COMPETITION &
REGULATORY
GROUP
Charles Russell LLP
5 Fleet Place
London
EC4M 7RD
www.charlesrussell.co.uk
Charles Russell LLP
Floor 31, World Trade
Centre
West Tower
Is Al Kabeer Avenue
PO Box 31249
Manama
Kingdom of Bahrain
www.charlesrussell.bh
Data Protection Update
Andrew Sharpe
18 March 2010
DATA PROTECTION
• Introduction
– Laws
– Definitions/jargon
• Data Protection Principles
• New Enforcement Powers
• “Hot topics” and future for data
protection
INTRODUCTION
LAW
• Data Protection Act 1998
– Data Protection Directive 95/46/EC
– see Europa website for other national laws
(http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm)
– “the Act is certainly a cumbersome and
inelegant piece of legislation” (Morland J,
Naomi Campbell v MGN Limited [2002] EWHC
499 (QB))
INTRODUCTION - Law
• Privacy and Electronic Communications
(EC Directive) Regulations 2003 (SI
2003/2426)
– Privacy and Electronic Communications (EC
Directive)(Amendment) Regulations 2004
(SI 2004/1039)
– Privacy and Electronic Communications
Directive 2002/58/EC
• Durant -v- Financial Services Authority
[2003] EWCA Civ 1746
INTRODUCTION - Definitions
Section 1(1) Data Protection Act 1998:
• “data controller” means, subject to
subsection (4), a person who (either
alone or jointly or in common with other
persons) determines the purposes for
which and the manner in which any
personal data are, or are to be,
processed;
INTRODUCTION - Definitions
• “data processor”, in relation to personal
data, means any person (other than an
employee of the data controller) who
processes the data on behalf of the data
controller;
• “data” means information which is or is
intended to be processed automatically
(i.e. computerised) or forms part of a
relevant filing system
INTRODUCTION - Definitions
• “relevant filing system” means any set of
information relating to individuals
structured by reference to individuals or
criteria relating to individuals in such a
way that specific information relating to
an individual is readily accessible
– “on a par” with a computerised filing system
– “temp test”
INTRODUCTION - Definitions
• “personal data” means information
relating to a living individual who can be
identified from that data or from other
information in the possession of the
data controller
– narrow interpretation
– must be significantly biographical, have
individual as its focus and affect an
individual’s privacy (personal or
professional)
INTRODUCTION - Definitions
• “sensitive personal data” means
personal data relating to race, politics,
religious beliefs, physical or mental
condition, sexual life, offences
(allegations and sentence), membership
of trade union
INTRODUCTION - Definitions
• “processing data” means obtaining it,
recording it, holding it, carrying out
operations with respect to it, including:
– alteration
– retrieval
– consultation
– use
– disclosure
– erasure
INTRODUCTION - Definitions
Section 1(4) Data Protection Act 1998:
• where personal data are processed only for
purposes for which they are required by or
under any enactment to be processed, the
person on whom the obligation to process the
data is imposed by or under that enactment is
for the purposes of this Act the data controller.
DATA CONTROLLER LIABLE FOR DATA
PROCESSOR.
INTRODUCTION - DPA 1998
Exemptions
• National security
• Crime and taxation
• Regulatory activities usually statutory
and usually designed to protect the
public
• Health, education, social work
• Research, history and statistics
• Disclosures required by law or made in
connection with legal proceedings
DATA PROTECTION PRINCIPLES
Summary
1. Process fairly and lawfully
2. Obtain data only for one or more specified
purposes
3. Data adequate, relevant and not excessive
4. Data accurate and kept up to date
5. Data not to be kept longer than necessary
6. Process in accordance with rights of data
subject
7. Take appropriate security measures
8. No transfer of data outside EEA without
adequate protection
Personal data must be processed fairly
and lawfully and, in particular, shall not
be processed unless-
(a) at least one condition in Schedule 2 is met,
and
(b) in the case of sensitive personal data, at
least one of the conditions in Schedule 3 is
also met.
First Principle
• Personal data must be processed fairly
and lawfully and … one of the
conditions must be met
– fair processing only if data controller is
identified to data subject, together with
identity of any data protection
representative, and purpose(s) for which
data are intended to be processed is stated
– conditions at Schedule 2 or 3 to DPA 1998
First Principle Conditions
• Consent to processing is most used condition
(explicit consent for sensitive personal data)
• Can process personal data without consent in
certain circumstances e.g.:
– paragraph 6 of Schedule 2: “The processing is
necessary for the purposes of legitimate interests
pursued by the data controller or by the third party or
parties to whom the data are disclosed, except
where the processing is unwarranted in any
particular case by reason of prejudice to the rights
and freedoms or legitimate interests of the data
subject.”
