The Data Protection Act requires you to process personal data fairly and lawfully. This section explains how to comply with this requirement, and gives examples of good practice in handling personal data.
The requirement to process personal data fairly and lawfully is set out in the first data protection principle and is one of eight such principles at the heart of data protection. The main purpose of these principles is to protect the interests of the individuals whose personal data is being processed. They apply to everything you do with personal data, except where you are entitled to an exemption.
So the key to complying with the Data Protection Act is to follow the eight data protection principles.
Later sections of the Guide deal with the other data protection principles in more detail.
In brief – what does the Data Protection Act say about handling personal data fairly and lawfully?
The Data Protection Act says that:
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
This is the first data protection principle. In practice, it means that you must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.
In more detail…
What are the “conditions for processing”?
The conditions set out in Schedules 2 and 3 to the Data Protection Act are known as the “conditions for processing”. Organisations processing personal data need to be able to satisfy one or more of these conditions. This will not, on its own, guarantee that the processing is fair and lawful – fairness and lawfulness must still be looked at separately.
The conditions for processing are more exacting when sensitive personal data is involved, such as information about an individual’s health or criminal record.
For further information, please read the section about the conditions for processing, with an explanation of what they mean in practice.
What does fair processing mean?
Processing personal data must above all else be fair, as well as satisfying the relevant conditions for processing. “Processing” broadly means collecting, using, disclosing, retaining or disposing of personal data, and if any aspect of processing is unfair, there will be a breach of the first data protection principle – even if you can show that you have met one or more of the conditions for processing.
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what their information will be used for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
The Data Protection Act says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised, or required, to provide it.
Personal data will be obtained fairly by the tax authorities if it is obtained from an employer who is under a legal duty to provide details of an employee’s pay, whether or not the employee consents to, or is aware of, this.
However, to assess whether or not personal data is processed fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually. If the information has been obtained and used fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will be a breach of the first data protection principle.
Personal data may sometimes be used in a manner that causes some detriment to (negatively affects) an individual without this necessarily being unfair. What matters is whether or not such detriment is justified.
Where personal data is collected to assess tax liability or to impose a fine for breaking the speed limit, the information is being used in a way that may cause detriment to the individuals concerned, but the proper use of personal data for these purposes will not be unfair.
Some organisations share personal data with other organisations. For example, charities working in the same field may wish to use or share supporters’ information to allow reciprocal mailings. Some companies even trade in personal data, selling or renting the information. The individuals concerned must still be treated fairly. They should be told that their information may be shared, so they can choose whether or not to enter into a relationship with the organisation sharing it.
Why and how personal data is collected and used will be relevant in assessing fairness. Fairness requires you to:
- be open and honest about your identity;
- tell people how you intend to use any personal data you collect about them (unless this is obvious);
- usually handle their personal data only in ways they would reasonably expect; and
- above all, not use their information in ways that unjustifiably have a negative effect on them.
Is it possible to use or disclose personal data for a new purpose?
It depends on whether it would be fair to do so. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.
A mail-order book and record seller has had some customers for many years and has regularly sent them catalogues of books and records. After a while the company also started selling audio tapes, CDs and DVDs. It is likely to be fair to start sending catalogues advertising DVDs to long-established customers, who are unlikely to be surprised that the company has diversified. However, customers are less likely to consider it reasonable if the company uses the interests they have shown by their purchases to promote another company’s themed holidays (for example, holidays in Salzburg for opera buffs). Passing details of customers and their interests to other companies for marketing is likely to be unfair unless they have agreed to this.
A bank records information about some of the individuals who are shareholders of its corporate account holders. It collects and holds this information to comply with its duties under anti-money laundering regulations. Unless the bank had obtained their prior consent, it would be unfair to use this information to send marketing material to the individuals concerned inviting them to open personal accounts with the bank.
As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers an easy way to opt out. If you intend to make a significant change, such as proposing to disclose customer information to others, you will usually need to get your customers’ consent.
Is it ever acceptable to disclose personal data to other organisations for them to use for their own purposes?
It depends. You may be approached by a third party seeking personal data about one of your employees or customers. For example, the police may want information in connection with an investigation, or an individual may want information to pursue legal action. In such cases, you may choose to disclose the information if the conditions of a relevant exemption are satisfied.
