What is personal data?
According to the UK Data Protection Act (DPA), personal data is defined as:
“(…) data which relate to a living individual who can be identified - a) from those data or, b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual” (Section 1 (1) of the DPA).
This provision represents a unique position among the countries that have implemented Directive 95/46/EC, as it defines data as personal only if the data controller can identify the data subject (Privireal 2005). The provision is controversial because it differs from the definition of personal data in the Directive (Article 2 (a)), which can be understood as treating data as personal if anyone can identify the data subject, directly or indirectly (Beyleveld et al. 2004: 408).
What is sensitive personal data?
In Section 1 (2) of the DPA, sensitive personal data includes information regarding:
a) racial or ethnic origin of the data subject,
b) political opinions,
c) religious beliefs or other beliefs of a similar nature,
d) membership in a trade union,
e) physical or mental health or condition,
f) sexual life,
g) commission or alleged commission by him of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
In contrast to Article 8 (1) of the Directive, information about the commission or alleged commission of any offence, and about proceedings for any offence committed or alleged to have been committed, is added to what is considered sensitive personal data in the DPA (cf. Section 2, items g and h).
Conditions for processing of personal data
The conditions for processing personal data are set out in Schedule 2 and 3 of the DPA. Unless a relevant exemption applies, at least one of the stated conditions must be met, for instance that the data subject has consented to the processing.
Moreover, eight principles form the basis of the requirements for the processing of personal data (cf. Schedule 1, Part I):
1. Personal data shall be processed fairly and lawfully, and shall not be processed unless:
a. At least one of the conditions in Schedule 2 is met (e.g. consent), and
b. In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met (e.g. consent),
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be processed in any manner incompatible with that or those purposes,
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose of the processing,
4. Personal data shall be accurate and, where necessary, kept up to date,
5. Personal data should not be kept for longer than is necessary for the purpose of the processing,
6. Personal data shall be processed in accordance with the rights of the data subjects under the Act (e.g. right to access to personal data, preventing processing likely to cause damage or distress, the right to correct inaccurate personal data),
7. Appropriate information security measures shall be taken against unauthorised and unlawful processing of personal data,
8. Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Obligation to notify the supervisory authority
Under Sections 18 and 19 of the DPA, every data controller that processes personal data is obliged, subject to some exemptions, to notify the Information Commissioner’s Office (ICO). This process is known as notification. The ICO uses these details to make an entry in a statutory register that is available for public inspection. If any changes are made to the processing of personal data, the existing ICO registration must be reported and amended accordingly. Failure to notify is a criminal offence (cf. Section 21).
The ICO is the UK’s independent supervisory public authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals (ICO-about). The ICO is responsible for data protection in England, Scotland, Wales and Northern Ireland, and enforces and oversees the following legislation:
The preliminary notification to the ICO should contain information about at least the following:
a) the name and address of the data controller,
b) the name and address of the representative if the data controller has nominated a representative,
c) a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate,
d) a description of the purpose or purposes for which the data are being or are to be processed,
e) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data,
f) the names, or a description of, any countries or territories outside the European Economic Area to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data (cf. Section 16 of the DPA).
According to the DPA, it is an offence to process personal data:
- without notifying the ICO (cf. Section 17 (1));
- in contravention of the notification regulations (cf. the Data Protection Regulations 2000);
- in contravention of the requirements for assessable processing (cf. Section 22 (5)); or
- without providing the information specified in Section 16 (1) within 21 days to any person who requests it in writing, where Section 24 (1) applies (Beyleveld et al. 2004: 424).
Data Protection Officer
There is no requirement in the UK for organisations to appoint a data protection officer. However, many universities have appointed their own data protection officers to oversee the processing of personal data carried out by staff and students.
Case 1: University of Durham:
The University of Durham sends an annual notification to the ICO of its personal data processing activities. The notification process includes informing the ICO of the following:
· The purposes for which the University processes personal data,
· To whom the personal data relates (data subjects),
· To whom this personal data is disclosed,
· To which countries or territories outside of the EEA, if any, the personal data is transferred (Durham University 2010: 7).
The current notification of the University of Durham can be viewed here:
Staff and students are only allowed to process personal data for the purposes listed in the ICO notification of the University. If they wish to process personal data for any other purpose, they must discuss their proposals with the University’s Data Protection Officer so that the notification to the ICO can be amended appropriately. Any processing that is undertaken outside of the University’s notification to the ICO is unlawful (Op.cit.: 6-7).
Researchers are advised, wherever possible, to use anonymised data in order to safeguard individual privacy. Researchers and supervisors must ensure that they are familiar with the Data Protection Principles, and should consult the University’s Data Protection Officer if further advice is required (Op.cit.: 8-9).
Exemptions from the notification obligation
The non-automated processing of personal data is exempt from the obligation to notify (ICO 2007: 2). Additionally, the DPA sets out exemptions to accommodate specific circumstances, such as the use of personal data in research. Entitlement to an exemption depends on the purpose of the processing of personal data. If an exemption applies, then (depending on the circumstances) the processing will be exempt from the following requirements of the DPA:
- to register with the ICO; and/or
- to grant subject access to personal data; and/or
- to give privacy notices; and/or
- not to disclose personal data to third parties (ICO b)).
