
Europe under Review: Part 3 of 8 – Accuracy and Proportionality

As the next in our series of “back to privacy basics”, we look at the rules regarding accuracy and proportionality in the processing of personal data.

As we will do throughout this series, we take a look at the current position and what is best practice for an organisation.  We will also briefly consider what the new Data Protection Regulation may mean in this area.

Accuracy and proportionality

Data protection law requires the data controller to ensure personal data is accurate and up-to-date. In practice this means an organisation should:

  • try to ensure personal data it collects is accurate;
  • keep a record of the source of any personal data;
  • assess the risks of personal data being, or becoming, inaccurate; and
  • consider how it will ensure the information stays up-to-date.

Data protection law also requires that personal data collected is not excessive for the purpose for which it was collected. In practice this means organisations should not hold more information about the individual than it needs.

Best Practice

Organisations should consider these simple steps for keeping data up to date:

  • Before adding information to your database, ask the individual to confirm it is accurate. For example, in call centre scripts, ensure the operator reads the information back to the individual and confirms it is correct.
  • Ask the individual to confirm the data remains accurate on a periodic basis. For example, once a year when an individual logs into their account, you could present their information to them and ask them to amend it, or tick a box to confirm it is accurate.
  • If you replace IT, securely delete personal data from legacy systems. If the database is not maintained, get rid of it!

Similarly, procedures should be put in place to ensure you are not collecting excessive data:

  • Review your databases regularly and ask yourself if you need all of the information you are collecting. If not, stop collecting it!
  • Don’t hold personal data on the off-chance that it might be useful in the future – you must know the purpose for collecting it first!
  • It’s ok to hold information, even if you never need to use it, as long as you are holding it for a legitimate purpose – for example, emergency contact details.
  • Identify information that is insufficient for its intended purpose – for example, CCTV images that are of such poor quality that they cannot achieve their purpose.

Position under draft Data Protection Regulation

The draft Data Protection Regulation raises the bar:

  • It requires that “every reasonable step” must be taken to ensure that inaccurate personal data are erased, or corrected, without delay.
  • Only “the minimum necessary” information may be collected and may only be processed if processing non-personal information could not fulfil the purposes. So regulators are likely to expect anonymisation of data where de-personalised data could achieve the same purpose.

It remains to be seen what will be considered as sufficient to comply with the new requirements of the Regulation. However, the good practice steps identified above are a good starting point. Next up in our series is the topic of data retention.


Europe under Review : Part 2 of 8 – Data Collection

As the next in our series of “back to privacy basics”, we look at the rules regarding the collection and processing of personal data.

As we will do throughout this series, we take a look at the current position and what is current best practice for an organisation.  We will also briefly consider what the new Data Protection Regulation may mean in this area.

Data Collection

Data protection law requires all processing of personal data to be fair and lawful. Translating from data protection jargon this means ‘transparency’ and ‘legitimacy’.

For the processing to be “fair” or “transparent”, companies should ensure that certain, clear information is provided to individuals in advance of processing it.  Specifically, data controllers need to ensure that individuals are, so far as practicable, told:

  • who the data controller is
  • why the personal information is being processed
  • any further information which is necessary, having regard to the specific circumstances, to enable the processing in respect of the relevant individual, to be fair.

In practice this means clear and specific information being provided in privacy policies, marketing consents, employee handbooks, online policies etc.

In terms of ‘legitimacy’ (or “lawfulness”) the purpose for which the information is collected is key.  Data protection law will only permit its collection and subsequent processing if organisations can demonstrate the processing is for one of a defined list of conditions for processing.  This aims to ensure that personal data is only used for legitimate reasons.

For many organisations, the key grounds they will be able to rely upon are those where they have collected the individual’s consent; where the processing is necessary in connection with contracted goods / services provided to the individual; and where the processing is required by law.

Organisations may also collect and process information where it is in the organisation’s “legitimate interests” to do so.  But this is a balancing act.  The collection and processing will not be permitted where the individual’s fundamental rights under data protection law override the interests of the organisation.

Best Practice

Organisations should ensure that sufficient notices are given to individuals whose personal information is collected.  This will involve employees, customers, business contacts, and any other correspondents.  And don’t forget about the information requirements for the use of cookies on websites.

Before undertaking any data collection, or embarking on a product development that will involve significant data collection, conduct a Privacy Readiness Assessment or Privacy Impact Assessment to identify personal data being collected and establish legitimate grounds for collection and processing.

Position under draft Data Protection Regulation

One of the real bug-bears of privacy regulators is the practice of treating privacy notices as “small print”, burying away details of processing.  Privacy notices should be seen as a way of being upfront and assuring customers of an organisation’s good privacy practices.

