Personal Data protection Act 1998

Personal Data Protection

Information on the Personal Data Act

Foreword

On 24 October 1998, a new act entered into force aimed at preventing the violation of personal integrity by the processing of personal data, namely the Personal Data Act (SFS 1998:204). This Act is based on common rules decided within the EU.

The Government has issued supplementary regulations in conjunction with the Act in the Personal Data Ordinance (1998:1191).

The Data Act (1973) is repealed by the Personal Data Act.

This brochure provides an overall presentation of the Personal Data Act.

Amendments to the Act have been taken into account up to SFS 2006:398.

This brochure presents the Act in its wording from 1 January 2007. Readers wishing to learn more about the Act may read the Government Bills 1997/98:44, 1999/2000:11 and 2005/06:173 together with the Standing Committee on the Constitution Report 1997/98:KU18. The first Bill referred to reports, inter alia, on the underlying EU rules. This material is also available on the Internet: www.riksdagen.se/dokument.

Further information is included in the report presented by the Data Law Commission in March 1997 and which formed the basis for the new Act: Integrity – Public Access to Information – Information Technology (Official Government Report SOU 1997:39). In addition, information about the application of the Act is available in the report presented by the Personal Data Commission in January 2004 which served as the basis for the most recent amendments to the Act: Review of the Personal Data Act (Official Government Report SOU 2004:6).

The Data Inspection Board is the supervisory authority under the Personal Data Act and may, in that capacity, provide information about the rules. Information is also available on the Board’s website on the Internet:

1. Background to the Personal Data Act

Developments within information technology are accelerating. Technology becomes increasingly powerful, simpler to use and less expensive. This means that it is available to increasing numbers of people. At the same time, it is becoming easier to receive and disseminate data stored on the computer. The facilities for storage and searching for information are becoming increasingly flexible.

The opportunities afforded by new technology have brought with them an increase in the amount of data connected to people, for example, with the use of computers. Awareness has also increased that more and more data is available from an increasing number of sources. The methods that have been used to gather and process data relating to people are being continuously refined. A person using the Internet or modern cards for, for example, payment, can readily – without being aware of the fact – leave a so-called electronic trail behind him/herself.

Developments have meant that technology can be used in a manner that involves an unacceptable intrusion into personal integrity. The individual is entitled to be protected by society against such violations of integrity. At the same time, the need of the individual for protection must be balanced against other fundamental democratic rights and values, for example, freedom of information and freedom of expression. Legitimate needs for using information related to people also exist, for example, for the purpose of social planning.

A considerable amount of balancing is thus necessary when formulating legislation to protect personal integrity as regards personal data. Furthermore, the legislation must not unnecessarily restrict the use of new technology. New technology brings with it not only risks but also advantages. Things that were not previously feasible are now possible thanks to new technology – something which has already involved an improvement in the standard of living and increased freedom for many people.

The Swedish Data Act (1973) has been considered to be outdated for many years. It has not corresponded in all respects with the standards that can be expected for legislation to effectively protect personal integrity. The Data Act therefore needed to be replaced by a new modern Act. The rules have been developed having regard to the Data Protection Directive that was adopted by the EU in 1995, which is now introduced in all Member States. A basic starting point has been that responsibility for ensuring that processing of personal data is conducted in a lawful manner should rest with the person processing such data.

2. What does the Personal Data Act mean?

The main features of the Personal Data Act are presented in this part. These are:

  • People shall be protected against the violation of their personal integrity by processing of personal data.
  • In contrast with the Data Act, the Personal Data Act does not only apply to automated processing of personal data but, in certain cases, also to manual registers.
  • The Personal Data Act does not apply to the processing of personal data that forms part of a course of operation of a purely private nature.
  • The provisions of the Act are not applicable to the extent that they would contravene the constitutional provisions relating to freedom of the press and freedom of expression or limit the principle of access to public information.
  • The Act does not apply, in principle, to journalistic, artistic or literary activities.
  • Processing of personal data in unstructured material, for example running text, may take place as long as this processing does not entail a violation of the registered person’s personal integrity. Most of the other provisions of the Act shall not be applied to processing of this kind.
  • If another act or ordinance contains rules that deviate from the Personal Data Act, those other provisions apply instead.
  • The old system with licences and permits is abolished. Responsibility for ensuring that processing of personal data is conducted in a lawful manner is imposed in the first instance, upon the person processing such data. The Data Inspection Board exercises supervision of compliance with the Personal Data Act.
  • The Personal Data Act lists certain fundamental requirements concerning the processing of personal data. These demands include, inter alia, that personal data may only be processed for specific, explicitly stated and justified purposes.
  • Personal data may, if these fundamental requirements are satisfied, in principle, only be processed if the registered person gives his or her consent. However, there are several exceptions to this rule, for example, if it is necessary
      - in the exercise of official powers
      - when a work task of public importance is to be performed
      - in order to enable the controller of public data to fulfill a legal obligation
      - in order that a contract with the registered person may be performed.

