
Matthew Williams | No need to fight for the right to data

Published: Tuesday | December 31, 2024 | 12:05 AM
Matthew Williams

The Data Protection Act (DPA) has placed numerous responsibilities on data controllers, who are now required to act in accordance with the rights of data subjects.

Rights are referred to in this way because they are, in part, a mechanism to compel controllers to meet their obligations. Data controllers will internally fulminate about the work these rights cause for them, but remember that in most instances, no one will need to exercise their rights if a controller has done their job properly to begin with.

The sixth standard, which deals with these rights, can be found at Section 29 of the DPA; but in fact, all it does is refer to other sections and establish that controllers will be in contravention if they fail in the duties set out there.

SECTION 6 OF THE DPA

The most extensive of these referenced sections is number 6, which deals with the provision of information. These privacy notices have been discussed in a previous column, so it is time to look at the other rights the section confers. These start simply with the right to know whether a controller is processing the data subject’s data and if so, what is being done with it. That might seem obvious - after all, doesn’t a privacy notice contain that information? But if one has a look at some privacy notices, one will quickly find that they contain a lot of ‘ifs’ and ‘mays’. So working out exactly what data a controller has, and exactly which processes apply to one’s particular circumstances, is not necessarily straightforward. Hence, the right to demand a clear accounting from the controller.

Section 6 goes on to empower the data subject to ask for a copy of their data. This is the sometimes dreaded ‘(Data) Subject Access Request’, or (D)SAR as the jargon calls it. It is a complicated topic, and the detail is beyond the scope of this column, but the summary is that in principle, a controller has to provide, in a form intelligible to the data subject, all the personal data that they have about them, together with details of the processing, including a description of the logic where automated decision-making is involved. Controllers must also comply within a specified time frame. There are provisions for verifying the requester’s identity, limiting - at their request - the scope of the data provided, protecting data belonging to other persons, protecting trade secrets and refusing unreasonably repeated requests. There is also the option to charge a modest fee payable by the data subject. The amount is set by regulation. If one receives a (D)SAR, a very careful reading of sections 6 through 8, or seeking professional advice, is recommended.

Section 6 also provides for data portability - the right to have one’s data passed on to another controller in machine-readable form. This right is subject to ‘technical feasibility’. Elsewhere in the world, this has meant limited adoption of easy portability, but it is something in which sectoral regulators are increasingly interested, especially in financial services.

DIRECT MARKETING

Section 10 deals with rights regarding direct marketing. Be aware that direct marketing of any kind requires explicit written consent using a form signed by the data subject except where a controller is offering ‘similar product’ to an existing customer. The form to use is specified in the regulations – look for form number six. The controller must always include their identity and contact information with every piece of marketing along with a simple means of opting out. Crucially, this consent for marketing may only be requested once, ever, and like all consent, it can be withdrawn at any time with immediate effect.

Talking of opt-outs, Section 11 gives the right to request cessation or suspension of processing on various grounds. These include:

• The processing is causing unwarranted distress.

• The data being processed is incomplete or irrelevant to the stated purpose.

• The processing is unlawful.

• The data has been retained longer than necessary.

As always, there is detail for which there is not enough space here. An important point to note is that storage is a form of processing, so Section 11 also effectively confers a right to erasure where one of the grounds applies.

RIGHT OF OBJECTION

The data subject’s other right of objection is contained in Section 12, which deals with automated decision-making and profiling. Here again, another column will have to expand on this later, but the short version is that controllers must tell data subjects that they intend to make or, indeed, that they have made decisions or evaluations by automated means, and the subject has the right both to require that they desist and to challenge decisions so made. As always, there are exemptions and constraints on both sides. Seek advice.

Finally, there is Section 13, which is – oddly, perhaps – not referenced in Section 6 but which confers the right to request rectification of personal data. This can mean correction or completion. Controllers are entitled to determine whether a rectification is actually justified – one doesn’t have to take the data subject’s word for it. However, as noted in a previous column, a controller must include with the data a note that a rectification was requested. They must also pass on any rectification request to any other controller or processor with whom they have shared the data concerned in the past year.

Matthew Williams is an attorney-at-law and data privacy consultant at Securys Limited. Send feedback to info@securys.com.jm.