Data Protection Legislation and a Satisfactory Balance - Research Paper Example

Summary
The paper “Data Protection Legislation and a Satisfactory Balance” will review the current data protection legislation and determine whether it maintains a satisfactory balance between the individual right to privacy and the interests of security managers…

Extract of sample "Data Protection Legislation and a Satisfactory Balance"

Introduction

Maintaining a satisfactory balance between the need for privacy and data protection on one hand and law enforcement on the other is not an easy task for national legislation (Room and British Computer Society 2007). The current data protection laws aim at protecting the right to individual privacy by ensuring that the data protection guidelines prohibit either accidental or unlawful access or destruction of personal data without the consent of the individual (Room and British Computer Society 2007). However, the needs of the state or the public interest demand that exemptions be put in place, which erodes the privacy of the individual (Carey 2000). Law enforcement and security agencies are increasingly demanding exemption from the current privacy laws due to the borderless society, but the possible abuse of these powers is among the costs that society has to bear in combating crime in the current information age (Harris 2007). The recent advancements in information communication technologies have enhanced the ease of transfer of personal data across borders, and national laws of data protection require good data management practices that ensure data is securely processed (Waldo, Lin and Millett 2007; Kerr, Sleeves and Lucock 2009). The paper will review the current data protection legislation and determine whether it maintains a satisfactory balance between the individual right to privacy and the interests of security managers.

