Monday, 18 October 2010

Data protection principles - mnemonics

When studying privacy law, in order to help me remember the data protection principles under the UK Data Protection Act 1998 (implementing the EU Data Protection Directive), which regulate the processing of personal data, I came up with some mnemonics.

For computery types - this blog is sort of a tribute to the OSI layer mnemonics. Which I am hereby changing to "All People Seem To Need Data Protection"! And note that "data protection", as a term in law, isn't just about backup and redundancy.

Here are my mnemonics. Under each principle there are extra notes, which set out the principle itself and a few points about it.

If anyone has any better suggestions for mnemonics, please let me know - some of my ideas may be better for me than other people as it's just the weird way my mind works; you don't even want to know what tricks I use to try to memorise phone numbers!

1. First principle

F is for “First”, F is for “Fair and lawful” (and don’t Forget the compulsory conditions).

Personal data shall be processed Fairly and lawfully and, in particular, shall not be processed unless -

  • at least one of the conditions in Schedule 2 [of the Data Protection Act] is met, and
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

(About: collection limitation, data quality, purpose specification; openness / transparency, notice / awareness, choice / consent)

In plain English, for processing of personal data to satisfy the first principle, at least one of a list of conditions must be met (eg getting the data subject's "consent" to the collection of their data, or, for sensitive personal data, falling within circumstances specified by government Order), and, in addition, the processing has to be generally fair and lawful too. Again, it isn't "fair" unless eg the data subject has been told who is processing their personal data, for what purpose, and so on.

In other words, if none of the required conditions can be met the processing can't comply with this principle, no matter how fair it might seem as a matter of common sense. Being generally "fair and lawful" is necessary but not sufficient - you have to scrutinise the Schedule 2 and 3 conditions and the other requirements too.

For "sensitive personal data" there are stricter conditions, precisely because the data is sensitive. That includes personal data about health, racial or ethnic origin, religious or political beliefs, sexual life, criminal offences and proceedings, even trade union membership - but, interestingly, financial data such as your income or assets is not considered "sensitive" in the EU.

2. Second principle

S is for “Second Principle”, S is for “Specified and lawful Purposes only”.

Personal data shall be obtained only for one or more Specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

(About: data minimization, data quality, purpose specification, purpose limitation or use limitation, transparency)

In other words, if an organisation says they're collecting your personal data for purpose X only, they should tell you so up front, and they really shouldn't then use it for another purpose Y.

But how anyone can catch them using it for purpose Y is a different matter, and one of the biggest problems for privacy protection today.

3. Third principle

T is for “Third”, and there ARE Three elements here: Adequate; Relevant; and not Excessive.

Personal data shall be Adequate, Relevant and not Excessive in relation to the purpose or purposes for which they are processed.

(About: data quality, data minimisation, purpose limitation / use limitation)

Similar point to the above. Most websites don't really need your date of birth or mother's maiden name just to let you in, but many make you give that info before they allow you to even register.

Strictly, they shouldn't be seeking to obtain excessive personal data like that. But if they don't get caught out, reported or fined for doing it, what's to stop them?

4. Fourth principle

F is for “FoUrth”, F is for “Fidelity - Faithfulness to the Facts” (=Accuracy); U is for “Updated where necessary”

Personal data shall be accurate and, where necessary, kept Up to date.

(About: data quality, data integrity)

Of course, normally you can't find out what personal data an organisation holds about you (in order to check its accuracy and currency) unless you first fork out a tenner or more for a subject access request. In contrast, making Freedom of Information requests to public bodies doesn't cost you a penny.

5. Fifth principle

For “Five” think of the Roman numeral L (strictly, L is fifty, ie five tens); L is for the Length of time for which personal data may be kept.

Personal data processed for any purpose or purposes shall not be kept for Longer than is necessary for that purpose or those purposes.

(About: data quality, data retention, purpose limitation / use limitation)

Again, the tricky practical issue is how one checks this and makes sure that all backups and duplicates are deleted too.

6. Sixth principle

S is for “Sixth”, S is for “Subject rights”.

