Data Protection - What the regulations say
This information accompanies the online data sharing best practice guidance commissioned by ACE
The guidance cannot be relied upon as legal advice. This site gives guidance as to how to follow best practice. Organisations should follow the guidance, but as compliance is context sensitive, the Independent Commissioners Office must judge any complaint on its own merits, and organisations in need of context or situation specific legal advice should seek it from an appropriately qualified source.
Download the Legal Information in PDF format
This information sets out the relevant elements and obligations of the regulations governing the use of data for marketing and audience development purposes. It relates to each stage of the data journey (which is described in the best practice guidance here including data collection, permissions gathering, storage, sharing and uses.
For further resources, visit the Information Commissioner's Office website.
1.1 Brief introduction to the UK data protection regime
The Data Protection Act 1998 (the ‘DPA’) implemented the EU Directive 95/46/EEC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This replaced the UK's previous Data Protection Act 1984 in its entirety. The overarching purpose of the EU Data Directive was to introduce an extensive data protection regime by imposing broad obligations on those who collect personal data, as well as conferring broad rights on individuals about whom data is collected.
The new General Data Protection Regulation (679/2016/EU) (GDPR) will replace the DPA and bring with it significant changes to the data protection framework within the European Union. The GDPR will be enforceable by the Information Commission in the UK as of 25 May 2018.
Brexit and GDPR
Given the timing of the UK’s proposed separation from the EU, the GDPR will have already taken effect in the UK. However, at the time of the UK’s exit from the European Union the GDPR would cease to apply without UK legislation adopting the GDPR’s provisions (the DPA would continue to apply because it is an act of Parliament). The prevailing view is that the UK will adopt the GDPR by way of domestic legislation so as to ensure consistency with the EU. That will enable data to continue to be sent between the UK and the EU in much the same way as was the case before Brexit. We await clearer guidance on the issue.
Key definitions used by the DPA
A brief review of some of the key terms used by the DPA is probably helpful:
The person who either alone, jointly or in common with other people determines the purposes for which and the manner in which any personal data is processed. A party may be a Data Controller, even if the information concerned is held by somebody else. There can be more than one Data Controller in respect of a piece of data.
Most, if not all, of the principal obligations in the DPA fall to the Data Controller.
In the cultural sector this is commonly (but not exclusively) an organisation managing ticketing transactions, most often the presenting venue.
A data processor processes personal data only on behalf of a data controller.
An identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Any information relating to a data subject.
Personal data is data relating to living individuals who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Data is also defined in the DPA as information which is being processed by means of equipment that operates automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment. The DPA therefore applies to automated data, such as that stored on a computer. It also extends to certain manual records.
The DPA imposes some additional obligations on the Data Controller in relation to ‘sensitive personal data’. Sensitive personal data is data which relates to race, political opinions, health, sexual life, religious and other similar belief, trade union membership and/or criminal records.
The data protection principlesFollowing the introduction of the GDPR, seven data protection principles will apply. The seven principles require that:
1. personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 5(1)(a)).
2. personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes. (Article 5(1)(b).)
3. personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c)). The introduction of a "necessity" requirement is likely to make it more difficult for data controllers to collect data for some general or as yet unspecified future use.
4. personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (Article 5(1)(d)).
5. personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Article 5(1)(e)). Personal data may be stored for longer periods provided it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is subject to the implementation of appropriate data security measures designed to safeguard the rights and freedoms of data subjects.
6. personal data must be processed in a manner that ensures its appropriate security (Article 5(1)(f)). This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In this regard, data controllers and processors must use appropriate technical or organisational security measures.
7. the data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles (Article 5(2)).
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’)
The PECR are not relevant to all data protection matters but the Regulations do complement the DPA by giving more specific rights in respect of electronic communications.
The PECR principally cover the following areas:
- Marketing by electronic means, including marketing calls, texts, emails and faxes.
- Security of public electronic communications services.
- Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return) and directory listings.
2.1 The Data Journey – an overview of the law
As data is legitimately put to practical use by cultural organisations it passes through several stages of a journey - from collection, to use, via permissions gathering, storage and sharing. This diagram charts the journey, highlighting at each stage factors which the legislation governing the use of data touches upon.
Cultural organisations which collect, store, use or share their customers’ personal information should be familiar with their obligations at each stage. The following sections of this document set out the relevant regulations that apply at each stage.
For example, when collecting data from their patrons, organisations should be aware of what constitutes personal data; what does and does not fall under the provisions of the regulations that protect the rights of the person to whom that data belongs, the ‘data subjects’.
