Free help and advice to the UK Further and Higher Education community

Helpdesk

Data Protection

Last updated: 10 January 2005
Published in: Managing a project
Tags: business & community engagement | data protection | digital collections

Comment icon Comments (0)

Summary

This advice document provides a simple introduction to the Data Protection Act, but considers in some depth the issues relating to photographs.

Contents

This document has been drafted with care but in no way constitutes legal advice. JISC Digital Media always recommends seeking professional legal advice where there is any uncertainty or risk of infringement.

1. Background

The Data Protection Act 1984 introduced some protection for personal information processed by computer systems. This was replaced by the much more extensive Data Protection Act 1998. The 1998 Act was the UK's implementation of a 1995 European Union Directive, intended to harmonise data protection laws throughout the EU. Most of the 1998 Act's provisions came into force on 1 March 2000, although some limited exemptions are in place until October 2007.

The Data Protection Act is also closely related to the Human Rights Act 1998 (in force from 2000) and the Freedom of Information Act 2001 (in force from the beginning of 2005). The latter governs access to information held by public bodies, including FE and HE institutions.

Both the Data Protection Act and the Freedom of Information Act are regulated by the Information Commissioner's Office.

The Office provides advice and oversees compliance with both acts. It also provides systems for formal notification and registration.

2. Summary of the Data Protection Act

The purpose of the Data Protection Act is to ensure that personal data is dealt with in a responsible way. It details a set of principles for those who hold and process personal data and rights for individuals whose data is held.

Important definitions

In order to understand the scope of the Act there are several key terms or concepts that need to be understood (these are summaries - refer to the Act itself for formal definitions):

  • Personal Data - information about a living individual that is processed automatically (e.g. by a computer) or held within a relevant filing system (e.g. manual records system) or recorded with the intention of processing or filing it, and which enables the individual to be identified or identifiable. Personal data can include photographs or images, in digital or analogue (non-digital) form.
  • Sensitive Personal Data - this is personal data (as above) that consists of information on someone's racial or ethic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health condition, sex life, offences (committed or alleged), or proceedings/sentences for those offences. As with personal data, sensitive personal data could take the form of photographs or images.
  • Processing - this has a very broad scope, including: obtaining, recording or holding data as well as specific activities such as organising, adapting, altering, retrieving, consulting, using, disclosing, disseminating, aligning, combining, blocking, erasing or destroying information.
  • Data Subject - the person who is the subject of the personal data. As they must be a 'living individual', a Data Subject cannot be an organisation or company.
  • Data Controller - the person (or persons) who determine how the personal data is processed. Unlike the Data Subject, the Data Controller is a 'legal person', which could include organisations and companies, their members or employees, or individuals. Unless they are only dealing with manual data, Data Controllers are meant to provide the Information Commissioner with details about themselves and the data they are processing.

Eight Data Protection Principles (see Schedule 1 of the Act)

Personal data must be:

  1. Fairly and lawfully processed
    (see Conditions, below)
  2. Processed for limited purposes
    Purposes should be made known to the Data Subject and should not be determined retrospectively once the data has been obtained.
  3. Adequate, relevant and not excessive
    Only enough data to fulfil the purposes should be obtained; it is unacceptable to hold additional data 'just in case' it might be needed.
  4. Accurate and, where necessary, up-to-date
  5. Not kept for longer than is necessary
  6. Processed in line with the rights of the data subject
    (see Rights of the Data Subject, below)
  7. Secure
    Appropriate technological and management systems must be in place to prevent unlawful use or accidental loss or damage (e.g. password access, back-ups, staff training, risk assessments).
  8. Not transferred to countries without adequate protection
    With certain exceptions (e.g. where the Data Subject has given permission), personal data should not be transferred to countries outside the European Economic Area (EU members plus Norway, Iceland and Liechtenstein) unless there is appropriate data protection in place.

This is a brief summary. Please see the Act for a full statement of the principles and the Commissioner's web site for guidance on interpreting them.

