United Kingdom

LEG-01:

Legislation enacted specifically for data privacy?
– Data Protection Act 1998.

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Regulation of Investigatory Powers Act 2000 (RIPA).
– The Freedom of Information Act 2000.
– Communications Act 2003.
– The Privacy and Electronic Communications Regulations 2003 (PEC).

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy. Note: these are guidelines ONLY; each country that agrees and signs then needs to incorporate them into legislation in some form.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
– United Kingdom – United States of America Agreement (UKUSA).
– EU Data Protection Directive 1995/46/EC (DPD).
– EU Privacy and Electronic Communications Directive 2002/58/EC (EUPEC).
– EU Regulation 45/2001/EC (CIB).
Notes: UKUSA is the multilateral agreement for the “Five Eyes” alliance.
“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” is the full title of DPD.
“Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data” is the full title of CIB.

LEG-04:

Local government has any Bills going through the legislative process.
– General Data Protection Regulation.
Notes: This will be a replacement for the current DPD (from 25 May 2018).

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Telecommunications (Data Protection and Privacy) Regulations 1999.
– Convention on Cybercrime 2001.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
– Communications Act 2003 Section 1.
Notes: The Communications Act sets up The Office of Communications (OFCOM).
The Information Commissioner’s Office (ICO) is an independent authority.

PRI-02:

There is a requirement to establish a privacy commissioner.
– Data Protection Act 1998 Section 6 (1),(2)
Notes: Originally established as the Data Protection Registrar in Section 3(1)(a) of the 1984 Act. Now the Information Commissioner.

PRI-03:

The functions of the authority are clearly set out.
– Communications Act 2003 Section 1 (5), Schedule 1.
– CIB Article 46.
Notes: The ICO website states its role is to “uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (not mentioned in the Act).

PRI-04:

There is a requirement that each company establish its own privacy officer to ensure the company complies with policy.
Notes: Not as yet. It has been drafted in the updated EU Data Protection Framework (still to be adopted).

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined, with examples and a clear outline.
– Data Protection Act 1998 Section 1.
– CIB Article 2 (a).
Notes: Personal data.

PCP-02:

“Sensitive Information” is defined, with examples and a clear outline.
– Data Protection Act 1998 Section 2.
Notes: Sensitive Personal Data.

PCP-03:

Other types of information are defined that are treated differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Data Protection Act 1998 Schedule 2
– CIB Article 5 (d)

PCP-05:

The type of consent required is either explicit or implicit.
– Data Protection Act 1998 Schedule 3.
Notes: Explicit consent only applies to sensitive data.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

The level of consent differs for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– Data Protection Act 1998 Section 10

PCP-09:

The purpose, which must be lawful, is explained to the individual.
– Data Protection Act 1998 Section 16, Schedule 1 Principle 2.

PRO-01:

Individual has the ability to access their data by request.
– Data Protection Act 1998 Section 7.
– Freedom of Information Act 2000 Section 8.
– CIB Article 13.

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Data Protection Act 1998 Section 14.
– CIB Article 14.

PRO-03:

Data can be sent to a third party for processing.
– Data Protection Act 1998 Schedule 2 6, Schedule 3 4.
– CIB Article 9 1, 6.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– Data Protection Act 1998 Schedule 1 Principle 2, 3.
– CIB Article 6 1.

PRO-05:

Encryption used for processing of data to ensure anonymity.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Data Protection Act 1998 Section 55.
– CIB Article 22 2.

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Data Protection Act 1998 Section 13, 21, 55 (3)-(5), 60, 61.
Notes: Section 60 sets out penalties for the offences.
Section 61 relates to offences by a body corporate.

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– Data Protection Act 1998 Section 42.
– Communications Act 2003 Section 52 (2).
Notes: The DPA refers to this as a Request for Assessment; Section 43 then outlines “Information Notices”.

STO-01:

All data is stored with at least a “reasonable” level of security.
– Data Protection Act 1998 Schedule 1 Principle 7, 8.
– CIB Article 22 1.

STO-02:

Encryption techniques used to store data.
– CIB Article 4 1 (e).
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– Data Protection Act 1998 Schedule 1 Principle 8, Schedule 2 6, Schedule 3 4.
– CIB Articles 7 – 9.

STO-04:

Data can be stored offshore in a different country.
– Data Protection Act 1998 Schedule 1 Principle 8.
– CIB Article 22 1.
Notes: Although storage locations are not specified, this may be seen as a reasonable protection method.

STO-05:

Data can be stored off site but in the same country.
– Data Protection Act 1998 Schedule 2 6, Schedule 3 4.
– CIB Article 22 1.
Notes: Although storage locations are not specified, this may be seen as a reasonable protection method.

STO-06:

Information is only kept by the collection agency for the minimum time necessary to fulfil the outlined purpose.
– Data Protection Act 1998 Section 33 (3), Schedule 1 Principle 5
– PEC Section 26
– CIB Article 4 1 (e)
Notes: Section 33 refers to research purposes, for which personal data can be kept indefinitely.

STO-07:

Policies are in place for destroying data once consent is withdrawn or the data is no longer needed.
– Data Protection Act 1998 Schedule 1 Principle 7 11.
Notes: The Act and the CIB both refer to “processing” which covers a variety of operations, including erasing or destroying data.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Data Protection Act 1998 Section 13, 21, 55 (3)-(5), 60, 61.
Notes: Section 60 sets out penalties for the offences.
Section 61 relates to offences by a body corporate.
Neither are specific to storage.

STO-09:

Notification has to be given to individuals in case of a data breach.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– PEC Section 23.
Notes: Section 24 relates to automated calling and facsimile.

SPM-03:

Subject line to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not by means such as address-harvesting tools or other software.
– PEC Section 22 (3).

SPM-05:

A form of a “Do Not Call” register is in place.
– PEC Section 21.
Notes: The “Telephone Preference Service” is a non-governmental agency that manages this.
OFCOM is the independent regulator for the communications industry, which the Act refers to as the “register”.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– PEC Section 22 (2)

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.
– Regulation of Investigatory Powers Act 2000 Section 11 (7).

INT-03:

A warrant is needed to have the ability to intercept personal data.
– Regulation of Investigatory Powers Act 2000 Section 5.

INT-04:

Network operators and service providers have network design guidelines to follow so that interception can be carried out.

INT-05:

External countries have the ability to intercept data with permission from the host country.
– Regulation of Investigatory Powers Act 2000 Section 1 (4), 6 (2)(j).
