
Privacy Laws and Business International Report


UK 1984 and new 1998 DP Act [1998] PLBIRp 19; (1998) 45 Privacy Laws and Business International Report 8

Key differences between UK 1984 and 1998 legislation

ON THE EVE OF THE ADOPTION of the Data Protection Act 1998, Elizabeth France, the UK Data Protection Registrar, examined the provisions of the new law and its significant changes.

As of 13th July 1998, she was still the Data Protection Registrar and was unlikely to change her title to Data Protection Commissioner for several months, until the new Act Commencement Order takes effect. She also warned that the vagaries of the Parliamentary timetable made any accurate forecasting of timing for the detailed Regulations uncertain. The 1998 Data Protection Act received Royal Assent on 16th July 1998, although much essential detail remains to be fleshed out in more than thirty Statutory Instruments. The need for this mass of secondary legislation to be published in draft, presented to Parliament and passed, means that the Act will not be fully in force from 24th October, although some obligations will still run from that date. It is unlikely that the Act will be fully in force before 1st January 1999.

THE DATA PROTECTION ACT 1998: FAMILIAR FEATURES

Individuals’ rights and obligations of data controllers are similar in the old and new legislation, and both pertain regardless of the issue as to who owns the data. This area will be strengthened by the forthcoming incorporation of the European Convention on Human Rights into UK law. The Data Protection Commissioner will continue the role of the Registrar as an independent supervisory authority.

The first five new data protection principles are similar to the existing first six principles, but stated without the link to registration. So is the seventh (previously the eighth) on security. There are two new principles: principle six stating that data must be processed in accordance with data subjects’ rights, and principle eight on transfers of personal data to third countries. The Registrar emphasised that, as previously, she would usually attempt to enforce the principles by conciliation before resorting to enforcement notices.

The enforcement regime will remain largely unchanged, but with some enhancements, like information notices to allow the Registrar’s staff to seek information from data users under statutory powers. The Registrar described the new power as something between a warrant power and just asking nicely. This new power is unlikely to adversely apply to reputable organisations.

Notification, which will replace registration, brings some changes. It will not be universal, and there will be some exemptions. Fundamentally, there will be no link between notification and the obligation to abide by the data protection principles.

SIGNIFICANT CHANGES

• While manual data has attracted much comment, the new, much wider definition of processing should have attracted more attention.

• Lawful criteria for processing is a new concept, and data controllers must consider which criteria apply to them.

• Sensitive data has now been defined in the Act, and special measures need to be taken when processing it.

• Data transfers outside the EU will all be dealt with in more detail later.

• Codes of practice will now move from just being encouraged. In future, the Commissioner will be able to sponsor them herself, subject to consultation with industry bodies.

• Exemptions change significantly, especially for the media, which is a new feature in this law.

PROVISIONS STILL TO BE PUBLISHED

The new notification and fee regime has to be agreed between the Home Office and the Commissioner. This aims to be as simple as possible whilst remaining compatible with the EU Data Protection Directive – a concept that sounds simpler than it is. The new regime also has to be practical. It is hoped that for most data users, their first draft notification entry will be automatically produced from the current registration details. This is not a simple feature for the Commissioner’s IT system to cope with. Existing registrations will count as notification for the period of their validity in all cases where there is no entirely new processing of personal data.

Exemption details will again need to be clarified in secondary legislation, but are likely to include the standard core business purposes that the Registrar has already suggested. The levels of fees are also, of course, dependent on the exemption regime. The larger the scope of exemptions, the fewer organisations are available to spread the costs of running the office of the Data Protection Commissioner. Consultation on the draft regulations includes the issues of exemptions and fees.

MANUAL DATA AND PERSONAL FILES

Processing is now a very wide concept – anything you can do to personal data is now covered by the term. Manual records have caused widespread concern and comment. The legal definition of a “relevant filing system” is: “any set of information relating to individuals structured... in such a way that specific information relating to a particular individual is readily accessible.”

There was still some disagreement between the Minister and the Registrar over the exact meaning of this definition. Both agree that specific case files are covered where the file contains one individual’s data on one piece of subject matter. There is disagreement over such data as personnel files. The Minister believes that personnel files, for example, are excluded because they are not homogeneous - that is they contain relatively unstructured data about a wide range of issues - even though they have a person’s name on the front. The Minister believes that this would make them unstructured, and therefore outside the scope of the Act’s definition.

