Understanding and Complying with Data Protection and Libel Laws
Andrew Charlesworth
Director, Information Law and Technology Unit
University of Hull Law School
The following constitutes the notes and text from the slides from Andrew Charlesworth's presentation at Facing the Legal Challenges of Providing Internet Access in HEIs, organised by The JISC with support from UKOLN.
Data Protection
- One of the most attractive aspects of the WWW is the relative ease with which even users with limited on-line experience can access and download data.
- Official webservers containing information about institutions, their courses, staff, and other attractions - PR
- More proficient webpage providers are developing ever more sophisticated methods of collecting data from individuals browsing their output.
- "sign the visitors' book" by leaving their name, institution, and possibly an e-mail address.
- offering goods for sale, and accepting names, addresses and credit card numbers via the "forms" mechanism offered by some browsers
The Data Protection Act 1984 Definitions
- "data" means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions - Sec 1 (2).
- "personal data" means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user) including any expression of opinion about that individual but not any indication of the intentions of the data user in respect of that individual - Sec 1 (3).
Definitions II
- "processing" means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject - Sec 1 (7).
- "data user" means a person who holds data. A person holds data if: the data form part of a collection processed or intended to be processed on behalf of that person; that person controls the contents and use of the data; and the data are in a form through which they can be processed, or have already been processed and are being held with a view to further processing.
The Data Protection Principles
- Registered data users must comply with the Data Protection Principles in relation to the personal data they hold. Broadly they state that personal data shall:
- Be obtained and processed fairly and lawfully.
- Be held only for lawful purposes which are described in the register entry.
- Be used or disclosed only for those or compatible purposes.
- Be adequate, relevant and not excessive in relation to the purpose for which they are held.
- Be accurate and, where necessary, kept up to date.
- Be held no longer than is necessary for the purpose for which they are held.
- Be held in a manner which allows individuals to access information held about them and where appropriate correct or erase it.
- Be surrounded by proper security.
Exemptions from registration
- Exemptions from registration are relatively limited in scope.
- national security (sec 27)
- payroll and accounts (sec 32)
- domestic and other limited purposes (sec 33)
- other exemptions (sec 34)
- It is unlikely that HR use of personal data on an intranet would fall within these exemptions.
Enforcement
- To enforce compliance with the Principles, the Registrar can serve three types of notice. They are:
- An enforcement notice, requiring the data user to take specified action to comply with the particular Principle.
- A de-registration notice, cancelling the whole or part of a data user's register entry.
- A transfer prohibition notice, preventing the data user from transferring personal data overseas if the Registrar is satisfied that the transfer is likely to lead to a Principle being broken.
- Failure to comply with the terms of a particular notice is a criminal offence.
- A data user on whom a notice is served is entitled to appeal against the Registrar's decision to the Data Protection Tribunal.
The EC Directive
- All the EC Member States are party to the Council of Europe's Convention on the Automated Processing of Personal Data. The contents of national statutes are, however, varied. Those discrepancies were identified by the Commission as constituting an impediment to the attainment of the Single Market.
- The European Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted by the Council of Ministers on October 24, 1995. (Directive 95/46/EC, OJ 1995 L281 p. 31)
- Member States are obliged to implement the provisions of the Directive by 1998.
Features of the Directive
- The Directive applies to all situations where data is processed wholly or partly by automatic means.
- It also applies to manual systems where data is held as part of a structured filing system.
- Processing of data will be legitimate only in certain specified situations, although there are a number of proposed exceptions.
- Certain data such as indications as to 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sex life' is regarded as particularly sensitive, and may only be processed with the explicit consent of the data subject.
Features of the Directive II
- Limits are placed on the use of data processing equipment to make decisions which may adversely affect a data subject. Automatic processing will not be permitted as the sole basis for making such a decision, although this may be subject to certain exceptions.
- The Directive requires a national independent supervisory agency to oversee the operation of data protection legislation.
- However, the Directive is likely to make a significant change to the current UK registration system, as it proposes a three tiered supervisory regime.
The Proposed Supervisory Regime
- Processing operations which do not unduly affect the data subject may not require registration, although the data user may be required to appoint a 'personal data protection official' to oversee operations.
- Processing operations which have some implications for data subjects will be required to notify the national supervisory agency of certain details of their activities, especially security measures.
- Processing operations which carry significant implications for the data subject will require checks by the national supervisory agency before processing occurs.
- There will be a publicly accessible register.
Compliance under the DPA 1984
- If personal data to be placed on the Internet or on an Intranet allows the identification of data subjects, or if combined with other data held by the data user would permit such identification, registration is required.
- An organisation should have a DP Officer with responsibility for ensuring personal data on the Internet or on an Intranet is:
- held in conformity with the registration
- used in line with the Data Protection Principles
- Security of an Intranet (i.e. a HR Intranet) is particularly vital. Data should not be accessible to "outsiders". Both tangible and intangible security should be considered.
- Ensure there is a clearly identifiable system in place for dealing with data subject requests and complaints.
Compliance under EC legislation
- Implementation of the EC Directive will result in a tightening of UK data protection law; however, compliance with existing law will go a long way to meeting its requirements.
- Important potential changes:
- Wider scope of data covered
- Wider scope of "processing"
- Data subject to be given more information at time of data collection
- Data subject allowed to object to lawful processing
- Tighter conditions on processing of sensitive data
- Limits on use of data for direct marketing
Compliance under EC legislation
- Examine and understand the workings of, and relationship between, the electronic and manual systems of data processing within the organisation.
- Examine data currently held for "sensitive" status - is it necessary to hold such information?