  • Particularly stringent rules apply to the processing of sensitive personal data – e.g. concerning political views or health. These rules also apply to the transfer of personal data to other countries.
  • The registered person is entitled to information concerning processing of personal data that concerns him/her.
  • The processing of personal data shall be notified to the Data Inspection Board. However, this does not apply if the person who is responsible for the processing has appointed a personal data representative.
  • A person who contravenes the Personal Data Act may be liable to pay damages or be sentenced to a criminal penalty.

3. The terminology of the Personal Data Act

The Personal Data Act uses some central concepts that reappear in several places and in various connections, inter alia in this brochure, and which are therefore useful to know. The most important of them are presented below.

3.1 Personal data

All kinds of information that is directly or indirectly referable to a natural person who is alive constitute personal data.

The Personal Data Act applies to such processing of personal data as is wholly or partly performed with the aid of computers. The Act also applies to other processing of personal data, if these form part of or are intended to form part of a structured collection of personal data that is available to searches or compilations according to specific criteria (so-called manual registers).

The Act does not apply to the processing of personal information that a natural person performs in an activity of a private nature. This means, for example, that individuals may maintain for purely private use electronic diaries or a register of the addresses of friends and relatives etc. The word and text processing and communication by electronic mail of individuals also normally fall outside the ambit of the Act.

A simplified provision applies to processing of personal data in unstructured material, for example, running text, stipulating that the processing may not entail a violation of the personal integrity of the registered person (see Part 6).

3.2 Processing (of personal data)

Processing means everything one does with personal data, whether performed through a computer or not. The following may be mentioned as examples of processing of personal data:

  • Collection
  • Registration
  • Storage
  • Processing
  • Disclosure by transfer, dissemination or other provision of data
  • Compilations or joint processing.

There is no requirement that the information processed as data should be structured in a register or the like. Computerized work and text processing or similar processing of running text containing personal data is therefore per se subject to the Act, although a simplified provision applies to processing personal data in unstructured material, for example, running text (see Part 6).

Personal data in structured material may only be processed for specific, explicitly stated purposes.

Data that one has gathered for a particular purpose may not later be processed in a manner that is not compatible with that purpose.

3.3 The controller of personal data and the personal data assistant

A person who alone or together with others decides why and how personal data shall be processed is called the controller of personal data (the controller). This is usually a legal person – a company, an association, a public authority or a local authority. A natural person – for instance, a businessman – may also be a controller, however.

Personal data assistant (assistant) means a person who processes personal data on behalf of the controller. The assistant may be an independent service provider.

3.4 Personal data representative

A personal data representative (representative) is a natural person who, on the assignment of the controller, shall ensure that personal data is processed in a lawful and proper manner.

The representative must point out any inadequacies for the controller. If the representative has reason to suspect that the controller is contravening the provisions applicable to the processing of personal data, and points this out, but the controller does not rectify the matter as soon as practicable, the representative must notify this to the Data Inspection Board.

The representative shall also liaise generally with the Data Inspection Board if doubt prevails concerning whom the provisions applicable to processing of personal data should apply to. The representative shall also assist the registered person to obtain rectification if there is reason to suspect that personal data processed is incorrect or incomplete. Furthermore, the representative shall maintain a schedule of the processing that the controller performs and which would have been subject to the duty to give notice if the representative had not existed (cf. Part 14).

The appointment and removal from office of a representative must be notified to the Data Inspection Board.

