Page: 1 2 3 4
3. Interaction with Other Legislation
The Human Rights Act 1998 (HRA 1998) incorporates the European Convention on Human Rights into UK law. The Act does three main things:
1. Makes it unlawful for a public authority, such as a government department, local council or the police to breach the European Convention on Human Rights, unless an Act of Parliament meant it could not have acted differently
2. Permits individuals bringing an action for alleged breach of their rights to have the case heard by a UK court or tribunal rather than having to go to the European Court of Human Rights in Strasbourg
3. Requires UK legislation to accord with the rights set out in the Convention
The main provision of the HRA 1998 relevant to data protection is Article 8, which states:
- Everyone has the right to respect for his private and family life, his home and his correspondence
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others
The Act is designed to apply human rights guarantees beyond the obvious governmental bodies. S.6 HRA 1998 identifies two distinct categories of "public authorities" which would have a duty to comply with the Convention rights:
- "Pure" public authorities (such as government departments, local authorities, or the police) are required to comply with Convention rights in all their activities, both when discharging intrinsically public functions and also when performing functions which could be done by any private body. s.6(3)(a)
- "Functional" public authorities who exercise some public functions but are not "pure" public authorities are required to comply with Convention human rights when they are exercising a "function of a public nature" but not when doing something where the nature of the act is private. s.6(3)(b)
Only those bodies which fall within either of these categories ("pure" or "functional" public authorities) have a direct obligation under the Act to comply with Convention rights. The precise nature of particular HE institutions under these categories appears to remain unclear - unlike FOISA, the HRA 1998 contains no listing of either 'pure' or 'functional' public authorities.
The HRA and Data Protection Legislation
From a data protection point of view, in circumstances where an HE institution was not directly breaching the HRA 1998, UK courts are required to comply with Convention rights, and obliged to interpret legislation in accordance with Convention rights. Therefore, breaches of the DPA 1998 could give an indirect cause of action to individuals seeking to claim that their Article 8 rights were being breached. The requirement of respect for private and family life, home and correspondence under Article 8 will influence judicial interpretations on Data Protection related issues such as the protection of personal information and the right to private communications. Article 8 is not an absolute right but any interference with the right must be in legitimate pursuit of fair and lawful purposes and must be demonstrably necessary and proportionate to achieve those purposes.
It should be noted that the HRA 1998 may require the University to balance an individual's claims for breach of privacy or misuse of private information under Article 8 ECHR against countervailing arguments based on the Article 10 ECHR rights relating to freedom of expression, including the freedom to receive and impart information and ideas.
The Regulation of Investigatory Powers Act 2000 (RIPA 2000) provides, in conjunction with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBPR 2000), grounds for the lawful interception of communications, including telephone and computer communications (e.g. e-mail, instant messaging). However, personal data collected under the RIPA and the LBPR must be processed in accordance with the requirements of Data Protection Legislation, unless elements of that processing are specifically exempted e.g. processing of personal data collected under the RIPA/LBPR for the purposes of law enforcement (Part 3 of the DPA 2018) or national security (Part 4 of the DPA 2018) is exempted from parts of the Act.
Page: 1 2 3 4