CaseLines and the Data Protection Act
CaseLines users are often concerned to ensure that use of the CaseLines service is consistent with their obligations under the Data Protection Act 1998 (the “DPA”).
CaseLines has addressed the key issues through its terms and conditions, in two key respects, so that users can be reassured that DPA compliance is better served using CaseLines than with alternative approaches. The key provisions are:
- Formal data controller/data processor provisions are incorporated in the customer terms and conditions
- A data sharing protocol is built into the user terms and conditions, which binds third-party users to observe appropriate controls even if they do not have a formal agreement with the party that created the case to which they have access
CaseLines provisions are stronger than traditional alternatives
Legal proceedings cannot operate effectively without the sharing of data, which of necessity will often include sensitive personal data. Users of CaseLines are bound to a data sharing protocol. Additionally, CaseLines offers a secure way to share that data, ensuring that any party that becomes a data controller by virtue of being provided with personal data is capable of meeting the requirements of the 7th principle – that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Without CaseLines, users must rely on paper or sending documents by email. Sending paper correspondence is covered by the DPA in exactly the same way as an electronic communication, since even in paper form the information is part of, or intended to be part of, a relevant, structured filing system which will make information about individuals readily accessible. However, paper can be lost or misplaced, and has virtually no effective audit trail. Using paper does not simplify or relieve recipients of their obligations under the 7th principle – in fact the opposite. The alternative, sending documents (such as a PDF bundle) by email, is far less secure than CaseLines, since documents are very commonly sent via unencrypted email, and there is no subsequent audit trail to allow enforcement of the security provisions.
Data controller/Data processor
CaseLines customer terms and conditions address the key requirements of the DPA. In summary:
- A written contract is established clarifying that CaseLines is the data processor
- CaseLines is obliged to maintain security in accordance with the 7th principle
- CaseLines undertakes not to hold your data outside the European Economic Area
Data sharing protocol
CaseLines user terms and conditions oblige all users that have access to a case to:
- Use the information to which they have access only for the purpose for which access was given
- Comply with provisions relating to Subject Access Requests and FOIA enquiries
- Comply with provisions relating to breach of confidentiality
- Maintain appropriate technical and operational security relating to their access and use of data
- Not transfer data outside the European Economic Area