Data Protection Act
The Isle of Man Data Protection Act 2002 came into operation on the 1st of April 2003. This section of the web-site aims to explain the Data Protection Act, its principles and the rights of the individual.
EXPRESSIONS
The Data Protection Act 2002 introduces a number of new expressions. They are:-
- Data Controller: A Data Controller is a person, business or organisation who decides for what purposes and how personal information will be used. A Data Controller is obliged to follow the provisions of the Act. This obligation applies irrespective of whether the Data Controller is exempt from the notification regulations under the Act or has not notified (registered) in accordance with the Act.
- Data Processor: A Data Processor is a person, business or organisation (other than an employee of the Data Controller) that carries out processing of personal information on behalf of a Data Controller. A typical example of a Data Processor may be a business that processes a payroll on behalf of another business. It is important to appreciate that a Data Controller remains fully responsible for the actions of the Data Processor under the Act.
- Personal Data: Personal data means any information, held in whatever form, that can identify, or more importantly could identify, a living individual when combined with other information. The Act applies to personal data held in any form, including paper, recordings and CCTV images, as well as data held on computer.
- Processing: It is important to appreciate that the definition of processing is so wide that it is difficult to envisage any action involving personal data that does not amount to processing within this definition.
- Data Subject: The person to whom the personal data relates. This definition is important when the rights of the Data Subject are considered.
PRINCIPLES
The Data Protection Act 2002 applies to personal information about a living individual. Any organisation or business (Data Controller) which uses personal information (data) in any form, including paper, must do so in a manner that is compliant with the Act and, in particular, the eight Data Protection principles:-
Personal data must be:-
- Used fairly and lawfully.
- Used for specific and lawful purposes, in a manner that is compatible with those purposes.
- Adequate, relevant and not excessive.
- Accurate and where necessary kept up to date.
- Kept for no longer than necessary.
- Used in accordance with the rights of individuals under the Act.
- Kept secure to avoid unauthorised or unlawful use and accidental loss, destruction, or damage.
- Not transferred to another country unless that country has an adequate level of protection.
- Fair and lawful processing
Personal data must be processed lawfully and fairly. This means that an organisation should be open and honest with the individual and explain why the information is required and what it will be used for. The basic requirements of fair processing are that when an organisation obtains personal data from an individual it must ensure that the individual knows:-
- The identity of the organisation.
- The purpose for which the organisation intends to process the information.
- Other information which is necessary (e.g. if the organisation also intends to use the information for direct marketing it must inform the individual).
For the processing to be lawful, it must meet one or more of the following conditions:-
- with the consent of the individual;
- for the performance of a contract with the individual;
- to comply with a legal obligation;
- to protect the vital interests of the individual;
- for the administration of justice, or the exercise of any statutory function;
- for the legitimate interests of the organisation, unless the interests of the individual would be prejudiced.
It is a common misconception that an individual must consent to the use of their personal information. While an organisation must always use personal information fairly and lawfully, provided the organisation can satisfy at least one of the other conditions listed above then the consent of an individual is not required.
“Sensitive Personal Data” means personal data consisting of information as to:-
- the racial or ethnic origin of the data subject;
- his/her political opinions;
- his/her religious beliefs or other beliefs of a similar nature;
- whether he/she is a member of a trade union;
- his/her physical or mental health or condition;
- his/her sexual life;
- the commission or alleged commission by him/her of any offence;
- any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.
If an organisation uses Sensitive Personal Data then, in addition to the above conditions, one or more of the following conditions must also be met:-
- with the explicit consent of the individual;
- to perform any right or obligation under employment law;
- to protect the vital interests of the data subject or another person;
- for the legitimate interests of a not-for-profit organisation;
- where the data have been made public by the individual;
- in connection with legal proceedings;
- for the administration of justice, or the exercise of any statutory function;
- for medical purposes;
- for equal opportunity monitoring;
- for any other purposes specified by Order by the Council of Ministers.
- Purpose for which data are obtained & processed
An organisation must inform the Data Protection Supervisor of the organisation’s purposes for using personal information. Personal information can only be used for the purposes that have been defined. If you intend to pass personal information to another organisation (disclosure), you must be satisfied that this disclosure will be fair and lawful. You need to consider the following:-
- Is the individual aware that their personal information is to be passed to another organisation?
