Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

UK heralds explicit privacy right [1998] PLBIRp 26; (1998) 45 Privacy Laws and Business International Report 18

UK Registrar heralds explicit privacy rights

THE UK REGISTRAR’S 14TH ANNUAL REPORT was published on July 15th and includes complaints about loyalty cards and unsolicited marketing faxes. In the last year, the Registrar has concentrated on prosecuting procurement cases.

The UK Parliament is now close to enacting the Human Rights Act which will incorporate the European Convention of Human Rights into UK law, and give individuals an explicit right to privacy (PL&B Feb

’98 p. 21).

“Having Human Rights legisla- tion will make a significant difference in a couple of years time,” the Registrar said at the launch of her annual report. So far, there has been a problem of defining certain concepts, for example, “fairness.” In the future, any such interpretation can be made in conjunction with the Human Rights Act.

Furthermore, the Government is currently drafting a long-awaited Freedom of Information Bill (PL&B Feb’98 p.22). The access rights to per- sonal information that it will provide, will overlap with the existing data protection regime, and a balancing of these rights is therefore needed in the future. The Registrar had recom- mended that the Data Protection Act and FOI laws could be enforced by one body. This has not been agreed by the Home Office. The Registrar will, however, have an important role as the applications for personal infor- mation under the FOI Act will be treated as subject access requests under the Data Protection Act.

GUIDANCE FOR THE TRANSITION PROCESS

At the time of the Privacy Laws & Business Annual Conference, on 15th July, the data protection bill was only one day away from receiving Royal Assent. The Registrar emphasised that the delayed implementation of the 1998 Data Protection Act will not mean that data controllers can ignore it for the time being. Although the Act is not likely to come into force before the beginning of next year, all new processing after 24th October will immediately fall under the provi- sions of the new Act.

The Registrar’s office will soon provide guidance on definitions and transitional periods. Work has already been done on a number of issues, for example, interpreting the data security clause (p.13). A consultation conducted by the Data Protection Registrar’s Office last December (PL&B Dec ’97 p.5) showed that small and medium-sized enterprises are likely to need a different approach from large organisations which could perhaps rely on BS7799 certification to demonstrate compliance with the new Act’s requirements on security of processing and notification of security policy.

Much work has also been done on registration systems. The staff have been identifying elements that still cause problems for companies when registering. As the new law provides for exemptions from notification, the office has considered the extent to which exemptions could be granted. It has already been decided that in order to smoothen the transitional period from registration to notification, data users who are currently registered do not need to notify under the new law before their registration is due to be renewed.

HIGH LEVEL OF SATISFACTION Even if the Registrar’s office has directed a great deal of its time to deal with the new legislation, data con- trollers are more than happy with the advice the office continues to provide on the 1984 Act. A recent survey on the office’s services reveals that organ- isations are extremely pleased with the quality of advice given. The highest level of satisfaction was scored on the ease of understanding the advice (93%).

The survey was conducted in March/April 1998 on 500 organisa- tions. Of those, 250 were organisations which had been in contact with the office in the last six months. Another 250 organisations were picked randomly from the regis- ter. It was found that large companies contact the office regularly. More than half of those interviewed with more than 5,000 employees contact the office once a month or more. Most often companies seek advice on how to reply to a complaint or query from a customer. Although smaller companies do not have the same need to contact the Registrar, 80% of all companies interviewed know how to contact the office. Only 20% of the companies that had not been in contact with the office knew about the forthcoming legislation.

NEW SOURCES OF COMPLAINTS The number of complaints, 4,173, indicates an increase of 7% compared with the year before. While consumer credit issues continued to produce most complaints, a significant number were received about unsolicited mar- keting faxes. The Registrar has so far been powerless to deal with these cases, as the sender of the fax does not use personal data. The sender of faxes using automated dialling does not send the faxes selectively to named individuals.

owners can be targeted with specific marketing materials (PL&B May ’98 p.20). The Registrar’s office has adopted the view that as long as cus- tomers are informed about the possible future uses and disclosures of their personal data when applying for the cards, no action is necessary to restrict the loyalty schemes.

UNLAWFUL PROCUREMENT

In the last fiscal year, the Registrar’s office secured 38 convictions. While the number is smaller than before, the

to consider the application of the law to new technologies. The Internet is already subject to normal data protec- tion rules, and E-mail addresses can be regarded as personal data, at least if the person’s name appears as a part of the address.

The Registrar paid special attention to look-up services which are common in the USA (PL&B May ‘98 p.18). These services are used to collect all kinds of information on an individual, in the hope that someone might be willing to pay to receive the

Registrar explained that they have purposefully concentrated on pro-

information. The compilation of infor- mation is nowadays easy by combining

The Telecommunications Data Protection Directive, which is to be implemented in the UK in the near future (p.22), will change this practice by making it unlawful to sent unsolicited marketing faxes without prior consent.

WORRIES ABOUT LOYALTY CARDS

Complaints have also been received about retail loyalty cards which are offered by supermarkets. With the help of data mining techniques, card curement cases where personal data has been unlawfully accessed and disclosed. In July, the Registrar suc- cessfully prosecuted a father and a son who had procured personal infor- mation from the NatWest Bank where the son worked. The informa- tion was used by the father, who is a private investigator. The Registrar was delighted that the suggestion to investigate came from the bank itself. The fines that were imposed on the two of them were £8,000. “The level of fines clearly shows how seri- ously these offences are viewed,” the Registrar said. In addition to the

fines, the son lost his job.

REGISTRAR WARNS

ABOUT LOOK-UP SERVICES

The office has, in the course of its work on the new legislation, also had

databases. The Registrar hoped that these services will not emerge in the UK. If they do, they should comply with data protection rules.

The Registrar’s Fourteenth Annual Report is available from The Parliamentary Bookshop Tel 0171 219 3890

HMSO Publications Centre

Tel 0171 873 9090

Price £21.30