Feeds

Experts: What ICO should know BEFORE your private info ends up in a skip

Businesses do need 'explicit consent' before outsourcing data protection – legal eagles

Top three mobile application threats

The view of the Information Commissioner's Office (ICO) that businesses do not require individuals' "explicit consent" in order to contract others to process their sensitive personal data is in contrast with the wording of data protection law, according to two experts.

A spokesperson for the UK's data protection watchdog told Out-Law.com that it is the ICO's view that there is "nothing within the Data Protection Act" that requires companies to obtain the 'explicit consent' of individuals in order to outsource the processing of sensitive personal data to other firms.

However, data protection law specialists Marc Dautlich and Christian Knorst of Pinsent Masons, the law firm behind Out-Law.com, have questioned the legal basis of the ICO's view.

The comments follow an issue raised in a report by The Independent newspaper last weekend. The report detailed the concerns of medical practitioners that individuals had not consented to the processing of their benefits claims forms by Royal Mail staff on behalf of the Department for Work and Pensions (DWP). DWP is the Government department responsible for assessing individuals' welfare and benefits claims.

According to the report, Royal Mail staff open and sort mail for DWP relevant to individuals' benefits claims in order to direct the mail to the "appropriate processing centre". The mail can contain information revealing sensitive health information about those individuals. The outsourcing arrangement is governed by a contract and a number of measures have been put in place to ensure data security requirements are met, DWP said.

The ICO told Out-Law.com that organisations do not need to obtain individuals' explicit consent to outsource the processing of those individuals' sensitive personal data. Such data refers, among other things, to details of individuals' medical health or condition.

The watchdog has issued guidance on outsourcing of personal data processing. The guidance contains a number of 'good practice' recommendations for businesses but does not advise them to inform individuals if they contract others to processing those individuals' personal data on their behalf. The guidance does not contain a single reference to 'sensitive personal data'.

Under the UK's Data Protection Act (DPA) all personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only.

However, under the DPA organisations generally need the "explicit consent" of data subjects in order to be able to process those individuals' sensitive personal data. This general rule is subject to a number of strict exceptions that set out circumstances in which consent is not required.

Rules around non-sensitive personal data processing are less restrictive. They provide organisations with a greater scope to process personal data without the need to obtain individuals' consent to do so.

One example where consent to personal data processing is not required is where the activity is "necessary for the purposes of the legitimate interests" organisations are pursuing, as long as the processing is not "unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

The ICO said that when organisations obtain individuals' explicit consent to process sensitive personal data they can then outsource some or all processing activities to others without the need for individuals to consent to those arrangements.

The ICO said that businesses' outsourcing arrangements must comply with sections 11 and 12 of the DPA.

Under the DPA data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

When outsourcing personal data processing to others, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".

The data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to comply with the "technical and organisational measures" requirements under the DPA. Data controllers are also responsible for any failure of processors in meeting those personal data security standards.

Further rules apply to outsourcing of personal data processing where that processing takes place outside the European Economic Area.

However, Dautlich and Knorst said that those sections contain rules governing the processing of personal data by contractors only, and do not account for the special rules around sensitive personal data.

"Whilst it is positive that the ICO has sought to take a pragmatic approach to the outsourcing of sensitive data, it is unclear upon what legal basis they have done so," Dautlich said. "Before outsourcers rely on what seems to be a very pragmatic understanding and liberal interpretation they would be well advised to identify exactly what grounds they could rely on in order to outsource sensitive data without explicit consent."

Christian Knorst, a data protection law expert based in Pinsent Masons' Munich office, added: "It is fair to say that also under German law a transfer of health data without the explicit consent of the affected person may only be made under very strict preconditions. One cannot say that an outsourcing with respect to health data is in general possible without consent."

The DPA in the UK and German data protection laws are based on the implementation of the EU's Data Protection Directive. The Directive is set to be replaced by a new general Data Protection Regulation, but Dautlich said that the reforms, which are still being negotiated, are likely to require that businesses generally obtain individuals' consent to outsource the processing of their sensitive personal data.

"It is difficult to see on current progress that the new Regulation could countenance such an approach even assuming that the ICO's liberal interpretation is possible under the existing Directive and its implementation in the DPA," Dautlich said.

DWP said that CCTV is used to monitor staff sorting mail, and that at least two staff must be present in order for mail to be opened, according to the Independent's report. DWP said that it has a contract with Royal Mail that requires sorting office staff "abide by the same data protection and security checks as any DWP employee."

However, Dr Tony Calland, chair of the British Medical Association ethics committee, criticised the processing arrangements and said the security measures in place were irrelevant, according to the Independent.

"We are very concerned that a Government department could even contemplate allowing such sensitive and confidential medical data to be handled by a third party without the person's consent," he said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

SANS - Survey on application security programs

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.