Obligations For Preserving Personal Data and Confidential Information

by Kate McCormick

This guide aims to make employers and businesses aware of their obligations with regard to personal and confidential information, and to outline some measures to prevent accidental breaches of data protection and confidentiality.

Data Protection Act 1998 (DPA)

A starting point is the definition of ‘personal data’ and of ‘sensitive personal data’ in the Data Protection Act 1998. ‘Personal data’ is data relating to a living individual who can be identified from that data, alone or together with other information in the data controller’s possession; the individual need not be identified by name. ‘Sensitive personal data’ is information regarding a person’s racial or ethnic origin; political opinions; religious or similar beliefs; trade union membership; physical or mental health; sexual life; or the commission or alleged commission of offences and any proceedings relating to them. ‘Data’ is: information processed on a computer or by other automatic means; information that forms part of an ‘accessible record’ such as a health record; information held by a public authority; or manual data held in a ‘relevant filing system’. A ‘relevant filing system’ is one that is organised in a systematic or structured way so as to allow ready access to specific information about individuals (i.e. indexed, sub-divided, etc.).

If any such data is ‘processed’ (i.e. organised, altered, adapted, disclosed, retrieved, consulted, used, aligned, blocked, erased, destroyed, etc.) by or on the instructions of a business or person, then that business or person (the ‘data controller’) must comply with the eight ‘data protection principles’. Unless exempt, a controller holding automated data must also ‘notify’ the Information Commissioner so that it can be placed on the public register of data controllers. The notification must be renewed every year.

The eight principles ensure that the individual subject is protected as far as possible when their personal data is processed. The first principle states that data must be processed fairly and lawfully, and only where at least one of the conditions set out in the Act is met. ‘Fairly’ means that the subject must be told, at the time the data is obtained or as soon as practicable afterwards, and without being misled, what the information will be used for (which must be only the purposes for which it was acquired), who the data controller is, and any other specific circumstances relating to the way the data is to be processed (such as who else is to have access to it). The simplest of the processing conditions is the data subject’s consent, which for ordinary ‘personal data’ may be implied or inferred from the circumstances.

‘Lawful’ means that any other law applying to the data and its processing must be complied with, such as any express or implied obligation of confidentiality. Where consent has not been obtained, processing may instead be justified because it is necessary for performing a contract, complying with a legal obligation, protecting the vital interests of the data subject, the administration of justice, or pursuing the controller’s legitimate interests. These conditions are quite wide, so, provided the data is used fairly and lawfully, a business is unlikely to infringe them. ‘Sensitive personal data’, however, is subject to more rigorous conditions: in most cases the explicit consent of the subject must be obtained before processing.

It follows that marketing and sales lists, staff and employee records, and similar information are all likely to be personal or sensitive personal data under the Act and should be held and used in accordance with the principles.

Care should also be taken when selling or buying a business or company. During the due diligence exercise, personal data (in marketing lists, employee records, etc.) should be anonymised wherever possible. As soon as possible after completion of the sale the buyer should tell the data subjects that their data has been transferred and give them the chance to have their details removed from any database. Where the data is ‘sensitive’, explicit consent should be obtained before disclosure. The buyer must comply with the eight data protection principles when dealing with the information and may be required to ‘notify’ the Information Commissioner that it will be doing so. Notification is straightforward: fill in the on-line form at www.ico.gov.uk and pay the annual fee of £35 or £500 (depending on size and turnover).

Section 7 of the DPA gives individuals the right to see copies of all personal data to which the Act applies, by making a ‘subject access request’ in writing to the data controller, who may charge a fee of up to £10 for each request. The controller has to comply promptly and in any event within forty days of receiving the request, provided it has received the fee and any information it reasonably needs to identify the requester and locate the data, and provided that the information is not exempt from disclosure. Subject access requests are becoming more and more common, as the cases of Durant v Financial Services Authority [2003] and Smith v Lloyds TSB Bank Plc [2005] demonstrate. However, the courts have been careful to strike a balance between data controllers and subjects when dealing with such requests.

In the Durant case, the request failed because the data held was not found to be ‘personal’, i.e. relating to the individual. Durant was in a dispute with Barclays Bank and had complained to the FSA about the bank. He then made a subject access request to the FSA for copies of all the information it held that mentioned his name or related to him. The Court of Appeal held that, to be ‘personal data’ under the Act, information must be “biographical in a significant sense” and “have the data subject as its focus, rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or had an interest”. The purpose of a request is to let the individual check that their privacy is being respected, not to fish for information about others or to obtain early disclosure for potential litigation. In the Smith case it was held that information relating to a loan made by Lloyds TSB to a company was not ‘data’ under the Act, as it was neither automated nor part of a relevant filing system. This restrictive interpretation of ‘personal data’ and ‘relevant filing system’ shows that the courts are reluctant to allow the DPA to be used to obtain disclosure by the back door through a subject access request, instead of through the proper litigation procedures.

