ILM Factsheet Dealing with data under the Data Protection Act 1998

Transcription

1 Prepared for ILM by Lester Aldridge Introduction Key issues for Charity Legacy Departments The Data Protection Act 1. What sort of information is protected by the Data Protection Act? 2. Is my charity processing data for the purposes of the Data Protection Act? 3. Is my charity a data controller? Complying with the Data Protection Act 1. The Data Protection Principles 2. The First Principle 3. The Second Principle 4. The Third to Eighth Principles 5. The Notification procedures 6. Requests for information under the Data Protection Act 7. Other legal requirements in respect of information 8. Best practice for legacy managers handling data 9. Some practical examples Introduction This is a guide to following the requirements of the Data Protection Act The Data Protection Act aims to promote high standards in the handling of personal information, balancing the rights of individuals to privacy and the ability of organisations to collect and process data for the purposes of their business. The Data Protection Act applies to firms holding information about living individuals in electronic format and, in some cases, on paper. However, it does not apply to information relating to deceased persons. When holding information about living individuals, organisations must follow the eight data protection principles of good information handling. These are that personal information must be: Fairly and lawfully processed Processed for specified purposes Adequate, relevant and not excessive Accurate and, where necessary, kept up to date Not kept for longer than is necessary Processed in line with the rights of the individual Kept secure Not transferred to countries outside the European Economic Area unless the information is adequately protected This guide covers the type of data protected by the Data Protection Act in more detail, what you need to do to comply with the Data Protection Act if you handle this sort of data, requests for information under the Data Protection Act and some best practice for handling data in legacy management. For more information see the Information Commissioner s website:

2 Lester Aldridge would be pleased to assist with any information handling and compliance issues. Please contact Rosemary Collins at These notes do not constitute a definitive or complete statement of the law, and are not intended to constitute advice in any specific situation. You should take legal advice in specific situations. Key issues for Charity Legacy Departments 1. Any information held on a computer, processed automatically or in a relevant filing system that relates to a living individual, and from which the individual could be identified, is protected by the Data Protection Act. This includes any personal data relating to executors or other beneficiaries of their estates. 2. Information relating to deceased supporters is not caught within the ambit of the Data Protection Act. 3. A data controller is any person who accesses personal data relating to a living individual held by the organisation for certain purposes and decides why and how to use that data. 4. Any person who holds, deals with or destroys personal data relating to living individuals will be processing data for the purposes of the Data Protection Act. 5. To comply with the Data Protection Act, a data controller must comply with the eight Principles of Data Protection (as outlined in more detail below). 6. Preferably an organisation should establish its own Data Protection policy which ensures that personal data relating to living individuals is processed in accordance with the eight Principles of Data Protection. 7. A Data Protection policy should include provisions which ensure that all processing of data is fair and lawful, the purposes for which data will be processed are specified, only relevant data is stored and maintained, data is kept accurate and up-to-date and data is destroyed once it is no longer required. 8. The organisation must ensure they are registered with the Information Commissioner, who maintains a register of data controllers and the purposes for which they use personal data. 9. Individuals have a right to a copy of any data you hold relating to them, and such requests must be dealt with within 40 days of receiving them. The Data Protection Act 1. What sort of information is protected by the Data Protection Act? Essentially personal data is protected by the Data Protection Act.