Conditions for exemption for research purposes
According to Section 33 of the DPA, there are exemptions from the requirements of the DPA if personal data are processed only for research purposes, which include statistical or historical purposes (cf. Section 33 (1)). Personal data processed for such purposes may be exempt from some of the eight data protection principles, provided that all of the following conditions apply:
- that the personal data is used exclusively for research purposes (including statistical and historical purposes),
- that the personal data is not being used to support measures or decisions relating to any identifiable living individual,
- that the personal data is not processed in such a way that it causes substantial damage and distress to the data subject, and
- that the results of the research activity, or any resulting statistics, must not be made available in a form that identifies the data subject (University of Bristol 2014a).
Moreover, there is also an exemption for automated data processed only for the purpose of historical research, provided that the processing complies with the relevant conditions and is not carried out with reference to any data subject. Where these conditions are met, such data are also exempt from the provisions referred to in the 1st to 5th data protection principles, except the requirement of the first principle that personal data be processed fairly (cf. Schedule 8, Part IV, paragraph 17 (1)).
Although the DPA does not make clear what counts as “historical research”, it must be distinguished from research for historical purposes, to which the general, less extensive exemption for research, history and statistics in Section 33 applies (Beyleveld et al. 2004: 427).
This provision covers historical research, not medical research. Otherwise, there are no special provisions for notification regarding medical research (unless the data are anonymised, in which case the data are no longer considered personal data) (Op.cit.: 420).
Although there is an exemption for historical research, the DPA provides a narrower exemption for processing for historical research than Directive 95/46/EC (cf. Article 32 (3)), which permits Member States to exempt processing for the sole purpose of historical research from the whole of the first data protection principle and from the provisions of Schedule 1, Part II, paragraph 2.
Cf. the first data protection principle: http://en.wikipedia.org/wiki/Data_Protection_Act_1998#Data_protection_principles
The DPA does not specify any particular security measures to adopt and implement for the processing of personal data (cf. Schedule 1, Part I (7)). However, the ICO recommends the following procedures:
- To design and organise security measures to fit the processing of the personal data and the harm that may result from a security breach;
- To be clear about who is responsible for ensuring information security;
- To make sure the right physical and technical security is undertaken, backed up by robust policies and procedures and reliable, well-trained staff; and
- To be ready to respond to any breach of security swiftly and effectively (ICO a)).
Moreover, the ICO recommends that international standards for information security management are adopted, such as ISO 27001 (ibid.).
The DPA contains special requirements for the use of data processors to process personal data on behalf of the data controller (cf. the 7th data protection principle). The Act states that the data controller must:
- choose a data processor that provides sufficient guarantees in respect of the technical and organisational security measures;
- take reasonable steps to check that those security measures are being put into practice; and
- sign a written contract setting out what the data processor is allowed to do with the personal data. The contract must also require the data processor to take the same security measures that the data controller would have to take if it were processing the data itself (cf. Schedule 1, Part II (11 and 12)).
The ICO refers to a model data processing contract which has been published by the European Committee for Standardisation (ICO a)):
The UK Data Protection Act 1998:
The 95/46/EC Directive:
Information Commissioner’s Office:
Beyleveld, D., Grubb, A., Townend, D., Morgan, R. and Wright, J. 2004. “The UK’s Implementation of Directive 95/46/EC”, in Beyleveld, D., Townend, D., Rouille-Mirza, S. and Wright, J. (eds.). Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Aldershot: Ashgate, pp. 403-428.
Durham University, 2010. Data Protection Policy [Internet], University of Durham. Available at: https://www.dur.ac.uk/resources/data.protection/dataprotectionpolicy.pdf, [accessed on June 19 2014.]
ICO, 2007. Notification Exemptions: A self-assessment guide [Internet], Information Commissioner’s Office. Available at: http://ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Forms/notification_exemptions_-_self-assessment_guide.ashx, [accessed on June 19 2014.]
ICO a). Information Security (Principle 7) [Internet], Information Commissioner’s Office (ICO). Available at: http://ico.org.uk/for_organisations/data_protection/the_guide/principle_7, [accessed on June 20 2014.]
ICO b). Are there any exemptions from the Data Protection Act? [Internet], Information Commissioner’s Office (ICO). Available at: http://ico.org.uk/for_organisations/data_protection/the_guide/exemptions#notification, [accessed on June 19 2014.]
Privireal, 2005. UK - Data Protection [Internet], Privireal: Privacy in Research Ethics and Law. Available at: http://www.privireal.org/content/dp/uk.php, [accessed on June 19 2014.]
University of Bristol 2014a. Research Guidelines: section 33 exemption [Internet], University of Bristol. Available at: http://www.bris.ac.uk/secretary/dataprotection/research/guidelines.html, [accessed on June 19 2014.]