Senior executives of government agencies and company directors must ensure that the operations for which they are responsible comply with all relevant laws. The purpose of this segment of the Handbook is to assist organisations to comply with privacy-related laws.
The services of a legal professional with relevant expertise may be needed.
If any of the following questions are answered "Yes", then a Privacy Law Compliance Check should be conducted:
Does the project involve any activities (including any data handling) that are subject to privacy or related provisions of any statute or other forms of regulation, other than the Data Protection Act?
In particular, the following laws and other forms of regulation should be considered, but the list may not be exhaustive.
The Human Rights Act, in particular Schedule 1, Article 8 (Right to Respect for Private and Family Life) and Article 14 (Prohibition of Discrimination)
The Regulation of Investigatory Powers Act 2000 and Lawful Business Practice Regulations 2000
The Privacy and Electronic Communications Regulations 2003
The Data Retention (EC Directive) Regulations 2007
In the case of government agencies, the statutes under which the agency or programme operates
Statutes that impose regulatory conditions on the manner in which the organisation operates
Sectoral legislation, e.g. Financial Services and Markets Act 2000
Statutory codes, e.g. the Information Commissioner’s CCTV Code of Practice.
Where projects are cross-jurisdictional, the law of more than one country may be involved and other legal provisions may also need to be considered.
Does the project involve any activities (including any data handling) that are subject to common law constraints relevant to privacy?
In particular, the following should be considered:
confidential data relating to a person, as that term would be understood under the common law of confidence
the tort of privacy as it develops through case law
Does the project involve any activities (including any data handling) that are subject to less formal good practice requirements relevant to privacy?
In particular, the following should be considered:
industry standards, e.g. the BS ISO/IEC 17799:2005 Information Security Standard
industry codes, e.g. the NHS Code of Practice on Confidentiality
Privacy Law Compliance Checking is described in Part IV of this Handbook. Before proceeding to that part, however, organisations must continue with step 4 of the screening process, to determine whether Data Protection Act compliance checking also needs to be included in the project schedule. Note that compliance checking activities are usually conducted reasonably late in the overall project schedule, once detailed information about business processes and business rules is available.