
Privacy Laws and Business International Report



UK secondary legislation [1999] PLBIRp 31; (1999) 49 Privacy Laws and Business International Report 14

Drafting of UK secondary legislation still under way

A report by Charles Raab

THE PASSAGE OF THE UK DATA PROTECTION ACT 1998 in July of last year left many specific matters to be filled in by orders and regulations before the Act could come into force. Assistant Registrar David Smith provides a taste of the future provisions.

There has been a long period during which consultations and representations have played an important part in shaping the terms of the secondary legislation. Speaking at the Privacy Laws & Business 12th Annual International Conference in Cambridge, David Smith, Assistant Data Protection Registrar, described the secondary legislation that has yet to be enacted by Parliament. At the time he spoke, 30th June, only six of some 18 or 20 anticipated orders and regulations had been published in draft form by the Home Office following informal and formal consultations (p.26). They were rather trivial, but more important and controversial matters were waiting in the wings.

In a speculative mood, David Smith focused on the regulations for notification, subject access, sensitive data processing and fair obtaining, adding some remarks on telecommunications data protection regulations for good measure. There would probably be exemptions from notification, and deciding on these has played a large part in the delay so far.

The Home Office had found it very difficult to draft exemptions where processing is unlikely to affect the rights and freedoms of individuals, the condition that is stipulated in the EU Data Protection Directive. The Registrar was of the opinion that businesses should not be unduly burdened. At the end of the day, under the new Act all data controllers have to abide by the data protection principles, and not just those registered.

SAME NOTIFICATION FEES FOR ALL?

The form for notification will not differ too much from the present registration, but eventually on-line notification would be possible. Security measures would form part of the information required, subject to the Registrar's precise determination of what controllers would be asked to describe. There will be 'other information', such as the nature of one's business, which would help to clarify the purposes that are entered on the form.

There will probably be some measures to deal with multiple controllers, so that partnerships can register as partnerships. Statutory office holders who were employees of organisations, however, will have to register in their own right. As for schools, the current duplication (head teachers and governors) may be resolved.

The period of validity of a register entry will now start from the day the form is received by the Registrar. Changes to entries are to be notified within 28 days. The idea of a 'black mark' on a register entry if a controller has been issued with an enforcement notice has now been abandoned. The fee for notification might not vary from the current principle of the same fee for all, especially if there are many exemptions.

NO EXTRA CATEGORIES OF PRIOR CHECKING?

Turning next to assessable processing ('prior checking'), David Smith said that if the processing was likely to cause substantial damage or distress, or significantly prejudice the rights of individuals, then the Registrar has to assess, within 28 days (extendable to 42 days), whether it is likely or not to comply with the Act. However, although the Act delays processing for that period, it does not prevent it from going ahead thereafter even if there were an unfavourable assessment. The areas of processing in question are all quite difficult to define: data matching, genetic data, and private investigators. The Registrar was pressing the Home Office not to have any categories at all, because it is probably not a very useful process - much depends on the context of processing - and the method of assessment would not be easy to implement within the allotted time.

SUBJECT ACCESS FEE PROPOSED TO BE £10

As for subject access rights, the Assistant Registrar outlined what these are under the Act. The regulations would specify how a data subject would make a request - one application form or many? It was likely that a separate access request would have to be made only for the logic of automated decision-taking.

Other regulations would concern the extent of information provided and the time limits. It is likely that the time limit for providing the information will be 40 days, except for credit reference requests. These will have to be dealt with in 7 days, as already specified under existing arrangements which are being brought under the new Data Protection Act.

Another regulation would deal with health, social work and education. These provisions would be similar to what already exists, and enable data controllers to withhold information that would be considered detrimental to the subject's physical or mental health. Fees will be set out in regulations: probably still £10, except where different fees could be charged for requests that were already permitted under existing laws, such as requests for manual health or education records.

SENSITIVE DATA RULES AND PUBLIC INTERESTS

With regard to assessing the conditions for the fair and lawful processing of 'sensitive data' under Schedule 3, David Smith outlined the conditions stated. But he pointed out that other circumstances could be indicated by order. These might be given effect where there was a substantial public interest. They might apply to crime prevention and detection; police constables' duties; regulatory activities concerning dishonesty and malpractice; political parties' data on voters' political opinions; confidential counselling and advice services; pressure groups like Amnesty International who hold sensitive data on the prisoners they are pleading for; data held by insurance companies; equal opportunities concerning disabilities and religion; and research that was not related to decisions about individuals.

These were all areas in which consent was impossible or very difficult, but safeguards could be built into the permission to process.

SPECIAL RULES ON THE USE OF NHS NUMBER POSSIBLE

The 'fair processing' rules would now also apply to data obtained indirectly. The data subject would have to be told unless 'disproportionate effort' was involved, or there was a legal obligation to keep the data. An order would specify further conditions concerning the way in which data subjects could be informed, but David Smith did not think these conditions would prove to be very onerous.

It was unlikely that an order would implement the provision that companies could appoint independent data protection supervisors. An order to do with exempting data concerning Crown appointments from subject access has already been proposed by the Home Office.

A further proposed order would designate certain media codes of practice for the Commissioner to take into account in assessing fair processing. Another one dealt with international co-operation by the Commissioner with her counterparts abroad, with the European Commission, and with Europol and other systems. There might be an order specifying conditions for processing with reference to general identifiers, such as the NHS (National Health Service) number.

TELECOMS REGULATIONS ENFORCED BY REGISTRAR

Finally, David Smith referred to the Telecommunications (Data Protection and Privacy) Regulations 1999. These came into effect on 1st May, and the Registrar had received a small amount of extra money to carry out her enforcement functions under them.

These regulations prohibit sending marketing faxes without consent. David Smith predicted that the Registrar's enforcement powers might have to be used in this area. The telecoms regulations also ban direct marketing phone calls to people who have registered an objection, and automated calls without consent.

Other legislation would soon clarify the position with regard to e-mail. The current regulations will soon be replaced by new regulations, which will also deal with calling line identification, the use of communications traffic and billing data, and directory information (see p.2).

This presentation at the Privacy Laws & Business 12th Annual International Conference was reported by Professor Charles D. Raab, Department of Politics, University of Edinburgh, 31 Buccleuch Place, Edinburgh EH8 9JT, Scotland. Tel: +44 (0)131 650 4243; Fax: +44 (0)131 650 6546; e-mail: c.d.raab@ed.ac.uk.

A set of conference papers is available from Privacy Laws & Business, Tel: +44 (0)181 423 1300.


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/31.html