The organisation must ensure that the project, the personal data it handles, and the business processes it uses are compliant with all relevant laws. Unlike a PIA, which is best commenced early in the project life-cycle, compliance checking is normally conducted later, once the design has reached a detailed stage.
A separate part of the PIA Handbook provides guidance in relation to compliance with the Data Protection Act. This section relates to other elements of the law.
The organisation should undertake a survey of the law relevant to the project and to the data processing and business processes it gives rise to.
Further, all participating organisations should do the same in connection with their involvement in the project.
Ordinarily, the organisation would utilise the services of professionals with relevant legal expertise for this exercise.
The law comprises statutes, secondary legislation (statutory instruments created and maintained under delegation from Parliament, including Regulations and formal codes), and the common law.
Further documents may be relevant, such as codes of conduct and privacy policy statements, particularly where the organisation has provided some form of undertaking to comply with them. This might arise from some formal act of adoption (such as membership of the association that issues the code), or the terms of a document that the organisation itself has produced.
There are also matters of public policy that may not be formally law, but that are generally respected.
A number of examples of relevant laws were identified in the segment of this Handbook that described the criteria for privacy law compliance checks.
The following is an indicative, but not exhaustive, list of laws that may be relevant:
A specific example of delegated privacy legislation is the Privacy and Electronic Communications Regulations 2003, which applies to organisations conducting marketing projects to interact with potential customers via electronic communications.
The organisation must evaluate the project process and the project outcomes (including the design, data processing and wider business activities), to ensure that all aspects are compliant with all relevant provisions of all relevant laws.
Each participating organisation must evaluate the activities it will undertake as part of the project, and as part of the resulting system or scheme, in order to ensure that it is compliant with all relevant provisions of all relevant laws.
In some cases, guidance may be available to assist in the performance of compliance checking. An example arises in respect of the Privacy and Electronic Communications Regulations 2003 (http://www.opsi.gov.uk/si/si2003/20032426.htm), for which the Information Commissioner's Office provides a Privacy and Electronic Communications Regulations template (in Word format).
To the extent that the design is not compliant, it would be illegal to deploy the new or adapted system or scheme. The design must therefore be changed prior to deployment, in order to achieve compliance.