3 Data broadly is any information which is held on a computer, processed automatically or in a relevant filing system. A relevant filing system is any set of information relating to an individual which (although not processed automatically) is structured, either by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible. A relevant filing system might be any system of manual filing e.g. paper files, index cards, rolodex, non-automated microfiches, etc. where it is fairly easy to locate and extract information about a particular individual because the information is divided into categories. The Information Commissioner s guidance demonstrates that what is a relevant filing system will be interpreted quite broadly. The guidance states that sets of information: need not necessarily be grouped together in a file or files. They may be grouped together in some other way, for example, by prefix codes, or by attaching an identifying sticker within a file or files. Similarly, the information does not necessarily have to be grouped together in the same drawer of the filing cabinet or the same filing cabinet; nor does it necessarily have to be maintained centrally by an organisation [it] might be dispersed over different locations within the organisation, for example, different departments, branch offices, or via home workers. The case of Durant v FSA also considered what a relevant filing system is. The court held that manual filing would only be a relevant filing system if they were of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system. Any manual filing system: which, for example, requires the searcher to leaf through files to see what and whether information qualifying as personal data of the person who has made the request is to be found there, would bear no resemblance to a computerised search. A filing system containing files about individuals, or topics about individuals, where the content of each file is structured purely in chronological order will not be a relevant filing system as the files are not appropriately structured, indexed, divided or referenced to allow the retrieval of personal data without leafing through the file. In order to determine whether manual filing is a relevant filing system or not it might be helpful to consider whether a temp could find the information quickly. Following the case of Durant it is likely that legacy files consistent primarily of correspondence filed in date order will not be covered by the provisions of the Data Protection Act. However, files with separate sections of financial information or contact information could be covered. Rather than decide whether each separate file in your control would be covered by the Data Protection Act, we recommend that you have a data collection, retention, review and destruction policy that covers all your data as a matter of good organisation and professional practice. The sort of data protected by the Data Protection Act is personal data. This is any data which relates to a living individual and from which the individual could be identified (on its own or if combined with other information which is in the possession of, or likely to come into the possession of, the data controller). This may include:

4 Name Address date of birth opinions about the individual indication of the intentions of the data controller in respect of the individual indication of the intentions of another person in respect of the individual other information from which the individual can be identified Again, the Information Commissioner interprets this quite widely. The Information Commissioner s guidance states that data does not have to relate solely to one individual, for instance, where a number of individuals share one telephone number that number is personal information in respect of each of them. Some business information can be personal information. For example, information concerning a sole trader, relating to one specific partner in a partnership or relating to one individual in a department of a company. However, the information must focus on the individual, so that information which focuses on a property or a company department, is not personal information unless it goes further than recording the individual s involvement and could be said to compromise the individual s privacy. Also, data may constitute personal information which is capable of identifying an individual even if the name and/or address of that individual is not known. The Information Commissioner s guidance states that for information to be capable of identifying an individual it is sufficient if the data are capable of being processed by the data controller to distinguish the data subject from any other individual. Examples of this are CCTV footage, addresses, internet tracking, etc. Broadly speaking, you will be holding data protected by the Data Protection Act if you hold any information which relates to a living individual: On a computer; or In a manual filing system where the information is categorised (by individual or category, etc) and is relatively easily accessible. 2. Is my charity processing data for the purposes of the Data Protection Act? Processing for the purposes of the Data Protection Act broadly encompasses obtaining, disclosing, recording, holding, using, erasing or destroying personal information. Processing is probably without limit (Elizabeth France, first Data Protection Commissioner). A data processor is anyone who processes data i.e. obtains, holds, deals with or destroys data (unless they are an employee of a data controller see below). 3. Is my charity a data controller? A data controller is a person (generally an individual or a company) who determines the purposes for which and the manner in which any personal data are to be processed. The definition of data controller is very wide. In most cases where you are involved in processing data, you, or the organisation you are employed by, will be a data controller. In some cases you might both be data controllers, for example, if you access data held by the organisation for certain purposes and you decide why and how to use that data.

5 If you obtain, hold, deal with or destroy personal data you will be processing data for the purposes of the Data Protection Act. If you also decide why and how to use personal data, you are a data controller and must comply with the Data Protection Act. If you do not decide why and how to use personal data, your employer is likely to be a data controller and your employer must ensure that you comply with the Data Protection Act. Complying with the Data Protection Act 1. The Data Protection Principles Compliance with the Data Protection Act means complying with the eight Principles of Data Protection. The Principles are that personal information must be: Fairly and lawfully processed, and not processed unless: o one of the Schedule 2 conditions is met; and o one of the Schedule 3 conditions is also met where the data is sensitive personal data Processed for specified purposes Adequate, relevant and not excessive Accurate and, where necessary, kept up to date Not kept for longer than is necessary Processed in line with the rights of the individual Kept secure Not transferred to countries outside the European Economic Area unless the information is adequately protected 2. The First Principle It is important to note that simply meeting one of the Schedule 2 conditions (and one of the Schedule 3 conditions where sensitive personal data is involved) does not, on its own constitute compliance with the First Principle. The processing must still be fair and lawful. Sensitive personal data is information as to: The racial or ethnic origin of the individual The political opinions of the individual The religious beliefs and other similar beliefs of the individual Whether the individual is a member of a trade union The physical or mental health or condition of the individual The sexual life of the individual The commission or alleged commission of any offence by the individual Any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court is such proceedings In practice, it is not likely to be difficult to satisfy one of these conditions. You may, however, like to give some thought to having a system of requesting consent from individuals you deal with to the processing of their data. This would avoid the need to meet the criteria of one of the other conditions, which may be more difficult. The Schedule 3 conditions are much less likely to apply and particular care must be taken when dealing with sensitive personal data. In particular, obtaining explicit consent is much more difficult to achieve than consent under the Schedule 2 conditions.