Personal data shall be processed in accordance with the rights of data Subjects under this Act.

(About: openness / transparency, individual participation / access, enforcement / redress)

An individual's rights in relation to personal data held about them aren't as good as you might think.

Frankly individual data subject rights don't amount to very much, in the UK. That's one of the reasons why the European Commission took issue with the UK over the UK's data protection laws. The Commission is also taking the UK to the European Court over the UK's inadequate internet privacy laws.

7. Seventh principle

S is for “Seventh”, S is for “Security - ATOM, U2 And D2”.

Appropriate Technical and Organisational Measures shall be taken against Unauthorised or Unlawful processing of personal data and against Accidental loss or Destruction of, or Damage to, personal data.

I admit I’m reaching here - the capitalised words above, and going through the explanations below of how to (vaguely!) connect the abbreviations to the concept, should hopefully help clarify my bash at the mnemonics, and make them stick better -

  • ATOMic stuff (for Appropriate Technical and Organisational Measures), you’ll certainly want security for that!
  • U2 (for Unauthorised or Unlawful) - that's an Irish band, well some authorities are still nervous about security in relation to things Irish aren’t they? (reminds me - I once heard a Northern Irish guy remark, only half-jokingly, about the risks of being arrested for being in possession of an Irish accent!).
  • “And” is for Accidental loss.
  • D2 (for Destruction and Damage) - the connection there with security isn’t too hard. (I just couldn’t squeeze R2-D2 in there, believe me I tried.)

(About: data security, data integrity)

Yet again, a difficult issue is how to make sure those measures really have been taken. Which is where the principle of accountability, that's increasingly gaining credence, comes in.

8. Eighth principle

E is for “Eighth”, E is for EEA - that’s “EEA-only Except if ALPS” (Adequate Level of Protection for Subjects).

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an Adequate Level of Protection for the rights and freedoms of data subjects in relation to the processing of personal data.

(About: data transfer)

No, Switzerland is not part of the EEA, though it certainly boasts alps galore. Austria is in the EEA, however. As are Norway, Iceland and Liechtenstein, as well as the other usual EU suspects. (Another suggested memory trick - Norway, Iceland and Liechtenstein are NOT in the EU though they're in the EEA, so think Eurovision song contest and NIL points (I know, purists would say it's actually "nul")).

(Yes, the Eighth Principle's mnemonic is a recursive acronym, as a tribute to GNU. And there's nesting too, if you count ALPS. Am I allowed to be slightly smug about that mnemonic, or d'ya think I'm just sad?)

This is another tricky area. It's not straightforward figuring out the "location" and "transfer" of data, just for starters. I won't say more about it here.

Warning notes

For non-lawyers - this blog isn't meant to explain the data protection principles or their application, it's just to provide an aide memoire and make a few points about the principles. Whole books have been written about the principles. Just bear in mind that in legislation and cases, "normal" words can have special meanings - so you can't always read the data principles (or indeed other laws) literally, as they don't necessarily mean what you'd think. Which is partly why you need specialist lawyers and judges.

F'rinstance, even the concept of "personal data" is both wider and narrower than you might think.

And "processing" includes passively storing data as well as collecting, manipulating, using or deleting it; even sending data to someone else, or giving them access to it, is "processing".

See generally the ICO's data protection guide, which is excellent. (The Information Commissioner is the UK's main data protection / privacy regulator.) There are good glossaries at the European Data Protection Supervisor's website and the ICO website.

For everyone - the data protection principles are good stuff and don't need changing at their core, as was recently pointed out in the ICO's response to the UK Ministry of Justice's consultation seeking views on data protection laws. Many best practices are implicit in the principles (eg using PETs, privacy-enhancing technologies).

But just having laws or regulations in place doesn't mean people will automatically respect or obey them.

If you can't monitor or police properly the extent to which organisations are failing to follow the principles, or you can't punish breaches adequately to provide a meaningful deterrent against infringements, then many will continue to ignore laws and regulations.

When proposals for a modernised EU Data Protection Directive come out in 2011 hopefully they'll include provisions that will help improve matters on this front.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.