Crime Reduction - Helping to Reduce Crime in Your Area

Guidance

Watch Schemes and The Data Protection Act 1998

February 2001

INTRODUCTION

The Data Protection Act 1998 came into force on 1st March 2000. It sets rules for processing personal data and applies to paper records as well as those held on computers. The 1998 Act supersedes the 1984 Act.

It is vital that organisations that collect and use personal data (data controllers) maintain the confidence of those (data subjects) who are asked to provide it by complying with the requirements of the Act.

The Act is concerned with the processing of personal data.

Personal data means data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of or is likely to come into the possession of the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Processing in relation to information means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.

The first point you need to establish is whether you are processing personal data. If the answer is 'yes' then you will need to comply with the requirements of the Data Protection Act 1998 i.e. requirements to notify and compliance with the Data Protection Principles.


NOTIFICATION

The Data Protection Act 1998 requires every data controller who is processing personal data to notify unless they are exempt. Failure to notify is a criminal offence.

The Act provides an exemption from notification for some data controllers. The following is a brief summary of the exemptions.

Exemptions are possible for:

  • individuals who process data for personal, family or household affairs

  • data controllers who only process personal data for maintenance of a public register

  • data controllers who do not process personal data on computer

  • some not for profit organisations (this exemption mainly applies to small charities and organisations which are not established for profit)

  • data controllers who only process personal data for any one or all of the following purposes:
    - staff administration
    - advertising, marketing and public relations
    - accounts and records

More detailed guidance about notification exemptions can be found in the Information Commissioner's (ICO) publication "Notification Handbook - A Complete Guide to Notification"

Any data controller who believes they may be exempt from notification must refer to this guidance and not rely on the brief summary given above. It is up to data controllers to judge whether they can take advantage of any exemptions from notification.

The Home Office encourages the formation of Watch Schemes, as do the Police. However, as neither feels that a scheme could, in any real sense, be said to be a part of their own organisation, a Watch Scheme that processes personal data cannot be covered by the Home Office or Police notifications.

It is possible that some Watch Schemes may be able to claim not for profit exemption and may not need to notify but they would still need to comply with the Act. In order to decide if you can claim not for profit exemption please see the attached sheet which explains exemption for non profit making organisations.

All data controllers irrespective of whether they are required to notify must comply with the requirements of the eight legally enforceable Data Protection Principles contained within the Data Protection Act.


DATA PROTECTION PRINCIPLES

The eight enforceable principles require that data must be:

  • fairly and lawfully processed

  • processed for limited purposes and not in any manner incompatible with those purposes

  • adequate, relevant and not excessive

  • accurate

  • not kept for longer than necessary

  • processed in line with data subjects' rights

  • secure

  • not transferred to countries outside the European Economic Area without adequate protection

The First Data Protection Principle of the 1998 Act introduces the requirement that as a requisite of fair and lawful processing personal data shall not be processed unless certain conditions are met. In the case of processing of all personal data at least one of the following conditions (Schedule 2 conditions) must be met:

  • the data subject has given their consent to processing

  • the processing is necessary for performance of a contract with the data subject

  • the processing is necessary to comply with a legal obligation

  • the processing is necessary to protect the vital interests of the data subject

  • the processing is necessary to carry out public functions

  • the processing is necessary in order to pursue legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individuals)

The Act makes special provisions for processing of sensitive personal data.

Sensitive personal data is defined by the Act (section 2) as being that relating to:

  • racial or ethnic origin

  • political opinions

  • religious or other beliefs

  • trade union membership

  • health

  • sex life

  • criminal proceedings, convictions, and alleged offences.

When processing sensitive personal data in addition to one of the conditions for processing personal data at least one of the Schedule 3 conditions must also be met to make the processing lawful in accordance with the First Principle. The following are most likely to be relevant:

  • having explicit consent of the data subject

  • being required by law to process the data for employment purposes

  • needing to process the information in order to protect the vital interests of the data subject

  • dealing with the administration of justice or legal proceedings

  • processed in circumstances specified in an order made by the Secretary of State

The most significant of these orders for the purposes of processing by Watch Schemes is where the processing is:

  • in the substantial public interest;

  • necessary for the purposes of the prevention and detection of any unlawful act, where seeking the consent of the data subject to the processing would prejudice those purposes and the processing;

  • necessary for discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service.

