Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

UK secondary legislation further delayed [1999] PLBIRp 3; (1999) 47 Privacy Laws and Business International Report 3

UK secondary legislation further delayed

THE UNITED KINGDOM'S new Data Protection Act is now unlikely to be in force until the second quarter of 1999. The delay is frustrating for businesses wishing to to ensure that their compliance programmes will be up-to-date.

The UK Data Protection Registrar, Elizabeth France, predicted at the Data Protection Forum in London in December that there is only a remote chance of the secondary legislation being ready before April. She thought, however, that a more likely timeframe would be the second quarter of 1999, which may mean that the law will not be in force until June. Although not responsible for preparing the legislation, she was able to say that the delay in drafting the secondary legislation has been due to problematic issues regarding the new notification system and setting up the Data Protection Tribunal.

There are 22 pieces of secondary legislation to be adopted, and 8 of them need Parliamentary time to be debated. The other 14 are subject to a negative resolution, which means that they need to be debated only if someone asks a question.

The Registrar paid attention to some significant changes in the new Act. She emphasised that the new definition of personal data now includes information regarding the intentions of an individual. Her office will issue further guidance on this and other matters in the future.

WHAT TO DO NOW

1. Data controllers could assist the work of the Registrar's office by checking that their register entries are correct. In the future, only one register entry per controller will be allowed. However, when changes are necessary, her office will contact data controllers. There is no need for controllers to enquire now about the new notification regulations and their duties under them.

2. The Registrar advised companies to prepare for transborder data flows. Although it seems that most transfers will occur in multinational companies, some of which are already preparing intra-company agreements (see p. 7), all businesses involved in sending personal data abroad should keep informed about developments with regard to contractual solutions, and think about how to obtain individuals' consent for the transfer.

3. As for manual data, the best approach now would be to prepare to treat it as if it were automated data. In the end, complying with one set of rules may be simpler than trying to evaluate whether certain data falls under the provisions for manual data.

4. Companies could also look at their procedures on subject access requests to ensure that they are ready to comply with requests for information that did not need to be provided under the 1984 Act. An example of an enhanced subject access right is the logic behind automated decisionmaking systems.

FURTHER CHANGES TO UK LAW POSSIBLE

The second speaker at the Data Protection Forum, Nick Platten, an independent consultant who previously worked at the data protection section of DG XV of the European Commission, looked at the differences between the UK 1998 Data Protection Act and the EU Data Protection Directive. Having been involved in the closing phase of the negotiations leading to the adoption of the directive, he was able to spot some points of incompatibility. Should the EU Commission later take the same view, the UK may be asked to amend its law.

In his view, the UK law's personal data definition does not go far enough. The definition is focused on the controller, and ignores "any other person" as defined in the directive. Nick Platten wondered whether, for example, URL addresses on the Internet should be included.

He also thought that the definition of a relevant filing system is narrower in the UK's law. With regard to sanctions, he noted that most countries have included more direct sanctions in their laws or drafts.

Information from the Registrar's office is available at http//www. open.gov.uk/dpr/dprhome.htm. The latest publication, "The Data Protection Act 1998: An Introduction," includes information about definitions, principles, individuals' rights, exemptions, transitional provisions, powers and duties of the Commissioner, notification and offences. The UK Data Protection Forum was founded in 1992 for the purpose of information exchange and discussion on data protection issues. The Forum meets 4 times a year, and its members consist mainly of data protection managers. For more information, and to join the Forum, contact Sid Weber on + 44 (0)181 868 7225.