Conditions for fair and lawful processing (Schedules 2 and 3 of the Act)

The first principle states that personal data should only be processed if it meets at least one of these conditions (summarised, see Schedule 2):

  1. Data Subject has given their consent
  2. Processing is necessary for fulfilling a contract or entering into a contract
  3. Processing is necessary to comply with a legal obligation of the Data Controller
  4. Processing is necessary to protect the vital (i.e. life and death) interests of the Data Subject
  5. Processing is necessary for the administration of justice, activities of the Crown or a government department, or functions of a public nature exercised in the public interest
  6. Processing is necessary in pursuing legitimate interests of the Data Controller or third parties unless this prejudices the rights and freedoms or legitimate interests of the Data Subject

In the case of sensitive personal data it should only be processed if it meets at least one of the above conditions plus at least one of the following additional conditions (summarised, see Schedule 3):

  1. Data subject has given their explicit consent
  2. Processing is necessary to comply with employment law
  3. Processing is necessary to protect the vital interests of Data Subject or another person
  4. Processing is part of the legitimate activities of a non-profit organisation existing for political, philosophical, religious or trade union purposes
  5. Data Subject has already made this information public themselves
  6. Processing is necessary for legal proceedings, advice, or defence
  7. Processing is necessary for the administration of justice, activities of the Crown or a government department
  8. Processing is necessary for 'medical purposes', including preventative medicine, medical diagnosis, medical research, care and treatment or the management of healthcare services
  9. Processing of information relating to racial or ethnic origin is done for the purposes of monitoring equal opportunities
  10. Processing occurs according to specific statutory instruments (these provide several additional contexts for processing information, including confidential counselling, insurance, research, and processing by police constables or elected representatives)

Rights of the Data Subject (see Part II, sections 7-15, of the Act)

A Data Subject has the right to:

  • Access their personal data
    A Data Subject has a right to be informed, upon request, of any personal data being processed by or on behalf of a Data Controller. They can also request, for a small fee, a copy of that data and information about how and why the information is being processed and to whom it is being disclosed.
  • Prevent processing causing damage or distress
    Gives a Data Subject the right to prevent (through written notification) any processing of their personal data where this processing is likely to cause substantial and unnecessary damage or distress to them or another person, unless they have consented or there are conditions requiring the processing to take place (i.e. the first four Conditions for fair and lawful processing, above).
  • Prevent processing for direct marketing
    Enables a Data Subject to request that a Data Controller cease using their personal information for direct marketing.
  • Prevent automated decision taking
    Gives a Data Subject the right to prevent decisions being made about such things as creditworthiness or work performance solely on the basis of automatically processed data.
  • Compensation
    Data Subjects and others damaged by the actions of a Data Controller are entitled to claim compensation. To date, compensations awarded by courts under this section have been fairly modest.
  • Action to deal with inaccuracy
    As well as awarding compensation, a court can insist on the 'rectification, blocking, erasure or destruction' of personal data.

Exemptions (see Part IV, sections 27-39, of the Act)

The Data Protection Act offers many exemptions. Some are 'transitional' and will cease in October 2007; others are permanent exemptions.

Many of the exemptions are fairly obvious - much of the Act can be disregarded, for example, for the purposes of safeguarding national security; and you do not need to abide by the principles in disclosing information within your own family!

There are a couple of others that Data Controllers might be able to claim when using photographs of people:

  • Journalistic, literary, and artistic purposes (section 32 of the Act)
    Many of the Data Protection Act's provisions can be set aside where personal data is processed for journalistic, literary or artistic purposes, if this is done with a view to publication and is believed to be in the public interest.

    This exemption ensures certain freedoms for the press.
  • Research, i.e. historical and statistical purposes (section 33 of the Act)
    Personal data which is processed for research purposes and is (1) not used to take decisions about individuals and (2) will not cause substantial damage or distress, may be exempt from: (a) the requirement that personal information be used for limited, specified purposes (Principle 2), and (b) the requirement that personal information be kept for a limited time period (Principle 5).

    Research data will also be exempt from the Right of Access (above) where the research outputs are not being made available in a form that identifies individuals.

    This exemption enables archives to keep certain information indefinitely.

Each of these exemptions are considered more fully in the next section.