- Is the disclosure compatible with the purpose for which the personal information was obtained?
- Does the disclosure of the information satisfy one or more of the conditions set out in the First Principle?
- Has the organisation to which the disclosure will be made notified the Supervisor of their purpose for using the personal information?
- Adequacy and relevance of data
Organisations which use personal information must monitor the amount of personal information held to ensure that neither too much nor too little personal information is used, and that the personal information is relevant for a specified purpose. There may be occasions when an organisation wishes to use personal information that is not necessary for a specified purpose. Provided the individual has been made aware that this additional information is “optional” and has freely consented, then it is acceptable for this additional information to be used.
- Accuracy of data
An organisation must take reasonable steps to ensure that information is accurate and, where necessary, kept up to date. It is not necessary for all information to be kept up to date; for example, if the information is only used as an historical record, then it is not necessary for that information to be kept up to date. Cases may arise when an individual states that the information held is inaccurate but the organisation disagrees. In such cases, a note to this effect must be attached to the information.
- Time for keeping data
Organisations should develop a data retention policy and, in accordance with that policy, review the personal data held and remove any data which is no longer required for their purposes. The data retention policy must consider any statutory obligations with regard to the retention of data and ensure that the retention policy accords with the minimum statutory retention periods. Organisations may consider the value of the information for historical purposes. The Act permits personal data processed for historical or statistical purposes to be kept indefinitely.
- Rights of data subjects
Personal data must be processed in accordance with the rights of individuals (data subjects). See the “Rights of the Individual” section below.
- Measures against misuse and loss of data
Organisations must ensure that they provide adequate security for any personal data they use taking into account the nature and sensitivity of the information. In particular, organisations must consider the harm that could arise from unauthorised disclosure or loss of data. Adequate security will be dependent upon the size of an organisation and the scale of its operation. Matters that need to be considered include:-
- Does the Organisation have a Security policy?
- Is access to the information controlled?
- Are staff properly trained and aware of their responsibilities?
- Do procedures exist for detecting breaches?
- Where an organisation uses a third party (data processor) to process information, is this processing carried out under contract to ensure the third party only processes information in accordance with the organisation’s instructions, and does the third party have adequate security measures in place?
- Transfer of data abroad
Before personal information can be transferred outside the Island an organisation must ensure that adequate protection exists for the information in the receiving country. Countries within the European Economic Area, that is, European Union member states plus Norway, Iceland and Liechtenstein, are deemed to have adequate protection. In addition, the European Commission has made adequacy findings for other countries, including Argentina, Guernsey, Hungary, Switzerland and Canada, and for US companies that have “signed up” to the Safe Harbor provisions. On the 28th April 2004, the European Commission formally decided that the Isle of Man has adequate data protection legislation. There are cases where the eighth principle does not apply; these include:-
- Where consent of the individual has been given
- Where the transfer is necessary for a contract with the individual
- For reasons of substantial public interest
- Where legal proceedings are involved
- To protect the vital interests of the individual
- Where the information is on a public register
RIGHTS OF THE INDIVIDUAL
The Act gives rights to individuals in respect of personal data held about them. These rights are:-
- Right of Access to Personal Information
- Right to Prevent Processing likely to cause damage or distress
- Right to prevent processing for the purposes of direct marketing
- Rights in relation to automated decision making
- Right to seek compensation for any damage or distress caused by the failure of a Data Controller to comply with the requirements of the Act
- Right to take action to rectify, block, erase or destroy inaccurate data
ACCESS
You have the right to know what personal information is processed about you and you can exercise your right by writing to the data controller. This is usually referred to as a “Subject Access Request” and you are entitled to a copy of the information held about you, both on computer and as part of a relevant filing system. You also have the right to receive a description of why your information is processed, anyone it may be disclosed to, and any information available to you about the source of the data.
Although the Data Protection Supervisor has sample letters that an individual may use, they are not required to do so. A letter requesting data subject access does not need to mention the Data Protection Act 2002 – it may just say something as simple as “I want to see what you hold about me”.
If a data controller receives a written subject access request, it must deal with it promptly and in any case within 40 days from the date of receipt. It may be that it needs further information from the person making the request to help it to locate the data. It may also require further information in order to satisfy it as to the identity of the person making the request or to assist it in locating the information being sought.
