Leducate Explains: Data Protection and the Law

 


This LedEx article aims to help you understand data protection laws in the UK, how individuals and organisations might use personal data, what happens if personal data is misused, and what ‘profiling’ is. This article is part of a series on data, privacy, and the law; the first article in the series is ‘Privacy and the Law’.

Introduction

Data protection in the United Kingdom is governed by the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).

Data protection law has developed over the past few decades, and more recently the GDPR was introduced to make sure that the law adequately matched the huge developments in technology and data use. Sometimes data protection is treated as equivalent to privacy, but there are important differences in the law. If something happens that has breached data protection law, this does not mean it is also automatically an invasion of privacy. Privacy law is explained in the article ‘Privacy and the Law’.

It is important to understand that you do not ‘own’ your personal data. For example, when you give your name, your mobile number, or your address to a company or organisation, you do not have ownership over that information.

The companies that use your personal data also do not own it. They can have certain intellectual property rights over it; for example, if it is in a database, they own the database. Companies and organisations do, however, have responsibilities when using your personal data that are imposed by data protection law.

Data protection law gives individuals (known as ‘data subjects’) some control over how their personal data is kept and used (known as ‘processing’). Companies and organisations using personal data (known as ‘controllers’) must abide by the data protection principles. These are found in Article 5 of the UK GDPR and impose a number of requirements. Controllers must process a data subject’s personal data:

  1. Lawfully, fairly and transparently

  2. With specific and limited purposes

  3. Keeping the minimum amount of personal data required for the purpose(s)

  4. Accurately

  5. Only keeping the personal data for the amount of time required

  6. Securely and maintaining confidentiality 

  7. With accountability

To process personal data ‘lawfully’ under (1), the controller must be using a lawful basis listed in Article 6 of the UK GDPR. Each basis has its own specific requirements. Where a controller is not meeting the requirements or is processing personal data in a way that breaches the data protection principles, then a data subject can either complain to the Information Commissioner’s Office (the “ICO”) or bring a claim in the civil courts.

For public policy reasons there are certain types of processing that are excluded from some of the requirements of data protection, for example in criminal enforcement, immigration and social services.

What does the legislation protect?

The legislation protects ‘personal data’. Personal data is given a wide definition in the UK GDPR and includes any information that relates to a person, or from which a person can be identified. In data protection, even information such as an Internet Protocol address is considered to be personal data. There are also additional rules in relation to the use of ‘sensitive’ personal data. This is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health, sex life or sexual orientation (known as ‘special category’ data). 


What is a controller?

A controller is a person, company or organisation that is ‘processing’ personal data. Processing means anything done to data, such as storing, emailing, adapting, etc.

A person is not a data controller where they are using the data for purely personal reasons, such as saving the contact details of a friend on their phone. However, where personal data are being used on social media, this is not always considered to be purely personal because of the wide audience that could view that data. 

Who can find out about what is happening to their personal data?

The legislation allows ‘natural persons’ (i.e. a person who is alive) to make a ‘data subject access request’. Individuals can make a request to a controller for a copy of their personal data that are being processed by the controller. They also have a right to know how, and for what reason, their personal data is being processed. Usually, controllers provide this information in a ‘privacy notice’.

What can a controller do with my personal data?

A controller must have a lawful basis to process personal data under Article 6 of the UK GDPR. The most commonly used are:

  • Contract

  • Consent

  • Legitimate interest

A controller may use personal data in the way in which it has been agreed under contract or from the person’s consent. The lawful basis of legitimate interest permits a controller to use personal data for a specific aim, so long as it does not cause detriment to the person or infringe his or her rights. There are stricter lawful grounds for processing sensitive data and a controller cannot use legitimate interests to do so.

What can I do if I don’t want a controller to use my personal data?

This will depend on the lawful basis that the controller is relying on to process your personal data.

  • If there is a contract, you may be able to terminate the contract and request that the controller deletes your personal data.

  • You can also withdraw your consent for processing and ask that your personal data is deleted. The controller may however have a legal right to retain your personal data after termination of the contract, for example, for insurance purposes.

  • If a controller is using legitimate interests as a lawful basis, then you can only request that it stops using your personal data if you can show that your rights outweigh those of the controller. If a controller refuses, then you can make a request to the ICO to review the decision.

It is also possible to make what is known as a ‘Right to be Forgotten’ request. See the article ‘Privacy and the Law’.


What happens if my personal data is misused or lost?

The law also allows ‘legal persons’ to claim for loss or damage where there has been a breach of the data protection principles by a data controller. This means individuals and companies can sue under the UK GDPR and DPA 2018. If personal data is misused or lost and this causes harm, the data subject can make a legal claim for damages and ask for an injunction to stop the processing and/or deletion of the data. It is also possible to complain to the ICO, although the ICO cannot award damages. The difficulty in claims based on data protection law is often in showing harm. The law was recently amended to include non-financial harm such as distress, but it can still be difficult to prove. 

Another issue in data protection is that future harm cannot be claimed. If personal data has been lost or disclosed to unidentified persons, even though the person has lost control over their personal data and this could lead to future harm (for example, identity theft or fraud), this cannot be claimed until the particular harm has occurred. It is not always easy to prove that a particular harm is a consequence of a specific controller’s actions. It is also difficult to bring claims where the harm is not specific to the person but to large groups of people, or society as a whole.


What is profiling?

Profiling is where information is taken from the Internet and other sources to create a profile of a person. From a person’s internet browsing history it is possible to make certain inferences, for example, their age, income, spending habits and interests. This tracking is achieved through the use of ‘cookies’ and other website techniques. Cookies are small files that are placed on a person’s web browser. Some cookies are useful, for example they will automatically fill in an address for a website that a person visits often. However, cookies can track not only what a person is looking at on that particular website but also every other website that the person subsequently visits.

There are other methods of tracking. For example, unless access is turned off to a mobile phone’s microphone, applications (‘apps’) will be able to listen to the phone’s surroundings.

Through the development of natural language processing, software is able to detect and understand words. When a person is talking about, for example, the beach, the software can identify the word and understand that it is likely to be used in the context of a holiday. This information is then used to advertise holidays to you, through the app that was tracking you. Data brokers buy this information and sell it to companies and advertisers who then use the information to create profiles that are tailored to their particular purpose.

In data protection, the tracking and profiling of people are allowed but there are certain conditions. Controllers are not allowed to use sensitive data for profiling unless the person has given explicit consent, or for reasons of ‘substantial public interest’ based on law. However, profiling of non-sensitive personal data is permitted with less onerous requirements. Individuals can make a data subject access request to a controller for a copy of the personal data used to create a profile and may be able to object depending on the lawful basis relied on by the controller. Under Article 21(2) UK GDPR, where profiling is used for direct marketing, a person has an unconditional right to object to profiling. The difficulty can be in identifying the controller.

There are different opinions on targeted advertising. Some people do not have a problem with the tracking of their habits on the Internet and through their devices for advertising. Others find this activity uncomfortable and prefer not to be tracked in their day-to-day Internet use. The issue with profiling is that while it may not affect one particular individual negatively, it could lead to the discrimination of other persons or lead to less equitable results. For example, offering different prices for products to different individuals, or refusing insurance based on the poor credit history of other persons living in the same area.

If a profile is being used to make an automated decision that has a significant or legal effect on a person, then the controller must notify him or her. Examples are where a person is making an online credit application, or applying for a job online, and algorithms are used to determine suitability. The controller must explain the logic involved to make the decision and the person can object and ask that the decision be reconsidered with human input rather than by the algorithm.

It is possible to stop tracking by doing the following: 

  • maximise privacy settings on devices

  • prevent apps and websites from accessing the camera and microphone

  • remove cookies from a web browser by clearing the Internet history regularly

  • decline cookies and tracking when visiting websites. 

However, some tracking methods are difficult to prevent. Your Internet browser, network and device have a unique set of combined characteristics, known as a ‘fingerprint’. Companies can insert code into a website and, when a person visits that website, the code can collect the fingerprint identity of the user and track them. This method is called fingerprinting and is difficult to prevent. Over time it is likely that solutions will be found, but technological advances tend to outpace the public’s understanding of the use of their personal data.
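
Why clearing cookies, one of the steps listed above, does not reset a fingerprint, shown as an added example that is not part of the original article. The visitors `alice` and `bob`, their attribute values, the FNV-1a stand-in hash and the `standardise` mitigation (modelled on browsers that report the same generic values for every user) are all assumptions made for illustration.

```javascript
// Constructed sample attributes (not real measurements) for two visitors.
const alice = { userAgent: "ExampleBrowser/1.0 (ExampleOS 12)", screen: "1920x1080",
  timezone: "Europe/London", language: "en-GB", fonts: ["Arial", "Calibri"] };
const bob = { userAgent: "OtherBrowser/7.2 (OtherOS 3)", screen: "1366x768",
  timezone: "Europe/London", language: "en-GB", fonts: ["Arial", "Verdana"] };

// FNV-1a, a simple non-cryptographic hash used here as a stand-in.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Identifier derived from the attributes alone; nothing is stored on the device.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs).sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`).join(";");
  return fnv1a(canonical);
}

// A site that recognises a visitor two ways: a stored cookie and a fingerprint.
let nextCookieId = 1;
function visit(browser) {
  if (browser.cookie === undefined) browser.cookie = nextCookieId++;
  return { cookie: browser.cookie, fingerprint: fingerprint(browser.attrs) };
}
function clearCookies(browser) { delete browser.cookie; }

// Mitigation (assumed): report the same generic values as every other user.
function standardise(attrs) {
  return { ...attrs, userAgent: "Generic/1.0", screen: "1000x1000", fonts: [] };
}

function demo() {
  const browser = { attrs: alice };
  const first = visit(browser);
  clearCookies(browser);            // the user clears their Internet history
  const second = visit(browser);
  return {
    cookieChanged: first.cookie !== second.cookie,             // cookie tracking is reset
    fingerprintSame: first.fingerprint === second.fingerprint, // fingerprint is not
    distinctVisitors: fingerprint(alice) !== fingerprint(bob),
    blendedIn: fingerprint(standardise(alice)) === fingerprint(standardise(bob)),
  };
}
console.log(demo());
```

The last field shows the defensive idea: when distinguishing attributes are replaced with shared values, the two visitors produce the same fingerprint and can no longer be told apart by it.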

Do photos and videos come within data protection law?

Photographs and videos of people do come within data protection law. However, the UK GDPR makes a distinction between when a controller is processing photos and images in a general sense and when the controller is processing them specifically to identify a person. An example of the latter is where photographs are tagged on social media to a particular person. 

Where a photograph or video is being used to identify a specific individual, it is considered sensitive data, or ‘special category’ data under Article 9 of the UK GDPR and there are stricter rules on the processing. There are limited grounds to process this type of information and the controller must put suitable measures in place to safeguard a person’s rights, freedoms and legitimate interests. A controller will usually rely on the fact that the person has already made the photo public or obtain explicit consent. 

There is no law on image in the UK, except in circumstances where a person relies on their image as a commercial pursuit (for example celebrities who endorse products). This means that a private individual cannot prevent the filming or photographing of themselves in public. To challenge the taking of photographs, or the publication on the Internet where data protection does not apply, a person could bring a claim in misuse of private information or in extreme circumstances, harassment by publication. 

Conclusion: 

Now you should have a better understanding of what data protection is, how it is legally governed, and the rights and responsibilities of individuals and organisations in relation to the protection and use of personal data. You should also have a basic understanding of profiling, targeted advertising, and fingerprinting.

 

Glossary box

Algorithm: a set of rules and calculations created to enable a computer to come to a conclusion. 

Controller: The individual, company, organisation or public body that processes personal data by automated means.

Cookie: A small web file that is saved on a web browser and allows websites to remember the device and browser preferences and to collect information on Internet browsing.

Disclose: to make available information to another person(s) or to the public.

Fingerprinting: The method of tracking individual Internet users by collating information that is unique to their web browser, local network and device and following this ‘fingerprint’.

GDPR: Regulation (EU) 2016/679 (the General Data Protection Regulation).

Information Commissioner’s Office: Often referred to as the ‘ICO’, which is the UK’s data protection authority that is responsible for overseeing the data protection regime.

Internet Protocol (“IP”) address: A unique address that identifies a device on the Internet or local network.

Natural Language Processing: the analysis of natural language and speech by a computer or electronic device.

Personal Data: any data that relates to, or identifies, a living person.

Processing: An action done to personal data by automated means. For example, emailing, storing on a computer, editing, deleting, adapting data.

Profiling: the collection of information on a person which is analysed and used to create profiles on aspects of that person’s life.

Special Category Data: this is sensitive personal data that is more protected and covers race, ethnicity, political opinions, religious or philosophical beliefs, genetic data, health, sex life, sexuality, and biometric data where it is used to identify a person.

Targeted Advertising: A form of advertising that is directed towards a specific audience, due to the group’s commonly held trait. This trait could be demographic, such as age, but can also be connected to lifestyle, such as being a soccer fan.