Data Protection
The Data Protection principles
For personal data to be lawfully processed in the UK, a data controller has to ensure that all processing activities with respect to personal data comply with the eight Data Protection Principles. The Principles comprise a broad code of good processing practice which balances the legitimate need for organisations to process personal data in order to deliver goods and services, but which at the same time protects the privacy of the individuals to whom such data relates.
Schedule 1 of the Act sets out eight Data Protection Principles which require personal data to be:
- processed fairly and lawfully, and to be processed only under certain specified conditions;
- processed only for specified lawful purposes and not processed in any way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purpose (or purposes) for which personal data are processed;
- accurate and where necessary kept up-to-date;
- processed no longer than is necessary for the purpose or purposes;
- processed in accordance with the rights of the data subject, e.g. so that a copy can be made available to the individual concerned;
- protected by appropriate technical and organisational measures; and
- not transferred to any country outside the European Economic Area unless that country ensures an "adequate level of protection" for the rights and freedoms of data subjects in relation to the processing of personal data, as judged acceptable by the EU.
Security and Data Processors
The seventh principle requires that all data controllers put in place appropriate technical and organisational measures to safeguard personal data against unauthorised or unlawful processing or accidental loss, destruction or damage. The interpretation section to this principle takes this requirement one step further by imposing upon all data controllers who use data processors certain additional obligations.
Data processors are defined in the Act as any person (other than an employee of the data controller) who processes personal data on behalf of the data controller. This is a very broad definition, made broader still by the wide meaning of "processing", which covers every processing operation imaginable from collection to destruction. A data processor is, therefore, anyone who does anything with or to personal data. For example, IT consultants, statutory auditors, pension administrators, external payroll providers, mailing houses and even other companies within a group are all potentially data processors.
The Act requires that a contract in writing must be put in place between the data controller and each of his data processors. The contract must:
- require the data processor to comply with obligations equivalent to those of the seventh principle. In fact, a data controller must not use a data processor who is unable to provide sufficient guarantees in respect of the technical and organisational security measures it will take in respect of the processing;
- grant to the data controller the right to audit the data processor at any time (this will enable the data controller to ascertain whether the data processor is complying with its contractual obligations); and
- specify that the data processor is to act only on instructions from the data controller.
It also makes sound commercial sense to ensure the contract specifies that under no circumstances will the data processor gain any rights in the personal data. The contract should also describe what is to happen upon termination (e.g. the return or irretrievable destruction of the personal data, or its retention by the data processor subject to continuing obligations of confidentiality).
Many organisations have for many years transacted business with their data processors in such a way that the initial contract (if there ever was one) has long expired, and the parties conduct their business on the basis of a course of dealings. There is no doubt that this is a contract. However, the Act requires that contract to be in writing, or at least evidenced in writing. Companies with group structures will also be affected and will have to put in place inter-group processor contracts, for example where one company deals with payroll for all the others and another handles the company car scheme for the group's employees. According to the European Commission, inter-group transfers may now also take place on the basis of "binding corporate rules", subject to strict conditions.