A data controller is entitled to ask for a fee of not more than £10 (£50 for Health Records), and the 40 days do not begin until this is received. However, it must not delay informing the individual that a fee is required and must endeavour to respond to the request as soon as possible.
A data controller may send the information as a computer printout, in a letter, or on a form. However, it should be easy to understand and any codes should be explained.
Subject access should be handled in the light of an on-going relationship with the data subject. Routine requests for limited information, which would in any case form part of normal transactions, should continue to be processed in that way. It is also possible that simply providing access to inspect and make copies of any files would satisfy the person making the request.
In replying to a Subject Access request there are certain exemptions from disclosure which may apply:-
- Where the disclosure is likely to prejudice:-
  - National security;
  - Crime prevention, detection and prosecution;
  - Assessment or collection of tax or duty;
  - Health, education and social work;
  - Regulatory activity;
- Journalism, literature and art;
- Public information;
- As specified by Order.
Tynwald has approved further exemptions in the following Orders:-
- Data Protection (Subject Access Modification) (Health) Order 2003
- Data Protection (Subject Access Modification) (Social Work) Order 2003
- Data Protection (Subject Access Modification) (Education) Order 2003
- Data Protection (Subject Access Exemptions) (Adoption Etc.) Order 2003
- Data Protection (Corporate Finance Exemption) Order 2003
- Data Protection (Crown Appointments) Order 2003
If a data controller relies on an exemption, it is not obliged to inform the Data Subject that an exemption has been applied.
Sometimes, giving full access to personal data cannot be done without revealing information about others. Third party information should not normally be disclosed without the consent of the individuals concerned.
When a data controller decides that information about other individuals must be excluded, there is still an obligation to supply as much information to the data subject as possible. A data controller should not remove information about other individuals if it is clear that consent is not required, either because the data subject already knows the information, or because the information was given by professionals as part of their normal duties (e.g. a medical practitioner). A data controller should blank out information about others so as to protect their identity. This edited response can then be provided to the data subject, and if he/she is satisfied then the data controller need take no further steps to seek consent from third parties.
If a Data Controller fails to comply with a subject access request then the individual may apply to the High Court. The Court may:-
- Order the Data Controller to Comply with the request;
- Impose a fine up to £5,000.
An individual may also seek compensation for distress (alone) where a failure to comply with a request has occurred.
- Damage or distress
You have the right to object to any processing of your personal data that is causing or would cause unwarranted substantial damage or distress either to you or another person. However this right does not apply when the processing is performed:-
- with the consent of the individual;
- for the performance of a contract with the individual;
- to comply with a legal obligation;
- to protect the vital interests of the individual;
- as specified by Order.
- Direct Marketing
You are entitled to require a data controller to cease, or not to start, processing your personal data for the purpose of direct marketing. This right applies even if you had previously consented. You can exercise this right by writing to the data controller, who must comply as soon as possible. If a data controller fails to comply, then you may apply to the Court for an Order.
There are other actions you can take to prevent personalised “Junk Mail” and unsolicited phone calls or faxes.
When collecting data from members of the public, the data controller should give them the opportunity to indicate whether or not they wish to receive marketing material from it. If they do not wish to receive the data controller’s promotional materials, it must ensure that it can suppress their details on any mailing lists it uses.
If the data controller intends to pass personal data to other companies, including companies in the same group, for direct marketing purposes, again it must first inform the individuals concerned and receive their consent. This should be done when it first collects the data, perhaps on an application form. It must not pass on the details of anyone who objects to their details being used in this way.
If the data controller has not previously sent out marketing material or passed on details to third parties for marketing, it should obtain the consent of existing customers before beginning to process their data for either of those purposes.
- Automated decision-making
You have the right, by notice in writing, to require a data controller to ensure that no decision that significantly affects you is based solely on the processing by automatic means of personal data.
Although not exhaustive, specific examples are provided in the Act, such as performance at work. Another example may be a web site where a credit decision is based solely upon information provided by you in response to questions asked.
A data controller must inform you if a decision was based solely upon processing by automatic means as soon as reasonably practicable. Once a data controller has replied, you have a further 21 days in which to write to the data controller to require the data controller to reconsider the decision or to take a new decision on a different basis.
