In brief – what does the Data Protection Act say about objecting to processing?
The Act refers to the “right to prevent processing”. Although this may give the impression that an individual can simply demand that an organisation stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited. An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.
So, in certain limited circumstances, you must comply with such a requirement. In other circumstances, you must only explain to the individual why you do not have to do so.
In more detail…
How can an individual prevent me processing their personal data?
An individual who wants to exercise this right has to put their objection in writing to you and state what they require you to do to avoid causing damage or distress. We refer to this notice as an “objection to processing” although it is also known as a “section 10 notice” in practice. The Act limits the extent to which you must comply with such an objection, in the following ways:
- an individual can only object to you processing their own personal data;
- processing an individual’s personal data must be causing unwarranted and substantial damage or distress; and
- the objection must specify why the processing has this effect.
In addition, an individual has no right to object to processing if:
- they have consented to the processing;
- the processing is necessary:
  - in relation to a contract that the individual has entered into; or
  - because the individual has asked for something to be done so they can enter into a contract;
- the processing is necessary because of a legal obligation that applies to you (other than a contractual obligation); or
- the processing is necessary to protect the individual’s “vital interests”.
A mobile phone company receives a written request from a customer requiring it to remove the customer’s details from its database. This should be treated as an objection to processing. The customer explains that using their personal data for credit referencing is causing them distress and has led to them being refused a credit card. The mobile phone company does not have to comply with this notice because the credit referencing is necessary for putting into effect the contract that the customer signed (and the customer can be said to have consented to it). Consequently, the right to object to processing does not apply. It would be good practice for the mobile phone company to write to the customer to explain why it does not have to comply with the notice.
The same customer cancels his mobile phone contract and withdraws his consent to the company processing his personal data. As a result he argues that the mobile phone company must comply with his objection. Although the right to object does now apply (because the mobile phone company cannot rely on any of the conditions for processing), the company only has to comply with the objection (ie to stop processing the customer’s personal data) if the processing is causing unwarranted and substantial damage or distress. The company must, however, respond to the customer within 21 days, explaining whether and to what extent it will comply with the objection.
In its response, the mobile phone company accepts that being refused a credit card might be considered financially damaging, but says that the effect on the customer is not unwarranted, since sharing information about the customer’s payment history with the agencies is justified and because the customer had been informed in advance that this would happen. The company is therefore entitled to refuse to comply with the notice.
The individual’s right to object to processing only extends to their own personal data, so they cannot prevent the processing of personal data relating to another individual or group of individuals. Nevertheless, an individual may still issue an objection to processing on behalf of another person.
What is meant by “damage or distress”?
The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:
- substantial damage would be financial loss or physical harm; and
- substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
An individual is refused a job in the construction industry and discovers that this is because the prospective employer checked his name against a blacklist maintained by a third party. The blacklist consists of the names of people who are regarded as unsuitable to be employed in the construction industry because they are trade union activists. The individual writes to the person who maintains the blacklist asking them to remove his name as it is denying him the opportunity to gain employment.
In these circumstances, the person who maintains the blacklist would have great difficulty in establishing any legitimate basis for processing the individual’s personal data in this way – because the assessment of “unsuitability” is arbitrary and lacks justification, and because the individuals concerned were not told that their names had been placed on the blacklist. In any event, the individual can show that he is suffering damage due to this processing and that this is substantial as it could continue to prevent him getting a job. It cannot be argued that the damage was warranted, because the processing was for an improper purpose. The person who maintains the blacklist would therefore have to comply with the objection. He must cease processing the individual’s personal data in this way, and must respond to the objection within 21 days confirming that he has done so.
The Act recognises that organisations may have legitimate reasons for keeping records about people which may have a “negative” effect on them. For example, the information you hold may lead to their arrest, to their being made to pay child maintenance, or to their being required to buy a TV licence. The Act does not give individuals the right to prevent this. Even where damage or distress has been caused, the Act limits the right to prevent processing to cases where the effects are unwarranted.
An individual writes to his local council asking them to stop using his personal data for administering and collecting Council Tax. Despite his argument that the processing is financially damaging and very irritating, it is clear that the cost to the individual is not unwarranted and that his annoyance at having to pay does not constitute substantial distress.
Any objection to processing must be based on a causal link between the processing of personal data and the damage or distress caused to the individual – the processing must have caused the damage or distress.
A bank files a default with a credit reference agency because Customer A has failed to repay a personal loan. Due to an administrative error, the default is filed against Customer B, who has a similar name to Customer A but has no liability in respect of the personal loan. If the record of the default causes Customer B to be refused credit when he would otherwise have been granted credit, the bank’s incorrect processing of his personal data has clearly caused damage.
How should I respond to an objection to processing?
An objection to processing will tell you what the individual wants you to do. So you need to decide whether you will comply with their request. The Act allows room for a decision that is more nuanced than simply “yes, we will comply” or “no, we do not have to comply”.
An employee discovers that his electronic HR file contains a negative comment about his political allegiances and resulting suitability for promotion. He writes to his employer demanding that it stops processing his personal data. The employer is entitled to respond that it will delete the reference to the individual’s political allegiances and any associated remarks, but that it intends to continue processing his personal data for legitimate HR purposes.
An employer is investigating allegations of harassment against one of its employees. The employee in question emails the HR department demanding that the investigation is discontinued and that any notes about it are destroyed. The employer is entitled to refuse to comply with this request because it has legitimate reasons to keep a record of the investigation, but it can agree to add a note to the file recording the employee’s insistence that the allegations are untrue.
There are several factors you should take into account when deciding whether and to what extent you intend to comply with an objection to processing. These factors are listed in the table below.
|Factors to check|Points to note|
|---|---|
|Is the objection to processing in writing?|An objection is valid only if it is in writing. Like subject access requests, “in writing” includes information sent by fax or email. Once you receive a written objection, you have 21 calendar days to respond to the individual who sent it.|
|Does the objection set out how the processing is causing damage or distress?|It is difficult to decide whether to comply with an objection to processing if the notice is unclear. You may wish to ask the individual who sent it to clarify what they think is the problem that processing their personal data has caused. Remember that the damage or distress caused has to be “substantial” before you are obliged to comply.|
|Is the damage or distress unwarranted?|If you feel that any damage or distress caused to the individual is warranted, you do not have to comply with the objection. You should be prepared to explain why you think this is the case.|
|Which conditions for processing can you rely on to legitimise the processing?|If you can rely on any of the first four conditions listed in Schedule 2 to the Act, the individual has no right to prevent the processing in question, and you do not have to comply with an objection. You must still send a response.|
You must respond within 21 days of receiving the objection to processing. Your response must state what you intend to do and, if you do not intend to comply with the objection in some way, give reasons for your decision. Your record of the decisions you made about the factors listed above will help you compose your response.
What happens if I do not comply with an objection to processing?
If you decide that an objection to processing is not justified and you do not comply with it, the individual can apply to the court. The court can decide whether the objection is justified and, if necessary, order you to take steps to comply.