“Data protection” and “misuse of personal data” are phrases which are thrown around without much consideration being given to what they mean. But given the Data Protection Act 1998’s wide definitions of the “processing” of “personal data”, most businesses which operate in the UK and hold information about individuals (including employees and agents) are affected by the Act.
So what is “personal data”? It’s essentially data relating to living individuals who can be identified from that data. The meaning of “processing” is such that pretty much any activity which involves personal data will fall within its scope.
How does this affect principals?
All of the obligations under the Act fall on the “data controller” – meaning the person (including a company) who determines the purposes for which, and the manner in which, any personal data is, or will be, processed – and this is invariably the principal in an agency context. The principal will be responsible for any data processed relating to its customers, and this will be the case even if the information is held by an agent.
For the purposes of the Act, it is control rather than possession of personal data that is the determining factor. Therefore, where data is processed by an agent on behalf of its principal (that is, the data controller), the principal is responsible for ensuring that the agent has implemented the necessary security measures in relation to such data. However, where an agent acquires personal data for its own use, the agent may itself be the data controller.
The dividing line is often an inexact science. Whatever the position, it is important that all principals who intend to process personal data notify the Information Commissioner’s Office before they start processing.
Our agents operate across different EU territories – does this make a difference?
Quite simply, yes. At present, data protection legislation in EU member states is similar but not the same. This means that principals and agents are only subject to the laws of the member state in which they are registered. Whether the status quo is an advantage or a disadvantage depends on the nature of that member state’s data protection laws.
Requests for personal data
Under the Act, an individual, referred to in the Act as a data subject, can request from a company access to personal data which it holds on the individual. This is known as a Subject Access Request (“SAR”).
The data subject is entitled to have access to or be provided with copies of the personal data relating to them held by the company. The purpose of such an entitlement is to enable the individual to establish how the company has used the individual’s personal data.
A SAR is commonly used in employer / employee scenarios, but applies to any scenario where a company holds personal data. Therefore, in an agency context:
- a principal holds personal data in respect of its individual agents; and
- an agent may hold personal data belonging to individual customers.
If a principal is served with a SAR, it has 40 days within which to provide the personal data sought. The principal is entitled to verify who the data subject is and to seek clarification of what information is sought. However, generally speaking, a principal has no statutory right of refusal under the Act and therefore must comply with a SAR.
In contrast, where litigation is threatened or has commenced, the Courts do not look favourably upon parties who seek to take advantage of their entitlement under the Act to request access to documents in order to avoid the stricter Court rules on disclosure, particularly if the party is simply fishing for reasons to commence a claim.
- If you are the recipient of a SAR, think about whether it is a genuine request for personal data.
- Remember that you only need to provide data which contains personal information relating to the individual, such as their name, date of birth, address, national insurance details and tax code; you are not obliged to hand over anything beyond that.
- If you think that the individual might be seeking to misuse the SAR process to obtain documents to which they would not otherwise be entitled, consider requesting more information from the individual to establish whether or not it is a valid request.
- If you are not satisfied that it is a valid request, you could consider rejecting the request. But beware – currently, only the Courts recognise a data controller’s right to reject an invalid request. The Information Commissioner still expects all SARs to be complied with. Therefore, you may face questions from the Information Commissioner if a SAR is rejected outright.
Evie Meleagros is an associate in the agentlaw team