Keeping an eye on the data bank

Keeping an eye on the data bank

As Data Protection continues to permeate different areas of business, Mark Smulian warns solicitors to be aware of the implications and liabilities in this changing area of law.

Little more than 20 years ago, most computers were the size of a bungalow and needed squads of technicians in white coats to perform mysterious tasks to keep them running.

Now, hardly a business in the country has not embraced information technology.

As the pace of change in IT has become ever more relentless, so the law regulating its use has grown in both size and the range of legal work on which it impinges.

This is a rapidly growing area of the law, and even solicitors whose work has no direct bearing on IT are likely to need to get their heads around data protection.

It is changing all the time.

A few examples include new rules to toughen up e-mail marketing which take effect in October, the Home Office's efforts to acquire controversial powers to require telecommunications records to be kept by carriers, and rulings on privacy rights may affect data protection too.

But at its simplest, solicitors' firms need to be registered as 'data controllers' with the Information Commissioner, Richard Thomas, himself a former solicitor and head of public policy at City giant Clifford Chance.

Even a list of client details held on a computer ensnares a solicitor in data protection law.

Last October, a survey by the then Information Commissioner Elizabeth France suggested that only 25% of law firms had registered as 'data controllers'.

While the commissioner's office does not have more recent figures, his legal adviser, Nick Tyler, suspects that things are only improving slowly.

'I would say that all firms of solicitors should be registered,' says Mr Tyler.

'The only exception would be if there are no computers in their office, which I should think is pretty unusual.'

The commissioner will be making fresh efforts to ensure compliance this year and has, rather perversely, been assisted by the scam in which people with no official standing have written to solicitors demanding payments of registration fees.

Mr Tyler says: 'The bogus data protection agencies are nothing to do with us, but their letters have raised our profile.'

It is not just law firms that are affected.

Exeter practice Foot Anstey Sargent found in a survey that only 30% of the region's top 100 companies had complied, which could see the other 70% needing legal advice if they face action by the commissioner.

This confusion about who needs to be registered for what typifies the lack of clarity in this area of law, with solicitors often being called on to make subjective judgements.

Peter Hall, a partner at Birmingham-based Wragge & Co, says: 'Data protection seems a bit dry and technical to some solicitors as a practice area and it can be difficult to advise clients because the law is not always clear-cut.

'It is more like risk management than giving black or white legal advice.

You need to know the area backwards, not just the law but all the regulatory stuff and codes of practice, and be able to offer practical advice from that.

That is a difficult skill to learn.'

Wragges tries to ensure that all its staff keep abreast of data protection law, not just the specialists.

'We take the view that it is a basic requirement for anyone dealing with employment to have a fundamental knowledge of it, and others should have whatever knowledge they need,' he says.

James Davies, joint head of the employment and incentives department at City firm Lewis Silkin, says: 'One of the biggest issues is data subject access requests, which are issued under the Data Protection Act 1998, for personal details held by employers.

'Employees use it to obtain information or just to see what is there that might be useful in any dispute.'

The rules on what data has to be disclosed are 'quite complex and unclear', Mr Davies says, with the result that aggrieved employees will make requests to employers as a way of applying pressure.

Another major issue is the processing of sensitive data on employees' health, sex life, criminal records, religion or trade union affiliation.

Mr Davies says: 'The law is flawed because employers thought they had the right to process this data by securing the consent of the individual, but it is difficult to say consent is freely given if it is part of a contract and the employee does not get the job unless they sign.'

He sees data protection as an area of law that will grow as the public comes to understand its rights more fully and starts to use them.

'Lawyers will have to become skilled at understanding it.

Once an employer gets a claim they start to take the issue seriously, and I do think they are not aware yet of the extent this could be used to advance a claim against an employer,' he says.

Eduardo Ustaran, senior assistant at City firm Berwin Leighton Paisner, deals with a quite different area - the way businesses use information about customers.

'To exploit the information, they have got to do it in a way that conforms with data protection law,' he says.

'Data protection is about being transparent and telling people what you are doing with data on them, what it is being used for and by whom, so the main pitfall is not telling people.'It is not a matter of black and white and it is very important to use common sense.

It is very subjective.'

Mr Ustaran says good data protection lawyers are those who can 'understand what their client wants and also what is required from the consumer viewpoint.

They have got to be able to see both sides quite clearly'.

Multinational clients wishing to transfer data abroad and use it globally face problems as data may only be removed from the European Union if the recipient country has the same quality of data protection.

'Since the EU has one of the strictest regimes, it is very difficult to find another jurisdiction that meets that standard.

There are ways round it but they require quite a bit of work,' says Mr Ustaran.

The other big issue he sees coming is marketing by e-mail.

When the Privacy and Electronic Commerce Regulations take effect in October, it will be a requirement to get a recipient's consent in advance.

This anti-spam measure means things will be 'radically different from today where e-mail has been used freely unless a recipient asks you to stop.

There is no doubt it will affect loads of businesses', he says.

Solicitor Sue Cullen, who is City firm Masons' data protection officer, says the most complex issues arise when data is sent elsewhere.

This applies to outsourcing contracts, where data held on the public is transferred to a third party for processing, and where data is sent abroad.

She warns: 'Whatever the type of business, data protection is an issue.

The legislation bites as soon as you have a database with personal details on it, and if you want to use that abroad it bites very hard indeed.'

Simon Chalton, a consultant to City firm Bird & Bird, sees data protection as 'a subset of privacy law'.

He thinks it will change radically if the House of Lords holds in the case of Wainwright v Home Office that there is a free-standing right of privacy in English law.If the Home Office loses the case, which concerns strip-searching during a prison visit, 'all sorts of things will change', says Mr Chalton.

He explains: 'The first data protection principle states that data must be fairly and lawfully processed, and "processing" is very widely defined.

If the House of Lords says English law respects a right to privacy, then he maintains that the scope of information covered by data protection law would be greatly widened.

As the speed and sophistication of IT increases, and the law struggles to keep up with the pace of change, the one certain thing is that a knowledge of data protection will be essential to all solicitors - unless they really do have no computers in the office.

Mark Smulian is a freelance journalist