Failure to comply with the Act or with a subject access request can lead to individuals taking court proceedings, with data controllers being ordered to disclose information, to pay damages, or to stop further processing of the data under an injunction.

See our Practical Guide to the Data Protection Act 1998 for more information on the Act.

Breach of Confidence
Even where the Data Protection Act does not apply, information may still be protected as ‘confidential information’. This is an area of law that has expanded and developed through the decisions of the courts over the years.

The leading case is Coco v A. N. Clark (Engineers) Ltd [1969]. It sets out a three-part test for breach of confidence: the information must have the necessary quality of confidence; it must have been communicated in circumstances importing an obligation of confidence; and there must have been unauthorised use of it to the detriment of the party who communicated it. Later case law has extended the category of protected information well beyond trade secrets to all sorts of private and personal information which, by its nature or the form in which it is kept, is plainly meant to be kept confidential. The right to respect for private and family life in Article 8 of the European Convention on Human Rights, given effect by the Human Rights Act 1998, has developed this protection further, particularly where it is a public authority that holds the information, although it must be balanced against the public interest in favour of disclosure.

This development in the law of confidence is apparent in Douglas v Hello! [2007], where the House of Lords confirmed that the law of confidence can protect a ‘commercial commodity’ such as the subject matter of an exclusive deal. Michael Douglas and Catherine Zeta-Jones had sold exclusive rights to photographs of their wedding to ‘OK!’ magazine; when ‘Hello!’ published unauthorised photographs taken at the wedding, the couple recovered damages for breach of confidence, and OK! was held entitled to sue Hello! in its own right because the confidential information in the images was a commercial asset it had bought.

Jackson v Royal Bank of Scotland [2005] highlights the dangers of mishandling confidential information. The claimant imported goods and resold them to a customer; the bank mistakenly sent that customer documents revealing the claimant’s mark-up, and the customer responded by cutting the claimant out and buying directly from the overseas supplier. The claimant sued the bank and was awarded damages for the profits lost over the likely remaining life of the trading relationship. There was no express confidentiality term in the bank’s retainer, but the court found an ‘implied obligation of confidentiality’ on the bank in relation to the information in its customer’s contracts.

Thomas v Pearce [2000] also serves as a warning where new employees are taken on from competitors. A letting agent left her employment to join a rival firm, taking the client list with her to use in the new firm. Damages and an injunction were awarded against both the former employee and the new firm for breach of confidence, as both were aware that the client list contained confidential information.

A breach of confidence can result in the court imposing an injunction preventing further use of the information, awarding damages for the loss caused, or ordering an account of the profits made from the misuse.

Conclusion

The consequences of a breach of the DPA or of confidence can be severe, costing businesses money and time, but they can largely be avoided through preventative measures.

Marketing, sales and HR departments need to be particularly careful in their daily work. Mailing lists need to be kept up to date, and any request to be removed from them should be complied with promptly. The Privacy and Electronic Communications Regulations 2003 may also apply if electronic marketing is carried out. Businesses should also take care when engaging in other activities that could impinge on people’s privacy, such as the use of CCTV cameras for surveillance; here the data protection principles may require a privacy impact assessment and clear, documented procedures for how the CCTV system is used.

Where there is a risk that your business could be processing personal data, it is worth carrying out a data protection compliance audit. The data protection principles are a good starting point. A business’s policies should reflect these principles and contain measures to ensure that they are consistently complied with. For example, wherever possible, hard-copy files should be kept in a locked room or drawer; electronic records should be protected with a password of appropriate length and complexity and be accessible only to the staff who need them. Staff should be forbidden from copying critical information onto mobile equipment such as laptops and memory sticks unless the device is encrypted. Firewalls, anti-virus and anti-spyware protection should be installed on computers and on portable devices such as BlackBerrys, and should be maintained and updated regularly. Information should be backed up regularly and the back-up media kept in a safe place. Personal data and confidential information should be disposed of when no longer needed, by shredding paper records and securely wiping storage media before a computer is disposed of or reallocated.

Businesses should review their trading contracts to ensure that they contain adequate limitations on liability in the event of a breach of confidence. Conversely, confidentiality agreements should be entered into wherever confidential information is to be disclosed. Contracts of employment and compromise agreements should be updated to contain adequate restrictions on using and taking confidential information both during and after employment; these should be drawn to the attention of employees when they leave, and compliance should be monitored after they have left. New employers should ensure that incoming staff do not make use of confidential information taken from a previous employer and should destroy any such information that is disclosed to them. Retainers and contracts with other businesses should be reviewed regularly to ensure that confidentiality obligations are still being met.

Measures and procedures should be put in place to double-check information and documents before employees or contractors send them out. Confidential information should be clearly labelled as such, whether in hard copy or electronic form, and receiving parties should be expressly told that it is confidential. All staff should be trained to comply with the business’s policies and procedures, to delete unsolicited attachments and spam e-mails without opening them, and to watch out for people trying to solicit information from them, reporting any such incident and obtaining advice where necessary.
