for organisations to appoint a data protection officer.

Collection & Processing

Data controllers may collect and process personal data only where at least one of the following conditions (set out in Schedule 2 to the Act) is met:

  • the data subject has given consent
  • the processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the data subject's request with a view to entering into a contract
  • the processing is necessary to comply with a legal obligation of the data controller (other than a contractual obligation)
  • the processing is necessary to protect the vital interests of the data subject
  • the processing is necessary for the administration of justice, for functions conferred by an enactment, for functions of the Crown, a Minister of the Crown or a government department, or for other public functions exercised in the public interest, or
  • the processing is necessary for the legitimate interests of the data controller, or of a third party to whom the data are disclosed, except where it is unwarranted by reason of prejudice to the rights, freedoms or legitimate interests of the data subject.

Where sensitive personal data is processed, one of the above conditions must be met plus one of a further list of more stringent conditions.

Whichever of the above conditions is relied upon, the data controller must provide the data subject with fair processing information. This includes the identity of the data controller, the purposes of processing and any other information needed under the circumstances to ensure that the processing is fair.

Transfer

Data controllers may transfer personal data out of the European Economic Area if any of the following conditions (set out in Schedule 4 to the Act) is met:

  • the data subject has given consent
  • the transfer is necessary for the performance of a contract between the data subject and the data controller, or for pre-contractual steps taken at the data subject's request
  • the transfer is necessary for the conclusion or performance of a contract between the data controller and a third party that is entered into at the request of, or in the interests of, the data subject
  • the transfer is necessary for reasons of substantial public interest, or is required by law
  • the transfer is necessary for legal proceedings, for obtaining legal advice, or for establishing, exercising or defending legal rights
  • the transfer is necessary to protect the vital interests of the data subject, or
  • the transfer is of part of the personal data held on a public register (subject to the conditions on which that register may be consulted).

Transfers to jurisdictions outside the European Economic Area are also allowed if the destination ensures an adequate level of protection for the rights and freedoms of data subjects (whether by a European Commission adequacy decision or, in the UK, by the data controller's own assessment of adequacy), if the transfer is made under ‘standard contractual clauses’ approved by the European Commission, or if it is covered by an organisation's Binding Corporate Rules. There is no requirement in the UK to notify the ICO of the use of standard contractual clauses or to file them with the ICO.

For transfers of data to the United States, a recipient's certification under the EU-US Privacy Shield framework can satisfy the UK's transfer restrictions.
Security

Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. The measures taken must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as mentioned above, and appropriate to the nature of the data.

The Act does not prescribe specific security measures. However, the ICO recommends that organisations adopt recognised best-practice frameworks such as ISO 27001.
Breach Notification

There is no mandatory requirement in the Act to report data security breaches or losses to the ICO or to data subjects. However, ICO guidance indicates that if a large number of people are affected or the consequences of the breach are particularly serious, the ICO should be informed.

Sector specific regulations/guidance do impose obligations to notify the relevant regulator and data subjects in the event of a security breach (eg the Financial Conduct Authority).

Mandatory breach notification

None contained in the Act. However, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PEC Regulations’), as amended, require providers of a public electronic communications service to notify the ICO (and in some cases subscribers) in the event of a personal data breach.

Failure to notify can result in a fine of GBP 1,000 and negative publicity.

Enforcement

In the UK the ICO is responsible for the enforcement of the Act. If the ICO becomes aware that a data controller is in breach of the Act, it can serve an enforcement notice requiring the data controller to rectify the position. Failure to comply with an enforcement notice is a criminal offence and can be punished with a fine of up to GBP 5,000 in the Magistrates' Court or an unlimited fine in the Crown Court.

The ICO can impose fines of up to GBP 500,000 for serious breaches of the Act. This penalty, introduced in April 2010, can be imposed in respect of breaches of the data protection principles which are:

  • serious, and
  • likely to cause substantial damage or distress and either
    • the contravention was deliberate, or
    • the data controller knew or ought to have known that there was a risk that the breach would occur and would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the breach.

Financial services firms regulated by the Financial Conduct Authority (FCA) may find that a breach of the Act also gives rise to enforcement action by the FCA in respect of a breach of the FCA Principles for Businesses. The FCA's enforcement powers are extensive and include unlimited fines.
Electronic Marketing

The Act applies to most electronic marketing activities, as they are likely to involve the processing and use of personal data (eg an email address is likely to be ‘personal data’ for the purposes of the Act). The Act does not prohibit the use of personal data for electronic marketing, but it gives individuals the right to prevent the processing of their personal data for direct marketing purposes (ie a right to ‘opt out’).

There are a number of different opt-out schemes and preference registers for different media types. Individuals (and, in some cases, corporate subscribers) can contact these schemes and ask to be registered as not wishing to receive direct marketing material. If advertising material is sent to a person on such a list, the ICO can impose sanctions using its powers under the Act.

The PEC Regulations prohibit the use of automated calling systems without the consent of the recipient. The PEC Regulations also prohibit unsolicited electronic communications (ie by email or SMS text) for direct marketing purposes without the prior consent of the consumer, unless all of the following apply:

  • the consumer provided their relevant contact details in the course of purchasing (or negotiating the purchase of) a product or service from the person proposing to undertake the marketing
  • the marketing relates to that person's own similar products or services, and
  • the consumer was given a simple means of refusing ('opting out' of) use of their details for direct marketing purposes both when the details were collected and in each subsequent marketing communication.

Each direct marketing communication must not disguise or conceal the identity of the sender and must include the 'unsubscribe' facility referred to above.

The restrictions on marketing by email or SMS apply only to individual subscribers, not to marketing sent to corporate subscribers.
Online Privacy

The PEC Regulations (as amended) deal with the collection of location and traffic data by public electronic communications services providers ('CSPs') and use of cookies (and similar technologies).

Traffic Data

Traffic Data held by a CSP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication.

However, Traffic Data can be retained if:

  • it is being used to provide a value added service, and
  • consent has been given for the retention of the Traffic Data.

Traffic Data can also be processed by a CSP to the extent necessary for:

  • the management of billing or traffic
  • dealing with customer enquiries
  • the prevention of fraud, or
  • the provision of a value added service.

Cookie Compliance

The use and storage of cookies and similar technologies requires:

  • clear and comprehensive information, and
  • consent of the website user.

The ICO has confirmed that consent can be implied where a user proceeds to use a site after being provided with clear notice (eg by way of a pop-up or banner) that use of site will involve installation of a cookie. 

Consent is not required for cookies that are:

  • used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
  • strictly necessary for the provision of a service requested by the user.

Enforcement of a breach of the PEC Regulations is dealt with by the ICO and sanctions for breach are the same as set out in the enforcement section above.

Contacts

Andrew Dyson
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +44 (0)113 369 2403

Ross McKean
Partner
T +44 (0)20 7796 6077