The current UK legislation on individual right to privacy and data protection is modeled around the EU directive on privacy and data protection principles issued by Directive 95/46/EC (Harris 2007). The EU Directive 95/46/EC aims at harmonization of the personal data protection legal framework across the member states in order to ensure citizens are granted equal protection across the union (Harris 2007).
The data controllers are required to process data fairly and lawfully, and data should be collected and used for legitimate purposes only. The personal data should be accurate and kept up to date, and data controllers are expected to provide reasonable measures for the data subjects to rectify or block incorrect data about them (Loses 2000). The member states are required to establish a supervisory authority that will maintain an updated public register that the general public can use to access the names of all data controllers. Article 7 outlines the criteria for legitimate data processing, which include situations when the individuals have provided unambiguous consent, performance of a contract to which the individual is a party, necessary compliance with a legal obligation to which the controller is subject, or the protection of the vital interests of the data controller (Loses 2000). The processing is allowed when protecting an interest that is essential for the individual. For instance, emergency paramedics are allowed to give blood tests if an individual is unconscious after involvement in an accident in order to save the life of the individual (Schwartz and Reidenberg 1996). The Directive allows for processing by the data controller in the performance of a task carried out in the public interest or in exercising official authority vested in the data controller or in a third party to whom data are disclosed (Schwartz and Reidenberg 1996). Accordingly, the data controller can process data for legitimate interests pursued by the controller or the third party or parties to whom data is disclosed, except when fundamental rights and freedoms of the data subject override the interests of the data controller and require protection under Article 1 (1) (Slapped and Kelly 2014).
Slapped and Kelly (2014) assert that the Directive provides special categories of data processing under Article 8, which requires member states to prohibit processing of personal data such as data that reveals ethnic origin, political opinions, religious beliefs or trade union membership, but the prohibition is limited if the purpose is carrying out specific obligations and rights of the data controller in employment law. Article 8 (3) grants exemption to personal data processing for preventive medicine or medical treatment where the data is processed by a health professional subject under national law, while Article 8 (5) further grants exemptions for data relating to criminal convictions or security measures when carried out under control of official authority (Slapped and Kelly 2014). Although with a veiled expression, Art 12 entitles individuals to a right of confirmation whether data relating to them is being processed by the data controllers, the right to access a copy of the data, the right to have data rectified or blocked and the right to information on the logic used in the processing in case of automated decisions (Slapped and Kelly 2014). The right to access personal data was emphasised by the European Court of Justice in the case of College van Burgemeester en Wethouders van Rotterdam v. M.E.E. Rijkeboer, a decision that outlined that the right to access is an active right that is exercisable in a two-step approach, since an individual must seek a confirmation from the data controller on whether personal data is being processed and then seek a copy if the outcome is positive (Slapped and Kelly 2014).
Article 13 (1) of Directive 95/46/EC has created exemption and restrictions for national interests by outlining restrictions to right of privacy such as when data processing is a necessary measure to safeguard national security, defense, public security, prevention and prosecution of criminal offences or breaches of ethics in professional regulations and in safeguarding financial and economic interest of a member state (Slapped and Kelly 2014). In addition, Article 13 (2) provides for exemption in data processing for scientific research provided that the data controller does not breach the privacy of the individual and personal data is not kept for a long period that exceeds the sole purpose of creating statistics (Schwartz and Reidenberg 1996). Article 14 grants additional right for protection since the individuals can object at any time on compelling legitimate grounds where there is a justified objection provided by the national legislation like instances when the individual anticipates that processing is for the purpose of direct marketing (Harris 2007). The individual should be informed before the data is disclosed to third parties for the purposes of direct marketing (Harris 2007). The individuals acting on authority of data controllers are expected to ensure confidentiality and security of individual personal data and there should be appropriate technical and organisational measures to protect the individual personal data from accidental or unlawful loss, destruction, alteration and unauthorised access especially during transmission over a network (Morgan and Boardman 2012). Directive 97/66/EC requires the member states to enact laws that protect privacy in telecommunications in order to ensure confidentiality in communications and avoid unethical and illegal practices such as unauthorised tapping, unauthorised listening and storage (Huley-Binns and Martin 2014). 
Personal data is subject to a complex array of data protection laws in the UK, and businesses must comply with the Data Protection Act 1998 in order to avoid legal liability. The Data Protection Act 1998 implemented the EU data protection directive of 1995 and applies to information that is processed automatically (computer-based records), information recorded on paper and health records or public authority records (Huley-Binns and Martin 2014). The Act requires data to be processed fairly and lawfully by making sure the processing is legitimate by satisfying the specified preconditions or providing individuals with certain information when collecting data concerning them, even when data is not collected directly from them (Huley-Binns and Martin 2014). The Act protects sensitive personal data in order to avoid prejudicing individuals’ rights, since the identity of data controllers, the intended use of the data and other information that is essential for fair processing must be disclosed to the individual before collecting data regarding health, race, religion and union membership (HM Government 1998). The Act goes further to grant individuals the right to access their personal data, the right to prevent any processing that may cause substantial damage or distress and the right to object to direct marketing (HM Government 1998). The individuals have a right to veto any automated decisions that significantly affect them and can sue for compensation if the data controllers breach the provisions of the Data Protection Act of 1998 (Slapped and Kelly 2014). The UK legal framework has prohibited the transfers of personal data to countries outside the European Economic Area unless the destination country has provided an adequate level of individual privacy and data protection (Housden and Thomas 2012).