The Commissioner will take the legal definition as a starting point, and refer to the Minister’s definition. However, the final arbiter will be the courts. The Commissioner will be encouraging best practice, which she has a statutory duty to do, on all personal data, whichever side of the legal borderline it is. Obviously, real cases will allow better guidance to be developed. For public bodies, there will also be the need to disclose data (regardless of the form in which it is held) under the forthcoming Freedom of Information legislation.

The Data Protection Commissioner will also have responsibility for accessible files in certain areas previously dealt with under separate Acts of Parliament (e.g. health records, social work). This was a late amendment to the Data Protection Bill. The Commissioner will, in future, be a middle tier of review for a disgruntled data subject between the data controllers’ own review on the one hand, and the Courts, on the other hand.

CRITERIA FOR PROCESSING CHANGE

Criteria for processing are now explicitly important, as these have to be met before any processing of personal data can lawfully take place (see Schedule 2 of the 1998 Act). For the legal processing of sensitive data (such as health, ethnic origin, sexual orientation, trade union membership, religious beliefs, other beliefs) additional criteria need to be met (see Schedule 3 of the Act).

ORGANISATIONS NEED TO ACT NOW

Informing individuals about processing is implicit in the (1984) first principle, but becomes explicit in the new law. It deals also with obtaining data from a source other than the individual. The individual is to be informed either at the time the data is first processed, or when the data is first disclosed to a third party. Organisations will have to look carefully at how personal information is collected. This can, and should be done during the transition period for bringing the 1998 Act fully into force. Subject access has also changed. In addition to the rights already guaranteed under the 1984 Act, the data subjects are entitled to be given any information as to the source of the data, and to be informed of the logic behind any automated decision-taking. In order to satisfy these requests, organisations need to make decisions now on how to comply.

NEW PROCESSING MUST CONFORM IMMEDIATELY

The Registrar pointed out that although many provisions, including notification, will not be brought into force until the secondary legislation is passed, it is still a requirement that new processing started after 24th October 1998 must conform with the requirements of the 1998 Act immediately. The Government will allow three years (i.e. until 24th October 2001) for processing under way on 24th October 1998 to conform with the requirements of the Act. Thus the end date will remain the same even if the Act’s entry into force is now delayed.

WHAT IS MEANT BY “PROCESSING UNDER WAY”?

“Processing under way” is a phrase permitting a wide range of interpretations. In an answer to a Parliamentary Question in the House of Lords (HL Hansard, 14th May 1998, col. WA128) Lord Williams of Mostyn gave a reasonably broad definition which included the addition to and amendment of data on new and existing data subjects and “essential program and software changes to enable such processing to continue.” The Registrar promised that she would take a similar approach, but would also have to consider how an individual’s rights were adversely affected. In this case, as with other difficulties of interpretation, the ultimate arbiter will of course be the courts’ interpretation of the statutory wording, regardless of the Minister’s, or indeed, the Registrar’s own interpretations.

Checklist for action

The Registrar advised that data controllers should now:

1. Look at manual records to prepare procedures to be able to treat them as automated records are currently treated

2. Be ready for subject access to manual records from 24 October 2001

3. Ensure that your organisation knows what criteria are used to justify and legitimate the processing of all personal data for all purposes

4. Ensure that procedures meet all the requirements for informing individuals when obtaining or disclosing data

5. Ensure that procedures are in place for meeting the (enhanced) rights of individuals for subject access

6. Decide whether data is transferred outside the EU, and if so, whether action is needed to give it adequate protection, or whether (and which) exemptions apply

7. Bring the (1984 Act) register entries up to date, as well as rationalise and consolidate them where possible. (The new Act envisages one notification per data controller – this may give problems for some public sector bodies)

8. Keep up to date with the advice from the Registrar and Government, particularly on the transitional arrangements.

This is an edited version of the talk given by Elizabeth France, at the Privacy Laws & Business Annual Conference in July at Cambridge. Reported by Robert Waixel who is a lecturer at Anglia Polytechnic University. E-mail: rwaixel@cd sd.anglia.ac.uk The latest information from the Registrar’s Office on the new Act is available on her website: http://www.open.gov.uk/dpr/dprhome.htm


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/19.html