It is imperative that the organisations collecting the data gain the right permissions from the data subjects at this stage. This ensures the data can be processed and put to use legitimately and in compliance with good practice. Patrons must be given adequate notification of the intended uses of their data. The process for providing this and the content of ‘notification statements’ will need to change according to the context in which the data is being collected, and in relation to the particular communication channels to be used.
It is important to note that there are certain items of information about individuals that constitute sensitive data (as defined by the regulations). These have specific implications and obligations for data controllers.
The regulations also address the manner in which data is stored and maintained to ensure that it is kept securely and that it remains clean and relevant.
The potential to then use or share data is wholly governed by notifications given and the permissions obtained.
3.1 Collecting data overview
There are various different channels through which arts organisations may interact with their audiences, and at which data may regularly be collected from those audiences.
Principally, these points tend to be focused around the point of sale for event tickets, which may happen in person over the counter, over the telephone or online. Data is also regularly collected through audience surveys.
The specific context determines to some extent the type of data that will most likely be collected from the audience. It also determines the specific means in which information notifications can be given to the audience that explain why the data is being collected and how it will be used.
For example, over the counter transactions allow staff to talk to customers about how their information is being used,and in which returning customers can also be recognised and their records looked up to attach the new transaction, saving the need to repeatedly ask for certain information about the customer.
In online transactions, however, there is a specific need and opportunity to build into the booking procedure processes which first recognise returning customers, and then present (or not) the necessary notifications, and permission gathering mechanisms as appropriate to the individual.
Aspects of Data Protection legislation address the type of data that may be collected, its storage and management and the reasons for collecting it. The legislation also covers the information that should be given to the customer and the permissions that must be sought from the customer in relation to how the data will be used.
The different contexts in which data is collected are sometimes governed by different pieces of legislation. The following is an overview of the legal obligations in relation to the collection of data.
3.2 The law relating to data collection
The moment you collect data from a customer, this constitutes ‘processing’ under the DPA.
The point at which the data is obtained from the customer (and even beforehand) is arguably the most important part of the data journey. This is because what is agreed with the data subject at the point of data collection will largely govern what can and must happen to the data thereafter.
In order to comply with the first data protection principle (fairness and lawfulness), the law requires that the data subject is provided with the following (as a minimum):
The identity of the organisation that controls the processing;
- The purpose(s) for which the data will be processed; and
- Any further information necessary in the circumstances to ensure the fair processing of the data.
The most common and effective way of providing the data subject with any or all the above information is by way of a privacy notice. If the data is going to be used in a way in which the data subject can expect, it is generally enough to simply make the privacy notice available for the data subject to access. However, if you are doing any of the following then you should actively communicate the privacy notice to the data subject:
- sharing sensitive personal data; or
- sharing is likely to be unexpected or objectionable; or
- sharing the data, or not sharing it, will have a significant effect on the individual; or
- the sharing is particularly widespread, involving organisations individuals might not expect; or the sharing is being carried out for a range of different purposes.
Examples of active communication are sending a letter, reading out the privacy notice or sending an email. The third data protection principle also requires that the data collected be “adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”. This principle is best complied with prior to collecting the data, by giving thought to what information you require from the data subject in order to meet the objectives that the data is to be used for, such as information customers of a forthcoming show to sell tickets. You should then take no more data than is necessary for that purpose(s).
4.1 Permissions overview
The basic principles of the Data Protection Act say that people should know who is processing their personal information and for what purposes, what the results will be and that people should be able to agree to what happens to their personal information.
Therefore, how data from customer records can be used for marketing and audience development purposes, rely entirely on;
- the circumstances in which the data in the records was captured,
- the notifications given to the customer at the time
- The permissions obtained.
Good practice dictates that the permissions sought should be specific about who is going to be using the customers’ data and specific about what they are using it for. It’s therefore important that the notifications given to customers are clearly presented at the right point of the customer interaction and that they allow the organisation to safely use the data for the required purpose.
Opt in or Out?
Sometimes there can be confusion about whether customers are expected to ‘opt-in’ or ‘opt-out’ of certain uses of their personal information.
Past good practice guidance has also highlighted some specific circumstances in which organisations can reasonably ‘assume’ that customers have ‘opted-in’, or in which there is a ‘soft opt-in’ (which may be assumed because the appropriate notifications have been made), but in which a particular permission has not explicitly been sought.
