Data Protection Commissioner

[text version]
Data Protection Rule 1

Fair Obtaining and Processing

"the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly"
- section 2(1)(a) of the Acts

This is the fundamental principle of data protection. If your organisation wishes to keep personal information about people on computer, then you must collect the information fairly, and you must process (or use) the information fairly.

This provision requires that -

  1. At the time of providing personal information, individuals are made fully aware of:

    the identity of the persons who are collecting it (though this may often be implied)

    to what use the information will be put

    the persons or category of persons to whom the information will be disclosed.

  2. Secondary or future uses, which might not be obvious to individuals, should be brought to their attention at the time of obtaining personal data. Individuals should be given the option of saying whether or not they wish their information to be used in these other ways.
  3. If a data controller has information about people and wishes to use it for a new purpose (which was not disclosed and perhaps not even contemplated at the time the information was collected), he or she is obliged to give an option to individuals to indicate whether or not they wish their information to be used for the new purpose.

These are the ways a data controller achieves transparency and informed consent - the touchstones of fairness in data protection.

Fair Processing of personal data

Section 2A of the Acts details a number of conditions, at least one of which must be met, in order to demonstrate that personal data are being processed fairly. These include that the data subject has consented to the processing, or that the processing is necessary for at least one of the following reasons:

  • The performance of a contract to which the data subject is party, or
  • In order to take steps at the request of the data subject prior to entering into a contract, or
  • In order to comply with a legal obligation (other than that imposed by contract), or
  • To prevent injury or other damage to the health of the data subject, or
  • To prevent serious loss or damage to the property of the data subject, or
  • To protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged, or
  • For the administration of justice, or
  • For the performance of a function conferred on by or under an enactment or,
  • For the performance of a function of the Government or a Minister of the Government, or
  • For the performance of any other function of a public nature performed in the public interest by a person, or
  • For the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.

Fair processing of sensitive personal data

If processing sensitive data, you must satisfy the requirements for processing personal data set out above along with at least one of the following conditions, set out in section 2B of the Acts:

  • The data subject has given explicit consent, or
  • The processing is necessary in order to exercise or perform a right or obligation which is conferred or imposed by law on the data controller in connection with employment, or
  • The processing is necessary to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given, or the data controller cannot reasonably be expected to obtain such consent, or
  • The processing is necessary to prevent injury to, or damage to the health of, another person, or serious loss in respect of or damage to, the property of another person, in a case where such consent has been unreasonably withheld, or
  • The processing is carried out by a not for profit organisation in respect of its members or other persons in regular contact with the organisation, or
  • The information being processed has been made public as a result of steps deliberately taken by the data subject, or
  • The processing is necessary for the administration of justice, or
  • The processing is necessary for the performance of a function conferred on a person by or under an enactment, or
  • The processing is necessary for the performance of a function of the Government or a Minister of the Government, or
  • The processing is necessary for the purpose of obtaining legal advice, or in connection with legal proceedings, or is necessary for the purposes of establishing, exercising or defending legal rights, or
  • The processing is necessary for medical purposes, or
  • The processing is necessary in order to obtain information for use, subject to and in accordance with the Statistics Act, 1993, or
  • The processing is necessary for the purpose of assessment of or payment of a tax liability, or
  • The processing is necessary in relation to the administration of a Social Welfare scheme.

Comment: The nature of consent

Section 2A of the Acts does not specify a level of consent. This may vary from case to case and between implied and explicit. If relying upon consent, the key test will be to demonstrate that consent exists. However, when processing sensitive personal data, the level of consent must be explicit. This means that a data subject must be aware of and understand the purposes for which his/her data are being processed. Explicit consent need not require a data subject to sign a form in all cases. Consent can be understood to be explicit where a person volunteers personal data after the purposes in processing the data have been clearly explained. Thus a clear explanation on a form, a web page, or the delivery of a script by properly trained telephone staff might be sufficient to demonstrate consent has been explicitly given.

