Finance Dublin
Data protection issues to loom larger
Institutions which control or process personal data cannot afford to ignore the provisions of the EU Data Protection Directive, which gives further protection to personal customers, write Orla O’Connor and Bob Clark. Even though implementing legislation may only be published this summer, the Directive may have had direct effect in Ireland since its transposition deadline of 24th October 1998. The key features of the EU provisions, particularly those which go beyond the Data Protection Act 1988, must be understood and taken on board now.
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted by the European Parliament and the Council on 24th October 1995. Draft legislation implementing the Directive, in the form of a Bill amending the Data Protection Act 1988, is expected to be published by the end of the summer.

What constitutes personal data
The Data Protection Directive extends the definition of personal data to ‘any information relating to an identified or identifiable natural person’. A simple name and address is personal data. Furthermore, the Directive applies to the ‘processing of personal data’, which is defined to include ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means’. The 1988 Act applied only to computerised personal data and not to personal data maintained in hard copy form only. The Directive therefore applies to any automated processing of personal data and also to manual processing, so long as the manually held data forms part of, or is intended to form part of, a structured filing system. It can also include visual data (e.g. medical scans).

Fair obtaining and processing
Article 6 of the Directive sets out the principles which must be followed to ensure the quality of personal data processing. Article 6 provides that personal data must be:-
• Processed fairly and lawfully. Processing covers every imaginable form of data capture, data use and data disclosure.
• Collected for specified, explicit and legitimate purposes and not further processed in any way incompatible with those purposes. In British Gas Trading Limited v the Data Protection Registrar, the UK Data Protection Tribunal held that the disclosure by British Gas Trading Limited (‘BGTL’) of personal data it had collected from individual customers for the supply of gas, for the purposes of debt collection and tracing, was an unlawful disclosure of data. In that case the Tribunal upheld the Registrar’s decision that personal data held by BGTL should not be processed to enable direct mail unrelated to gas supply to be sent to BGTL’s customers without their prior consent.
• Adequate, relevant and not excessive having regard to the purposes for which it is collected and/or further processed.
• Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it is collected and further processed, is erased or rectified.
• Kept in a form which permits identification of the data subject for no longer than is necessary for those purposes.

Restrictions on the processing of personal data
Article 7 of the Directive provides that personal data may be processed only where one of a limited number of grounds applies. These include:-
• the data subject has unambiguously given his consent; or
• processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject.

The Directive defines ‘the data subject’s consent’ as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’; under Article 7 this consent must be ‘unambiguously given’. The Directive also provides that, when collecting personal data from the data subject, the controller must provide the following information:-
• the identity of the data controller and of his representative (if any);
• the purposes for which the data will be processed;
• the recipients or categories of recipients of the data, and the purposes for which they will use it; and
• such further information as is necessary to guarantee fair processing, for instance (i) whether replies to questions are voluntary or obligatory, as well as the consequences of failure to reply, and (ii) the existence of the right of access to and the right to rectify the data.

The objectives of the Directive are similar to those of the Act, primarily that any consent is both transparent and informed.

In his 1998 Annual Report, the Irish Data Protection Commissioner considered a mail-out by a retail company which invited the addressees to join a loyalty card scheme and enclosed a loyalty card, the use of which would automatically enrol the potential customer. The question was whether this amounted to fair obtaining by the company of the customer’s personal data. The Commissioner concluded that it did, because the invitation letter contained a prominent and clear statement that, if a customer used the loyalty card, his name and address would be recorded by the company as part of its loyalty club membership, and that a customer who did not wish to become a member should destroy the card. This constituted clear consent. The lesson is to get the capture right at the outset of the relationship, because obtaining consent afterwards will be expensive and difficult to achieve.

Sensitive data
The Data Protection Directive provides that, subject to certain exceptions based on contract and/or explicit consent, Member States are obliged to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and the processing of data concerning health or sex life. These additional protections stem from the sensitive nature of this kind of personal data. It should be noted that there are no equivalent restrictions in the 1988 Act, which merely requires that a data controller who keeps personal data relating to these matters must register under the Act as a data controller and must demonstrate that it has taken appropriate security measures to prevent unauthorised access to the data. This provision has significant implications for the health and insurance sectors.

Rights of access
The Data Protection Directive guarantees certain rights of access for individuals which extend beyond the 1988 Act.

The data controller must:-
• confirm to a data subject on request whether data relating to him is being processed, and communicate the purposes of the processing, the categories of data concerned and the recipients to whom the data will be disclosed;
• rectify, erase or block data the processing of which does not comply with the provisions of the Directive, in particular incomplete or inaccurate data;
• notify third parties to whom the data has been disclosed of any rectification, erasure or blocking, unless this proves impossible or involves a disproportionate effort.

With the exception of the ‘blocking’ mechanism, these provisions are very close to the existing law.

Credit scoring and other automated individual decisions
The Directive introduces a concept previously unknown in Irish law: every person has the right not to be subject to a decision which produces legal effects concerning him, or which significantly affects him, and which is based solely on the automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness or reliability. The Directive goes on to oblige Member States to provide that a person may nonetheless be subject to such an automated decision where the decision (i) is taken in the course of entering into or performing a contract, provided the request for the contract was lodged by the data subject and suitable measures safeguard his legitimate interests, such as arrangements allowing him to put his point of view; or (ii) is authorised by a law which lays down measures to safeguard the data subject’s legitimate interests. The effect is that a Member State may permit automated credit scoring systems to be used, but only with safeguards such as an opportunity for the data subject to put his point of view before the decision is acted upon. This provision will therefore have significant implications for financial institutions and other credit providers who evaluate applicants using such systems. The shape of the Bill will have to be carefully monitored by financial institutions and others.

Security measures
The Data Protection Directive expands upon the ‘security’ requirements set out in the 1988 Act. In particular, it provides that the data controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, the measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Furthermore, where processing is carried out by a processor on the controller’s behalf, the Directive requires a written (or equivalent) contract which stipulates that the processor may act only on the instructions of the controller and that the same security obligations bind the processor. In practice this means that outsourcing arrangements, bureau services and shared IT facilities must each be covered by such a contract, and that the controller remains responsible for satisfying itself that the processor’s security measures are adequate.

It is not widely appreciated that a data controller who is not required to register under the 1988 Act must nonetheless comply with the data protection principles in Section 2 of the Act. This position carries over into the Directive, but at this stage it is not clear how the registration requirements will change.

Institutions are advised to ensure compliance with the Data Protection Directive because the rights it grants to individuals may be relied on by them notwithstanding the absence of implementing legislation. Procedures will, however, need to be reviewed again once draft legislation is circulated and appropriate advice taken.

©2024 Fintel Publications Ltd. All rights reserved.