Chapter 4: What are the Rights of Individuals? – Data Protection Compliance in the UK, Second Edition

CHAPTER 4: WHAT ARE THE RIGHTS OF INDIVIDUALS?

The DPA provides individuals with some important rights. These are:

• the right of subject access;

• the right to object to direct marketing;

• the right to object to processing in some circumstances;

• the right to object to automated decision making;

• the right to rectification of inaccurate data; and

• the right to compensation.

In addition, under the PECR, data subjects can decide to register on the Telephone Preference Service (TPS).11

Subject access

If a data subject makes a written application to a data controller, he or she is entitled to be told whether the controller holds any personal data about that individual and, if so, to receive a description of the information held and an explanation of the purposes for which it is processed. Most importantly, the data subject must be provided with a copy of the information about him or herself. It should be noted that the data subject is not entitled to a copy of the actual documents or printouts, but to a copy of the information contained in that material. A data controller does not have to respond to an access request unless it receives a request in writing which gives sufficient information to verify the identity of the individual and to locate what is being requested. The data controller can also charge a fee of up to £10.

The definition of personal data is wide and can cover e-mails, digital sound recordings and CCTV footage as well as relevant filing systems. This may require a wide range of material to be searched, although in Ezsias v Welsh Ministers12 the judge held that a data controller is only required to make a ‘reasonable and proportionate search’ to find the information requested. Where the data controller is a public sector organisation, it also has to search and give information from all its manual files, subject to some special rules:

• The subject has to describe unstructured information so the organisation can find it;

• The individual cannot have his or her manual personnel records; and

• If it would take longer than 18 hours to find the information (or 24 hours if it is a government department), the request can be refused.

In responding to a request, the data controller must consider whether to remove or ‘redact’ information that relates to other living individuals. The controller must consider whether those third parties have agreed to the disclosure of the information about them, the importance of the information to the data subject, and whether any duty of confidentiality is owed to the third party. If the data controller judges the information sufficiently important to the data subject, it may choose to provide it even without the third party's agreement.

The right of subject access generally overrides other prohibitions on disclosure. There are, however, some circumstances in which subject access need not be given, including where to do so would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders, would prejudice national security, or where the information is subject to legal professional privilege. In addition, exemptions apply which are intended to protect vulnerable data subjects and allow information about physical or mental health conditions or about social work to be withheld. These are subject to specific rules and have to be signed off by appropriate professionals. Care should be taken when seeking to apply any of these exemptions.

Where information is already publicly available, for example on the electoral roll, the individual cannot exercise a right of subject access in relation to it.

A data controller has 40 days within which to respond to a subject access request. A person who considers him or herself aggrieved by a failure to obtain subject access can either complain to the Information Commissioner or has the right to go to court and ask the court for an order requiring the controller to provide the access requested. A court looking at such a request is entitled to see all of the information in order to decide whether or not it should have been disclosed.

Objection to direct marketing

A data subject is entitled to object to his or her personal data being processed for the purposes of direct marketing. If an organisation receives such an objection, it must act on it and stop sending the material. Data controllers are usually advised to suppress names: that is, put a marker against the name showing that the individual does not wish to be marketed, rather than removing a name from a list. If a name is removed from a list there is always the concern that it may be added back in without the organisation realising that this is the name of a person who has already lodged an objection.

There is also a service called the Mailing Preference Service (MPS).13 This service is run by the Direct Marketing Association14 and individuals can opt out of marketing by direct mail by registering on the stop list. Members of the Direct Marketing Association must check their marketing list against the stop list so that people who have registered with the MPS do not receive unwanted mail. There are additional rules for e-mail, fax and telephone marketing which are covered in Chapter 9. These apply in addition to the general right to object to marketing.
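The suppression advice above, and the MPS screening step, can be made concrete. The following is an added example, not code from the book or from the Direct Marketing Association: a small marketing list that honours an objection either by deleting the record (the approach the text warns against) or by flagging it, and that screens against an external stop list at send time. The class, the name-and-postcode identifiers and the stop-list entry are all constructed for illustration; a real MPS check would be run against the service's own file.

```python
# Added example (not from the original text): suppression marker versus
# deletion when honouring an objection to direct marketing, plus screening
# against an external stop list such as the MPS. All identifiers, records
# and the stop list below are constructed sample data.


def normalise(identifier: str) -> str:
    """Canonical matching key: collapse whitespace and case-fold.

    A suppression marker only protects the individual if every import and
    every send-time check derives the key the same way; otherwise a re-keyed
    'ALICE SMITH,  AB1 2CD' slips past a marker stored for the lower-case form.
    """
    return " ".join(identifier.split()).casefold()


class MarketingList:
    """Contacts plus two opt-out sources: objections received directly,
    and an external stop list (a constructed stand-in for the MPS file)."""

    def __init__(self, external_stop_list=()):
        self.contacts = {}            # key -> source the record came from
        self.suppressed = set()       # keys of individuals who have objected
        self.stop_list = {normalise(i) for i in external_stop_list}

    def import_contacts(self, records, source):
        """Store records from a new source (a bought-in list, a CRM export).

        Records are kept even when suppressed, because the data may still be
        needed for non-marketing purposes; the marker keeps them unmailable.
        Returns the keys that arrived already suppressed so the re-import of
        an objector is visible to the operator.
        """
        already_objected = []
        for ident in records:
            key = normalise(ident)
            self.contacts[key] = source
            if key in self.suppressed:
                already_objected.append(key)
        return already_objected

    def handle_objection(self, ident):
        """Recommended approach: flag the record, do not delete it."""
        self.suppressed.add(normalise(ident))

    def delete_contact(self, ident):
        """Approach the text warns against: remove and forget. Nothing is
        left behind to recognise the individual if they are imported again."""
        self.contacts.pop(normalise(ident), None)

    def mailable(self):
        """Send-time screen: drop objectors and anyone on the stop list."""
        return sorted(
            key for key in self.contacts
            if key not in self.suppressed and key not in self.stop_list
        )


def demo():
    """Same events on two lists; only the handling of the objection differs."""
    stop_list = ["Dave Brown, IJ5 6KL"]           # constructed MPS-style entry
    crm = ["Alice Smith, AB1 2CD", "Bob Jones, EF3 4GH"]
    bought_in = ["ALICE SMITH,  AB1 2CD", "Dave Brown, IJ5 6KL"]

    # 1. Deletion: Alice objects, is removed, then comes back via a new list.
    by_deletion = MarketingList(stop_list)
    by_deletion.import_contacts(crm, "crm")
    by_deletion.delete_contact("Alice Smith, AB1 2CD")
    by_deletion.import_contacts(bought_in, "bought-in list")

    # 2. Suppression: Alice objects and is flagged; the flag survives re-import.
    by_suppression = MarketingList(stop_list)
    by_suppression.import_contacts(crm, "crm")
    by_suppression.handle_objection("Alice Smith, AB1 2CD")
    reimported = by_suppression.import_contacts(bought_in, "bought-in list")

    return by_deletion.mailable(), by_suppression.mailable(), reimported


if __name__ == "__main__":
    deleted, suppressed, flagged = demo()
    print("after deletion, mailable:   ", deleted)
    print("after suppression, mailable:", suppressed)
    print("re-imported objectors:      ", flagged)
```

In the deletion run Alice is mailable again, because nothing records that she objected; in the suppression run she stays unmailable and the re-import reports her key. Dave is excluded in both runs by the stop-list screen, which is the MPS check described above applied at the point of sending rather than by editing the list.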

Objection to processing

Where a data controller processes personal data for purposes other than direct marketing, an individual can raise some objections, but these are more limited. For example, if a data controller is processing in order to perform a contract with the data subject, or because the data controller is under a legal obligation to process, the right to object does not apply. A data subject who wants to object to processing must lodge a written objection with the controller. They have to show that the processing in question is causing, or is likely to cause, substantial damage or substantial distress to themselves or to another person, and that this is not outweighed by the legitimate interests of the data controller in carrying out the processing. Relatively few objections to processing are lodged, but where they are, the individual does not have to refer specifically to the DPA, so data controllers should be alert in recognising them. A data controller who receives such an objection has 21 days within which to respond and either agree or disagree. A data subject who is not happy with the response can ask the court to make an order requiring the controller to stop processing.

Objection to automated decision making

Automated decisions are decisions which significantly affect an individual and are based solely on the processing by automatic means of personal data about that data subject. Examples given in the DPA are decisions made for the purpose of evaluating matters such as performance at work, creditworthiness, reliability or conduct. A decision that does not significantly affect the individual falls outside this right. An individual can either object before the processing takes place and require the data controller to take the decision by non-automated means, or object after the processing has taken place and ask for the decision to be reconsidered. A data controller which takes automated decisions falling within this section must notify the data subject of this as soon as is reasonably practicable after the decision has been taken.

Again, if an individual is not satisfied with the way their rights have been handled, they have a remedy by going to court.

Rectification

The courts are given wide powers to deal with information which is shown to be inaccurate. They can order that the record be put straight or that additional information be added to a record. Equally they may require a data controller to ‘block’ data so that others cannot see it, or to erase or destroy inaccurate records.

An individual who wants the court to exercise these powers must apply to the court and show that the information is inaccurate within the terms of the DPA; that is, that it is incorrect or misleading as to any matter of fact.

Compensation

Individuals are entitled to compensation if they have suffered damage because a requirement of the DPA has been breached by a data controller. The individual has to show that damage has been suffered. This means either physical damage or some tangible financial loss. It is not enough that the individual has suffered from hurt feelings or embarrassment. However, where the complaint is that the data controller has been processing information that is being used for the special purposes (that is, journalism, art or literature) in breach of the DPA, then damage is not needed and distress alone can be a ground for action. The Information Commissioner cannot award compensation; the individual must go to the courts.

It should be noted that these rights are quite significant. The one most often used by data subjects is the right of access, and organisations should be alert in recognising and dealing with subject access requests within the 40-day timescale.


11 www.mpsonline.org.uk/tps/

12 Ezsias v Welsh Ministers [2007] All ER (D) 65 (Dec) High Court

13 www.mpsonline.org.uk/mpsr/

14 http://www.dma.org.uk/content/home.asp