DATA PROTECTION ACT 1998

Transcription

1 DATA PROTECTION ACT 1998 Guidance Notes These Notes are an edited version for parishes of the diocesan policy and Guidance Notes. References to procedures at diocesan level have been omitted as irrelevant. Introduction 1. The Data Protection Act 1998 affects Diocesan Officers, Boards and Committees, as well as those at parish level. These guidance notes are intended as a guide as these officers and bodies prepare for, and administer, the new requirements. Specific guidance is given wherever possible, although it must be stated at the outset that the legislation is rarely prescriptive and it is for each officer/body to take responsibility in each instance for compliance with the legislation. Separate advice covering child protection has been produced by the Legal Office at Church House. 2. This document sets out (a) the implications of the new legislation (para 3-6); (b) the means to identify who the relevant data controllers are (para 7-8); (c) whether and how to notify (register) (para 9-12); (d) what material to dispose of (para 13-19); (e) the implications for references written in the future and those already on file (para 20-23); (f) physical security measures which need to be taken (para 24); (g) how subject access requests will work (para 25); (h) a checklist of what to do now (para26); (i) the penalties/effect of non-compliance (para 27). (j) Conclusions (para 28). What are the main implications of the Act? 3. The 1998 Act extends data protection to all paper-based files held within structured filing systems (not just to information after a certain date). The Act lays down a new framework for registration (or notification, as it is now called). It introduces a new category of sensitive personal data (which includes all Church of England personal data since religious affiliation one of the specified categories of sensitive personal data is assumed). Greater care is required when handling sensitive personal data and also when any personal data is placed on the internet or passes beyond the European Union. The Act entitles individuals to be told what

2 information is held about them by each data controller, the purposes for which it is held, and to whom that data controller might disclose the information. 4. It is important to distinguish between the three main ways in which data protection may bite and to consider in any instance what might be required in the light of each. Notification: the process by which data controllers communicate to the Data Protection Commissioner what information they hold and for what purposes, for inclusion in a public register; data controllers are responsible for keeping this material up-top-date Fair processing: organisations must adhere to the principles set out in the Data Protection Act (see next paragraph) Subject access rights: under which individuals have the right from 24 October 2001 to have a copy of most of the material held about them (at present this right only extends to information on computer, but from 2001 it is extended to include paper-based records held in structured filing systems). 5. The data protection principles set out that personal data should be i. processed fairly and lawfully and only if certain conditions are met ii. processed only for specified lawful purposes in ways compatible with them iii. adequate, relevant and not excessive in relation to the purposes iv. accurate and up-to-date v. kept for no longer than necessary for the purpose vi. processed in accordance with the strengthened subject access rights vii. kept securely viii. not transferred to any country without adequate data protection. When do the provisions come into effect? 6. The 2001 Act came into effect on 1 March However, there are generous transitional periods which means that the extension to paperbased records and other principal new provisions will not apply until 24 October Who are data controllers? 7. These notes have already made reference to the data controller and it is important to be clear who is a data controller and for whose personal data they are responsible. A data controller is the legal entity who determines the purposes for which and the manner in which personal data will be

3 processed. He will be responsible for ensuring compliance with the Data Protection Act and for responding to subject access requests on behalf of all those who process that data. The Bishop, DBF, the Cathedral, incumbents and PCCs are each data controllers in their own right. 8. At diocesan level, the Bishop and the Diocesan Secretary are data controllers. Compliance will be addressed through the Compliance Officers, Mary Morris and Michael Bishop, under a policy agreed by the Bishop s Staff Meeting and the DBF, and they will be responsible for its implementation. Do I need to notify (register) and, if so, how do I do so? 9. Notification replaces the previous requirement for registration. If you are already registered you need do nothing until that registration is due for renewal, when you will be invited by the Data Protection Commissioner s Office to convert the registration into a notification. Thereafter, notification is an annual process which requires a payment of 35. Additionally, any substantial amendments to the categories of information that are held need to be communicated as and when they occur. Paper records may be ignored, even post-october 2001, in deciding whether or not you need to notify. 10. There are additionally certain exemptions from notification which should allow PCCs, for example, not to notify. However, the categories which trigger notification include legal services, education, research, administration of justice, consultancy and advisory services and pastoral care and if any records are held on computer under any of these categories it will be necessary to notify. If in doubt, you could telephone the Data Protection Commissioner s notification help line ( ) for advice. You may find it more helpful to look on the Web at www. dataprotection.gov.uk, and follow the on-line notification process. This will ask you a number of questions about the data you hold and what it is used for, which will tell you if you need to notify. If you don t, you can withdraw from the on-line notification process without completing it. 11. If you do not already have a registration/notification and need to have one, you should telephone the DPC s notification help line. You will be asked various questions and a draft notification form will be sent to you for further action. Again, you may find it easier to do this on-line. The questions asked and categories of data held have been substantially simplified but do include a short questionnaire on the physical and computer-based steps which you take to ensure the security of personal data which you hold.

