Investigations: understanding data privacy

Date: 01 October 2005
DOI: https://doi.org/10.1108/13590790510700571
Pages: 352-359
Author: Daniel P. Cooper
Subject matter: Accounting & finance
Journal of Financial Crime, Vol. 12 No. 4
INTRODUCTION
Today, UK regulatory authorities, such as the Financial Services Authority, are increasingly focusing their attention on unlawful conduct occurring in the course of corporate transactions – mergers, acquisitions or joint ventures – involving a target company. Accordingly, these investigations can uncover not only financial improprieties associated with the transaction but other regulatory breaches arising from the transaction. One issue that can arise, and has done so, involves corporate failures to comply with applicable privacy legislation, which can compound the difficulties faced by a company subject to an investigation.
This paper examines an often overlooked aspect of regulatory compliance in the transactional context: UK privacy laws. Since the UK implemented the European Union's 1995 Data Protection Directive 95/46/EC, UK companies have needed to ensure that their transactional work complies with the complex set of rules regulating the processing of `personal data': data that relate to a living, natural person, including data that can be made to relate to such a person when combined with other information in, or likely to come into, an organisation's possession. The relevant persons may be customers, vendors, suppliers or even the employees of one or more companies involved in a transaction.
This paper looks at how UK privacy rules operate in the transactional context, and hopes to shed light on those rules for parties involved in the prevention, detection or prosecution of financial crimes. The main lessons to be learned are the following:
First, data privacy rules always need to be considered whenever a transaction involves the disclosure or processing of any personal data.
Secondly, if a transaction includes the disclosure or processing of any personal data, the parties may need to notify the individuals (`data subjects') whose data are involved and inform them about how their data will be handled (see `Issues in Compliance – Notice and data disclosures', below). The UK data privacy regulator, the Information Commissioner, allows parties to a transaction to engage in unnotified processing for due-diligence purposes, provided certain conditions are met.
Thirdly, the parties should ensure that a legitimate ground exists for any disclosure or processing of personal data by the parties, both leading up to and after completion of the transaction (see `Issues in Compliance – Legitimate grounds for data processing', below). In particular, the disclosure or processing of `sensitive' personal data – data that relate to a subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, or commission of criminal offences – can be problematic.
Fourthly, the parties should ensure that suitable security measures are in place when any personal data are disclosed or processed; special care will need to be taken where data rooms – both real and virtual – are in use (see `Issues in Compliance – Security for data', below).
Fifthly, the parties should consider whether any disclosure or processing of personal data involves the transfer of personal data outside the European Economic Area (`EEA') and, if so, whether mechanisms are in place to perform the transfer lawfully (see `Issues in Compliance – International data transfers', below).
Sixthly, the parties should consider whether, as a consequence of the transaction, they will need to amend their existing data protection registrations (also referred to as `notifications' under UK law) or, less likely, file their first registration with the Information Commissioner (see `Issues in Compliance – Registration', below).
OVERVIEW OF EU DATA PRIVACY LAWS
The EU Data Protection Directive 95/46/EC, which all 25 Member States have transposed into national law, remains the principal EU statute regulating the processing of personal data. The 1998 Data Protection Act (`the Act'), now supplemented by over 20 Statutory Instruments, transposes the Directive into UK law. These privacy laws strictly regulate the collection and use of `personal data' relating to an identified or identifiable natural person, known as a `data subject'. Although information attributed to a
Page 352
Journal of Financial Crime, Vol. 12, No. 4, 2005, pp. 352-359
© Henry Stewart Publications
ISSN 1359-0790