The data controller has a further 21 days to write to you and explain what steps will be taken. There are decisions that are exempt from this right. An exemption would apply if the following conditions were met:-
- The decision was taken either:-
  - with a view to entering into a contract with the individual; or
  - for the performance of a contract with the individual; or
  - to comply with a legal obligation;
and:-
- the effect of the decision must be to grant a request of the individual; or
- steps have been taken to safeguard the interests of the individual, such as allowing the individual to make representations.
If a data controller fails to comply, then you may apply to the Court. The Court may order the decision to be reconsidered or to take a new decision, provided the Court is satisfied that the data controller has failed to comply.
- Compensation
You have the right to seek compensation through the Court for any damage suffered as a result of any contravention of the Act by a data controller. You may also seek compensation for distress if the contravention:-
- also caused damage, or
- relates to processing for the special purposes of Journalism, Literature or Art; or
- consists of a failure of a data controller to comply with a subject access request under section 5 of the Act.
It is a defence for a data controller to prove that he/she had taken all reasonable care to comply. Unless the matter is settled between the parties, an individual who wishes to seek compensation must apply to the Court. A claim for compensation may be made alone or combined with an application in respect of any breach of the Act.
Note: The Data Protection Supervisor has no power to award compensation, nor can the Supervisor assist with legal proceedings. Anyone considering legal action should always seek the advice of a qualified Manx Advocate.
- Inaccurate data
You have the right to apply to the Court for an order requiring the data controller to rectify, block, erase, or destroy such data relating to you as are inaccurate, including any expression of opinion contained in personal data relating to you which the Court finds inaccurate.
Under the Consumer Credit Act 1974 (an Act of the UK Parliament) you also have the right to have any incorrect information removed or amended.
The Credit Reference Regulations are complex and are currently under review. If you wish to exercise this right then the Data Protection Supervisor can provide further advice.
NOTIFICATION
Notification is the method by which a data controller informs the Supervisor of the purposes for processing personal data. The details provided by the data controller are then used by the Supervisor to make an entry describing this processing in the register, which is open to public inspection.
The registry entry contains the following information:-
- Contact Details
- Data Controller’s Name & Address
- Notification Number
- Expiry Date of the Notification
- Purposes. For each purpose the following is recorded:-
  - A title
  - A brief description
  - Data subjects
  - Data Classes
  - Recipients
  - Transfers
These are the “Purposes” which are relevant to criminal justice in the General Registry’s notification. These entries describe, in very general terms, the personal data being processed.
- Administration of justice
Purpose Description - Internal administration and management of courts of law (Civil, Family, Summary and High Court) or tribunals and discharge of court business.
Subjects are:-
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
- Advisers, consultants and other professional experts
- Offenders and suspected offenders
- Witnesses
Data Classes are:-
- Personal details
- Family, lifestyle and social circumstances
- Education and training details
- Employment details
- Financial details
- Racial or ethnic origin
- Physical or mental health or condition
- Sexual Life
- Offences (including alleged offences)
- Details of Civil, Family and Tribunal cases
Recipients are:-
- Data subjects themselves
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Police forces
- Ombudsmen and regulatory authorities
- Data Processors
- Prosecuting authorities, courts, tribunals
- Judges and Magistrates
- Justices of the Peace (J.P.s)
- Coroners
Transfers are:-
- Worldwide
- Crime prevention and prosecution of offenders
Purpose Description - Crime prevention and detection and the apprehension and prosecution of offenders, excluding the use of Closed Circuit Television (CCTV) and Anti-Money Laundering Code Reporting (AMLCR).
This includes the provision of Court Facilities for the hearing of Trials and thereafter the preservation and storage of case files.
Subjects are:-
- Staff including volunteers, agents, temporary and casual workers
- Customers and clients
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
- Advisers, consultants and other professional experts
- Offenders and suspected offenders
Data Classes are:-
- Personal details
- Family, lifestyle and social circumstances
- Education and training details
- Employment details
- Financial details
- Racial or ethnic origin
- Physical or mental health or condition
- Offences (including alleged offences)
- Criminal proceedings, outcomes and sentences
Recipients are:-
- Data subjects themselves
- Relatives, guardians or other persons associated with the data subject
- Healthcare, social and welfare advisers or practitioners
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Trade, employer associations and professional bodies
- Police forces
- Offices of central government, statutory boards/authorities, etc.
