The organisation must ensure that the project, the personal data that it handles, and the business processes it uses are compliant with all relevant laws. Compliance checking should be started at an early stage of the project to address issues such as the legality of any proposed course of action, but this work will normally only be completed later, once the design of the project has reached a more detailed stage.
While compliance checking as part of a privacy impact assessment (PIA) will focus on laws which affect privacy, organisations will have to consider broader legal compliance as well. Public sector organisations will have to consider the extent of their powers, any obligations they have in relation to the personal information they collect and any prohibitions on the use of that information. Private sector organisations will have to consider industry standards and the law.
Further documents may be relevant, such as codes of conduct and privacy policy statements, particularly where the organisation has provided some form of undertaking to comply with them. This might arise from membership of an association that issues the code, or the terms of a document that the organisation itself has produced. There are also matters of public policy that may not be formally law, but that are generally respected.
Chapter VII of the handbook provides guidance in relation to compliance with the Data Protection Act and the Privacy and Electronic Communications Regulations. This section relates to broader elements of the law but any legal compliance checking should include these areas.
The organisation proposing the project is responsible for undertaking a survey of the law relevant to the project and to the data processing and business processes it gives rise to. All participating organisations should do the same in connection with their involvement in the project.
Professionals with relevant expertise should be consulted as part of checking compliance with privacy law and other legal obligations. If your organisation has an in-house compliance unit or an established compliance process, it might be useful to ensure that the compliance checking process takes full account of privacy law obligations, and to extend that process if necessary.
You can refer to the examples of relevant laws in the segment of this handbook that describes the criteria for privacy law compliance checks.
The following is an indicative, but not exhaustive, list of other laws that may be relevant.
To the extent that the design is not compliant with the law, or it would be illegal to deploy the new or adapted system or scheme, it may be necessary to change the design prior to deployment, in order to achieve compliance.