Back in December 2010 Martin offered some wonderful advice to Santa Claus regarding his data processing obligations, and provided some further thoughts yesterday on how the proposed draft data protection regulation might affect Santa’s data processing activities.
With under a week to go until Christmas Day I thought it would be good to offer Santa some further advice about that Naughty List that his mince spies have spent all year compiling.
Complying with the First Data Protection Principle
Santa’s Naughty List contains lots of personal data about misbehaving children, and the First Data Protection Principle of the Data Protection Act 1998 (the “DPA”) provides that personal data shall be processed “fairly and lawfully”. In particular, personal data should not be processed unless at least one of the conditions in Schedule 2 is met. (And further, if the personal data involved is “sensitive” – for example concerning the “commission or alleged commission of any offence” (!) – then at least one of the conditions in Schedule 3 also has to be met too).
Santa has to tread carefully here (not easy after gorging on so much sherry and mince pies!) because the Information Commissioner has provided clear guidance that enticing children to divulge personal data with the prospect of a prize (or similar inducement) is likely to breach the requirements of the Data Protection Act.
For children of a certain age (11 or under), Santa should ensure that parental/guardian consent for any disclosure of personal data has been obtained. (This is potentially a good result for Santa, as a naughty child would have been unlikely to consent to Santa processing his/her data and therefore limiting his/her prospects of presents.)
But before Santa heads down the chimney, he also has to comply with Paragraph 2 of Part II of Schedule 1 to the DPA, which provides that for the purposes of the First Data Protection Principle, personal data isn’t processed fairly unless the data subject is provided with:
- the identity of the data controller;
- if he has nominated a representative for the purposes of the DPA, the identity of that representative;
- the purpose or purposes for which data are intended to be processed; and
- any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed.
Complying with the Fourth and Fifth Data Protection Principles
Having dealt with the First Data Protection Principle, we then arrive at a pair of subordinate clauses.
The Fifth Data Protection Principle requires that data is not kept for longer than is necessary. It’s virtually impossible to provide an easy answer as to how long is truly “necessary”, but Santa should consider:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information; and
- the ease or difficulty of making sure it remains accurate and up to date.
Ensuring the data is accurate and up to date is actually the Fourth Data Protection Principle. In order to comply with this principle, Santa should:
- take reasonable steps to ensure the accuracy of any personal data he obtains;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.
Keeping the Naughty List up to date must be a huge undertaking, especially when candidates even appear from heavenly sources.
Blacklists
Of course, Santa wouldn’t be the first individual to have compiled a blacklist that potentially breaches the DPA.
You may remember that in 2009, a secret blacklist of construction industry workers made the headlines. That blacklist was found by the ICO to have been established and maintained in contravention of a number of the Data Protection Principles described above.
The exact nature of the information held is still coming to light, and the ICO is still trying to deal with the fallout. The private investigator who compiled the blacklist was fined £5,000 – the maximum fine available at that time for persistent breaches of the DPA.
It’s likely that if such a blacklist was discovered today it would be deemed to be a deliberate breach of the DPA (or at best risking a breach likely to cause substantial damage or distress), with the result that whoever compiled it could face a monetary penalty of up to £500,000.
This isn’t to say that blacklists are impossible to maintain. For example, Stockholm football club Djurgården has a “hooligan register” (though everybody on it has to be informed, and their details immediately deleted if they successfully contest their inclusion).
So, if Santa follows our guidance above then he might keep the Naughty List on the right side of the law. Not that he’s probably too bothered – if you spend all night out sleighing, then you’re probably more worried about the police then the ICO!
Merry Christmas!