Data covering almost 180,000 patients, including every case of lung cancer diagnosed in England over the last four years, may have been unlawfully leaked by health officials to a firm which has connections to big tobacco companies.
With so many organisations interested in your data, what exactly are your data rights, and how can you protect your data from unauthorised or unlawful use?
What is the Data Protection Act?
First we need to look at the UK laws that are currently in place. The Data Protection Act 1998 (DPA) protects you from having your data stolen or used without your permission.
It sets out special categories of data that are protected, such as data concerning race, religion, politics, medical treatment or sexual activity. It can also protect personal information such as your name, address, phone number and email address.
The DPA sets out strict consent requirements requiring companies or government agencies to ask you before they use your data. There are also strict rules around how your data must be held, how it is processed and when it can be provided to another person.
Companies often find ways around these rules – such as the tick box at the end of forms – so it is important to know exactly what you are signing up for before you agree to hand over your data.
The rules also state that your data must only be used for the purpose for which it was collected. For example, you might agree to allow your doctor to collect sensitive data about your health in order to treat you. The doctor would only be able to use that data for your treatment and not for any other purpose, e.g. to sell on to a medical research company.
There are also rules which state the data must be accurate. For example, if a hospital incorrectly records that you have a medical condition which might increase your insurance premiums, you have a right to request that the hospital corrects their records.
What are my data protection rights?
The DPA also sets out a number of specific rights that you have in relation to your data. These include the following points:
Do I have the right to request a copy of my data?
Yes. For example, if you need information about your credit history for a loan application, in most circumstances, banks cannot refuse to give you a copy of the data they hold on you.
How do I request a copy of my data?
You can request a copy of your data by making a “data subject access request”. You can write to the organisation and ask them to provide you with copies of the data they hold on you. Organisations may charge a fee depending on the type of data you are requesting. It is important to remember that not all personal information is covered and there are some exceptions.
Can I stop organisations from using my data?
If you are concerned that an organisation has data that is likely to cause you substantial damage or distress, you can make a request that the person or organisation stop using that data. In practice, this is called a ‘section 10 notice’ and can only be used in situations where the person does not have a legitimate reason for processing the information.
Can I prevent my data being used for direct marketing?
You are able to give a notice at any time to an organisation to stop them using your details and the organisation is required to stop the marketing within a reasonable time. ‘Written notice’ can be as simple as you sending an email to the marketer or unchecking a tick box for direct marketing. Keep in mind, organisations may still keep your details on file, if only to ensure that you do not receive marketing in the future.
Is there a way around automated decision making?
An automated decision is a decision made by a computer with no human involvement. For example, if you make an online loan application for a new car loan and you are automatically rejected, you have the right to have a real person look at your application and make sure the decision was correct.
Can I correct the details of my data?
If an organisation is holding incorrect details about you, you have a right to correct those details. For example, if the police have incorrectly recorded an offence against your name when in fact it was committed by another person with the same name, the police cannot refuse to correct their records. It is important to remember that it may be up to you to prove that the information is incorrect.
How do I report a data protection breach?
If you are concerned that your data may have been used inappropriately, you can make a report to the Information Commissioner’s Office (ICO). The ICO can investigate the data breach and may issue a fine in relation to the breach.
The ICO is not able to compensate you for a data breach. If you have lost money or suffered distress as a result of the data breach, you may also wish to speak to a data protection lawyer to see if compensation is available.
For a consultation with a specialist group litigation lawyer, contact Slater and Gordon today on freephone 0800 916 9015 or contact us online.
David Barda is a group litigation lawyer and data protection specialist at Slater and Gordon in London.
*It is important to note that the United Kingdom’s data protection laws will be updated on 25 May 2018 with the introduction of the General Data Protection Regulation, but all of the rights above will be preserved.