The duties of data controllers
Data Protection imposes three basic duties upon data controllers:
- Firstly, a data controller may only process data where such processing is in accordance with the ‘criteria of legitimate data processing.
- Secondly, all data processing must be in accordance the principals of data protection.
- Finally, stricter rules are imposed upon the processing of what are termed ‘sensitive categories of personal data.
Each of these duties is discussed in further detail below.
The criteria for legitimate data processing
This is often thought of as the requirement that data can only be processed with the consent of the subject. The difficulty with consent is that it must be ‘freely given’, which means that it can be revoked at any time. As a result sensible EU data controllers prefer to process data on an irrevocable basis, such as in fulfilment t of a contract made with the data subject or in discharge of a statutory function. These criteria are set out in section 2A of the Data Protection Acts. There are 9 such criteria, namely:
- Performance of a contract;
- Compliance with a legal duty;
- To avoid an injury being caused to the data subject, serious damage to his property or to protect another of his vital interests;
- The administration of justice,
- Statutory functions,
- Government or ministerial functions;
- any other function of a public nature performed in the public interest by a person,
- In the controllers legitimate interests, so long as there is no unwarranted interference in the rights of data subjects.
Section 2A goes onto provide that the Minister for Justice may set out the conditions under which the last of these criteria is to be satisfied. Whether he can in fact do so would seem to be an open to question following the decision of the European Court of Justice in the
Whilst it is the criterion most commonly thought of, ‘consent’ is the weakest of the above criteria. The meaning of ‘consent’ has been analysed in detail by Europe’s Data Protection Commissioners. Article 2(h) of the Data Protection Directive requires that consent be a ‘freely given specific and informed indication’ of the subject’s wishes. Article 7(a) goes onto state that such consent must be ‘unambiguous’ Given these limitations it is thought better to rely upon another criterion such as a contractual obligation or statutory power, since these are comparatively irrevocable. So an employer would be better to say that he processed his employees data to fulfil obligations under the contract of employment or statute than on the basis of consent, since given the nature of the employment relationship an employee may not be able to ‘freely give’ his consent.
The Principles of Data Protection
Once a data controller has established that he has a legitimate basis for processing personal data he must ensure that his processing is in accordance with the principles of Data Protection. This means that processing must be:
- For a specified and legitimate purpose;
- Not incompatible with that purpose;
- Adequate, relevant but not excessive;
- Not for longer than is necessary for that purpose;
Processing will only be deemed fair if the subject is informed of it in accordance with section 2D of the Data Protection Acts. The obligation to secure data is further defined by section 2C. Critically data can only be processed for a specific purpose, one which has been disclosed to the data subject in advance. The specific purpose requirement probably that which imposes the greatest burden upon data controllers. Gather data for one purpose, say processing a phone bill, and you cannot use it for another, say marketing.
Categories of special or sensitive data
Finally, there are a range of specific requirements for specific forms of data. Special controls are placed upon the processing of what are termed special or sensitive categories of personal data. The Data Protection Actsdefine such data being that which reveals:
- Racial or ethic origin;
- Political opinions;
- Philosphical or religious beliefs;
- Trade union membership;
- Physical or mental health;
- Sexual life;
- Offences committed or alleged to have been committed
- Prosecutions taken, convictions obtained and punishment imposed.
Section 2B of the Data Protection Actsgoes onto provide that such processing may only take place only on the following bases.
- Explicit consent;
- Specific obligations under employment law;
- In the vital interests of the data subject, where the subject’s consent cannot be given;
- Processing is undertaken in pursuit of the legitimate interests of an organisation or institution of which the subject is a member or with whom the subject is in regular contact;
- Processing relates to data manifestly made public by the subject.