Data Protection – Regulatory Powers and Code of Practice

Please note the Law may have changed since publication of article.

We live in a world where our personal details are beknown to an ever-increasing number of people. Just look at the amount of mailshots that land on your doormat every day. Much of this information is obtained and/or used illegally being contrary to the Data Protection Act 1998 (“the Act”). The data protection regime is administered by the Information Commissioner and based upon 8 principles set out in the Act. Obviously, complete confidentiality is an unrealistic goal but there must be limits on what use can be made of our personal details and by whom. In this article, we will consider employers and regulatory authorities, two categories of entities who, subject to certain limits are entitled to ascertain, retain and use certain personal data.

Employers’ Rights

The Information Commissioner is issuing guidance on the Data Protection Act by way of codes of practice (“the Codes”). Part of the Codes has already been issued and some is in draft format. The Codes regulate employers’ rights and practices in relation to the personal data which they hold relating to their personnel. Employers must ensure that monitoring of employees complies with the principles set out in the Act.
In brief, any surveillance of employees’ activities in the workplace must fall into one of the approved categories and, ideally, should have been accepted, in advance, by the employee by way of signature of an email and internet use policy issued by the employer. Monitoring must be for a specific purpose, be “fair and lawful” and not involve the retention of more data than is appropriate. The employer must not retain the data for a period in excess of that necessary to serve the purpose and must do its best to ensure that the data is accurate.

The fifth Principle of the Data Protection Act 1998 states that “Personal data shall not be kept for longer than is necessary”. Earlier this year, the Information Commissioner published part 1 of her Codes catchily entitled “Information Commissioner’s Employment Practices Data Protection Code Part 1”. The guidance notes considers the question of retention of records in the context of Employment situations but does not specify a fixed period after which data must be destroyed. This, obviously only deals with employee data.

Employers would be well advised to make sure that their internet and email policy closely follows the various codes issued by the Information Commissioner. Any departure from the Act and codes may infringe the employee’s right to privacy (including correspondence in the workplace) under Article 8 of the Human Rights Act or otherwise expose the employer to various claims, the most common of which are usually based on alleged discriminatory conduct or, if the employee is dismissed, unfair dismissal.

Employers should remember that where the activities of their employees are illegal, it is nearly always the case that, as employers, they are responsible for the acts and omissions of their employees even if the employees are not acting in accordance with the specific instructions of their employers.

Regulatory Surveillance

A. S.22(4)of the Regulation of Investigatory Powers Act 2000, empowers “designated persons” to demand communications data from network or postal operators. The fundamental aim of this is to obtain data which may assist to stop organised crime. An important distinction has been drawn between the interception of communications data and communications content. Access to Communications Data is carried out under an exception to the Data Protection Act 1998. “Communications Data” is defined very broadly as “any traffic data comprised in or attached to a communication …..” Access to this data is not limited to law enforcement or intelligence agencies but will also be available, for example, to the Inland Revenue, Customs & Excise, the DSS.

Communications data is also known as “traffic data”. There is no specific definition but it can include information such as:

• senders and addressees of emails
• file size of emails and attachments
• times and duration of phone calls
• location data on mobile phone users
• URL’s of websites visited
• newsgroups accessed; and
• phone no.’s sending and receiving faxes.

Although the National Criminal Intelligence Services wished for up to 7 years of communications data to be retained by Communications Service Providers, the Government’s official position was that mandatory traffic data retention for periods longer than those required for business purposes would not be introduced in the UK. However, the Government’s publicly stated position was belied by its efforts in Brussels to remove privacy protection in the review of the Telecoms Data Protection Directive when the UK government fought against the Directive’s ban on blanket data protection. In any event, the directive effectively allows for long-term retention in cases involving national or public security and the investigation of serious crime. After September 11, the Home Office announced that it would introduce a voluntary code of practice for Communications Service Providers to retain all communications data for up to 12 months with a veiled threat that if this were unsuccessful a mandatory scheme would be introduced.

© This article on data protection is copyright Simon Halberstam  2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. the contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.