Participants in the Commission’s data matching exercises should inform individuals that their data will be processed, as required by the Data Protection Act 1998. For data processing to be fair, the first data protection principle requires data controllers to inform individuals whose data is to be processed of:
- the identity of the data controller
- the purpose or purposes for which the data may be processed
- any further information which is necessary to enable the processing to be fair
The provision of this information is known as a fair processing notice. It enables people to know that their data is being used in order to prevent or detect fraud and to take appropriate steps if they consider the use is unjustified, or unlawful in their particular case.
However, when certain exemptions within the Data Protection Act 1998 apply, data controllers are not required to provide fair processing information. For example, where personal information must be made available to the public because of a statutory requirement, there is no need to provide fair processing information (the section 34 exemption).
The notice should clearly set out an explanation that their data may be disclosed for the purpose of preventing and detecting fraud. The notice should state that the data will be provided to the Commission for this purpose. The notice should also contain details of how individuals can find out more information about the processing in question.
Communication with individuals whose data is to be matched should be clear, prominent and timely. Where further data sets are required that individuals were not informed about in the original notices, new notices should be issued outlining the additional information needed. Where a data controller is not required to provide a notice e.g. because of the section 34 exemption, it is good practice for new notices to be issued anyway.
Participants should submit a declaration confirming compliance with the fair processing notification requirements (Fair processing compliance return).
The Information Commissioner recommends a layered approach to fair processing notices. Usually there are three layers: summary notice, condensed text and full text. Taken together, the three layers comprise the fair processing notice. Participants should decide the content and means of issue of fair processing notices for themselves.
Benefits of a layered approach
The benefits of using a layered approach are to give appropriate levels of fair processing information to different audiences, depending on their information needs. Individuals who wish to have a relatively short explanation can access this in a summary notice, while more comprehensive information is made available for others.
Guidance and good practice examples based on the Code of Data Matching Practice 2008 are provided at the following pages. Such notices will have the effect of deterring fraud as well as informing applicants about the use of data in data matching.
The full text is available on the Commission’s website and will include an explanation of the legal basis for its data matching exercises and a more detailed description of how the initiative works.