The transfers to countries outside the EU require certain preconditions to be fulfilled, such as request of the genuine consent of the individual or necessity of performance of a contract which the individual or rights of the individual are protected by a contract based on EU approved terms between the sender and recipient of the personal data. The UK law requires strict compliance since it sets out criminal offences and personal liability for directors of companies that contravene the rights of individuals to privacy and protection of confidentiality (HM Government 1998). The Information Commissioner is empowered by the Act to impose fines of up to 500,000 British Pounds on corporate organizations that deliberately or recklessly commit serious breaches of the Act (Slapped and Kelly 2014). The exemptions that are provided by the Act aim at restricting certain rights of individuals in relation to processing their data and limiting the security manager's rights in accessing or processing the data (Harris 2007). The UK data protection law tries to create room for the interests of the state and law enforcement agencies by exempting processing that concerns detection of criminal activities or assessment of legal taxation (Housden and Thomas 2012). The Act recognises that law enforcement officers and the criminal justice system may require personal data in order to deal with crime situations, and thus law enforcement agencies can be exempted in accessing and processing personal data in order to detect and prevent crime (HM Government 1998). The security managers are empowered to process personal data in the capturing and prosecution of crime, thus security managers may be exempted from complying with some data protection principles.
For instance, the police authorities may be exempted from notifying an individual that they are processing his or her personal data if they suspect him or her of being involved in serious crime and such notification may interfere with evidence collection (HM Government 1998). However, just exemptions apply depending on the existing circumstances and should not be utilised to deny an individual access to personal data if the criminal investigation's purpose is unlikely to be prejudiced. Surprisingly, the Data Protection Act fails to explain ‘likely to prejudice’, thus it is assumed that the existing circumstances should involve a substantial chance of damaging the crime or taxation purposes of investigations (Housden and Thomas 2012). For instance, employers who disclose home addresses of their employees for criminal investigations when the employee is absent from work may not breach the law if the personal data was collected for human resource management purposes (HM Government 1998). The security managers are exempted from seeking consent of the individual if the personal data processing is done in discharging statutory functions (Housden and Thomas 2012). For instance, the statutory review bodies may be exempted from certain data protection principles if the information is passed by the law enforcement agencies. For instance, the Independent Police Complaints Commission (IPCC) may start investigations into the conduct of a police officer using documents received from the law enforcement agencies, for which the agencies may not have an obligation to request consent (Housden and Thomas 2012). The law further exempts the data processing provisions for information that must be made public (Klang and Murray 2004).
The bodies that perform public regulatory information may be exempted from the request of right to disclose personal data in circumstances that aim at protecting the members of the public from incompetence, serious improper conduct or malpractice by a certain individual. The functions must be conferred by law, crown or public interest and include protecting of the charities and ensuring fair competition in industries (Klang and Murray 2004). Another essential exemption is the public information. For instance, the Registrar of Companies has a statutory obligation to collect and process information for the maintenance of public register of companies including the names and addresses of the directors. The registrar is thus exempted from director’s right to have the inaccuracy corrected under the principles of the data protection Act unless the information requires a publication (Housden and Thomas 2012). The law exempts disclosures that are made in connection with pursuant to court orders or legal proceedings (Slapped and Kelly 2014). The personal data is exempt from non-disclosure if it is necessary in legal proceedings, obtaining legal advice and defending legal rights, but such information should not be disclosed to third parties unless an application for exemption of disclosure is obtained. Another exemption is the processing that is purely for journalistic, literature and art since the constitution protects the freedom of expression (Slapped and Kelly 2014). The Act does not exempt the unlawful obtaining of personal data under Section 55, but the exemption should only apply when the data is processed only for journalism purposes, with the intention of publication, with a reasonable belief that such publication is of public interest and compliance with data protection Act (Housden and Thomas 2012). 
Domestic purpose is another exemption that is essential in data protection, since personal data can be processed by an individual data controller only for the purposes of their family, personal and household affairs (Klang and Murray 2004). For instance, an individual can keep a database of his relatives’ addresses, images of friends and their names without contravening the data protection principles. The UK law grants exemption from some data protection principles if the purpose of processing the personal data and information is purely for research, history and statistics (Slapped and Kelly 2014). The Data Protection Act 1998 is not the only statute that protects the individuals’ right to privacy and data protection, since recent years have seen significant expansion of individual right to privacy and confidentiality legislation (Waldo, Lin and Millett 2007). The Privacy and Electronic Communications (EC Directive) Regulations 2003 provide provisions that regulate direct marketing and short message services (text messages). The Directive requires senders of both e-mail and text messages through electronic communications to obtain prior consent of the recipient, but the need for consent is not essential when the individual's contacts are obtained by the business in the ordinary course of sale negotiations that may ultimately lead to a potential sale (Carey 2000). In this case, it is permissible for the business to send an e-mail or short message provided that it is marketing its own similar products and services only and the recipient has already been notified of a simple means of refusing the use of his details for marketing during the initial collection of the individual's contact information (Housden and Thomas 2012).
