David Miller, Partner at Flint Bishop Solicitors, gives a practical and straightforward guide to the aspects you should consider for your eLearning site when it comes to complying with data protection law.
The Basics (Part 1)
The law around data protection can seem very complex and confusing, and many organisations struggle to understand it. Whilst this is sometimes a difficult area of law, there are some basic principles which, if kept in mind, will help you appreciate your obligations.
If you hold or store data (whether gathered through your eLearning site or otherwise) which is personal data (broadly speaking, information relating to living individuals), you are probably a “data controller” for the purposes of the Data Protection Act 1998 (Act). It is on data controllers that the obligations under the Act fall. A data controller must comply with eight data protection principles in relation to the personal data they hold and what follows is a short, non-exhaustive, guide to those principles and complying with them:
1. Fair and lawful processing
The Act requires you to process personal data fairly and lawfully. In practice, this means that you must have legitimate grounds for collecting and using personal data and you must be clear and transparent on how you intend to use the data.
A practical step to take to comply with this principle would be to provide individuals with appropriate privacy notices when collecting their personal data detailing what information you collect and store and what you use it for. These notices should be placed on the front page of your eLearning site and brought to the attention of users whenever you capture data about them personally.
2. Specified purpose
Personal data must be:
- obtained for one or more specified and lawful purposes; and
- not processed in any manner incompatible with that purpose or those purposes.
Organisations should be open about their reasons for obtaining personal data and what they do with the information must be in line with the reasonable expectations of the individuals concerned.
The Act specifies two ways in which you can specify the relevant purpose for obtaining personal data:
a) in a privacy notice given to individuals at the time their personal data is collected; or
b) in a notification given to the Information Commissioner.
3. Adequate, relevant and not excessive
The personal data you hold must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. You should therefore ensure that where you hold personal data about an individual:
- that data is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose. Any excess information should be securely disposed of.
4. Accurate and up to date
Personal data must be kept accurate and, where necessary, up to date. To comply with this principle, you should:
- take reasonable steps to ensure the accuracy of any personal data you obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information and, if it is, update it promptly.
5. Not be kept for longer than necessary
Personal data processed for any purpose must not be kept for longer than is necessary for that purpose. The Act does not set out any specific minimum or maximum periods for retaining personal data. In practice, it therefore means that you will need to:
- review the length of time that you keep personal data;
- check whether you are under any obligation to keep the data for any particular length of time (whilst the Act may not spell out a timetable other laws or codes of practice may do);
- consider the purpose for which you hold the information in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose; and
- update, archive or securely delete information when you have held it for the maximum period.
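The review steps above can be turned into a routine job rather than a one-off exercise. The following is an added example and not code from the original article or from any particular LMS: it assumes a record layout (subject, stated purpose, last date the data served that purpose, legal-hold flag) and a hypothetical retention table keyed by purpose; the periods in the table are illustrative, since the Act itself sets none and the real figures come from your own review and from any other law or code of practice that applies.

```python
"""Retention review for personal data held by an eLearning site.

Added example (not from the original article). Record layout, purpose
names and retention periods are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Hypothetical retention periods per purpose stated in the privacy notice.
# The Act sets no periods; these stand in for the outcome of your review.
RETENTION: Dict[str, timedelta] = {
    "course_enrolment": timedelta(days=2 * 365),
    "certificate_issue": timedelta(days=6 * 365),
    "marketing_consent": timedelta(days=365),
}


@dataclass(frozen=True)
class Record:
    subject_id: str
    purpose: str               # purpose the data was collected for
    last_used: date            # last date the data served that purpose
    legal_hold: bool = False   # another law or code requires it to be kept


@dataclass(frozen=True)
class Decision:
    subject_id: str
    purpose: str
    action: str   # "keep", "delete" or "review"
    reason: str


def review(records: List[Record], today: date) -> List[Decision]:
    """Decide, record by record, whether the retention principle lets us keep it."""
    decisions: List[Decision] = []
    for r in records:
        period = RETENTION.get(r.purpose)
        if period is None:
            # A purpose with no agreed period is itself a finding: the data
            # may be held without a specified purpose, so flag it for review.
            decisions.append(Decision(r.subject_id, r.purpose, "review",
                                      "no retention period defined for this purpose"))
            continue
        expiry = r.last_used + period
        if r.legal_hold:
            action, reason = "keep", "legal hold overrides the retention period"
        elif today >= expiry:
            action, reason = "delete", f"retention expired on {expiry.isoformat()}"
        else:
            action, reason = "keep", f"retention expires on {expiry.isoformat()}"
        decisions.append(Decision(r.subject_id, r.purpose, action, reason))
    return decisions


def apply_decisions(records: List[Record],
                    decisions: List[Decision]) -> Tuple[List[Record], List[Record]]:
    """Split records into those retained and those handed to secure deletion."""
    doomed = {(d.subject_id, d.purpose) for d in decisions if d.action == "delete"}
    kept = [r for r in records if (r.subject_id, r.purpose) not in doomed]
    deleted = [r for r in records if (r.subject_id, r.purpose) in doomed]
    return kept, deleted


# Constructed sample records (fictional subjects, not real data).
SAMPLE: List[Record] = [
    Record("u1", "course_enrolment", date(2010, 6, 30)),
    Record("u2", "course_enrolment", date(2012, 3, 1)),
    Record("u3", "certificate_issue", date(2005, 1, 1), legal_hold=True),
    Record("u4", "analytics", date(2012, 12, 1)),
    Record("u5", "marketing_consent", date(2012, 1, 1)),
]

if __name__ == "__main__":
    today = date(2013, 1, 1)
    for d in review(SAMPLE, today):
        print(f"{d.subject_id:>3} {d.purpose:<18} {d.action:<7} {d.reason}")
```

Running the review on a schedule gives you the written evidence of the periodic check the principle calls for, and the "review" outcome surfaces data nobody has set a purpose or period for, which is usually the data you should not be holding at all. The records returned as deleted still need to be removed from backups and exports according to your own secure-deletion procedure; the script only decides what must go.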
6. Data subjects
The people whose information you hold (called in the Act “data subjects”) have certain rights under the Act. These are as follows:
- a right to access a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damage caused by a breach of the Act.
Where a data subject seeks to exercise a right in relation to data you hold about them you must comply with the Act. This can be a difficult and sensitive area however and we will be posting some further guidance on this soon. We always recommend that you get professional advice before responding to any enquiry by a data subject.
7. Security
Under the Act, appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. You therefore need to ensure that you have appropriate security measures (both physical and technical) in place to prevent the accidental or deliberate compromise of personal data that you hold. This could include locked rooms and filing cabinets (for physical records) and password protection and encryption (for digital information).
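"Password protection" is only a meaningful measure if the passwords themselves are stored in a way that survives the database being copied. The following is an added example and not code from the original article or from any LMS: it shows how an eLearning site's credential store can hash passwords with a per-user random salt and a memory-hard function (scrypt, from Python's standard library), verify them in constant time, and detect stored hashes that need upgrading, including unsalted MD5 hex digests, a format some older systems used. The storage string format and the parameter values are this example's own choices.

```python
"""Salted password hashing for a credential store (added example).

Uses hashlib.scrypt, which requires a Python build linked against
OpenSSL 1.1 or later. Storage format and parameters are this example's
own choices, not any particular LMS's scheme.
"""
import base64
import hashlib
import hmac
import os
import re

# Current work factors. Raising them later is handled by needs_rehash().
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32
SALT_LEN = 16

_LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing string: $scrypt$N$r$p$salt$digest."""
    salt = os.urandom(SALT_LEN)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                        _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in `stored`; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "scrypt":
        return False  # unknown or legacy format: never silently accept
    try:
        n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
        salt = base64.b64decode(parts[5])
        expected = base64.b64decode(parts[6])
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True if the stored value is legacy or weaker than the current parameters."""
    if _LEGACY_MD5.match(stored):
        return True  # unsalted MD5 hex digest: must be replaced at next login
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    try:
        n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
    except ValueError:
        return True
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw :", verify_password("Tr0ub4dor&3", stored))
    print("legacy md5 needs rehash:",
          needs_rehash("5f4dcc3b5aa765d61d8327deb882cf99"))
```

The usual pattern is to call `needs_rehash()` after a successful login and, when it returns True, call `hash_password()` on the password the user has just presented and overwrite the stored value, so weak or legacy hashes are retired without forcing a reset. Encryption of the rest of the personal data at rest and in transit (TLS for the site, disk or database encryption for backups) is a separate measure that this example does not cover.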
8. Transfer outside of EEA
Personal data must not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. A transfer of personal data for the purposes of this principle occurs when information moves from an EEA country to a country or territory outside the EEA. For an eLearning site this includes hosting, backups and third-party services (for example analytics or support tools) located outside the EEA, not only deliberate hand-overs of data.
Given that it’s so brief and general, this article cannot be considered to be definitive legal advice and you should not rely on it. However we hope that you found it useful and, if you do want some more specific or in-depth advice on compliance with the data protection regime, please feel free to contact David Miller on 01332 226466 or at [email protected].
About David and Flint Bishop:
David Miller qualified as a solicitor in 2002 and joined Flint Bishop Solicitors, based in Derby, as Head of Commercial Contracts in January 2011. He advises a wide range of private and public sector clients on commercial contracts, data protection and intellectual property issues. During the course of 2012 David spent several months working as the interim head of UK Legal at publishing giant Lexis Nexis. As well as advising on specific legal issues, David conducts numerous commercial and data protection audits for businesses, ensuring compliance and minimising risk.
We will be publishing Part 2 of David’s guest blog regarding data subject access requests in the coming weeks. So you don’t miss it, stay up to date with our latest advice for your Moodle or Totara LMS site by subscribing to our monthly newsletter here.
If you need to discuss your eLearning platform with our experts contact us on 0330 660 1111 or contact us here.