3.5 Consent

Consent means every kind of voluntary, specific and unambiguous expression of will, by which the registered person, after the receipt of information, accepts the processing of personal data concerning him/her.

Consent may either be verbal or in writing. It must be voluntary.

The registered person must, before consent is given, have received the information necessary to enable him/her to assess the advantages and disadvantages of the processing of the personal data concerned and so that he/she may exercise his/her rights under the Personal Data Act. Consent shall also be unambiguous. Thus, no doubt may prevail about whether voluntary consent has been given. The consent must also be specific, which means that it must apply to a particular processing concerning the registered person that is performed by a particular controller for a particular purpose.

4. The scope of the Personal Data Act

The Personal Data Act applies to those controllers who are established in Sweden. As a main rule, Swedish law is also applicable when a controller from a third country (i.e. a country outside the EU and EEA) uses equipment, for example terminals and questionnaires, situated in Sweden for the processing of personal data. In such cases, the controller must appoint for himself an agent who is established in Sweden. The agent is equated with a controller when applying the Personal Data Act.

The Personal Data Act never applies if equipment is only used to transfer information between two countries that are outside the EU and EEA.

5. The principle of public access to official documents and also freedom of the press and expression

The principle of public access to official documents, which is embodied in the Freedom of the Press Act, means that the public authorities are liable upon request to provide copies of public documents unless secrecy applies. The duties of public authorities to save information – and not to alter it in such a manner that the original information is erased – are also of importance to the principle of public access to official documents.

The provisions of the Personal Data Act are not applied in such a manner that they might limit the principle of public access to documents or contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act or Fundamental Law on Freedom of Expression.

The Personal Data Act also includes an exemption for such processing of personal data as is only related to journalistic work or artistic or literary creation. However, the provisions of the Act concerning security measures when processing personal data (see Part 12) shall be applied in such cases.

6. Personal data in unstructured material

The great majority of provisions of the Personal Data Act need not be applied when processing personal data in unstructured material, for example, running text. This may entail sound or images, e-mail messages, texts published on the Internet or short or long memoranda or other documents produced with word processing software. In order for the simplified regulation to apply, the material worked with must not be included in or be intended to be included in a document or case management system or any other database. The provisions of the Act on security measures when processing personal data (see Part 12) must also be applied. However, it is not necessary to apply the provisions on fundamental requirements for processing personal data (Part 7), permitted processing of personal data (Part 8), information to the person who is registered (Part 9) and transfer of personal data to a third country (Part 13).

Processing of personal data in unstructured material must not, however, entail a violation of the integrity of the registered person. The following guidelines should be complied with:

  • Do not process personal data for improper ends, such as persecution or disgracing.
  • Do not compile a large quantity of data about one person without acceptable reason.
  • Correct personal data which proves to be incorrect or misleading.
  • Do not defame or insult another person.
  • Do not breach secrecy or a duty of confidentiality.

In the first place, it is the responsibility of the controller to ensure that no violation takes place in particular cases. However, what constitutes a violation is ultimately determined by the Data Inspection Board, which shall ensure compliance with the rule, and the courts. Provisions on damages and punishments (see Part 16) apply in the event of violations.

Persons who are uncertain of what constitutes a violation or what unstructured material is can instead decide to comply with the provisions of the Personal Data Act. Provided this is done, a violation cannot come into question.

7. Fundamental requirements on the processing of personal data

The controller shall, inter alia, ensure that personal data

  • is only processed if it is lawful
  • is processed in a proper manner and in accordance with good practice
  • is gathered only for specific, explicitly stated and legitimate purposes
  • is not processed for any purpose that is incompatible with that for which the data was gathered
  • that is treated is adequate and relevant to the purpose of the processing
  • is only processed if it is necessary having regard to the purpose of the processing
  • which is processed is correct and, if it is necessary, up-to-date
  • is rectified, blocked or erased, if it is incorrect or incomplete having regard to the purpose of the processing
  • is not kept for a longer period than is necessary.

As regards processing of personal data for historical, statistical or scientific purposes, certain special rules apply. If personal data that is processed for such purposes is also processed later, this shall be considered incompatible with the original purpose for which the data was gathered.

It is also permitted, for such purposes, to save data for a longer period. However, personal data may not be stored in such cases for a longer period than is necessary.