Personal Data shall be obtained only for
one or more specified and lawful
purposes, and shall not be further
processed in any manner incompatible
with that purpose or those purposes.
Personal Data shall be adequate,
relevant and not excessive in relation to
the purpose or purposes for which they
are processed
Personal data shall be accurate and
where necessary kept up to date
Personal data processed for any
purpose or purposes shall not be kept
longer than necessary for that purpose
or purposes
Fifth Principle
• Personal data processed for any
purpose or purposes shall not be kept
longer than necessary for that purpose
or purposes
– often misused as a reason not to process
personal data inappropriately, most
famously by Humberside Police (deleted
information on Ian Huntley may have
prevented Soham murders)
– question of judgement for data controller
Personal data shall be processed in
accordance with the rights of the data
subject.
Sixth Principle
• Personal data shall be processed in
accordance with the rights of the data
subject
– data subject access rights
– “stop” notices for damage or distress
– “stop” notices for direct marketing
– “stop” notices for automatic decision making
processes
Appropriate technical and organisational
measures shall be taken against
unauthorised or unlawful processing of
personal data and against accidental
loss or destruction of, or damage to,
personal data
Seventh Principle: data
processors/outsourcing
• Express terms governing due diligence
of data processors
– where processing carried out by data
processor on behalf of data controller, data
controller must take reasonable steps to
ensure compliance with technical and
organisational measures
– ensure data processor subject to
contractual obligations AND include audit
rights for at least Seventh Principle
Personal data shall not be transferred to
a country or territory outside the EEA
unless that country or territory ensures
an adequate level of protection for the
rights and freedoms of data subjects in
relation to the processing of personal
data
Eighth Principle
• Personal data shall not be transferred to
a country or territory outside the EEA
unless that country or territory ensures
an adequate level of protection for the
rights and freedoms of data subjects in
relation to the processing of personal
data
– export always permitted where data subject
gives consent to transfer
– other transfers without consent possible
(Schedule 4 of the DPA 1998)
Lawful Export of Data
• Disclosure outside of the EEA
– to third country approved by Commission
(Art. 25(6)) (Argentina, Australia, Canada,
Guernsey, Isle of Man, Jersey, Switzerland)
– US Safe Harbor -
http://www.export.gov/safeharbor/
– Binding corporate rules (Art. 26(2))
– Model Contracts (Art. 26(4))
Model Contracts
• In standard form for use in following
situations:
– Controller to processor:
• Commission Decision (2002/16/EC) of 27
December 2001
– Controller to controller:
• Commission Decision (2001/497/EC) of 15 June
2001
• Commission Decision C(2004)5271 of 7 January
2005 (preferred)
Transfer of Data Agreements
• New controller to processor approved
agreement
– effective date 15 May 2010
– set out in 2010/87/EU Commission Decision
of 5 February 2010 on standard contractual
clauses for the transfer of personal data to
processors established in third countries
under Directive 95/46/EC of the European
Parliament and of the Council (notified
under document C(2010) 593)
Transfer of Data Agreements
– available in Word
(http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm)
– introduces obligations on sub-processors
– not yet formally adopted by Information
Commissioner
ENFORCEMENT
• Investigations
• Enforcement Notice
• Prosecution
• Criminal Justice and Immigration Act
2008
• Coroners and Justice Act 2009
Criminal Justice and Immigration
Act 2008
• introduces monetary penalties for breach of
data protection principles (s.144)
– amends Data Protection Act 1998 (new sections 55A–55E)
– maximum penalty set by Secretary of State
– fining guidelines published by Information
Commissioner’s Office (see www.ico.gov.uk)
• only allowable for:
– “serious contravention of [a data protection
principle]”
– “likely to cause substantial damage or substantial
distress”
– deliberate breaches or where controller knew or
ought to have known that there was risk of
contravention and that the contravention would be
likely to cause substantial damage or substantial
Criminal Justice and Immigration
Act 2008
• secondary legislation being passed to bring
into effect
• no official announcement as to when it will be
brought into effect
• maximum penalty
– £500,000
– some lobbying, including from previous Information
Commissioner, to be given OFT-style power (i.e. up
to 10% annual turnover of offender)
• appears from secondary legislation that
measures are being passed to bring these measures
into effect on 6 April 2010
Coroners and Justice Act 2009
• Royal Assent on 12 November 2009
• Part 8 – Data Protection Act amendments
– assessment notices - will give Information
Commissioner statutory audit powers over