3. Specific issues relating to photographs and digital images

Laws cannot anticipate every situation in the world; they require interpretation, application, and testing in the courts. The Data Protection Act has only been considered in a small number of cases, so the precise meaning and application of some parts of the Act is still unclear. Until the courts rule on these matters, it is best to rely on the guidance of the Information Commissioner's Office and advice from relevant legal practitioners.

Are photographs personal data?

The courts have determined that photographs and images of people are capable of being personal data (the case of Durant v Financial Services ). Where the name and image of a person are linked - or are capable of being linked - then the person can be identified and the image should be regarded as personal data.

The problem arises where an image is anonymous (unnamed and unknown to the Data Controller) but is theoretically capable of being recognised and identified by someone else who knows that individual.

The Act states that personal data is information relating to living people who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (our italics). Does 'can be identified' mean 'is identified' or more broadly 'is capable of being identified'?

The UK courts have not yet ruled on this issue. The Information Commissioner's Office has not given unambiguous guidance, but has tended towards the 'is capable of being identified' definition. They have said to JISC Digital Media that where a person is the focus of an image, that image is likely to be personal data - even in the absence of a name or other identifying information. But where people are incidentally included in an image or are not the focus (e.g. a busy street scene) the Information Commission's Office believe that the image is unlikely to contain personal data.

Are photographs sensitive personal data?

If photographs are personal data, can they further be regarded as sensitive personal data?

As stated above, sensitive personal data consists of information on someone's racial or ethic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health condition, sex life, offences (committed or alleged), or proceedings/sentences for those offences. Particular conditions must be met if you wish to process someone's sensitive personal data (e.g. explicit consent).

It is clear that a photograph could sometimes relate information of a sensitive nature (e.g. someone participating in a religious ceremony). But does a depiction of someone holding a cane or sitting in a wheel chair provide information about their physical condition? Does any image of a person provide some information about their racial or ethnic origin? If this is so, any photograph of any recognisable person should be regarded as sensitive personal data and treated as such.

This issue has been raised in a UK case ( Campbell v MGN Ltd , involving a photograph of the model Naomi Campbell leaving a Narcotics Anonymous meeting). However, the judge deliberately chose not to rule on whether a photographic image could amount to sensitive personal data.

The Information Commissioner's Office has said to JISC Digital Media that while an image might indeed constitute sensitive personal data, the depiction of someone's skin colour is not a clear indication of ethnicity and should not, by itself, be regarded as sensitive personal data. Some legal commentators have taken a more cautious approach, recommending that all photographs of people be regarded as sensitive until the courts have provided a clear ruling (e.g. Michalos - see references below).

Accuracy of data (Principle 4)

The fourth principle states that personal data must be accurate and 'where necessary' kept up to date. This may have some impact on digital photographs that have been manipulated. Simple enhancement or retouching of an image is unlikely to pose a problem, but any manipulation that misrepresents things (e.g. showing someone at a place they have never visited) is likely to breach this principle. In some cases, the manipulator might be able to claim an artistic or journalistic exemption.

Transferring images to certain countries (Principle 8)

Putting an image of someone on a public Internet site could amount to transferring personal data to a country without adequate protection (Principle 8). Permission should be sought, or the image restricted to those in appropriate locations (perhaps through password access or by filtering IP addresses).

Journalistic, literary, and artistic purposes exemption

Could someone creating or handling photographic or digital images claim an exemption on the basis of journalistic, literary or artistic purposes?

These three activities are regarded by the Act as 'special purposes' and can receive exemption from many of the Act's provisions, including any need to obtain consent, provided they satisfy all of these conditions:

  1. The personal data is only processed for this special purpose
  2. The processing is done with a view to 'publication' (which has a broad definition, including broadcasting and the Internet)
  3. The Data Controller reasonably believes publication would be in the 'public interest' (as determined by relevant codes, such as those of the Press Complaints or Broadcasting Standards commissions)
  4. The Data Controller reasonably believes that meeting a particular provision of the Act would be incompatible with their special purpose

Journalism, literary and artistic purposes are not defined by the Act but legal commentators expect them to have fairly wide definitions. Photographs created especially for artistic purposes might qualify for an exemption, or a photograph that is used as an illustration. 'Public interest' is likely to be interpreted a little more broadly than the common meaning (i.e. things of a serious nature) - otherwise it would seem difficult to relate this to literary and artistic activities.

