The Data Protection Act 1998 (the Act) provides protection for personal data and rights of access and control for data subjects. It is an area of law of increasing importance as the volume of personal information retained in the cyber domain grows exponentially. In 2015 we saw developments in legislation and case law, together with long-awaited confirmation at European level that reform is coming.
Misuse of data subject access requests
We saw clarification in 2015 on the appropriate use of and appropriate response to data subject access requests (DSARs).
In relation to criminal convictions, employers are able to use the Disclosure and Barring Service to obtain details of the convictions of existing or prospective employees, but some have instead required job applicants to provide a full account of their criminal record (including spent convictions) by making a DSAR to the police or other record holder. Spent convictions should not be taken into account in recruitment unless the applicant will be working in a protected area, e.g. with children or vulnerable adults, or in the financial services sector. In March 2015 the provisions of the Act that make this practice (known as "enforced subject access") a criminal offence came into force. A job applicant or an existing employee cannot now be required to produce a copy of their criminal record by means of a DSAR.
There was also case law in which the appropriate use of a data subject access request in relation to ongoing legal proceedings was examined. In Dawson-Damer v Taylor Wessing and others, D were beneficiaries under a Trust and made a DSAR to TW who were solicitors for the Trustee. TW provided some information but claimed the majority of the data requested was subject to legal professional privilege and exempt from the request. They also claimed that some information was held in unstructured manual files and therefore outside the scope of the Act.
D issued proceedings for a declaration that TW had failed to comply with the Act. The application failed. The main grounds for refusal were as follows:
- The Act permits a data controller to refuse to supply a copy of the requested information where doing so is not possible or would involve disproportionate effort. In this case the judge decided that the search for and identification of disclosable documents would be extremely costly and that it was not reasonable or proportionate to require TW to undertake it.
- The purpose of the Act is to enable an individual to check whether the processing of his data unlawfully infringes his privacy and, if so, to provide measures he can take to protect himself. It is not intended to be used to give an individual early disclosure of documents that may assist in a complaint or claim against a third party.
The reasoning in this case may assist employers who wish to refuse a DSAR made by a disgruntled employee as a fishing exercise in advance of a potential claim.
US Safe Harbor framework: invalid
The EU Data Protection Directive (95/46/EC) prohibits the transfer of personal data from the EU to other countries unless those countries ensure an adequate level of protection for such data. In 2000 the European Commission approved a system under which US companies could self-certify their commitment to a set of data protection principles, known as the "Safe Harbor" framework, and data transferred to those companies was treated as adequately protected. Following revelations that US intelligence agencies had been accessing personal data held by companies in the US, an Austrian citizen (Schrems) complained to the Irish data protection authority about the transfer of his personal data to the US by Facebook, and the resulting case was referred to the European Court of Justice. The ECJ determined that, because US public authorities were able to access transferred data on a generalised basis that overrode the Safe Harbor commitments given by private companies, the framework did not ensure an adequate level of protection, and the Commission's Safe Harbor decision was declared invalid.
For employers wishing to transfer employee personal data to countries outside the European Economic Area, the explicit consent of the employees to such transfer should be obtained. Employers should also enter into direct contractual arrangements with the parties in the US to whom personal data is to be transferred, using the EU model contracts (standard contractual clauses) that exist for this purpose, although following the Schrems case these too may now be open to question. They are nevertheless the best available alternative to Safe Harbor at present (other than the specific consent of the data subject), as the current EU position is that the model contracts, if used, are "sufficient". Note that this position may change. The model contracts are published by the European Commission.
European data protection reform
The EU has since 2010 been discussing ways in which to strengthen Europe-wide data protection further. In December 2015, political agreement on the scope of those reforms (the General Data Protection Regulation) appears to have been reached. There now follows the process of legal enactment, which is intended to result in the repeal of the existing Data Protection Directive and for the new rules to come into full force in 2018. Commentary on the reforms will follow in due course.
Monitoring of employees' communications at work
Much has been made in the media of the case of Barbulescu v Romania in the European Court of Human Rights, in which the Court found no breach of an employee's right to respect for his private life (Article 8 of the European Convention on Human Rights) when he was dismissed for using his employer's internet for personal matters at work, the employer having monitored personal messages to his fiancee and family sent from his work-related Yahoo Messenger account.
Contrary to popular belief, the case does not provide a licence to monitor employees' communications at work. Employees retain a reasonable expectation of privacy in their communications at work unless that expectation is properly displaced by a contractual clause and/or a policy document in which the employer makes clear the rules for private use of its communications devices and systems and warns that monitoring will take place to ensure those rules are complied with. Ideally, the employee's specific consent to monitoring of this nature should also be obtained.