- Ombudsmen and regulatory authorities
- Prosecuting authorities, courts, tribunals
Transfers are:-
- Worldwide
- CCTV - Crime prevention and prosecution of offenders
Purpose Description - Crime prevention and detection and the apprehension and prosecution of offenders using Closed Circuit Television (CCTV).
Subjects are:-
- Staff including volunteers, agents, temporary and casual workers
- Customers and clients
- Offenders and suspected offenders
Data Classes are:-
- Personal details
Recipients are:-
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Police forces
- Data Processors
- Prosecuting authorities, courts, tribunals
Transfers are:-
- None outside the EEA
- Education
Purpose Description - The provision of education or training as a primary function or as a business activity.
Setting of Advocates Examinations and training for the judiciary.
Subjects are:-
- Advisers, consultants and other professional experts
- Students and pupils
Data Classes are:-
- Personal details
- Education and training details
- Employment details
Recipients are:-
- Data subjects themselves
- Relatives, guardians or other persons associated with the data subject
- Current, past or prospective employers of the data subject
- Education, training establishments and examining bodies
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Trade, employer associations and professional bodies
- Offices of central government, statutory boards/authorities, etc.
Transfers are:-
- None outside the EEA
- Government - Assessment and Collection of Taxes and Other Revenue
Purpose Description - Assessment and collection of taxes, duties, levies and other revenue. Fines levied by the Courts and assessment of legal aid and investigation of suspect claims.
Subjects are:-
- Customers and clients
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
Data Classes are:-
- Personal details
- Family, lifestyle and social circumstances
- Employment details
- Financial details
- Offences (including alleged offences)
- Criminal proceedings, outcomes and sentences
Recipients are:-
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Debt collection and tracing agencies
- Offices of central government, statutory boards/authorities, etc.
- Elected Representatives
- Ombudsmen and regulatory authorities
- UK Government
- Prosecuting authorities, courts, tribunals
Transfers are:-
- Worldwide
- Licensing and registration
Purpose Description - The administration of licensing or maintenance of official registers.
Land Registration.
Subjects are:-
- Customers and clients
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
- Advisers, consultants and other professional experts
Data Classes are:-
- Personal details
- Financial details
Recipients are:-
- Data subjects themselves
- Business associates and other professional advisers
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Local Authorities and Commissioners
- Offices of central government, statutory boards/authorities, etc.
- Ombudsmen and regulatory authorities
Transfers are:-
- Worldwide
- Security
Purpose Description - Measures taken to secure the data controller’s own business, activity, goods, services or property.
Subjects are:-
- Staff including volunteers, agents, temporary and casual workers
- Customers and clients
- Suppliers
- Advisers, consultants and other professional experts
Data Classes are:-
- Personal details
- Employment details
- Goods or services provided
Recipients are:-
- Employees and agents of the data controller
- Police forces
- Prosecuting authorities, courts, tribunals
Transfers are:-
- None outside the EEA
- Administration of justice - Tribunals
Purpose Description - Administration of Tribunals including the Rent and Rates Appeals, Social Security Benefit and National Insurance Contributions Appeals Tribunals.
Subjects are:-
- Staff including volunteers, agents, temporary and casual workers
- Customers and clients
- Suppliers
- Members
- Complainants, correspondents and enquirers
- Relatives, guardians and associates of the data subject
- Advisers, consultants and other professional experts
Data Classes are:-
- Personal details
- Family, lifestyle and social circumstances
- Employment details
- Financial details
- Goods or services provided
- Physical or mental health or condition
- Offences (including alleged offences)
- Criminal proceedings, outcomes and sentences
Recipients are:-
- Data subjects themselves
- Relatives, guardians or other persons associated with the data subject
- Current, past or prospective employers of the data subject
- Healthcare, social and welfare advisers or practitioners
- Business associates and other professional advisers
- Employees and agents of the data controller
- Persons making an enquiry or complaint
- Debt collection and tracing agencies
- Trade, employer associations and professional bodies
- Offices of central government, statutory boards/authorities, etc.
- Elected Representatives
- Ombudsmen and regulatory authorities
- The media
- Data Processors
- UK Government
- Prosecuting authorities, courts, tribunals
Transfers are:-
- None outside the EEA
These notes are only intended as an outline of the Data Protection Act 2002 and are not intended as definitive legal advice. For more information you should contact the Information Commissioner (formerly the Office of the Data Protection Supervisor) or consult an advocate.