This week we look at the last topic in our series of “back to data privacy basics”: individual rights.
Rights of individuals at the heart of data protection
As we have seen over this series, the protection of the privacy of individuals is placed at the heart of current data protection law. Organisations are permitted to process individuals’ data only under certain conditions, and in most circumstances individuals enjoy the right to information about what processing is taking place, and varying degrees of control over that processing.
These core principles of information and control pervade the current legislation in various ways: the fair processing requirements; data controller notification; and many of the gateway conditions which legitimise processing.
The rights which individuals enjoy under the current law has been brought into sharper relief as a result of the recent Google Court of Justice of the EU decision around a “right to be forgotten”. See our alert [ http://www.dentons.com/en/insights/alerts/2014/may/29/google-court-decision-the-right-to-be-forgotten ] for more on this.
However, even with the benefit of judicial intervention, specific individuals’ rights are very clearly enshrined in Part II of the Data Protection Act 1998 (DPA): The rights of data subjects and others. These specific protections cover the following:
Subject access: the right for a person to access a copy of his/her personal data;
Stop processing: the right to prevent processing likely to cause damage or distress;
Direct marketing: the right to prevent processing for the purposes of direct marketing;
Automated decisions: the right to prevent certain “significant” decisions being taken about them by purely automated decision-taking processes;
Compensation: the right to claim compensation for certain breaches of data protection law which cause damage or damage and distress.
Rectification, blocking, erasure and destruction: where data is inaccurate.
Rights in practice
In practice, the exercise by individuals of these rights has been quite varied, but one theme they all have in common, is that their exercise has been surprisingly infrequent given their potential scope and power.
The most frequently used exercised right is that of subject access. This right can be very important for individuals to understand what processing has taken place about them, and if necessary, exercise further rights. It is important that organisations have systems and processes in place to enable them to spot when a subject access request is made and deal with it in a compliant manner.
Perhaps, however, one of the most surprising features of the current regime has been the relative lack of claims for compensation for breach of the DPA. And in the limited number of cases where there have been claims, the compensation awarded by the courts has been relatively low. Part of the reason for this low take up is undoubtedly due to lack of knowledge among individuals that compensation is available. But an equally important factor may be the relative lack of ease of access to the Courts for exercise of this remedy.
The regulations build upon the existing rights of data subjects and look to introduce several new ones. The most eye catching of these are:
the right of “data portability”: this is the right for individuals to receive copies of their personal data in a common format such that the individual can use or pass on that information to a third party;
the right to “be forgotten”: a more extensive requirement for personal data to be deleted where requested by an individual; and
a right to object to “profiling”: for example where personal data is used for analytics.
All 3 of these rights have been hotly debated by different players in the information ecosystem, especially those significantly involved in big data. However, the current European Parliament draft of 12 March 2014 [see: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402] contains reference to all of them in varying degrees, and it looks likely that the final regulations will provide for at least the majority of them.
Practical advice for now and the future
Organisations need to make sure they can spot when individuals are exercising their rights and give effect to them in a compliant manner. One of the surest ways to invite an ICO investigation is for an organisation to repeatedly ignore legitimate attempts by data subjects to exercise their rights. This, on most occasions, tends to be as a result of simple failure on the part of organisations to spot a valid request, rather than deliberately ignoring them.
Against this background, one of the most important things an organisation can do is to ensure its staff are adequately trained to be able to spot when a request is being made, and to know what to do with it. This training should be supported by appropriate systems and processes, and written policies where appropriate.
Organisations should therefore make sure that they get this right now, ahead of implementation of the Regulations which will only build upon the current regime.
As to the future, whilst the exact final shape of the Regulations remains to be seen, it is clear that some important new rights will be introduced. Organisations should factor in the possibility of rights such as the right to be forgotten and data portability into any systems which are currently being designed or implemented in order to avoid the threat of considerable additional expense in the future.
This posting marks the end of our “Back to Privacy Basics” series. We hope you enjoyed it!