Legal: Data Protection Act 1998 In this feature exemptions customer protection Information Commissioners Office Data discussions Obtaining information in the course of trading standards investigations is often seen as a hurdle to struggle over. However, according to Richard Roberts, it neednt be T he Data Protection Act 1998 (DPA) is often perceived as overly complex and a source of regulatory burdens. Fortrading standards officers, it can also be seen as an obstacle to obtaining disclosure from organisations in the course of investigations. However, the DPA is an important source of rights for consumers. Through familiarisation with the exemptions relevant to trading standards and the sharing of this information with organisations officers can put themselves in a better position to anticipate problems and, it is hoped, avoid objections to disclosure by data controllers. Initial requests The Data Protection Act 1998 is an important source of of rights for consumers In the course of investigations, trading standards officers will need to contact organisations asking for disclosure of personal data relating to consumers. This is often the case in relation to fraud and scams on vulnerable individuals, where information is sought from banks and other institutions. The response at least initially can be that the organisation feels it cannot comply without breaching the DPA rights ofthe individual consumer. The first data protection principle says data controllers must ensure that at least one of certain specified conditions is satisfied for processing of personal data. Processing is very broadly defined and would include disclosing any personal information. These conditions are set out in Schedule 2 to the act. They include consent from the data subject; exercising statutory, governmental or other public functions; orwhen it is in the legitimate interests of either the organisation processing the data, or the third party to whom the information is disclosed. In some cases it will be possible for the organisation to supply the information to trading standards while ensuring one of these conditions is satisfied. Importantly, however, there are also exemptions to this requirement, on which trading standards officers might in many cases beable to rely on. Exemptions The Information Commissioners Offices (ICO) guidance on the DPA to data controllers states: You may be approached by a third party seeking personal data about one of your employees or customers. For example, the police may want information in connection with an investigation, or an individual may want information to pursue legal action. In such cases, you may choose to disclose the information if the conditions of a relevant exemption are satised. Personal data is exempt from the non-disclosure provisions in the DPA, if the disclosure is for crime prevention purposes and applying those provisions would be likely to prejudice any of the crime and taxation purposes that are defined in the act. The exemption is set out in section 29(3) of the DPA. The ICO has published guidance for data controllers about the crime exemption. This is a useful document for trading standards departments to be aware of, and could even be supplied alongside disclosure requests to organisations that are unsure of their obligations. There is also a potentially relevant exemption in section 35 of the Act if the disclosure is required by law or is necessary for the purpose of legal proceedings, including prospective legal action. This is likely to be of more use if a prosecution or other litigation is under way, or is likely to be under way in the near future. Obtaining data It should be noted that if an exemption does not apply, the data could still be disclosed if the individual to whom it relates consents. Indeed, the best first step in many cases may be for the third party to seek such consent. Although the crime exemption, for example, may assist, it should only be applied to the extent that it is necessary to do so to avoid prejudicing the crime prevention purposes. This means that the data controller making the disclosure must do as much as it can to comply with the usual requirements of the DPA. While data controllers may eventually be willing to comply with a disclosure request from a local authority, it may be worthwhile to include an explanation of the exemption being relied upon, and the relevant guidance, with the initial request for information. The hope is that the more information provided up front, the more likely it is that any potential objections will be resolved before they are even made. If the data controller is able to comply with the Schedule 2 conditions, or the exemption applies, this does not mean it is obliged to disclose the information to a trading standards authority. It simply means that if such disclosure is provided, then the data controller will not be in breach of the DPA. The power to require such disclosure on the part of the trading standards team will be found elsewhere, for instance in Schedule 5 of the Consumer Rights Act 2015. If there is any doubt, advice should be sought from the data protection officer in your authority Retaining information Once you have obtained disclosure, it should be borne in mind that retaining personal information engages an individuals right to respect for their private life. It was decided by the Court of Appeal in 2009 that the retention of photographs of individuals taken in a public place had to be proportionate to the legitimate aim of preventing crime. Whether it is proportionate will depend on the facts in each individual case. This willapply to other types of personal information relevant to an individuals private life. Therefore consideration should be given as to whether information should be retained or deleted after it has been acquired and assessed. A related issue is when information can be disclosed by trading standards teams to others either within their authority or to other agencies. The principles set out above apply. However, if there is anydoubt, advice should be sought from the data protection officer inyourauthority to ensure that you are acting in accordance with itsprocedures. Credits Richard Roberts is a barrister at 36 Bedford Row. Images: vasabii / Shutterstock To share this page, in the toolbar click on You might also like Expanding the enforcement toolkit January 2016