6 As noted above, meeting one of the relevant conditions does not, on its own, constitute compliance with the First Principle. In addition, the data must be processed fairly and lawfully in general. The Data Protection Act gives further detail in regard to dealing with personal data fairly: 1. The way in which the data is obtained will be considered i.e. it is important not to deceive or mislead an individual as to the purposes for which the personal data is to be processed. 2. The data controller is obliged to provide the following information ( the fair processing information ) to data subjects when collecting their personal data: The identity of the data controller (and any representative); The purpose or purposes for which the data are to be processed; and Any further information which is necessary, taking into account the specific circumstances in which the data are or are to be processed, to enable the processing in respect of the data subject to be fair. Even where these requirements are complied with this will not ensure that the processing of any personal data is fair where there are other factors which would make the processing unfair. 3. The Second Principle The Data Protection Act provides guidance on the interpretation of the Second Principle. There are two ways a data controller may specify the purposes for which personal data is obtained: 1. In a notice given by the data controller to the data subject in accordance with the fair processing requirements (see above); or 2. By notifying the purposes on a data controller s Data Protection Register entry, through the Notification procedures The Third to Eighth Principles The Third Principle is much easier to interpret. Data controllers should identify the minimum amount of information they require for their purpose. If additional information is required in some cases the information should not be obtained routinely, but only in those cases. Some points to consider may be: the number of individuals on whom information is held the number of individuals for whom it is used the nature of personal data the length of time it is held the way it was obtained the possible consequences for individuals of the holding or erasure of the data the way in which it is used the purpose for which it is held Procedures should be in place to ensure that personal data is kept up to date and is not misleading or incorrect. A data controller should consider: recording when data is recorded or last updated, training or policies requiring employees to update data on certain events or

7 at certain intervals of time, whether out of date information is likely to cause distress or damage to the data subject, etc. Data controllers need to review personal data held regularly and delete information which is no longer required for their purposes. It may well be necessary to retain information after a matter has been concluded, for example, to defend future legal claims. If this applies, the information should be deleted after a reasonable time and once the possibility of requiring the information for this purpose no longer exists. Data controllers should develop their own retention policy in relation to the deletion of such information. You must ensure you have a policy of reviewing files and diarizing destruction dates (which you must be able to justify as being no longer than necessary). This Principle will be contravened if the data controller fails to: supply information requested by the data subject (see below) comply with notices given under the Data Protection Act The data controller must take reasonable steps to ensure the reliability of staff having access to personal data, to implement measures or policies with respect to dealing with personal data, to conduct risk assessments, to consider privacy enhancing techniques and technology, etc. If you are involved in transferring personal data outside the EEA, we recommend that you take further advice on the level of protection afforded by the country or territory you are dealing with. 5. The Notification procedures The Information Commissioner maintains a register of certain data controllers and the purposes for which they use personal information. Joining the register is called notification. Most large charities need to be registered because of fundraising activities, legal activities and trading or sharing personal information they are involved in. However, smaller charities may not need to be registered. In order to notify, a form must be completed (which is available from the Information Commissioner s website), signed and returned to the Information Commissioner. There are a number of templates which detail the purposes and processing that certain types of business carry out and these can be amended as required. Notification must be renewed annually and there is currently a 35 fee for notification. Requests for information under the Data Protection Act Under section 7 of the Data Protection Act, an individual has the right to get a copy from you of the data you hold relating to them. This is known as the right of subject access. An individual may make a request in writing (which includes ) to be told whether the data controller or someone else on the data controller s behalf is processing their personal data. This is known as a subject access request.