government departments and public authorities
– data-sharing code – requires ICO to produce code
for data sharing, to be approved by Secretary of
State (and Parliament)
• Some lobbying, including by previous IC, for
assessment notice power to be for private as
well as public sector
HOT TOPICS
• Breach notification
Privacy and Electronic
Communications Directive 2002/58/EC
• Amended by Citizens’ Rights Directive
2009/135/EC
• Amendments introduce breach
notification requirements by electronic
communications networks or services
providers to national regulatory bodies
and subscribers
• Member States must implement by 18
June 2011
Breach Notification
• some early discussion about widening
measure to all data controllers, and
including general public notification
– Reding speech 23 October 2009
– already more extensive breach notification
in some member states (e.g. some federal
states in Germany)
– EU looking closely at mixed practice in
USA, where majority of states have some
kind of breach notification law
Andrew Sharpe
Charles Russell LLP
Tel: + 44 (0) 20 7203 5194
+973 17 133219
Mobile:+ 44 (0) 77 1307 9516
+973 39 035451
Email: andrew.sharpe@charlesrussell.co.uk
andrewjsharpe
TMT_Lawyer
http://www.linkedin.com/in/andrewsharpe
CRITique at http://charlesrussell.wordpress.com
Offices in: London, Oxford, Cambridge, Cheltenham, Guildford, Geneva (Switzerland), Manama (Bahrain)
This information has been prepared as a general guide only and does not constitute advice on any specific
matter. We recommend that you seek professional advice before taking action. No liability can be accepted by
us for any action taken or not taken as a result of this information.
Charles Russell LLP is a limited liability partnership registered in England and Wales, registered number
OC311850, and is regulated by the Solicitors Regulation Authority. Any reference to a partner in relation to
Charles Russell LLP is to a member of Charles Russell LLP or an employee with equivalent standing and
qualifications. A list of members and of non-members who are described as partners, is available for
inspection at the registered office, 5 Fleet Place, London EC4M 7RD.
www.charlesrussell.co.uk www.charlesrussell.bh

 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 

Data Protection (Download for slideshow)

  • 1. COMPETITION & REGULATORY GROUP Charles Russell LLP 5 Fleet Place London EC4M 7RD www.charlesrussell.co.uk Charles Russell LLP Floor 31, World Trade Centre West Tower Is Al Kabeer Avenue PO Box 31249 Manama Kingdom of Bahrain www.charlesrussell.bh Data Protection Update Andrew Sharpe 18 March 2010
  • 2. DATA PROTECTION • Introduction – Laws – Definitions/jargon • Data Protection Principles • New Enforcement Powers • “Hot topics” and future for data protection
  • 3. INTRODUCTION LAW • Data Protection Act 1998 – Data Protection Directive 95/46/EC – see Europa website for other national laws (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm) – “the Act is certainly a cumbersome and inelegant piece of legislation” (Morland J, Naomi Campbell v MGN Limited [2002] EWHC 499 (QB))
  • 4. INTRODUCTION - Law • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) – Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2004 (SI 2004/1039) – Privacy and Electronic Communications Directive 2002/58/EC • Durant -v- Financial Services Authority [2003] EWCA Civ 1746
  • 5. INTRODUCTION - Definitions Section 1(1) Data Protection Act 1998: • “data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
  • 6. INTRODUCTION - Definitions • “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller; • “data” means information which is or is intended to be processed automatically (i.e. computerised) or forms part of a relevant filing system
  • 7. INTRODUCTION - Definitions • “relevant filing system” means any set of information relating to individuals structured by reference to individuals or criteria relating to individuals in such a way that specific information relating to an individual is readily accessible – “on a par” with a computerised filing system – “temp test”
  • 8. INTRODUCTION - Definitions • “personal data” means information relating to a living individual who can be identified from that data or from other information in the possession of the data controller – narrow interpretation – must be significantly biographical, have individual as its focus and affect an individual’s privacy (personal or professional)
  • 9. INTRODUCTION - Definitions • “sensitive personal data” means personal data relating to race, politics, religious beliefs, physical or mental condition, sexual life, offences (allegations and sentence), membership of trade union
  • 10. INTRODUCTION - Definitions • “processing data” means obtaining it, recording it, holding it, carrying out operations with respect to it, including: – alteration – retrieval – consultation – use – disclosure – erasure
  • 11. INTRODUCTION - Definitions Section 1(4) Data Protection Act 1998: • where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller. DATA CONTROLLER LIABLE FOR DATA PROCESSOR.