The individual rights to privacy of information are enhanced by the Privacy and Electronic Communications (EC Directive) Amendment Regulations 2011, which came into force on 26th May 2011 and prohibit companies from placing cookies (and any other equivalent technologies) on machines whose users have not provided such consent (Waldo, Lin and Millett 2007). The law exempts the use of cookies in provision of a ‘strictly necessary’ service that has been requested by the user or subscriber, such as situations where the cookie is useful in underpinning the operation of a shopping basket or providing additional customer security (Kerr, Sleeves and Lucock 2009). The Human Rights Act 1998 (HRA) clearly outlines that individuals have a right to their private life, family life and privacy of their correspondence (Slapped and Kelly 2014). Although the Act may not be enforceable against private entities, the Act requires the tribunals or courts to interpret the legislation in a manner that complies with the human rights provisions outlined in the Act (Klang and Murray 2004). In the case of Mosley v. News Group Newspapers Limited (2008), Max Mosley sued for intrusion in private life after the news company exposed his investment in Sado-masochistic act, and the court awarded him 60,000 British pounds in damages (Waldo, Lin and Millett 2007). According to the court opinion in the case of Campbell v. MGN Ltd (2002) EWCA Civ 1373, the complainants sought to sue for their right to privacy under this Act, but the courts pointed out that the UK law needed more amendments in order to include provisions that strictly safeguard the right to privacy. Accordingly, Article 8 of the European Convention on Human Rights (ECHR) requires the state parties to guarantee the right to privacy and family life subject to restrictions that are prescribed in the national law and which are necessary in a democratic society (Waldo, Lin and Millett 2007).
The UK legal framework on data protection is also governed by the Regulation of Investigatory Powers Act 2000 (RIPA) that prohibits unlawful interception of communications on either private or public network (Klang and Murray 2004). The Act requires the monitoring of e-mails or calls to comply with Lawful Business Practice Regulations 2000 thus setting out circumstances where the communication network controller can keep records or monitor the communications. The Act grants exemptions for network communication monitoring that aims at ascertaining compliance with self-regulatory or regulatory practices that are acceptable in ordinary carriage or business or in detecting unauthorised use of the employer’s systems (Klang and Murray 2004). The Freedom of Information Act 2000 grants the individuals the right to access information that is held by public authorities such as educational institutions, local authorities and government departments (Waldo, Lin and Millett 2007). The companies that request for individual information from public authorities should consider whether such requests infringe data protection Act especially when obtaining information regarding competitors (Waldo, Lin and Millett 2007). The Act grants the security managers certain exemptions in disclosing information since Sec 24 outlines that information that is necessary in safeguard of national security must not be disclosed while Section 26 provides that information that would likely prejudice defense of territory should be withheld. The Act further creates exemptions for particular court, inquiry and tribunal records, formulation of government policy documents and law enforcement interests (Waldo, Lin and Millett 2007). Another important legislation is the Private security Industry Act 2001 that regulates the private security industry (Waldo, Lin and Millett 2007). 
The Act established the Security Industry Authority (SIA), which is responsible for licensing of individuals working in various security roles by ensuring that the legitimate private security industry complies with the principles contained in the Constitution and other applicable roles. The Security Authority ensures professionalism and accountability by ensuring that security managers adhere to data protection legislation and implement measures to protect the privacy of individuals (Waldo, Lin and Millett 2007). The authority is empowered to withdraw accreditation of persons offering security training and can revoke licenses of security firms that contravene the data protection principles or engage in unlawful processing of individual data (Huley-Binns and Martin 2014). The Security Industry Authority has set out the standards of conduct of its inspectors, but grants its inspectors powers to enter any premises without prior notice in order to inspect the affairs of a security service provider (Waldo, Lin and Millett 2007). In 2012, the European Commission published a draft Data Protection Regulation with the view of proposing major reforms of the EU legal framework for personal data protection in order to strengthen individual rights and deal with challenges associated with new technologies (Waldo, Lin and Millett 2007). A major loophole that exists in the current data protection is the processing by third parties, since the Article 29 Working Party outlines the requirement of ‘prior consent’ (Carey 2000). The law should prevent UK businesses from sending unsolicited messages by electronic mail to subscribers in third countries unless they have provided their prior consent. Accordingly, the law should ensure strict review of the third countries that have adequate data protection measures, since some countries have been associated with poor individual privacy protection (Carey 2000).
According to current legislation, it is possible to send personal data to third countries that are not approved where data controllers have Binding Corporate Rules or use contracts, thus leading to high instances of individual privacy breaches (Huley-Binns and Martin 2014). The current law does not provide for a general obligation of informing the individuals of any personal data security breaches, since there are only sector-specific guidelines, such as for internet service providers (Huley-Binns and Martin 2014). It is essential to provide timeframes within which individuals should be informed of data security breaches in order to prevent undue delay and the likelihood of more harm (Morgan and Boardman 2012). The current Data Protection Act does not outline the security requirements for personal data, since it only requires the data controllers to take appropriate technical measures to prevent unlawful and unauthorised access or loss of personal data (Klang and Murray 2004). The technical measures have been guided by a code of ethics, and thus new legislation should be enacted to outline the specific personal data security measures that should be implemented by the data controllers and data processors (Morgan and Boardman 2012).

