Personal Data – What is acceptable data processing?
The National Police Air Service (NPAS) is intended to provide centralised air support to police forces. It has a number of helicopters equipped with high-resolution cameras for surveillance purposes. It also has a Twitter account. During a patrol over central London, comedian Michael McIntyre was spotted and photographed in Leicester Square, and his image was tweeted from the official NPAS account. There was a small twitter-storm (as opposed to a full tweetnado), and the Information Commissioner’s Office (ICO) announced it would be following the matter up.
NPAS don’t believe they breached any data protection legislation, however. So, what was the issue? And how is it relevant to businesses? Below, we deal with a few of the problems surrounding personal data which affect many businesses without them even realising it.
Was it Personal Data?
Personal data is, very broadly, information relating to a living individual who can be identified from it (either on its own, or together with other information which the data controller holds or is likely to obtain). As you can see from that definition, personal data does not have to be confidential or sensitive (e.g. medical records); it includes telephone numbers, names, and photographs of a person. So the tweeted photo clearly contained personal data, and, in the same way, your records and systems may contain personal data without you being aware of it.
A photograph can also reveal sensitive personal data, which attracts greater protection. Information concerning topics such as racial or ethnic origin, religious belief and even political opinion can be collected up alongside other personal data (a photograph may show a person’s ethnicity or religious dress, for example), and should be treated with extra caution.
So, if you’ve collected personal data, what can you do with it?
Data Protection Principles
You can only process personal data in accordance with the data protection principles. While it’s beyond the scope of this article to list them all in detail, it’s sufficient to say that data must be processed fairly and lawfully, be accurate, be used only for purposes compatible with the specified lawful purposes for which it was collected, and not be transferred outside the EEA unless the destination country ensures an adequate level of protection for it.
To consider whether the NPAS processing was appropriate, we need to understand what data processing is. Unsurprisingly, processing is also defined broadly: it covers obtaining, recording or holding the data, and carrying out any operation on it, including organising, altering, retrieving, using, disclosing, combining and erasing it. So, taking the photo, storing it, and uploading it to Twitter were each acts of “processing”, and each one has to satisfy the principles.
NPAS process data as necessary for the administration of justice and the carrying out of their policing functions, which is a recognised basis for fair processing. Assuming you aren’t in the government spy-copter business, you will probably need to obtain the consent of the data subject in order to process their data fairly. Consent has to be specific and informed, and if you process data outside the limits of that consent, you will be breaching the Data Protection Act 1998 (DPA). Arguably, in uploading the photo, NPAS processed data outside their remit, and so weren’t doing so “fairly”. Similarly, businesses must be confident that each act of processing they carry out is covered by the consent they obtained from the data subject.
Compatible with the lawful purpose for which it was collected
The purpose for which NPAS is supposed to process data is broadly the same as the purpose of NPAS itself: to support police forces by providing information. Arguably, uploading a photo to Twitter doesn’t fall within that purpose. While the NPAS purpose is set out as part of its mission statement, businesses must specify the purpose for which they are processing data before or at the time they collect it, and that purpose must be clearly and specifically identified. Vague wording in privacy policies and other notices, intended to cover many eventualities, can backfire. For businesses, complying with this requirement will involve carefully drafted notices prior to data collection, and a robust policy to ensure that they only process data for those purposes. It’s easy to think that just because somebody provided their email address, you can place them on a mailing list which you know is relevant and of interest to them; but without the right notice and consent, it may not be fair, and it isn’t likely to be one of the purposes for which you collected the email address.
Data you collect cannot be transferred outside the European Economic Area to a country which doesn’t ensure an adequate level of protection for personal data. By publishing the photo on Twitter, it could be argued that NPAS transferred the data to such countries. For most businesses, the issue will arise if they have off-site storage, or if software they use is hosted elsewhere. As it may be difficult to ascertain whether the data will ever pass through such countries, many businesses simply obtain the data subject’s consent to the transfer when they collect the data.
A whole host of other requirements (that data be accurate, relevant, not excessive, up to date, deleted when no longer necessary, and kept secure) are beyond the scope of this article, but can easily trip up businesses which don’t have a thorough data protection policy in place. While not all slip-ups are as high profile as the NPAS tweet, businesses have to be confident that they aren’t falling foul of their obligations, as the ICO has the power to issue warnings, enforcement notices and monetary penalties for breaches.