These situations can be complicated further when both a presenting venue and a touring company wish to share and use the same customer data. Moreover, the appropriate application of these ‘assumptions’ are precise to the context in which the transaction is taking place.
In simple terms, this section explains what the law says customers need to know and agree to about how their data is going to be used. It also sets out what the law says about the types of use for which permission must be sought, and also what the legislation says must be done to enable organisations to share customers’ personal information.
The guidance then details the practicalities which should be followed to enable organisations to gain the right permissions to enable them to use and share their customer data whilst ensuring compliance with the legislation.
4.2 The law relating to permissions
There is a fundamental difference between:
- Informing a data subject how you are going to use their data
- Getting the data subject’s consent to that use.
There is no definition of consent in the DPA. However, the accepted definition is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." Meaning you need to be clear about the use of the data to the customer at the specific data collection point.
The consent given by the data subject must also be unambiguous.
The DPA sets out a number of grounds on which the lawfulness of the processing can be established. One of those grounds is consent. As such, if the data subject gives consent to the processing of their data then the lawfulness element of the first data protection principle is adhered to.
When should consent be obtained?
There is an element of unresolved conflict here between the UK and EU positions. The position adopted by the EU Article 29’s Working Party on the definition of consent, is that consent should be obtained prior to any data processing unless any of the other legitimising grounds in the DPA apply.
What constitutes valid consent?
Freely given consent
This means that:
the data subject has a real choice about whether to consent to what the data controller wants to do with the data; and there is no risk of deception, intimidation, coercion or significant negative consequences if the data subject does not consent.
In order to be specific, consent must be given with respect to the type of personal data that is processed and the exact purpose for which it is processed. Different aspects of the processing must be clearly identified. Blanket consent for an open-ended set of processing activities is not sufficient. For example, you cannot simply share information with every touring company because you have specific agreement for one. This means that the consent obtained must refer clearly and precisely to both the scope and the consequences of the data processing.
If the data controller proposes to use the same data for a purpose which is somewhat different to the purpose covered by the original consent, then it may be possible to rely on the original consent so long as the subsequent processing falls within the reasonable expectation of the data subject at the time the consent was given.
The most effective way of ensuring that informed consent can be given by the data subject is for the data controller to express the information in a clear and understandable way. The information should also be readily accessible (this links to active communication that was discussed in 3.2 in relation to permissions).
In short, this means that the indication by which the data subject signifies their agreement to the data processing must leave no doubt about the fact that the data subject does in fact agree to that processing.
Consent and the rest of the DPA
It is important to note that obtaining consent from the data subject does not relieve the data controller of the other obligations imposed by the DPA. The data protection principles still apply to data that has been obtained when the legitimising ground for processing is consent.
5.1 Data storage overview
With arts organisations collecting, processing and using increasing volumes of customer data, it is important to consider what data is stored how and where it is stored and managed to ensure compliance with the Act’s stipulations on the adequacy and accuracy of data. The Act is also concerned with the security of data, to ensure it cannot be accessed or processed by anyone without permission to do so and to ensure the safety and integrity of data in the event that it is shared with any third parties.
5.2 The law relating to data storage
The seventh data protection principle states that organisations that process personal data must take "appropriate technical and organisational measures" to protect that data against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to personal data.
It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of the processing of personal data.
The DPA 1998 does not define ‘appropriate technical and organisational measures’. However, the interpretive provisions of the Act state that, in order to comply with the seventh data protection principle, data controllers must take into account the state of technical development and the cost of implementing such measures.
A data controller must also take reasonable steps to ensure the reliability of any employees who have access to personal data. Additionally, the data controller is responsible for ensuring that any data processor it employs takes the necessary steps to ensure the controller’s compliance with the seventh data protection principle.
Overall, the security measures adopted must ensure a level of security appropriate to both:
the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of personal data; and
the nature of the personal data to be protected.
In terms of what organisations should do if there is a breach, organisations would be well advised to have a data breach response plan in place to enable them to respond to a data breach swiftly and effectively.
The Information Commissioner suggests that in order to appropriately manage a breach of security, an organisation should:
- Adopt a recovery plan, including damage limitation.
- Carry out an assessment of any ongoing risks associated with the breach.
- Consider whether a breach of security should be notified, who should be notified and what information should be given, including specific advice to individuals on the steps they can take to protect themselves.
- Evaluate the cause of a breach and the effectiveness of its response to it.
