
The law on confidential information has now been supplemented by the Data Protection Act 1998, which deals specifically with personal data.

The law treats as confidential any information which (1) has the necessary quality of confidence, (2) was communicated or became known to the recipient in circumstances entailing an obligation of confidence, and (3) has been used without authority. The information must be of limited availability and of a specific character capable of clear definition.
An obligation of confidence is implied in law when material is imparted in circumstances which make it clear that it is being communicated subject to restrictions of confidentiality. Obligations of confidence can be implied in contracts where the recipient, acting reasonably, ought to have known that the material was confidential. If the information is already independently available to the recipient, no obligation arises.
The risks inherent in relying on the general law are obvious. It is not possible to list all the sorts of documents or information that might be classed as commercially sensitive or confidential. Sales information, financial performance and other results, company strategies and major policy changes are likely to be legally confidential, until such time as they are officially released. Before sharing confidential information, an organisation will invariably benefit from the certainty of an express confidentiality agreement or data use agreement. This may be a stand-alone agreement or express clauses in a trading contract setting out exactly what information is confidential and for how long, what use may be made of the information and over what period. Non-compliance with any confidentiality obligation can lead not only to reputational damage but also to claims from the “victim”.

The DPA governs the use (“processing”) of personal data, which is data about a living person that (on its own or with other data held by or likely to be held by the data controller) identifies the subject. Trading companies typically hold personal data about their points of contact within their contacts, suppliers and customers. All employers hold personal data on their staff.
Processing data includes collecting, storing, copying, updating, disclosing and deleting it. The DPA governs processing either on a computer or within a structured manual system. It includes recording and holding CCTV images, and allowing anyone to watch them in real time.
Certain types of personal data are considered “sensitive”, e.g. racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual information, and information about the commission or alleged commission of offences.
The Act requires data controllers to observe eight principles in respect of personal data:

1. Data must be processed fairly and lawfully.
2. Data must be obtained for one or more specified and lawful purposes and may not be further processed in any manner incompatible with those purposes.
3. Data shall be adequate, relevant and not excessive in relation to the purposes for which the data is processed.
4. Data shall be accurate and kept up to date.
5. Data shall not be kept for longer than is necessary.
6. Data shall be processed in accordance with the rights of individuals under the 1998 Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of data as well as against accidental loss, destruction or damage to such data.
8. Data shall not be transferred outside of the European Economic Area ("EEA") unless the recipient provides an adequate level of protection in line with the EU Data Protection Directive.
An individual has certain rights in respect of “his” personal data, including the right to see what data on him is held by the data controller, to object to certain processing that causes substantial damage or distress, to object to automated decision taking about him and to object to direct marketing.
Collecting data on a computer or a structured manual system requires the consent of the individual subject (the “Subject”). The Subject must be told the legal identity of the data controller (the organisation doing the collecting or for whom it is being done), its purpose in collecting and holding the data and any other information necessary to enable the Subject to consent.
A Subject can give his consent for the disclosed purpose by an opt-in or opt-out box or orally. However, it is implied where the processing is in pursuit of the recipient’s legitimate business aims. The one exception is that written consent must be given in respect of sensitive personal data.
A holder of data who has collected it from someone else must tell the Subject within a reasonable time or when he wishes to pass it on. Exceptionally, the holder does not have to do this if (1) disclosure is pursuant to a statute or regulation or (2) it involves a disproportionate effort, i.e. disproportionate to the prejudice to the Subject’s rights if he is not told.

Any person or organisation which processes personal data must register that fact annually with the Information Commissioner (see www.ico.gov.uk). They should ensure that they:

- appoint one person with overall responsibility for data protection compliance,
- provide information and, where necessary, training for all staff members who handle personal information,
- provide clear lines of reporting and supervision for compliance with data protection,
- carry out regular checks to monitor and assess new processing of personal data and to ensure notification to the Information Commissioner is updated.