4 12. It is important to note that exemption from notification does not remove the obligation to comply with the rest of the Act, specifically with regard to the data principles and subject access requests for data including paper records. What material should I retain/dispose of? 13. Whether or not you are a data controller, if you are responsible for any personal data on computer or in structured paper records, you will need to undertake a weeding operation between now and October 2001 to ensure that, after that date, you hold only material which you are entitled to hold and which, if requested, you would be able to share with the individual concerned. This weeding operation will be particularly important and you will need to balance the reality of subject access requests (and the fact that some people will realise that that possibility is open to them from next year) with the need to keep material for archival purposes and to defend future legal actions. 14. It may be very important both for the protection of church and other vulnerable people and in order to defend the Church against claims for civil liability, to keep records of allegations and of how these were dealt with. However, you should bear in mind that unless it would be directly prejudicial to ongoing investigations to disclose material, subject access requests will still entitle the individual to see what is held on their file (although not necessarily who has written it). If it would be important to have on file what allegations were made, and what action was taken on them, but retention of the actual documents would cause difficulty, a summary note might present a way forward. 15. It is allowable to continue to hold material simply because it is expected that it will have an archival value although, again, there is no protection from subject access requests. 16. It is impossible to be categorical as to what should be destroyed and what should be retained and a pragmatic judgement must be taken in each case; it is therefore essential that the weeding operation is carried out by someone with sufficient knowledge and authority to make such decisions. The most sensitive material may prove to be the most important material to keep but perhaps also be the most likely to provoke objections from the individual to its retention and perhaps also be likely to provoke litigious action. As far as possible be consistent over what you weed. It would be helpful in responding to any subsequent challenges to note the dates on which a file has been weeded.

5 17. At a purely pragmatic level, for those pressing for a suggestion, you might wish to work on the basis that material which is more than 5 10 years old is retained only if there is a very good reason for doing so the material seems factual, defensible and not a matter of conjecture/prejudice or unsupported accusation (but watch child protection allegations) it has real significance to the person s future or is likely to have archival value. 18. The presumption for material within the past 5 10 years might be that it will be kept on the basis that it will be helpful in guiding the person s future but you will need to be conscious that particularly sensitive information, especially that which the individual in question would not want to remain on the file, must be broadly defensible in content and there must be sound reasons for continuing to hold it on file. In cases of doubt it would be reasonable to keep material provided it could be shared with the individual if necessary. 19. Material does need to be accurate and up-to-date under the data protection principles. You should take steps by October 2001, and periodically thereafter, to ensure that home addresses of individuals and other information held about them are as accurate as is reasonably possible. References 20. References are clearly and understandably a major cause of concern in the context of the new legislation. References received by a data controller may not be withheld from subject access requests but those given by him may be. However, in practice, of course any reference that is given is likely to be received by another data controller and so the individual would still be able to ascertain the information held within it by applying to that data controller. Therefore, you are strongly advised to ensure that all material held within references could, if necessary, be shared with the individual if he or she chose to make a subject access request. 21. It should be borne in mind that a referee has a dual duty of care both to the subject of the reference and to the organisation to which the reference is given. References do not need to be bland, and can and should still have negative points within them if appropriate, but they need to be justifiable and the content of references should not be a complete surprise to the individual about whom they are written.

6 22. Resorting to telephone calls does not necessarily remove the difficulty because as soon as a note is made of the telephone call a written record is created. In any case, the principle is that there should be openness with individuals, including about their strengths and weaknesses. 23. There is clearly a greater difficulty concerning references and other material written in the past. Much of this will have been written on the clear understanding that it was not to be shared with the individual concerned and so there are issues of breaking faith and of possible pastoral damage. There is no alternative but to review between now and October 2001 all such material and any material that either you could not justify holding or could not possibly be shared with the individual will need to be destroyed. What physical security measures do I need to take? 24. The seventh data protection principle sets out that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This effectively means that reasonable steps should be taken to ensure the security of information held in paper-based files and on computer. Data controllers are entitled to exercise reasonable judgements in the circumstances taking account of the likelihood of a breach of security, the harm that would be caused and the cost of implementing security measures. How will subject access requests work? 25. From 24 October 2001 individuals are entitled to ask a data controller for a copy of all (not just computer-based) information that is held about them and to receive this within 40 days on paying a fee of not more than 10. It is envisaged that a charge of 10 will be made towards the costs of meeting such requests (this is zero-rated for VAT purposes). You should not be weeding the files between receiving a request and responding to it. You are entitled, and indeed are required, to withhold information that identifies third parties unless their identity is already known to the data subject. What do I need to do now? 26. You will need to take steps now to ensure that the following occurs before 24 October 2001 in relation to any paper-based records falling within the Act. Go through all individuals files and remove from them any information that could not be disclosed to the individual or that you cannot justify still being held, being mindful of what might still be needed in the future and consulting the Registrar in cases of doubt.

7 Ensure that the writing of references and other correspondence takes account of the possibility of subject access requests from now onwards. What will I risk if I don t comply with the legislation? 27. The initiative may be taken by either the Data Protection Commissioner or by an individual complaining to the Commissioner if they believe you have not handled their personal data as required by the Act. In either case, the Commissioner s Office would then investigate and may require the data controller in question to comply. If they do not, an enforcement notice may be served and failure to comply with this is a criminal offence. In addition, it is a criminal offence not to notify (unless the data controller is exempt from the requirement to notify). An individual can also go to court to claim compensation for any damage they may have suffered from contravention of the Act. The damage incurred - in terms of both cost and adverse publicity - will, of course, be considerable if a case goes to court. However, the consequences of a simple subject access request may be equally damaging if information has to be divulged which damages pastoral relationships and causes acrimony. Conclusion 28. It will be appreciated that it has been difficult in a note of this kind to provide clear and definitive advice as every office will be organised in different ways in certain respects and as yet not even the Data Protection Commissioner s Office knows how the operation of the new Act will work in practice. Current information is available at However, it is hoped that these guidelines will provide an outline as to how offices, in conjunction with their staff and Registrar, might prepare for the new requirements. The Compliance Officers or the Bishop s Chaplain would be happy to offer any help if required.