With the adoption by the European Commission, Council and Parliament of the new General Data Protection Regulation, due to replace the UK's Data Protection Act in early 2018, our thoughts turned quickly to the man of the moment - Santa Claus. Does he qualify as a data controller? After all, as the song goes, "He's making a list. And checking it twice. Gonna find out who's naughty or nice…"
In determining the purpose for which and the manner in which personal data is collected, there can be little doubt that Santa Claus is a data controller. Indeed, I hope I'm on his list! The list, we should assume, is held on a computer of some description but, in any event, would be part of a relevant filing system. And it relates to living individuals and contains indications of the intentions of Santa in respect of those people and his opinions of them. I've been nice, by the way, all year.
So with all the data that Santa Claus is collecting and storing, does the Act apply to him? Section 5 is always a bit tricky, and especially so in this case. It only applies if the data controller is established in the United Kingdom and the data is processed in the context of that establishment (section 5(1)(a)), or if it is established neither in the UK nor in any other EEA member state, but uses equipment in the UK for processing data other than in transit. Lapland is of course in Finland, which is an EU member state, and therefore in the EEA, so section 5(1)(b) does not apply.
But does section 5(1)(a) apply to him? Well, under section 5(3)(d)(ii), a person who is not ordinarily resident in the UK, or incorporated here, or a partnership or unincorporated association not formed under any UK laws, but which maintains in the UK a regular practice, is covered. And what constitutes a 'regular practice'? No-one really seems to know. I think it qualifies that I've seen him in London, with his grotto, reindeer, sleigh and bells, and various elves and other assistants. It was definitely Santa Claus and he was definitely here – and not just in transit. There were queues of adults, many with children, waiting patiently and expectantly to see him.
So, having determined that Santa Claus is a UK data controller, he really needs to make sure that he complies with all the data protection principles. I think he can probably tick them all off as he will have collected the data fairly and lawfully. It really is necessary in order to protect the vital interests of the data subject - what could be more vital than getting the right presents delivered?
But, of course, some of the data that Santa Claus is processing might be sensitive. If naughtiness goes so far as to include the alleged commission of any offence, for example, can he get round the Schedule 3 conditions? I'm actually quite relaxed about this – paragraph 3 on vital interest protection surely applies and it would hardly be fair to get the data subject's consent – that would spoil all of the surprise!