Weblaw.co.uk» Data Protection Act

Data Protection and the workplace

jonkal — Sun, 06 Sep 2009 08:28:21 +0000

Data Protection – Regulatory Powers and Code of Practice

Please note the Law may have changed since publication of article.

We live in a world where our personal details are beknown to an ever-increasing number of people. Just look at the amount of mailshots that land on your doormat every day. Much of this information is obtained and/or used illegally being contrary to the Data Protection Act 1998 (”the Act”). The data protection regime is administered by the Information Commissioner and based upon 8 principles set out in the Act. Obviously, complete confidentiality is an unrealistic goal but there must be limits on what use can be made of our personal details and by whom. In this article, we will consider employers and regulatory authorities, two categories of entities who, subject to certain limits are entitled to ascertain, retain and use certain personal data.

Employers’ Rights

The Information Commissioner is issuing guidance on the Data Protection Act by way of codes of practice (”the Codes”). Part of the Codes has already been issued and some is in draft format. The Codes regulate employers’ rights and practices in relation to the personal data which they hold relating to their personnel. Employers must ensure that monitoring of employees complies with the principles set out in the Act.
In brief, any surveillance of employees’ activities in the workplace must fall into one of the approved categories and, ideally, should have been accepted, in advance, by the employee by way of signature of an email and internet use policy issued by the employer. Monitoring must be for a specific purpose, be “fair and lawful” and not involve the retention of more data than is appropriate. The employer must not retain the data for a period in excess of that necessary to serve the purpose and must do its best to ensure that the data is accurate.

The fifth Principle of the Data Protection Act 1998 states that “Personal data shall not be kept for longer than is necessary”. Earlier this year, the Information Commissioner published part 1 of her Codes catchily entitled “Information Commissioner’s Employment Practices Data Protection Code Part 1″. The guidance notes considers the question of retention of records in the context of Employment situations but does not specify a fixed period after which data must be destroyed. This, obviously only deals with employee data.

Employers would be well advised to make sure that their internet and email policy closely follows the various codes issued by the Information Commissioner. Any departure from the Act and codes may infringe the employee’s right to privacy (including correspondence in the workplace) under Article 8 of the Human Rights Act or otherwise expose the employer to various claims, the most common of which are usually based on alleged discriminatory conduct or, if the employee is dismissed, unfair dismissal.

Employers should remember that where the activities of their employees are illegal, it is nearly always the case that, as employers, they are responsible for the acts and omissions of their employees even if the employees are not acting in accordance with the specific instructions of their employers.

Regulatory Surveillance

A. S.22(4)of the Regulation of Investigatory Powers Act 2000, empowers “designated persons” to demand communications data from network or postal operators. The fundamental aim of this is to obtain data which may assist to stop organised crime. An important distinction has been drawn between the interception of communications data and communications content. Access to Communications Data is carried out under an exception to the Data Protection Act 1998. “Communications Data” is defined very broadly as “any traffic data comprised in or attached to a communication …..” Access to this data is not limited to law enforcement or intelligence agencies but will also be available, for example, to the Inland Revenue, Customs & Excise, the DSS.

Communications data is also known as “traffic data”. There is no specific definition but it can include information such as:

senders and addressees of emails
file size of emails and attachments
times and duration of phone calls
location data on mobile phone users
URL’s of websites visited
newsgroups accessed; and
phone no.’s sending and receiving faxes.

Although the National Criminal Intelligence Services wished for up to 7 years of communications data to be retained by Communications Service Providers, the Government’s official position was that mandatory traffic data retention for periods longer than those required for business purposes would not be introduced in the UK. However, the Government’s publicly stated position was belied by its efforts in Brussels to remove privacy protection in the review of the Telecoms Data Protection Directive when the UK government fought against the Directive’s ban on blanket data protection. In any event, the directive effectively allows for long-term retention in cases involving national or public security and the investigation of serious crime. After September 11, the Home Office announced that it would introduce a voluntary code of practice for Communications Service Providers to retain all communications data for up to 12 months with a veiled threat that if this were unsuccessful a mandatory scheme would be introduced.

© This article on data protection is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Call Centres and the Data Protection Act

jonkal — Sat, 08 Aug 2009 08:55:40 +0000

Some Legal Points to Note

Please note the Law may have changed since the publication of article.

Customers should be advised if their details are to be stored, by whom and for what purpose. So, if the call-centre is taking details on behalf of another company, the customer must be advised of the name of that company. The principle behind this is that a customer (a person who is a living individual and thus a “data subject” for the purposes of the Data Protection Act 1998) has the right to choose who they give data to.
If the call centre collects data for its own purposes, the customer has the right to choose not to have their data used and stored by the call centre.
A call centre can only use the data it has for the purposes it was collected. So, if a customer gives information in response to an “insurance survey”, those details cannot be shared with banks offering insurance products unless the customer has agreed to data about them being used and shared.
Data cannot be shared or transferred to third parties without the customers consent and may not be transferred to a party in a country outside the EU unless the country has laws which provide equivalent data protection laws or such laws have been deemed “adequate” by the Information Commissioner.
All EU countries have “adequate” protection as the DPA stems from a European Directive on data protection.
Data must only be stored for a reasonable length of time. Call centres must therefore ‘fillet’ their records periodically.
There has not been any data protection prosecutions so far, but the Commissioner has indicated that now the transitional phases are over, a tough stance will be taken against offenders.

All call centres should have a data protection policy in force and should ensure that the “legals” are read to customers at the beginning of the call so that the customer can choose whether to proceed. Some are still guilty of not doing this and of expecting customers to “opt-out” of having their details shared when in fact “opt-in” (i.e. a customer has to positively agree to have their details shared) is now the most legal approach. Call centres can also store data they collect from their clients and cross-seed the lists used for one “campaign” with another. Unless customers have agreed to this, such practices breach the DPA.

The “legals” used include giving the customer the choice of whether or not their details be retained and shared. Often the “legals” also include details of whether calls may be monitored and indeed if they are, customers must be made aware of this.

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

Spam – the legal position

jonkal — Sat, 08 Aug 2009 08:44:28 +0000

Please note the Law may have changed since the publication of article.

These days an average email inbox has more spam than a cold war bunker.

The Electronic Communications Privacy Directive reinforces the Data Protection Act 1998 (”DPA”) and prohibits the sending of email advertisements to individuals unless they have given their prior consent to be marketed to in that way.

The effect of the change is that an individual may only be marketed to by email if they have agreed to be marked to in this way – by “opt-in” to such mailshots. Previously a person plagued with spam would have had to reply on the DPA, the Interference With Goods Act 1977 (on the basis that a computer was “interfered with” by being used to receive spam and bulk mail) and in certain circumstances the Computer Misuse Act 1990, which carries criminal sanctions.

The Directive does permit businesses to be marketed to however if they have received emails previously on the same subject. This means a business must opt-out if it does not wish to receive further communications of that nature. No one in my firm admits to ever having bought Viagra, but I wonder whether the fact that everyone here is bombarded with several emails a day offering it at “unbelievable prices” or “excellent value”, would require us to opt out of receiving these and effectively let the spammer know the mail boxes they sent the mail to are active.

Of course new legislation is only as effective as the enforcement of it and bulk-mailers are notoriously difficult to catch. One of the main problems with spamming is establishing the source of it. If you have ever tried sending an “unsubscribe” message to such a ’service’ you will know that it often simply results in increased spam and junk mail. We shall have to wait and see the effect this new legislation has on spam received in the EU from computers located outside it and whether ISPs become more inclined to block service to people who spam for fear of being implicated under the Directive.