As well as requiring data controllers to ensure that their processing of personal data satisfies at least one of the Schedule 2 (and where necessary Schedule 3) conditions above the First Principle also requires data controllers to ensure that the processing is "fair" in a general sense.

Where data are obtained from the data subject the data controller must therefore ensure, so far as practicable, that the data subject is provided with the identity of the data controller, the purpose or purposes for which the data are intended to be processed and any further information which is necessary to enable processing in respect of that data subject to be fair. In deciding what information is necessary for this requirement, data controllers should consider what processing of personal data they will be carrying out once the data are obtained and consider whether or not data subjects are likely to understand the following:
 - the purposes for which their personal data are to be processed
 - the likely consequences of such processing
 - whether any particular disclosures can reasonably be envisaged.

The more unforeseen the consequences of processing, the more likely it is that data controllers will be expected to provide further information. This is known as the "fair processing code". Where information is obtained from someone other than the data subject, the fair processing information should also be provided to the data subject either when the data controller first processes the data or at the time of the disclosure to a third party.

In practical terms this means that, in addition to having a legitimate basis for processing personal data, if any flow of personal data relating to a data subject is to take place (for example to any other volunteers of the scheme, victim support or, subject to some exceptions, even the Police) then it is normally important that from the outset the individual understands it and is given an opportunity to object to any disclosure. Similarly, anyone disclosing personal data to the Watch Scheme will have to address similar considerations; for example, the Police may sometimes need to find out victims' wishes before their details are passed on to a scheme.

In addition it is important that the processing of personal data is "lawful" in a general sense. Therefore, if the processing would contravene any statutory or common law obligation outside the scope of the Data Protection Act, then it will normally not be compliant with the First Principle.

You should be aware, however, that there is an exemption from parts of the First Principle where complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This is contained in section 29(1) of the Act, and means that you do not have to tell people what you are doing with their personal data or that you are holding it (i.e. comply with the general "fairness" requirement) where doing so would be harmful. You must always, however, comply with Schedule 2 of the Act and, where necessary, Schedule 3: there is no exemption from this.

The Second Data Protection Principle requires that personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

In order to ascertain if data controllers can comply with this Principle it is essential that they are clear about the purpose(s) for which the personal data are processed. It is essential that when making disclosures of personal data to any third party regard is given to the purpose(s) for which the third party may process the data.

The Third, Fourth, Fifth and Seventh Principles require data controllers to ensure that they process only the amount of information about each individual that is necessary to properly fulfil their purpose, that the personal data they hold are accurate and where necessary kept up to date, that they do not hold personal data for any longer than is necessary, and that appropriate security measures are in place against unauthorised or unlawful processing of personal data, taking into account the sensitivity of the data.

The Sixth Principle requires that processing is in accordance with the rights of the data subjects. The 1998 Act gives rights to data subjects in respect of personal data held about them by others. Amongst others, one such right is the right of subject access. This right allows individuals to have access to personal data held about them on computer and in paper records. The data controller must respond to a subject access request within 40 days and can charge a maximum fee of up to £10.

The Eighth Principle places limitation on the ability to transfer personal data to countries outside the EEA. It is highly unlikely that Watch Schemes would want, in general, to make such transfers but if you do then in order to ensure that this Principle is not breached you should consider the provisions of Schedule 4 of the 1998 Act.

If you need any further information then please visit the ICO website or telephone 01625 545754


SOME FREQUENTLY ASKED QUESTIONS

If the scheme has been set up as a partnership with the Police, a local council and the public do we need to notify or will the Police/Local Authority notification cover our processing?

Each data controller needs to notify in his or her own right. The notification of the Police or the Council will not cover your scheme's activities. Therefore if your scheme is not exempt from notification it should notify.

Will we be able to claim not for profit exemption for a Watch Scheme?

The exemption is very narrow in terms of data subjects, classes and disclosures and only applies to processing carried out by a data controller which is a body or association which is not established for profit. The exemption applies to processing which is for the purposes of establishing or maintaining membership of or support for a body or association, or for providing or administering activities for individuals who are either members of the body or association or have regular contact with it. The ICO cannot decide whether a data controller can take advantage of the exemption. It is up to the data controller to judge that or seek legal advice.

Do we have to notify if we send newsletters to members?