Conclusion

The current data protection legislation does not maintain a satisfactory balance between the interests of the security manager and the individual. The individual rights to privacy are overridden when there is a need to protect the public against criminal activities or under circumstances when public interests need to take priority. The security managers are accorded more preference to access personal data due to the various exemptions that are created for law enforcement agencies in criminal investigations, taxation purposes and public interest purposes, thus making the legislation weaker in protecting the individual right to privacy.
The legal framework does not set out the extent to which consumers are protected against their own consent to provide data relating to themselves. The exponential growth in stored data and information on social networks and other online platforms requires a new Act that will protect the rights and privacy of individuals, ensure that stored information is not processed with the consent of the individual, and define the categories of sensitive personal data. The current legislation needs a number of changes that will ensure more stringent data protection, since the current legislation applies only to the data controllers and not the data processors. The law should be extended to non-EU data controllers whose activities relate to trade with EU residents. The existing legislation such as data protection principles outlined in the 1998 Act is weaker since the consent of the individual should be explicit. The current UK practice assumes that implied consent is sufficient for collection and processing of personal data. The UK government and the entire European Union should support the development of enhanced privacy technologies that ensure personal data is not lost or unlawfully accessed during transmission. The current legislation is either abused or irrelevant to the current technological environment, since there are inconsistencies in data protection across the EU. The current legislation sets out a lengthy and cumbersome system of transferring data to third countries, and the international transfer rules that have been set out by the EU are unrealistic due to the globalisation of data flows.

Reference List:

Blake, C., Sheldon, B. and Williams, P. (2010). Policing and criminal justice. Exeter: Learning Matters.
Carey, P. (2000). Data Protection in the UK. London: Blackstone Press.
Harris, P. (2007). An introduction to Law, 7th ed. Cambridge: Cambridge University Press.
Harris, P. (2007). Law in Context. Cambridge: Cambridge University Press.
HM Government. (1998). The Data protection Act 1998. London: HMSO.
Housden, M. and Thomas, B. (2012). Direct marketing in practice. London: Taylor & Francis.
Huley-Binns, R. and Martin, J. (2014). Unlocking the English legal system, 4th ed. London: Routledge.
Kerr, I., Sleeves, V.M. and Lucock, C. (2009). Lessons from the identity trail: anonymity, privacy and identity in a networked society. NY, Oxford: Oxford University Press.
Klang, M. and Murray, A. (2004). Human Rights in the Digital Age. New York: Psychology Press.
Loses, J. (2000). Data Privacy in the information age. Westport, Conn: Quorum Books.
Morgan, R. and Boardman, R. (2012). Data Protection strategy: implementing data protection compliance. London: Sweet & Maxwell.
Room, S. and British Computer Society. (2007). Data protection and compliance in context. Swindon: British Computer Society.
Schwartz, P.M. and Reidenberg, J.R. (1996). Data privacy Law. Charlottesville, VA: Lexis Law Publishing.
Slapped, G. and Kelly, D. (2014). The English legal system, 15th ed. London: Routledge.
Waldo, J., Lin, H. and Millett, L.I. (2007). Engaging privacy and information technology in a digital age. Washington, D.C.: National Academies Press.
Data Protection Legislation and a Satisfactory Balance Research Paper. Retrieved from https://studentshare.org/management/1870455-does-current-data-protection-legislation-achieve-a-satisfactory-balance-between-the-interests-of-the-security-manager-and-the-individual