Data Protection: A Bromidic Tale
Dexter Flynn | 16/03/16
Unlike Michael Caine in Alfie, when Mr Elkins is left wondering: “what’s it all about?”, my “what’s it all about?” moment generally arises when someone says to me: “Data Protection Law.” Others will, of course, say it just arises generally!
To be fair, most people find data protection extremely …. challenging. If you google “data protection fail”, unusually for the internet no funny images appear.
However, irrespective of your views regarding data protection, one thing is clear. It is an important subject matter, one to which we must all have regard. So come on people – stay awake while I shed some light on the subject.
When the Data Protection (Jersey) Law 2005 (the “Law”) was discussed back in 2004 its prime purpose was stated as being, amongst other things, “to safeguard the rights of individuals with regard to their personal information which may be held, stored or processed about them” and “to ensure that organisations and individuals hold and process personal information that is accurate, up to date and only used for the purposes that are described in their notification details to the Data Protection Authority”.
Why am I now referring to a law which came into force in 2005?
Well, in February, the Royal Court produced an 18 page judgment arising from an application seeking various orders pursuant to the Law. The judgment has been the subject of some publicity in Jersey.
The case is significant in that the Court stated that: “Absent the instant case, there appears to have been no disputed case before the Royal Court on the legislation so far.” In national hunt parlance, fresh ground for the Royal Court.
The Court took the opportunity of undertaking a belt and braces analysis of various UK authorities. It “drew themes together” and set out principles which it says ought to apply when an application is made against a data controller in relation to request for documentation.
In essence the Court said the following:-
- The first duty of the data controller is to review what information he has about the data subject. The Court found in this particular case that “the real issue is whether the information in question is obviously about the data subject as an individual, and is private to him or her”. It is about an individual not only where it relates to a particular person, but also where it is obviously linked to such a person.
- The data controller has an obligation to comply with Article 7 of the Law. Article 7 provides a person with the cardinal right to know whether a data controller is processing personal data of which the individual is subject.
- Article 8 of the Law sets out how a data controller is to “react” to a request for access. There is an exception under Article 8 which leaves the data controller with a discretion to refuse a request to disclose where the supply of relevant information is not possible or would involve a disproportionate effort. The Court concluded that “the principle of proportionality needs to be applied to the rigour with which the obligation of the data controller to identify whether data is in fact being processed is enforced”.
- The Court then went on to establish certain criteria that it must assess when the data controller has refused a request; obviously in this regard each case will turn on its own facts.
As is now standard with much of Jersey’s reputable “nanny state” legislation, the origins of the Law lie outside of Jersey, namely in the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data EC IO8 and the European Data Protection Directive 95/46 EC. Wow!, I hear you cry. Or, perhaps you are just crying.
Leaving aside its rather convoluted and bureaucratic history, what is clear is that with the amount of computers and databases and the level of personal information held by countless organisations in relation to us personally, we all need protection from (i) the misuse by organisations of such information; and (ii) such information falling into the wrong hands, as was the case in the Ashley Madison hack (involving something to do with dating about which I know nothing …………….. your Honour). The Law brings some level of protection to us all.
So let’s be clear. Data protection on the face of it may be mundane. The Law may refer to perceived ethereal principles. It may be regarded as one of the signature legislative tunes in the pan pipe orchestra of social legislation. It is, however, essential law and the Royal Court has demonstrated this in its lengthy and considered analysis.
Finally, congratulations to everyone who managed to keep reading to the end of this piece. “DP Oscars” all around.