The first question is whether or not the newsletters are addressed personally to the members.
If they are sent to "The Occupier" or "The Householder" then the Act will not apply.
If the newsletters are personally addressed to the members and you are simply processing the data to send out newsletters marketing your own services then you may be able to rely on an exemption for advertising, marketing and public relations from notification. This exemption applies to data controllers who are advertising and marketing their own goods and services. If however with the mailings you intend to enclose details about services provided by a third party then the exemption will not apply.

Do I have to notify if I only have information on manual records?

No, but you can choose to notify voluntarily.

How do I notify?

By telephone (01625-545740) or by Internet (http://www.ico.gov.uk/what_we_cover/data_protection/notification.aspx)

What is the fee for notification?

The fee is £35 for one year.

Do we have to comply with the Principles even if we are exempt from notification requirements?

If you are processing personal data then you must comply with the requirements of the Data Protection Principles irrespective of whether you need to notify or not.

Are there any circumstances in which a Watch Scheme can disclose information which contains personal data to the Police without the individual's knowledge/consent?

Section 29 of the Act contains some exemptions which may be claimed for crime and taxation purposes. One such exemption relates to the prevention or detection of crime, or the apprehension or prosecution of offenders, and will permit disclosures in some particular cases where it is likely to prejudice these purposes. However, there is no blanket exemption and you will need to look at it on a case-by-case basis.

Can the Police disclose personal data to Watch Schemes?

Like all data controllers, the Police have to comply with the obligations that the Act places on them. They too have to comply with the requirements of the Act and comply with the Principles when making any disclosures of personal data to a third party. However in some circumstances the Police can claim an exemption to disclosures to a third party if the disclosure is necessary for prevention or detection of crime or for apprehension or prosecution of offenders where making the data subject aware of this is likely to prejudice these purposes. The Police will need to make a judgement in each case.


NON PROFIT-MAKING ORGANISATIONS EXEMPTION

The ICO has received a number of queries concerning the scope of the above exemption.

The exemption can only apply to processing "carried out by a data controller which is a body or association which is not established for profit". An accounting dictionary defines a non profit-making organisation as one which exists for a purpose (e.g. charitable or social) other than making a commercial profit. Another defines such an organisation as one which operates under rules which require all income to be applied to future activities of the same type (usually charitable). Such an organisation may make profits for its own purposes but not in order to enrich others. Therefore, an organisation may raise funds from events or functions where the monies raised exceed the expenses as long as the money raised is devoted to the organisation's activities. Any organisation which is not sure whether or not it is a non profit-making organisation should seek appropriate advice, probably from their accountant or legal adviser.

The exemption applies to processing which "is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it".

On the face of it, "providing or administering activities for individuals" would appear not to cover processing in connection with the provision of support, including advice, financial grants, equipment or accommodation, to individuals. On a strict interpretation, therefore, a charity processing in connection with the arrangement of rehabilitative exercises for land mine victims could take advantage of the exemption whereas one processing in connection with the provision of special accommodation could not. The ICO is prepared to accept, therefore, that "providing or administering activities" may legitimately be construed so as to include the provision of support. On this interpretation those providing advice, grants, equipment etc. may take advantage of this exemption providing they satisfy the other criteria.

No guidance is provided in the Statutory Instrument concerned on what amounts to "regular contact". The ICO takes the view that contact may be considered regular even if it is fairly infrequent. However, it is clear that the intention was to cover processing in connection with the activities of a membership organisation or those of a body which arranges activities for, or provides support or facilities to, a specific group of individuals. Therefore, a body that provides activities, on an ongoing basis, to the same individuals could fall within the exemption, whilst a body that, for example, runs a general drop-in advice centre, and which deals with a substantial number of clients on a one-off or isolated basis, would not. Incidentally, in the former case, a body that provides activities for, or support to, the same individuals over a period of time would not lose the exemption simply on the basis that they only have one-off contact in a limited number of cases if in the great majority of cases contact is on-going.

It is up to data controllers themselves to judge whether they can take advantage of this exemption. The ICO cannot provide formal confirmation that any particular data controller can do so. In any event a data controller may choose to notify voluntarily. A data controller which has not notified is nevertheless obliged to respond to a written request to provide that information which would have been included on the public register if they had notified.


For further information, contact

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 01625 545745
Fax: 01625 524510
E-mail: mail@ico.gov.uk
Website: www.ico.gov.uk

Last update: Tuesday, September 02, 2008
