Courtney Bailey | Understanding data protection standards (Part 2)
OP-ED CONTRIBUTION: DATA LAW
In an earlier article, we considered the first data protection standard established under the recently passed Data Protection Act 2020, the DPA. This article, the second of a three-part series, will provide a basic explanation of the next four data protection standards.
“The second standard is that personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes,” Section 25(1) of the DPA states.
This standard seeks to ensure that personal data is only processed in accordance with the purposes specified, which must be lawful. To comply with this standard, data controllers must specify upfront what the personal data will be used for and limit processing to only what is necessary to meet that purpose.
Section 25(2) indicates that the purposes for which personal data are processed may be specified by the data controller either in information provided to the data subject at the time of first processing or seeking the personal data, or in particulars given to the information commissioner at the time of registration to process personal data in accordance with sections 15 and 16 of the DPA.
Data controllers will generally inform data subjects of the purposes for processing personal data by use of privacy notices, terms and conditions, and consent forms. These should provide the data subject with explicit and unambiguous advice about the extent of processing that will take place, and the actual processing that takes place should match this advice.
A data controller would contravene the second standard in any circumstances in which personal data are processed for purposes other than what was specified.
For example, a supermarket would breach the second standard if it collected customer shopping information on the basis of offering reward points as part of a loyalty programme, but also used that information for an affiliate to make targeted offers to customers based on spending patterns. Similarly, an employer who receives CVs or resumes in relation to applications for a specific job offer would be in breach if it passed that information on to another company for consideration, without first obtaining the data subject’s consent.
“The third standard is that personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed,” Section 26 states.
This standard seeks to prevent data controllers from holding more data than is strictly required. Data controllers should obtain, hold and process only such data as is: adequate, that is, sufficient to meet the purposes for which they are to be processed; relevant, that is, directly related to the specified purposes for processing; and not excessive, in that it does not exceed what is absolutely required to satisfy the specified purposes for which the data is to be processed.
Data controllers will need to strike a balance by obtaining enough information to ensure their data processing results in correct outcomes, while at the same time not obtaining more information about the data subject than is needed. This means that many firms will need to re-examine standard forms which they presently use to collect personal data, to see if all the information requested is actually needed to satisfy the purposes specified for collecting the data.
By way of example, a recruitment agency that places workers in a variety of jobs may send workers a general questionnaire. If the questionnaire includes specific health questions that are only relevant to manual jobs, it would be considered irrelevant and excessive to administer these questions to persons applying only for office jobs.
“The fourth standard is that personal data shall be accurate and, where necessary, kept up to date,” as stated in Section 27(1) of the DPA.
This standard protects against risks from inaccurate information, such as identity theft, which can result from delivery of sensitive documents to an old or inaccurate address. It also ensures any automated profiling decisions that are made in relation to data subjects are based on accurate data.
Data controllers will want to build systems for keeping personal data current into their regular business processes, so as to ensure accuracy. This could include a monthly process to identify out-of-date or incorrect data by, for example, automated requests to data subjects to provide accurate information, such as regular emails asking data subjects to log in to customer databases to check and update their information.
Significantly, the DPA provides that the fourth standard is not contravened where the inaccuracy is derived from information supplied to the data controller by the data subject or a third party, and the data controller has taken reasonable steps to ensure the accuracy of the personal data.
The fifth standard is that personal data shall not be kept for longer than is necessary to accomplish the purpose of its processing. The DPA also provides that personal data is to be disposed of in accordance with specific regulations, which are eventually to be made by the minister.
This standard requires data controllers to determine whether they still require personal data that they have collected, and if not, to dispose of it. Since the DPA’s definition of processing personal information includes storing that information, a data controller will be considered as processing it until it is deleted.
The best practice is for data controllers to enshrine their approach to storage limitation in a data retention policy with supporting procedures, which consider legal and contractual requirements for retention periods.
Courtney Bailey is an attorney in the Kingston office of law firm DunnCox.