The First Data Protection Principle
"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."
Ensuring fairness in everything you do with people's personal details is central to complying with a data controller's duties under the Act. This includes circumstances where you are considering sharing personal data with another organisation - you should carefully consider what the recipient will do with the information and what effect it will have on the individual concerned.
In practice it means that you must:
- have legitimate reasons for collecting and using, including sharing, personal data
- not use the data in ways that have unjustified adverse effects on the individuals concerned
- be open and honest about how you intend to use the information
- give appropriate 'privacy policies' or 'fair processing notices' when collecting information
- ensure that people are not misled or deceived about the use of their information
- handle people's information only in ways they would reasonably expect
- make sure you do not do anything unlawful with the information
What is a 'fair processing notice'?
Whilst the Act says that you can specify your purposes for processing in "a notification given to the Supervisor", in reality few people actually know this, or know how to make such a check. To ensure transparency about your processing it is preferable that individuals are provided with a fair processing notice, or privacy notice.
A fair processing notice, or privacy notice, is a statement that individuals should be given when information about them is collected. It must state the identity of the data controller, for example name and address of the organisation, what the organisation intends to use the information for, and anything else necessary in the circumstances to make the processing fair.
Where personal data are obtained directly from the individual then a fair processing notice must be given or made available to the individual either before the data are obtained, or at the time of collection. When data are obtained from a third party then a notice must generally be given to the individual when the data are first processed or as soon as reasonably practicable thereafter.
Organisations may take a layered approach to providing fair processing information - for example, providing brief information on a form, or sign, with directions for seeking further information if the person requires it. Additional fair processing information may then be provided by other means, for example on a website or in a booklet.
The UK Information Commissioner's Office has published a "Privacy Notices Code of Practice" which is designed to help organisations draft clear privacy notices to ensure that they collect information about people in a transparent and fair way.
Other websites carry advice that may assist in the drafting of privacy notices or data protection policies. The following, whilst not endorsed by the Supervisor, do provide such advice:
Please see our guidance note for further information about fair processing.
The Act prohibits any processing of personal data by a data controller unless there is lawful justification.
To be lawful the processing must be generally lawful, i.e. in accordance with the law, referring to statute and common law, whether that is civil or criminal. This applies to public and private sector organisations.
If processing personal information involves committing a criminal offence, the processing will obviously be unlawful.
However, processing may also be unlawful if it results in, for example:
- an organisation exceeding its legal powers or exercising those powers improperly
- a breach of the Human Rights Act 2001
- a breach of a duty of confidentiality
- an infringement of copyright
- a breach of an enforceable contractual agreement
- a breach of industry-specific legislation or regulations
To ensure lawfulness, the processing must also meet one of the conditions set out in Schedule 2 of the Act.
Many of these conditions relate to the purpose or purposes for which you intend to use the information, and take into account the nature of the information in question.
These conditions are:
- The data subject consents to the processing (please see our advice below on consent)
- the processing is NECESSARY
  - in relation to a contract which the individual has entered into
  - because the individual has asked for something to be done so they can enter into a contract
  - because of a legal obligation that applies to the organisation (except an obligation imposed by contract)
  - to protect an individual's "vital interests" i.e. life and death circumstances
  - in the legitimate interests of the organisation so long as the rights and freedoms of the data subjects are not prejudiced;
- where the processing is necessary for the administration of justice;
- for the exercise of any functions of Tynwald, the Council or the Keys;
- for the exercise of functions conferred by or under a statutory provision;
- for the exercise of any functions of the Crown, a Department or Statutory Board
- for the exercise of any other functions of a public nature exercised in the public interest.
Therefore it would be a breach of the first principle to collect and process someone's personal data without meeting at least one of the conditions.
Sensitive Personal Data
In the case of sensitive personal data at least one of the conditions in Schedule 3 of the Act must also be met. These conditions are more exacting, but if you have a legitimate reason to process personal data and are doing this fairly, then it will be relatively straightforward to identify which condition for processing is met.
The following is a summary of the conditions for processing sensitive personal data. However, it is only intended as a basic guide and any data controller who processes sensitive personal data should refer directly to Schedule 3 of the Act for a full description of all the conditions.
A selection of the conditions for processing 'Sensitive Personal Data'
Sensitive personal data should only be processed if one or more of the following conditions have been met:
- the individual has given their explicit consent
- to comply with employment law
- to protect vital interests of
  - the individual (in a case where the individual's consent cannot be given or reasonably obtained)
  - another person (in a case where the individual's consent has been unreasonably withheld)
- where the data have been made public by the individual
- in connection with legal proceedings, or for obtaining legal advice
- for medical purposes and the processing is undertaken by a health professional or by an individual who owes an equivalent duty of confidentiality
- for the administration of justice / statutory functions including Tynwald, Council or the Keys
- any other purposes specified by Council of Ministers
One of the conditions for processing both personal data and sensitive personal data is consent.
The definition of consent is derived from Article 2(h) of the European Data Protection Directive 95/46/EC which states:
"the data subject's consent shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."
Consent is achieved where the individual, having been informed of a specific purpose, freely signifies agreement to the processing for that purpose. In relation to sensitive personal data, consent must also be explicit and absolutely clear.
Some form of active communication is required. Consent cannot be inferred from a non-response.
Consent can be obtained by the use of a fair processing notice coupled with an appropriate response.
This Office has issued an advice note regarding consent which can be found at the end of this page.
| Title | File Size | Format | Document Title |
| --- | --- | --- | --- |
| Consent | 44 kb | Acrobat PDF File | The requirements for valid consent (2013) |
Material on the Data Protection Supervisor's site is independent of that hosted by the Isle of Man Government and is protected by copyright. The copyright owner is the Isle of Man Data Protection Supervisor. You may not make alterations or additions to the material on this site, or sell it or misappropriate it. Material may be downloaded or copied for personal use. However, appropriate acknowledgement of the copyright owner is required if material is re-published in any format.