  • 12. INTRODUCTION - DPA 1998 Exemptions • National security • Crime and taxation • Regulatory activities usually statutory and usually designed to protect the public • Health, education social work • Research history and statistics • Disclosures required by law or made in connection with legal proceedings
  • 13. DATA PROTECTION PRINCIPLES Summary 1. Process fairly and lawfully 2. Obtain data only for one or more specified purposes 3. Data adequate relevant and not excessive 4. Data accurate and kept up to date 5. Data not to keep longer than necessary 6. Process in accordance with rights of data subject 7. Take appropriate security measures 8. No transfer of data outside EEA without adequate protection Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one condition in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  • 14. First Principle • Personal data must be processed fairly and lawfully and … one of the conditions must be met – fair processing only if data controller is identified to data subject, together with identity of any data protection representative, and purpose(s) for which data are intended to be processed is stated – conditions at Schedule 2 or 3 to DPA 1998
  • 15. First Principle Conditions • Consent to processing is most used condition (explicit consent for sensitive personal data) • Can process personal data without consent in certain circumstances e.g.: – paragraph 6 of Schedule 2: “The processing is necessary for the purposes of legitimate interests pursued by the data controller or by third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”
  • 16. DATA PROTECTION PRINCIPLES Summary 1. Process fairly and lawfully 2. Obtain data only for one or more specified purposes 3. Data adequate relevant and not excessive 4. Data accurate and kept up to date 5. Data not to keep longer than necessary 6. Process in accordance with rights of data subject 7. Take appropriate security measures 8. No transfer of data outside EEA without adequate protection Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed Personal data shall be accurate and where necessary kept up to date Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes
  • 17. Fifth Principle • Personal data processed for any purpose or purposes shall not be kept longer than necessary for that purpose or purposes – often misused as a reason not to process personal data inappropriately, most famously by Humberside Police (deleted information on Ian Huntley may have prevented Soham murders) – question of judgement for data controller
  • 18. DATA PROTECTION PRINCIPLES Summary 1. Process fairly and lawfully 2. Obtain data only for one or more specified purposes 3. Data adequate relevant and not excessive 4. Data accurate and kept up to date 5. Data not to keep longer than necessary 6. Process in accordance with rights of data subject 7. Take appropriate security measures 8. No transfer of data outside EEA without adequate protection Personal data shall be processed in accordance with the rights of the data subject.
  • 19. Sixth Principle • Personal data shall be processed in accordance with the rights of the data subject – data subject access rights – “stop” notices for damage or distress – “stop” notices for direct marketing – “stop” notices for automatic decision making processes
  • 20. DATA PROTECTION PRINCIPLES Summary 1. Process fairly and lawfully 2. Obtain data only for one or more specified purposes 3. Data adequate relevant and not excessive 4. Data accurate and kept up to date 5. Data not to keep longer than necessary 6. Process in accordance with rights of data subject 7. Take appropriate security measures 8. No transfer of data outside EEA without adequate protection Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • 21. Seventh Principle: data processors/outsourcing • Express terms governing due diligence of data processors – where processing carried out by data processor on behalf of data controller, data controller must take reasonable steps to ensure compliance with technical and organisational measures – ensure data processor subject to contractual obligations AND include audit rights for at least Seventh Principle
  • 22. DATA PROTECTION PRINCIPLES Summary 1. Process fairly and lawfully 2. Obtain data only for one or more specified purposes 3. Data adequate relevant and not excessive 4. Data accurate and kept up to date 5. Data not to keep longer than necessary 6. Process in accordance with rights of data subject 7. Take appropriate security measures 8. No transfer of data outside EEA without adequate protection Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
  • 23. Eighth Principle • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data – export always permitted where data subject gives consent to transfer – other transfers without consent possible (Schedule 4 of the DPA 1998)
  • 24. Lawful Export of Data • Disclosure outside of the EEA – to third country approved by Commission (Art. 25(6)) (Argentina, Australia, Canada, Guernsey, Isle of Man, Jersey, Switzerland) – US Safe Harbor - http://www.export.gov/safeharbor/ – Binding corporate rules (Art. 26(2)) – Model Contracts (Art. 26(4))
  • 25. Model Contracts • In standard form for use in following situations: – Controller to processor: • Commission Decision (2002/16/EC) of 27 December 2001 – Controller to controller: • Commission Decision (2001/497/EC) of 15 June 2001 • Commission Decision C(2004)5271 of 7 January 2005 (preferred)