Expect this trend to continue should the draft Regulation pass into law in its current state.  The draft Regulation places a greater emphasis on enhanced transparency and requires that a much more extensive privacy notice is given to individuals.  The proposal is that a standard ‘privacy graphic’ is used with organisations being required to specify details of where the processing varies from the norm.

The well-known conditions for processing will, fundamentally, remain the same.  This is definitely a case of ‘no news is good news’ for the many organisations that rely on ‘legitimate interests’ (or private sector organisations, anyway).  However, privacy notices will likely need to specify the legitimate interests in advance, so this is an extra overhead.

The bad news for public authorities is that they will no longer be able to rely on this ground.

Next up in our series is the topic of data accuracy and proportionality.


European Court of Justice declares Data Retention Directive invalid

The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime.  It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws.  However, in a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.

How has this come about?

This is not the first time that the Directive has come under scrutiny.  The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).

In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data.  The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).

What were the Court’s concerns?

The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance”.

Therefore, the ECJ concluded that, although data retention is appropriate in the fight against serious crime, the Directive is disproportionate.  The ECJ was particularly concerned at:

  1. the generality of the Directive – it covers all individuals and electronic communications without exception;
  2. the lack of objective criteria for, and procedures regulating, access to and use of the data;
  3. the minimum data retention period of 6 months not taking into account the type of data or its usefulness;
  4. data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances;
  5. the insufficient safeguards against possible abuse, and unlawful access or use, of data; and
  6. the absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.

So what does this mean?

Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate.  It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.

However, in the short term, the ruling is likely to have little practical effect.  The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time!  So, things are likely to continue as they are for now.  In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.


Europe under Review: Part 1 of 8 – Registration

Over the next few weeks we will be going back to data privacy basics in our eight part “Europe under Review” blog series. We will be comparing current data privacy laws and best practice in the UK with the proposed new state of play under the draft Data Protection Regulation. We kick off our first blog in the series with the topic of registration.

Current position

In the UK, there is a general obligation on data controllers to register details about their processing of personal information with the Information Commissioner’s Office (ICO).  This is also known as “notification” and is a public register. Failure to register with the ICO, or processing personal data outside the scope of a registration, is a criminal offence. Certain organisations are exempt.  For example, not-for-profit organisations and organisations that only process personal data for staff administration, for their own advertising, marketing and public relations and running their accounts don’t have to register. The registration process with the ICO has recently changed with a new simpler format. The new format consists of template “nature of work” descriptions, which can be chosen by an organisation when doing their filing.

The rules in other EU member states vary significantly. So registrations are generally required in France and Spain but not in Germany provided a data protection officer has been appointed.

Best Practice

Keep your registration with the ICO under review and make any necessary amendments as soon as possible. An organisation that has a presence in various EU member states should ensure that it has in place all local data protection registrations where required. Best practice is to ensure that someone within the organisation takes ownership of managing the local registrations.  This is usually best handled centrally.

Position under draft Data Protection Regulation

Under the draft Regulation there will be no requirement to register or notify with a data protection supervisory authority anywhere in the EU. Instead, organisations will be required to maintain certain documentation internally (this will be discussed in more detail under the “Privacy Governance” blog piece later in this series).

Clearly, removing the requirement to register is good news for organisations.  Let’s admit it: registration serves little purpose in practice!  So does this also reduce the administrative burden?  Not really!  Given the other proposed changes, the overall effect is to “internalise” the bureaucracy in that organisations will in future need to maintain new detailed documentation and records of all their processing ready for regulatory inspection.  So the overhead is likely to go up in net terms.  This is also bad news for data protection supervisory authorities (such as the ICO), as they will lose a major revenue stream (the registration fees). As a consequence, data protection authorities may be further stretched in resource, unless funding is made available from elsewhere.

Keep an eye out next week for Part 2 of “Europe under Review” on the topic of data collection…


Europe Under Review

Over the next few weeks we will be going back to data privacy basics. We will be comparing current data privacy laws and best practice in the EU with the proposed new state of play under the draft Data Protection Regulation.

The draft Regulation, which has received a lot of publicity already, is likely to transform data privacy in Europe. The aim of the draft Regulation is to create a future proofed and harmonised set of privacy rules across all European member states. Since the first draft of the Regulation, the content has been under much scrutiny; with lobbyists, national data protection authorities and parliamentary committees suggesting countless changes. With the final detail still to be determined, it seems that the Regulation is here to stay. Certainly it is time to check on progress. See our blog post of 12 March below for the latest developments.

In our eight-part “Europe Under Review” blog posts, we will cover topics such as registration, data collection, accuracy and proportionality, data retention, data security, international data transfers, privacy governance and individual rights.

Keep an eye out for our first “Europe under Review” blog post on the topic of registration this week.