No age limit is associated with consent. However, it is important that the data subject appreciates the nature and effect of such consent. Therefore, different ages might be set for different types of consent. If in doubt, it is advised that you select the common age of majority, 18 years. Where a person is unlikely to be able to appreciate the nature or effect of consent, by reason of physical or mental incapacity or age, then a parent, grandparent, uncle, aunt, brother, sister or guardian may give consent on behalf of the data subject. These are the only circumstances in which a third party may give consent on behalf of a data subject.

Fair Obtaining: Test Yourself

You should be able to answer YES to the following questions:-

When people are giving you information,

  • do they know what information you will keep about them?
  • do they know the purpose for which you keep and use it?
  • do they know the people or bodies to whom you disclose or pass it?

If you collect information about an individual from a third party (e.g., from a husband about his wife) you have to consider whether the individual (in this case the wife) needs to be made aware of what is being noted about her as well as the purpose in holding that data. In general, the fair obtaining principle requires that every individual about whom information is collected for holding will be aware of what is happening.

Practical steps

Where you use application forms or standard documentation in signing up new customers or clients, you should explain your purposes/uses etc. on such forms or documentation.

Where your customers or clients mostly call to your premises, you might consider displaying a notice with such explanations in your reception area for their information.

Some Case Studies relevant to this topic:

The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

CASE STUDY 9/04 - Inadvertent disclosure - Health Board to Research body

CASE STUDY 4/04 - In-house legal diary - data obtained for the purposes of data processor contract may not be processed subsequently for a different purpose

CASE STUDY 2/02 - Recording of telephone calls by bank

CASE STUDY 1/01 - Bank and insurance company - cross- marketing of a third-party product - incompatible use and disclosure - fair obtaining and processing - small print and transparency

CASE STUDY 2/01 - Major charitable organisation - disclosure of donors' details to a financial institution - pro-active investigation - unfair obtaining - consent

CASE STUDY 4/01 - Credit card transaction - use of details from a previous transaction without consent - fair obtaining - transparency - retention period

CASE STUDY 5/01 - MBNA Bank - unwanted direct marketing - mailings and telemarketing - failure to delete details from direct marketing databases - Eircom - the practice of 'teleappending' - fair processing - incompatible purpose

CASE STUDY 6/01 - Legal firm - identification of source of personal data - lack of co-operation - issue of enforcement notice

CASE STUDY 7/01 - Ryanair - on-line booking - delayed credit card charge - whether charge activated upon a subsequent transaction - question of disclosure of passenger data

CASE STUDY 2/00 - Department of Education and Science - use of trade union membership subscription data to withhold pay - fair obtaining and processing - specified purpose - compatible use - purpose as described in register entry

CASE STUDY 1/99 - mass circulation questionnaire - apparent official nature of the questionnaire - compilation of lifestyle databases - whether data fairly obtained - assistance of United Kingdom data protection authority

CASE STUDY 5/98 - unsolicited loyalty cards - clear consent - fair obtaining

CASE STUDY 10/98 - school web site - personal data relating to children - issue of fair obtaining

CASE STUDY 1/97 - hospital patient's data disclosed for research – data not obtained fairly for this purpose

CASE STUDY 4/97 - "small print" on application forms – inadequate for fair obtaining

CASE STUDY 5/97 - use of Electoral Register to prepare mailing lists and for other purposes not related to its primary function – concerns about such use of publicly available information

CASE STUDY 7/97 - direct mailing to children – complaint by parent – issues of fair obtaining and keeping data longer than necessary

CASE STUDY 8/97 - credit record indicated that borrower had faced litigation and loan had been partly written off – issue of accuracy – previous concerns about fair obtaining revived

CASE STUDY 9/97 - Data subjects who previously refused direct mail asked to make new choices – fair obtaining

CASE STUDY 10/97 - Customer satisfaction survey – compatible use – merging of data – fair obtaining

CASE STUDY 9/96 - fair obtaining – code numbers on anonymous surveys

MENU Select Page No.
<- Previous    Next ->

» Permanent Link