United Kingdom of Big Brother? | Data Protection and Privacy
This week, our litigation department focuses on personal data and private information in light of the whistleblower Edward Snowden’s allegations of private information being handed over from large corporations to government bodies. It is important to be aware of how your individual data and private information can be stored and monitored as well as the fact that you are entitled to know what information about you is being held.
The right to privacy has been widely debated in British legal history. Peculiarly, the debate has often revolved around whether or not such a right exists in the United Kingdom in the absence of a written constitution or statute confirming that everyone has a right to privacy.
Technically speaking, if a citizen feels that their privacy has been violated, there are a number of legal remedies available in order to redress the invasion of privacy. These remedies may take the following forms which can be turned into civil actions in the Courts:
- Breach of Article 10 of the European Convention on Human Rights (as incorporated by the Human Rights Act 1998), which calls for the right to respect for private and family life;
- Claim in harassment pursuant to the Protection from Harassment Act 1997;
- Claim in trespass for unlawful and unauthorised entry into private property; and
- Breach of Data Protection Act 1998.
The Data Protection Act 1998 (the ‘DPA 1998’) has recently appeared across the media in light of the whistleblower Edward Snowden’s accusations of the unlawful use of private data of citizens of the United States and the United Kingdom by Prism and the Government Communications Headquarters (‘GCHQ’).
Prism is an electronic surveillance program that is run by the National Surveillance Agency (‘NSA’), the United States government’s security agency. Snowden has accused the NSA of collecting, through the Prism program, private information on US citizens but also on those in Europe, including the UK. The alleged link between Prism and the GCHQ was raised by Snowden.
According to accusations raised by Snowden, potentially thousands of British citizens have had their telephone and online communications monitored or intercepted in some way. This is potentially a violation of the DPA 1998.
Every day, reams of private and personal information are exchanged and stored, physically and electronically. For example, a school’s administration office compiles personal details of pupils; a hospital logs a patient’s personal details onto the hospital’s database; internet companies retain the private information of customers for their marketing analysis purposes. The recipient of the data, known as a ‘data controller’ under the DPA 1998, is responsible for how that private information is kept and used.
It is important to note that your private information does not necessarily have to refer to you by your name. This means that personal information about you may be held by a company or organisation by a unique number referencing system. These reference numbers may then be matched against an index system which identifies individuals by their names. Even though your name may not appear in a company’s database records, the fact that you can be identified through the database means that the information amounts to personal data and private information under the DPA 1998.
The DPA 1998 states that information given to companies, businesses and the government must be controlled following these guidelines:
- The information must be used fairly and lawfully
- The information can only be used for the specific purpose it was given for
- The information must not be kept for longer than necessary
- The information must be kept safe and secure
- The information must not be transferred outside the UK without adequate protection
One key right enshrined in the DPA 1998 is that individuals, or you the citizen, are entitled to know if private companies and government organisations are ‘controlling’ or holding information on you.
The procedure to find out if your private data is being retained by an organisation is known as a ‘subject access request’ or SAR. A SAR may be made to any of the following:
- Credit card companies
- Past or present employers
Once a SAR is made and submitted, the recipient of the SAR must within a prescribed time limit reveal to you all the information they hold on you. What may be of more interest to many of you is that the data controller must also provide information on:
- How they obtained your data
- Whether your data has been passed on to third parties or other organisations
Requests for your personal information may become complicated when there is an issue of confidentiality arising out of certain relationships (e.g. doctor/patient, lawyer/client) and when private information retained on one individual subject contains information or references to third parties. For example, private data on an individual who spent his or her youth in child care with social services is bound to contain names and data on other individuals who were involved with the child. In order to release the individual subject’s data, the data controller would need to get the consent of those third parties before releasing the individual’s data.
In an age when information technology and the internet have made the exchange of information reach lightning speeds, it is important to be aware of how your data and private information are being held. There are certain rights and obligations imposed upon data controllers who store and process your private information.
Regardless of whether there is a codified document establishing the ‘right to privacy’ set in stone or not, there are sufficient legal measures in place to protect the privacy of individual citizens. The DPA 1998 is an essential piece of legislation in this country which helps safeguard the storage and processing of your private information.