8 If you receive a subject access request you must deal with it promptly and in any case within 40 days of receiving it (and the fee if there is one). You should send the individual: a copy of the personal information you hold on them (in permanent form, unless this would involve disproportionate effort); any details available to the data controller as to the source of the data; details of the purposes for which it is being processed; and details of those to whom the personal information is or may be disclosed. The information must be in a form that the individual can understand, for example, it must be in a language they understand, or if coded they must be provided with the key to the code. You are entitled to charge a fee, currently up to a maximum of 10. Identifying other individuals Where it is not possible to comply with a subject access request without disclosing information relating to another individual who can be identified from that information, you are not obliged to comply with the request unless: the other individual has consented to the disclosure of the information to the person making the request, or it is reasonable in all the circumstances to comply with the request without the consent of the other individual. Where the individual who can be identified is the source of the information, the data controller must disclose as much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise. Other legal requirements in respect of information Confidentiality You may have obligations of confidentiality to persons you hold information about. This may, unlike the Data Protection Act regime, include organisations who are also beneficiaries. Ultra vires / Excess of delegated powers You or your charity may be restricted by your, or your charity s power or authority to do certain acts in relation to information. Legitimate expectation You must have regard to any legitimate expectations of persons as to how you will use any information concerning them. Human Rights Act 1998 You must have regard to Article 8 of the European Convention on Human Rights, which affords individuals the right to respect for private and family life, home and correspondence.

9 Freedom of Information Act 2000 If you disclose any information to a public authority (including local authorities, schools, universities, etc) the public authority may not be able to keep that information confidential. Under the Freedom of Information Act 2000, there is a general right of access to all recorded information held by public authorities. Best practice for legacy managers handling data Whether the Data Protection Act applies to your activities or not, compliance with Data Protection Act compliant procedures will be beneficial to your working practices. For example: Sending mail to incorrect addresses and generally out of date records wastes time and money and damages public relations. Good information handling improves your reputation and increases confidence in you. Good information handling reduces the risks of claims being made against you. The Information Commissioner has produced the following checklist which should assist you in improving information handling. Following the points does not guarantee compliance with the Data Protection Act, but it should stimulate you to think about your approach to information handling. Some practical examples Example 1 Dave is a legacy manager for a large charitable organisation, the Westcombe Nature Reserve Trust ( the Trust ). The Trust pursues a lot of different activities including fundraising, advertising, staff administration and it also gives legal advice relating to environmental laws and prosecutes breaches of environmental law. In order to deal effectively with the administration of legacies received each year from the supporters of the Trust, Dave has a computer database which lists the contact details of various lay executors. The Trust is a data controller, and because of the activities it pursues it must notify the Information Commissioner of what processing of personal information it conducts and the purposes it processes that data for. Dave s database is information which is protected by the Data Protection Act. The Trust and its employees can process the contact details it holds for the lay executors because it does not hold sensitive personal data and it processes the information necessarily in pursuit of a legitimate interest of the Trust (Schedule 2 condition 6). The Trust must comply with the Data Protection Act and so it would be wise for the Trust to have a policy for dealing with Dave s database to ensure that the eight Data Protection Principles are adhered to by Dave and anyone else using the database. This may mean restricting access by only giving passwords to those staff who really need to use the database, and diarising review dates to purge old information. For example, executor s details are unlikely to be needed for long after the administration of an estate has been completed and the executors have been released from their liability. Example 2

10 Reginald is a legacy manager for a small organisation, the National Benevolence Fund for Hindu Sadhus ( the Fund ). The Fund does not have any computers and Reginald conducts his work using paper files which contain correspondence filed in date order. Reginald has a number of files which are contested and on these matters he tends to hold information about various individuals religious views due to the nature of the Fund. Reginald s files will not constitute a relevant filing system covered by the Data Protection Act unless they are divided or indexed in some way so that information relating to an individual can be located quickly. However, Reginald should consider data protection issues so that he can be more efficient, reduce waste, maintain confidentiality, present a professional image, and inspire confidence. Reginald should consider the conditions to guide him as whether his use of personal data is necessary. Schedule 2 condition 6 and Schedule 3 condition 4, 5 or 6 are likely to cover his activity. Reginald should have a system by which he ensures that the information he holds is up to date, accurate and relevant and he should ensure his files are destroyed when they are no longer needed probably when any period for a potential appeal against court decisions to be lodged has expired. Reginald should also consider the security of the information, for example, keeping his files locked away when he is not using them rather than leaving them out on his desk for anyone to access.