- Ensure data collection mechanisms, electronic and manual, clearly state purpose for which data is collected and uses to which it may be put.
- Ensure there is a clear system in place, run by a readily identifiable individual, for dealing with user requests for access, amendment and deletion.
- Establish a "Code of Conduct" within the organisation for personal data use.
Conclusion
- Data Protection law is currently not difficult to comply with, but should nonetheless be treated seriously. The role of Data Protection Officer should not be given to the office junior. Compliance with an organisational "Code of Conduct on personal data use" might perhaps be a condition in employment contracts.
- Future developments are likely to place higher burdens on the data user, so the cost of compliance with the law should be included in Intranet and related budgets.
- Organisations will have to think carefully about both their existing data holdings, and future data acquisition strategies.
Notes
The Law of Defamation
Libel
Constituents of Libel
- "Libel consists of a defamatory statement or representation in permanent form ... Any thing temporary and audible only is slander. Statements in books, articles, newspapers and letters are libels"
- Is the allegation complained of defamatory as opposed to vituperative/abusive?
- Does the defamatory statement refer to the plaintiff?
- Has the defamatory statement been made known to others - has it been published?
- "every repetition is a fresh publication giving rise to a fresh cause of action against each successive publisher. Thus not only the author of an article, but the editor, printer and publisher are also liable."
The Defamation Act 1996
s1. - (1) In defamation proceedings a person has a defence if he shows that-
(a) he was not the author, editor or publisher of the statement complained of,
(b) he took reasonable care in relation to its publication, and
(c) he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement.
The Defamation Act 1996
s1(2) For this purpose "author", "editor" and "publisher" have the following meanings, […]
"author" means the originator of the statement, but does not include a person who did not intend that his statement be published at all;
"editor" means a person having editorial or equivalent responsibility for the content of the statement or the decision to publish it; and
"publisher" means a commercial publisher, that is, a person whose business is issuing material to the public, or a section of the public, who issues material containing the statement in the course of that business.
The Defamation Act 1996
s1(3) A person shall not be considered the author, editor or publisher of a statement if he is only involved-
(a) in printing, producing, distributing or selling printed material containing the statement;
[...]
(c) in processing, making copies of, distributing or selling any electronic medium in or on which the statement is recorded, or in operating or providing any equipment, system or service by means of which the statement is retrieved, copied, distributed or made available in electronic form;
The Defamation Act 1996
s1(4) Employees or agents of an author, editor or publisher are in the same position as their employer or principal to the extent that they are responsible for the content of the statement or the decision to publish it.
(5) In determining for the purposes of this section whether a person took reasonable care, or had reason to believe that what he did caused or contributed to the publication of a defamatory statement, regard shall be had to-
(a) the extent of his responsibility for the content of the statement or the decision to publish it,
(b) the nature or circumstances of the publication, and
(c) the previous conduct or character of the author, editor or publisher.
The Defamation Act 1996
ss2-4 Offering to make amends.
2 (3) An offer to make amends-
(a) must be in writing,
(b) must be expressed to be an offer to make amends under section 2 of the Defamation Act 1996, and
(c) must state whether it is a qualified offer and, if so, set out the defamatory meaning in relation to which it is made.
(4) An offer to make amends under this section is an offer-
(a) to make a suitable correction of the statement complained of and a sufficient apology to the aggrieved party,
(b) to publish the correction and apology in a manner that is reasonable and practicable in the circumstances, and
(c) to pay to the aggrieved party such compensation (if any), and such costs, as may be agreed or determined to be payable.
To Censor or not to Censor
- US caselaw - Cubby Inc. v Compuserve (776 F. Supp. 135, 140.) - did not censor - not liable. Stratton Oakmont, Inc. and Daniel Porush v Prodigy Services Co. & Others, New York Supreme Court 24 May 1995 - did censor - liable.
- UK caselaw - s1 of the Defamation Act 1996 provides for a specific defence for on-line providers, although its effect will depend on the "all reasonable care" test. For those who have an authorial or editorial role in publishing on the Internet, the law of libel applies as much to the Internet as it does to the print medium.
- Jurisdiction - one should not forget that the Internet is an international medium, and that liability may therefore be multi-jurisdictional. The fact that a message or webpage may be accessible or sent to another country may be enough for its courts to accept a claim there - collecting damages is, of course, another matter.
Policy Issues
- Universities are always going to be more attractive to sue than staff and students - deeper pockets.
- Too prescriptive a role is counterproductive - and may be deemed as 'editing'.
- The key issues are:
- user education - the law, and the disciplinary consequences.
- limitation of liability - guidelines and regulations.
- responsibility - it should be clear who has responsibility for dealing with any problem, and they should have the authority to remove the offending material as rapidly as possible after a complaint.
- response time and making amends - s2, 3 & 4 DA 1997 - the quicker the apology, the smaller the award.
Notes
The law of defamation in Scotland is different to that of England and Wales, and looks set to remain different in some respects.
For Scots Law see:
McNorrie, K. 'Defamation and related actions in Scots Law' Butterworths 1995.
For England and Wales see:
Scott-Bayfield, J. A. 'Defamation: Law and Practice' FT Tax & Law 1996.
For the Defamation Act 1996 see:
http://www.hmso.gov.uk/acts/acts1996/1996031.htm
Please note that all material contained in the presentations "Data
Protection & Defamation", and "Educating the User, Training the
Administrator" at that seminar, and their accompanying notes remains
copyright of A.Charlesworth unless otherwise specifically provided.
Permission is granted to the JISC and others to provide access to, or make,
multiple copies on paper or in digital format, for use in UK educational
institutions, as long as the author and his institution are credited on each
copy. This includes mounting the material on a web server.