Data protection and the expert
Most expert witnesses will be processing personal data as part of their forensic practice and so should be registered with the Information Commissioner.
Expert witnesses should be registered under the Data Protection Act. Failure to be registered where necessary is a criminal offence. Are you breaking the law?
In recent months, a number of solicitors, and even the Crown Prosecution Service, have been prosecuted under the provisions of the Data Protection Act (DPA) 1998 (the ‘Act’). No doubt, this came as something of a surprise to them. The simple fact is that many people who process personal data in the course of their work still do not appreciate that they have duties under the Act – and we suspect that includes a fair few expert witnesses too!
Experts and personal data
The Act identifies personal data as being data related ‘to a living individual who can be identified from that data, or from that data and other information in the possession of or likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual’.
In the course of your work, you may hold and process data for a number of reasons. You might:
- collect and store information about individual solicitors for the purposes of case management
- hold information about individuals in connection with your instruction, e.g. social services case notes, pension records, medical histories, criminal records, education records
- hold records relating to individuals employed by you, and/or
- collect and hold information and data relevant to research into your particular field of expertise.
In short, if you are recording, storing or using information about people in some form of database, you need to ask yourself whether the Act applies to you.
Having established whether the data relate to identifiable individuals, you will next need to consider whether the data are being ‘processed’. There is a distinction to be made between the storage and processing of data and the mere receipt and holding of information relating to an individual. The Act applies to the processing of personal data only where such processing is wholly or partly by automatic means, or where the personal data form part of a ‘filing system’. Where personal data are concerned, the definition of ‘processing’ becomes very broad.
Information that is processed automatically will be covered by the Act. Information processed manually (referred to as ‘manual records’) is not intended to be covered by the Act unless it is held in an organised filing system structured either by reference to individuals or by criteria relating to individuals which allow ready access to specific information about a particular individual. The key consideration is not the time and effort involved in finding a piece of information about a person, but whether there is a system in place that allows the organisation to find that information without searching through every item in a set of information.
The Act requires businesses that process personal data to comply with its eight principles of data protection. These state that data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- not kept longer than necessary
- processed in accordance with the data subject’s rights
- secure, and
- not transferred to countries without adequate protection.
Most businesses processing personal data are also required by law to register with (‘notify’) the Information Commissioner and to pay a registration fee of, currently, £35 per year.
How to Register
Notification is a statutory requirement and every organisation that processes personal information must notify the ICO, unless the organisation is exempt. Failure to notify is a criminal offence.
Notification is the process by which a data controller informs the Information Commissioner of certain details about their processing of personal information. These details are used by the Information Commissioner to make an entry describing the processing in the register of data controllers. This is available to the public for inspection.
The principal purpose of having notification and the public register is transparency and openness. It is a basic principle of data protection that the public should be able to find out who is carrying out the processing of personal information as well as other details about the processing (such as for what reason it is being carried out).
You can complete the notification form online, print it out and send it with the notification fee or a direct debit instruction to The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113.
Reporting concerns about your own data being misused
If you have concerns about your own personal data being misused, you can report it to the ICO by visiting https://ico.org.uk/concerns/. You can check to see if an organisation is registered with the Information Commissioner by searching with a name, address or postcode at https://ico.org.uk/esdwebpages/search.