  • 26. Transfer of Data Agreements • New controller to processor approved agreement – effective date 15 May 2010 – set out in 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593)
  • 27. Transfer of Data Agreements – available in Word (http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm) – introduces obligations on sub-processors – not yet formally adopted by Information Commissioner
  • 28. ENFORCEMENT • Investigations • Enforcement Notice • Prosecution • Criminal Justice and Immigration Act 2008 • Coroners and Justice Act 2009
  • 29. Criminal Justice and Immigration Act 2008 • introduces monetary penalties for breach of data protection principles (s.144) – amends Data Protection Act 1998 (new sections 55A – 55E) – maximum penalty set by Secretary of State – fining guidelines published by Information Commissioner’s Office (see www.ico.gov.uk) • only allowable for: – “serious contravention of [a data protection principle]” – “likely to cause substantial damage or substantial distress” – deliberate breaches or where controller knew or ought to have known that there was risk of contravention and that the contravention would be likely to cause substantial damage or substantial
  • 30. Criminal Justice and Immigration Act 2008 • secondary legislation being passed to bring into effect • no official announcement as to when it will be brought into effect • maximum penalty – £500,000 – some lobbying, including from previous Information Commissioner, to be given OFT-style power (i.e. up to 10% annual turnover of offender) • appears from secondary legislation that measures are being passed to bring measures into effect on 6 April 2010
  • 31. Coroners and Justice Act 2009 • Royal Assent on 12 November 2009 • Part 8 – Data Protection Act amendments – assessment notices - will give Information Commissioner statutory audit powers over government departments and public authorities – data-sharing code – requires ICO to produce code for data sharing, to be approved by Secretary of State (and Parliament) • Some lobbying, including by previous IC, for assessment notice power to be for private as well as public sector
  • 32. HOT TOPICS • Breach notification
  • 33. Privacy and Electronic Communications Directive 2002/58/EC • Amended by Citizens’ Rights Directive 2009/135/EC • Amendments introduce breach notification requirements by electronic communications networks or services providers to national regulatory bodies and subscribers • Member States must implement by 18 June 2011
  • 34. Breach Notification • some early discussion about widening measure to all data controllers, and including general public notification – Reding speech 23 October 2009 – already more extensive breach notification in some member states (e.g. some federal states in Germany) – EU looking closely at mixed practice in USA, where majority of states have some kind of breach notification law
  • 35. Andrew Sharpe Charles Russell LLP Tel: + 44 (0) 20 7203 5194 +973 17 133219 Mobile:+ 44 (0) 77 1307 9516 +973 39 035451 Email: andrew.sharpe@charlesrussell.co.uk andrewjsharpe TMT_Lawyer http://www.linkedin.com/in/andrewsharpe CRITique at http://charlesrussell.wordpress.com
  • 36. Offices in: London, Oxford, Cambridge, Cheltenham, Guildford, Geneva (Switzerland), Manama (Bahrain) This information has been prepared as a general guide only and does not constitute advice on any specific matter. We recommend that you seek professional advice before taking action. No liability can be accepted by us for any action taken or not taken as a result of this information. Charles Russell LLP is a limited liability partnership registered in England and Wales, registered number OC311850, and is regulated by the Solicitors Regulation Authority. Any reference to a partner in relation to Charles Russell LLP is to a member of Charles Russell LLP or an employee with equivalent standing and qualifications. A list of members and of non-members who are described as partners, is available for inspection at the registered office, 5 Fleet Place, London EC4M 7RD. www.charlesrussell.co.uk www.charlesrussell.bh

Editor's notes

  1. SCHEDULE 2 - CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA 1. The data subject has given his consent to the processing. 2. The processing is necessary- (a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract. 3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. 4. The processing is necessary in order to protect the vital interests of the data subject. 5. The processing is necessary- (a) for the administration of justice, (b) for the exercise of any functions conferred on any person by or under any enactment, (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person. 6. - (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. (2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
  2. This is implemented in the Data Protection Act 1998 at paragraphs 4 and 5 of Schedule 4: “4 (1) The transfer is necessary for reasons of substantial public interest. (2) The Secretary of State may by order specify: (a) circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and (b) circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest. 5 The transfer: (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”