Here we have a piece of legislation that’s very often misunderstood. This is what the legislation says:
10 Right to prevent processing likely to cause damage or distress.
(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.
Data Protection Act 1998
This is what the ICO says:
In brief – what does the Data Protection Act say about objecting to processing?
The Act refers to the “right to prevent processing”. Although this may give the impression that an individual can simply demand that an organisation stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited. An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.
So, in certain limited circumstances, you must comply with such a requirement. In other circumstances, you must only explain to the individual why you do not have to do so.
Information Commissioner
Note the text highlighted above. Also note the word LIMITED. Section 10 is not an open door for everyone to command others to stop processing their data, nor does issuing a notice under that section guarantee compliance. Now let’s look at the definition of “damage or distress”:
What is meant by “damage or distress”?
The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:
- substantial damage would be financial loss or physical harm; and
- substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
Note that distress goes beyond annoyance and irritation. In other words, it’s not enough merely to be unhappy with the data being processed.
It is also important to establish what is personal data. An opinion or commentary is not “data”; saying that someone is unqualified, misunderstands legislation or gives wrong advice is not “personal data”. Nor is quoting what that person has said, written or posted, unless it is his own personal details (for example, his name, address, date of birth and NI number).
In some cases, personal data is already in the public domain. This is often the result of actions taken by the data subject himself. For example, registering a limited company and becoming a director will result in the director’s personal details (name, address, date of birth, nationality and other directorships) being available from Companies House and other websites that draw company data. Legal action can also result in some details being made publicly available, for example, in connection with a judgment, order or decision.
The Data Protection Act was drafted in order to protect individuals’ right to respect for private life, amongst other things. This means an INDIVIDUAL can serve a section 10 notice; a business cannot. It’s not unusual for an individual to engage in business, in which case the data in question may well refer to the individual’s business as well as his business practices. These are not covered by rights to privacy. People have a right to know how other people conduct their business, particularly if these people give advice or charge for their services.
Finally, there is also the requirement for the damage or distress to be unwarranted. The ICO states:
The Act recognises that organisations may have legitimate reasons for keeping records about people which may have a “negative” effect on them. For example, the information you hold may lead to their arrest, to their being made to pay child maintenance, or to their being required to buy a TV licence. The Act does not give individuals the right to prevent this. Even where damage or distress has been caused, the Act limits the right to prevent processing to cases where the effects are unwarranted.
Information Commissioner
It should also be noted that section 10 of the DPA applies to DATA CONTROLLERS, defined by the ICO as follows:
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Note that not everyone is a data controller. Although the ICO states that data controllers can be individuals or organisations, its main concern is with organisations that process other people’s data. The reference to individuals would be to people working as sole traders, freelancers, consultants, etc., in which case they are “the organisation”.
Section 10 also says:
(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
Data Protection Act 1998
Note that the court MAY order someone to comply with a section 10 notice. This is obviously once the court has had the opportunity to look at the evidence, which is not quite the same as making an emergency application for an interim injunction.