The fifth data protection principle (data should be kept no longer than is necessary) is also important to bear in mind in terms of a Data Controller’s obligations as far as storage is concerned.
6.1 Data sharing overview
The sharing of customer information is permitted in compliance with the Data Protection Act, provided that the appropriate procedures have been followed. It is absolutely the case that venues can share customer data with touring companies, (and vice versa) should they wish to, as long as the customer has received the appropriate notifications at the appropriate time, and the relevant permissions have been obtained.
Arts organisations appear to discuss the ownership of “customer” records, but what should be understood is that the customer owns their data, and the law puts them in charge of granting permissions for its usage.
No organisation is an “owner” of the data, but is responsible for controlling the use of the data they have in their customer records in accordance with the customer’s wishes and the relevant regulations.
The customer is the first party in transactions, and the organisation they are transacting with is the second party; in the case of ticket purchases the organisation actually selling the ticket and directly receiving the income is the second party. The second party is the Data Controller and must manage the arrangements for data sharing and any practicalities to obtain additional permissions.
6.2 The law relating to data sharing
Data sharing essentially relates to the disclosure of data between parties. Sometimes, the disclosure of data within an organisation can even constitute ‘sharing’ data for the purposes of the DPA. Sharing data can be systematic, ad-hoc or on a one-off basis.
In a data-sharing context, it is important to recall that there can be more than one Data Controller in respect of the same item of data. In the context of a venue sharing data with a touring company, both parties will likely be Data Controllers.
Analysis of prospective data sharing
What is the reason for sharing the data?
Identifying the objective of sharing data is central to dealing with the data in a way which complies with the DPA, especially the first data protection principle. Without knowing the aim of disclosing the data, one cannot properly analyse the process with a view to verifying that it is compliant.
Privacy Impact Assessments
Although it is not a specific requirement of the DPA, it is considered good practice for organisations that are intending to share data (whether as the discloser or the recipient) to carry out a privacy impact assessment (a ‘PIA’). The PIA should seek to address the risks of sharing the data and the risks of not sharing it. This would include weighing up the potential benefits that the data sharing might bring to society and individuals against the negative effects or likelihood of damage, distress or embarrassment to individuals and the potential harm to an organisation's reputation if the information is incorrectly shared or not shared at all.
The types of issues that might be addressed as part of a PIA are:
- What information needs to be shared? Does all of the data that you hold about a person need to be shared with the third party in order to achieve the objective that the disclosure is designed to achieve?
- Who requires access to the shared personal data? Does the party with whom you are proposing to share the data need it or do they just want it?
- When should it be shared?
- How should it be shared? Consider the security framework relating to how the data is to be disclosed and then stored by the receiving party.
- What risk(s) does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine individuals’ trust in the organisations that keep records about them?
- Could the objective be achieved without sharing the data or by anonymising it?
Processing the data
In accordance with the first data protection principle, one of a number of conditions needs to be satisfied in relation to processing the data. The relevant conditions are as follows:
- The data subject has given their consent to the processing of their data. Where personal data is shared by way of a legitimising condition other than that of consent, it is recommended good practice to keep a record of the basis upon which it is shared.
- The processing is necessary in relation to a contract which the data subject has entered into or because the data subject has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to the party proposing to disclose the data (except an obligation imposed by a contract).
- The processing is necessary to protect the individual’s ‘vital interests’ (effectively cases of life or death).
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the ‘legitimate interests’ condition. The ‘legitimate interests’ condition provides grounds to process personal data in a situation where an organisation needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party that the information is disclosed to. This condition cannot be satisfied if the processing prejudices the rights and freedoms or other legitimate interests of the data subject.
Whilst it is feasible to rely on any of the above conditions, it is obviously preferable to obtain the consent of the data subject to the processing and sharing of their data (for more on this, please refer to the chapter regarding the collection of the data).
Fair and Lawful processing of data in a sharing context
Although these two elements of the first data protection principle are of general application, they perhaps come into sharper focus in a data sharing context. As such, it may be useful to consider both elements separately.
The DPA does not define what is ‘fair’. However, in circumstances where the data is obtained directly from the data subject the DPA states that personal data is only fairly obtained if the data controller provides the data subject with certain fair processing information about how, why and by whom their personal data is to be processed (see the chapter regarding ‘permissions’).
This information is usually given by the data controller by way of a privacy notice (see 3.3). In the context of data sharing, the privacy notice should contain (in addition to the matters identified above):
Details of the data controller’s identity;
Information regarding how the data is to be used including why the data is to be shared in the way proposed and which organisations the data is to be shared with (in respect of this latter point, information could just be given regarding the type of organisation that the data controller may share the data with).
