Data Protection

The Data Protection Directive is European Union legislation which has to be complied with by all European Union member states.  The UK has implemented the directive through the Data Protection Act 1998 (“DPA”) and other European Union member states will have their own similar regime.  It is important therefore for a company operating in the UK to be aware of how it will be affected by the DPA.

Processing of Data

The DPA applies to “data controllers”, i.e. any person (legal or natural) who either alone or jointly (with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.  The DPA will apply to a company if it is “established” in the UK[1] and it processes automated personal data, i.e. by the use of a computer; however, the scope of the DPA also extends to some paper/manual records.

Almost anything a company does with personal data will be “processing”.  If a company collects or holds information about an identifiable living individual, or uses, discloses, retains or destroys such information, the company is likely to be processing personal data.  Personal data can include names, addresses (real or electronic), telephone numbers, job titles and dates of birth.  The information does not have to be confidential.  A simple list of clients on a computer will constitute personal data and even a telephone extension number may qualify as personal data where an individual can be identified from that number.

Scope of Data Protection

The scope of the DPA is very wide as it applies to nearly everything an organisation may do with an individual’s personal details.  This means that any organisation operating in the UK which holds information about individuals, whether employees, customers or anyone else, is affected by the DPA.

There are broad obligations on those who collect personal data and broad rights given to individuals about whom data is collected.  Breach of data protection laws can result in criminal and civil liability, as well as giving an organisation adverse publicity. The Information Commissioner’s Office (“ICO”)[2] can also impose monetary penalties of up to £500,000 for serious breaches of the DPA.

Notifications to ICO

Unless a company is exempt (i.e. it is processing personal data solely for staff administration, payroll, marketing and public relations) a company that is processing personal data must notify the ICO and provide the information required under the DPA which includes amongst other things:

  •   a description of the personal data being processed;
  •   a description of the purposes for which the data is being processed; and
  •   a description of any recipients to whom data is to be disclosed.

For those companies who notify the ICO, the ICO keeps a public register describing the processing of personal data done by that company. Notifications must be renewed annually and attract a fee dependent on the size and turnover of a company.  Each company in a corporate group is required to notify the ICO and cannot rely upon a single notification from its parent company.  Failure to notify where required to do so under the DPA is a criminal offence.

Obligations

Whether or not a company is required to notify the ICO, there are a number of obligations on companies who process personal data.  The 8 main principles are as follows:

  • personal data must be processed fairly and lawfully (e.g. the individual concerned must be informed that their data may be used for direct marketing purposes or sold/transferred to third parties and consent to their data being used in such a way);
  • personal data must be obtained only for one or more specified and lawful purposes and shall not be further processed in a manner which is incompatible with those purposes;
  • personal data must be adequate, relevant and not excessive in relation to the purposes for which it is processed;
  • personal data must be accurate and, where necessary, kept up to date;
  • personal data must not be kept for longer than is necessary;
  • personal data must be processed in accordance with the rights of the individuals concerned under the Data Protection Act 1998;
  • appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of or destruction or damage to personal data; and
  • personal data must not be transferred outside the European Economic Area (EEA) unless the destination country ensures an adequate level of protection for the rights of the individual concerned in relation to the processing of personal data.

Stricter rules apply to processing sensitive personal data which includes data relating to race, political opinions, health, religious and other beliefs, trade union membership and criminal records.  In particular, explicit consent must be obtained to process this information.

Rights of Individuals

The DPA gives rights to individuals in relation to data held on them by a company.  For example, an individual has the following rights:

  •   access to their data;
  •   information on what is being done with their data;
  •   details of who the data has been given to;
  •   rights to damages;
  •   to rectify, block or erase inaccurate personal data; and
  •   limited right to prevent processing of data where it is likely to cause substantial damage or distress.

Transfer of Personal Data

Following the setting up of a company in the UK, some functions of the UK company may be moved to group subsidiaries or suppliers outside the UK (e.g. billing, direct marketing, support, payroll and recruitment).  Transfers of personal data can be made without additional restrictions within the European Economic Area (“EEA”)[3]; however, the transfer of personal data outside the EEA is only allowed where the country or territory in question ensures an adequate level of protection for the personal data, where the individual consents, or where the transfer is subject to standard conditions drafted by the ICO ensuring adequate safeguards.  Breaching these rules is not a criminal offence, but enforcement notices can be issued which will usually require compliance with the relevant laws.  Failure to comply with an enforcement notice is a criminal offence. Companies and directors can also face fines and prosecution for failure to comply with data protection laws.

Processing Personal Data on Behalf of Another

Where a third party processes data on behalf of a company, the company must be aware that it:

  • is responsible for compliance with the DPA;
  • must have a written agreement with the third party;
  • is responsible for ensuring appropriate data security measures have been taken by the third party; and
  • must have the right to monitor the third party.

Codes of Good Practice/Other Considerations

There are numerous Codes of Practice for various industries in relation to data protection which help keep companies compliant with the DPA.  For example, the DPA is applicable where website operators collect personal information via the internet, and a code of good practice published by the ICO recommends that a company should provide the individual with certain fair processing information.  This includes informing individuals of the personal data that will be held by the company and what it will be used for.

Appropriate legal advice should always be sought if a company has any concerns about compliance with the DPA and whether it is required to make any notification to the Information Commissioner’s Office (“ICO”)[4].

This guidance is intended to provide certain information which may be of interest to an overseas company wishing to set up in the UK.  It is not intended to be a full and comprehensive guide, nor to provide any specific legal advice and it does not discuss the special rules or regulatory requirements which apply to certain special types of companies in the UK.  Professional advice should always be sought in relation to any specific situation.

Copyright SGH Martineau LLP

November 2010



[1] This includes UK registered companies and those who maintain an office, branch or agency in the UK.

[2] The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.

[3] European Union member states plus Norway, Iceland and Liechtenstein.

[4] The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promote openness by public bodies and data privacy for individuals.