Feeds

Code for handling personal data is muddled, says lawyer

Further confusion in an already bewildering area

Internet Security Threat Report 2014

A code of conduct for handling personal data was launched in London yesterday. But the document is inconsistent on the need for consent when collecting personal data, according to a data protection expert. Sometimes consent is not necessary, he said.

The Personal Data Guardianship Code was published jointly by the British Computer Society and the Information Security Awareness Forum (ISAF) in response to the number of high profile data breaches in recent years. Its aim is to change the culture of organisations towards the handling of personal data.

According to its authors, the Code "follows on the success of the BCS petition objecting to the changes in the Coroners and Justice Bill which would have seen drastic changes to the way in which government departments could have used personal information."

In March the Ministry of Justice announced that, in response to criticism from many groups, it would scrap plans that featured in the draft legislation to allow Government departments to share citizens' personal information with each other and with the private sector.

The new Code is intended to help organisations and the people in them who handle personal data to understand their individual responsibilities. It aims to promote best practice and provide 'common sense' guidance, and also lays out information for the data subject.

However, William Malcolm, a specialist in data protection law at Pinsent Masons, the law firm behind OUT-LAW.COM, described the Code as muddled.

"The Code's high-level guidance on the data life-span, stewardship and accountability is helpful but very much echoes existing guidance from the Information Commissioner's Office and Government," he said. "It's an alternative approach but it's certainly not a new approach."

Malcolm added that some references to the need for consent were wrong.

"The guidance on consent seems inconsistent and therefore muddled," he said. "The initial 'Principles' section [of the Code] suggests consent should be obtained where appropriate, which is the correct position. But the other sections seem to suggest that consent should be collected as a matter of course in a variety of situations."

The 'Principles' section of the Code states: "Individuals should be given as much control as is possible over how their personal information is used and disclosed. This means giving them clear information about this when they provide their personal data and seeking their consent where this is appropriate."

Malcolm says this is consistent with the Data Protection Act and with existing guidance from the ICO.

Another section, though, implies that consent is always required when collecting data. Under the heading 'Responsibilities of the data handler' the Code states: "Data handlers tasked with the collection of personal data should verify that the consent of the data subject has been obtained for the personal data collected."

Malcolm said that notification will suffice in many cases.

"Consent is one ground for processing data, but it is not the only ground. In many cases an organisation only needs to notify individuals that it will be processing their data – it does not need their consent," he said. "As the 'Principles' section of the Code notes, the focus should be on giving clear information about how data will be processed at the point of collection."

Louise Bennett, Chair of the BCS Security Forum, said that the Code is the culmination of two years' work. "The consultation work we've undertaken in that time exposed the need for practical help in changing culture to embed good data guardianship principles in all organisations," she said.

"This is the equivalent of the Highway Code for motorists – it will help all those involved in the management of personal data understand their role and enable them to carry out their jobs better."

Another guide to data protection compliance was launched today. British Standard BS 10012, Data protection – Specification for a personal information management system has been developed to establish best practice and aid compliance with data protection legislation. It is the first standard from BSI for the management of personal information. OUT-LAW will report on BS 10012 shortly.

The code can be downloaded from here. (Link to pdf)

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Beginner's guide to SSL certificates

More from The Register

next story
Bono apologises for iTunes album dump
Megalomania, generosity and FEAR of irrelevance drove group to Apple deal
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
America's super-secret X-37B plane returns to Earth after nearly TWO YEARS aloft
674 days in space for US Air Force's mystery orbital vehicle
10 Top Tips For PRs Considering Whether To Phone The Register
You'll Read These And LOL Even Though They're Serious
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.