More broadly, fairness in a data sharing context means that personal data should be shared in a way that is reasonable, that individuals would be likely to expect and would be unlikely to object to. In particular, and importantly, the data subject should not be deceived or misled about the purpose for which their data is to be processed.
Processing data in a lawful way has two main strands to it:
(i) Data must only be dealt with according to the law;
(ii) Processing of the data must be premised on one of the legitimising conditions (see above).
What if there is a change to the original circumstances in which the data was collected?
In this context, data controllers should be aware that any new additional data sharing arrangements must comply with the second data protection principle (data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes). In short therefore, the data must not be processed for a purpose other than that for which it was originally collected or one that is not incompatible with it.
To establish whether a further processing operation is compatible with the original purpose, the data controller must carry out a compatibility assessment. The processing of personal data in a way that is incompatible with the purpose specified at collection is unlawful and therefore not permitted.
It is important to note here that a data controller cannot simply consider the further processing as a new processing activity and therefore rely on a different legitimising condition. For example, if the data controller originally relied on a consent as the lawful basis on which the data was to be processed, but the proposed secondary processing is for a purpose outside of the scope of the original consent, the data controller cannot then rely on the ‘legitimate interests’ condition in order to legitimise the further processing.
There are some exceptions to this, the most relevant one in our context being that the further processing of data for research purposes is permitted even if research was not the original purpose for which the data was obtained.
It is important to have governance procedures in place to ensure the quality of the data that you hold, especially if you are planning to share the data. It is worth recalling the third (data must be adequate, relevant and not excessive in relation to the purposes for which it is processed), fourth (data must be accurate and, where necessary, kept up to date) and fifth (data must not be kept for longer than is necessary) data protection principles in this context.
For example, if one is sharing data then consideration should be given to what data is necessary to share (in order to comply with the third data protection principle).
Data sharing agreements
There is no formal legal requirement for the parties to a data sharing arrangement to enter into a written agreement. The Information Commissioner’s Office Data Sharing Code says that drafting and adhering to a data sharing agreement will not in itself provide any safety from action under the DPA but the ICO will take it into account if it receives a complaint about an organisation's data sharing activities.
7.1 Overview of data uses
As we have noted, the potential for organisations to use (and share) customers’ personal information for contact purposes is dependent entirely on the notifications that were given to the customer and the permissions obtained from them.
7.2 The law relating to data uses
The uses to which the data can be put will depend upon the condition which legitimises the processing of the data (for example, consent or the legitimate interests condition). Suffice is to say that whatever the condition relied on that legitimises the processing, the use to which the data is put must (subject to what is written below regarding exemptions) comply with that legitimising condition.
There are, however, exemptions to certain of the DPA’s obligations that may enable the data controller to deal with the data in a way that would, but for the exemption, be inconsistent with certain parts of the Act. For the purposes of this DPA guidance we will focus on the exemption relating to research.
There is no definition of research in the DPA, but it does include statistical analysis.
The first point to note is that the research exemption only exempts the data controller from complying with the second and fifth data protection principles and Section 7 of the Data Protection Act. The remaining principles of the DPA apply to the data even if it is used for research purposes. As such, the data controller must still have a legitimising condition in relation to processing the data in order to render the processing lawful, as required by the first data protection principle. Researchers often rely on the ‘legitimate interests’ condition when seeking to satisfy the first data protection principle regarding research or statistical analysis so that further consent from the data subject is not required in order to conduct the research. There is no blanket rule that this approach is satisfactory; a case-by-case analysis must be undertaken. More stringent conditions continue to apply if the data is sensitive personal data.
With regards the application of the research exemption, the second data protection principle states that data must be obtained only for specified lawful purposes and not further processed in a manner which is incompatible with those purposes. However, further processing which is only for research purposes and which has not been expressly authorised by the data subject is not incompatible with the second data protection principle so long as the following two conditions are met:
- The data is not processed to support measures or decisions with respect to particular individuals
- The data is not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
Additionally, if the data is used for research purposes then:
- It can be kept indefinitely in connection with the research purpose (whereas the fifth data protection principle usually requires data to be kept by the data controller for no longer than is necessary); and
- The data is exempt from the data subject’s right to access their own data so long as the conditions referred to above are met and the results of the research or any resulting statistics are not made available in a form which identifies the data subject(s).