Unless one of these specific exemptions applies, individuals should generally be able to choose whether or not their personal data is disclosed to another organisation. If your intention to disclose information in this way was not made absolutely clear at the outset, at a time when the individual had the option not to proceed in their business relationship with you, then you will usually have to get the individual’s consent before making such disclosures.
A decision to share personal data with another organisation does not take away your duty to treat individuals fairly. So before sharing personal data, you should consider carefully what the recipient will do with it, and what the effect on individuals is likely to be. It is good practice to obtain an assurance about this, for example in the form of a written contract.
What about disclosures that are in the best interests of the individual concerned?
In some circumstances, disclosure to another organisation may be justified because it is in the individual’s best interests, even though none of the statutory exemptions apply.
A representative of a utility company calls at a property to cut off the electricity or gas. He finds that the property has been burgled and is not secure. The householder is out (and cannot be contacted). He therefore telephones the police. This is likely to involve disclosing the fact that the householder’s electricity or gas is being cut off for non-payment. In such circumstances, it is reasonable to assume that, even if the householder may be embarrassed that others will know they have not paid their bills, they would be concerned about the burglary and about the protection of their property.
However, such circumstances will be exceptional and will only arise where you have good reasons to believe that disclosure is justified. It is not acceptable to seek to justify disclosing customer information without consent to another organisation for marketing on the grounds that it is in the interests of customers to receive useful offers.
What about “privacy notices”?
The Data Protection Act does not define fair processing. But it does say that, unless a relevant exemption applies, personal data will be processed fairly only if certain information is given to the individual or individuals concerned. It is clear that the law gives organisations some discretion in how they provide fair processing information – ranging from actively communicating it to making it readily available.
The oral or written statement that individuals are given when information about them is collected is often called a “fair processing notice”, although our recent guidance uses “privacy notice” instead. However, it is probably helpful to avoid technical language altogether. Some of the most accessible notices for the public use phrasing such as “how we use your information”.
In general terms, a privacy notice should state:
- your identity and, if you are not based in the UK, the identity of your nominated UK representative;
- the purpose or purposes for which you intend to process the information; and
- any extra information you need to give individuals in the circumstances to enable you to process the information fairly.
The last of these requirements is vague. However, because the Data Protection Act covers all sorts of processing, it is hard to be prescriptive. When deciding whether you should give any other information in the interests of fairness, you have to take into account the nature of the personal data and what the individuals concerned are likely to expect. For example, if you intend to disclose information to another organisation, fairness requires that you tell the individuals concerned unless they are likely to expect such disclosures. It is also good practice to tell people how they can access the information you hold about them, as this may help them spot inaccuracies or omissions in their records.
When deciding how to draft and communicate a privacy notice, try to put yourself in the position of the people you are collecting information about. Ask yourself:
- do they already know who is collecting the information and what it will be used for?
- is there anything they would find deceptive, misleading, unexpected or objectionable?
- are the consequences of providing the information, or not providing it, clear to them?
We have issued a Privacy Notices Code of Practice to help organisations draft clear privacy notices and to ensure they collect information about people fairly and transparently. The Code explains that the duty to give a privacy notice is strongest when the information is likely to be used in an unexpected, objectionable or controversial way, or when the information is confidential or particularly sensitive. It also says there is no point telling people the obvious when it is already clear what their information will be used for.
When an individual enters into a mobile phone contract, they know the mobile phone company will keep their name and address details for billing purposes. This does not need to be spelt out. However, if the company wants to use the information for another purpose, perhaps to enable a sister company to make holiday offers, then this would not be obvious to the individual customer and should be explained to them.
What is meant by “lawful”?
This is another term that the Data Protection Act does not define. However, “lawful” refers to statute and to common law, whether criminal or civil. An unlawful act may be committed by a public or private-sector organisation.
If processing personal data involves committing a criminal offence, the processing will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence. Such a duty may be stated, or it may be implied by the content of the information or because it was collected in circumstances where confidentiality is expected – medical or banking information, for example;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations;
- a breach of the Human Rights Act 1998. The Act implements the European Convention on Human Rights which, among other things, gives individuals the right to respect for private and family life, home and correspondence.
However, although processing personal data in breach of copyright (for example) will involve unlawful processing, this does not mean that the ICO will pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them.