At first appearance this exemption seems quite broad. However, the fourth condition is important. It says that the Data Controller will only be exempt from a provision of the Act if that provision is incompatible with their journalistic/literary/artistic purpose. One of the most obvious provisions someone would seek an exemption from is the need to obtain consent.

Someone taking an artistic photograph of people might not want to seek permission because they want to capture their subjects unaware, in a natural setting. This seems like a reasonable argument. However, since there is little to stop them seeking consent after the photograph has been taken, there is no real incompatibility between their special purpose (artistic photography) and the need to seek consent. Because of this it is doubtful whether they could claim an exemption.

However, someone taking and publishing a journalistic photograph might have a stronger claim. If consent were refused they could well be unable to take or use the photograph (unless they could claim another of the conditions in schedules 2 or 3, above). In this case it could be argued that the requirement for consent is incompatible with their journalistic purpose and that there is a strong public interest in taking and publishing the photograph.

Research exemption

Could someone creating or handling photographic or digital images claim a research exemption?

'Research' is not defined by the Act, except that it includes 'statistical and historical purposes'. This is an important exemption for those holding historical material, such as archivists. It enables personal data held (legitimately) for one purpose to be transferred to an archive and held there indefinitely (an exemption from Principle 5) and used for another purpose (i.e. research, an exemption from Principle 2). The data can also be disclosed to other people as long as this is also for research purposes.

It seems that this exemption could enable historical images to be held within a digital collection that is limited to research purposes. Note that the exemption only applies to certain, limited, provisions of the Act. All other standard conditions of the Act must be met (e.g. not transferring the data to unprotected countries) along with the two specific conditions that the data isn't used to make decisions about individuals and will not cause substantial damage or distress.

4. Recommendations

Data Protection may seem complicated and prohibitive, but there are some simple practices that will help you meet any obligations and there are some good sources of help and advice - particularly the Information Commissioner's Office helpdesk).

  • Find out who is responsible for Data Protection within your institution . They are likely to have policies in place and will want to know about the personal data you are holding and using.
  • Don't forget that the Data Protection Act only applies the living people . If you know or can be reasonably certain that your subjects have died, Data Protection will be of no issue.
  • Err on side of caution and read the law reports! As this document has suggested, there are areas of the Act that are ambiguous and have yet to be determined by the courts. In these instances it may be wise to err on the side of caution.
  • Where possible, obtain consent... in writing. Principle 1 requires that at least one of several conditions are met. The simplest condition to meet - and in some cases the only appropriate condition - is that the Data Subject has provided their consent. Written consent is not a legal requirement (even for sensitive personal data), however it would be sensible to have some evidence of the Data Subject's agreement.
  • When photographing an individual, get them to sign a release form, detailing all the uses you intend for the data (both their image and their name, if you're going to use it). This is particularly important if you intend to publish their image on the Internet.
  • When photographing groups, an opt-out approach may be more practical . Tell the group why you're photographing them and how you want to use the image and give people time to move out of the frame if they wish.
  • If you already have a historic collection of photographs, you may be able to claim a research exemption - but remember that this does not give you a license to use the image as you please.
  • If you don't have consent or another legitimate reason consider using a different image. A legitimate reason might be another condition from schedule 2 or an exemption.
  • Don't forget that those using your images also have rights! If you are collecting information from those using your collection (registration details, usage information etc), you will need to consider the way you handle their data too.
  • Don't forget that there may be other legal issues involved in using an image , such as Copyright or Moral Rights. JISC Digital Media's Web site includes information on these issues.

5. Further Information

Last updated: 10 January 2005
Published in: Managing a project
Tags: business & community engagement | data protection | digital collections

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Comments (0)

Post your comment

How was this document useful to you? Do you have any questions?

Name

Email (required, but will not be shown)

URL (optional)


Please note: All comments are reviewed by a moderator for approval