
Privacy Laws and Business International Report



Privacy news worldwide UK, Norway, New South Wales, Australia, Ireland, Germany, Hong Kong, US, Isle of Man, Netherlands, Denmark (also on pages 15 and 22) [1999] PLBIRp 49; (1999) 51 Privacy Laws and Business International Report 2

Privacy News

Six new UK Data Protection Draft Statutory Instruments

The United Kingdom's Home Office published, on 9th November, a further 6 draft instruments of the 19 that will form data protection secondary legislation. The six instruments are:

1. The Data Protection (Subject access modification) (Health) Order 1999, which establishes an exemption to subject access rights. Access can be refused if it would be likely to cause serious harm to the physical or mental condition of the individual or any other person.

2. The Data Protection (Processing of sensitive personal data) Order 1999. This order specifies the circumstances in which it is permitted to process sensitive data. These include the prevention or detection of any unlawful act, the provision of services such as confidential counselling and advice, certain insurance contexts and processing by the police.

3. The Data Protection (Corporate finance exemption) Order 1999, which means an exemption from the subject information provisions, i.e. permission not to disclose information for reasons of safeguarding an important economic or financial interest of the UK.

4. The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 1999. This order relates to the information requirements, i.e. providing the data subject information about the processing. Part 3 of Part II of Schedule 1 sets out the conditions in which the data controller does not have to fulfil the information requirement. This is the case when providing the information would require "disproportionate effort". The order prescribes the conditions when data processors can rely upon this provision.

5. The Data Protection Tribunal (Enforcement appeals) Rules 1999. The rules include the details on lodging appeals, Tribunal hearings etc.

6. The Consumer Credit (Credit reference agency) Regulations 1999. These regulations revoke the Consumer Credit regulations of 1977 and supplement sections 157-160 of the Consumer Credit Act 1974.

The drafts are available on the Home Office website at http://www.homeoffice.gov.uk. They will come into force, together with the Data Protection Act 1998, on 1st March 2000, apart from the Health Order, which will come into force on the date on which section 7 of the Act comes into force.

Norway to adopt a new law

Norway is in the process of replacing its 1978 Data Protection Act with a new law that will follow the provisions of the EU Data Protection Directive. A bill was published in June, and is expected to be discussed in Parliament next spring.

The new law will introduce a few significant changes. Data subjects will have a right to object to direct marketing. The use of social security numbers will be restricted. The requirement to apply for a license for the processing of personal data would apply only to sensitive data under the new law.

Norway is a member of the European Economic Area and will change its data protection law to facilitate international business.

The data protection law is enforced by Datatilsynet, which is an independent Data Protection Authority. Contact details: Datatilsynet, Postboks 8177 Dep 0034, Oslo 1, Norway. Tel: + 47 22 42 19 10, Fax: + 47 22 42 23 50, e-mail: postkasse@datatilsynet.no, Internet: www.datatilsynet.no

BSI guidance on UK Data Protection Act

The British Standards Institution (BSI) has published guidance on the UK Data Protection Act 1998. The guide, which will be updated from time to time, includes general advice about the new law. Produced in association with the Office of the Data Protection Registrar, the guide explains in plain English what the Act is all about, and is probably best suited for readers with little previous knowledge. Clear presentation and references to the old 1984 Act ensure that the reader gets a full picture of the basic data protection issues.

The practical approach with useful action points offers valuable assistance for organisations preparing for compliance. However, specific issues such as processing data within the health sector, media or credit reference agencies have not been included.

The Data Protection Registrar Elizabeth France has welcomed the guide. However, she has made clear that following the advice contained in the guide can be no guarantee of total compliance with the UK Data Protection Act 1998.

The Guide includes chapters on data protection principles, changes from the 1984 Act, transitional periods, exemptions, data quality, managing data protection operations, data subjects' rights, transborder data flows, preparing a data protection action plan, frequently asked questions, bibliography, useful addresses & websites. There is also a "sample" data protection policy and examples of possible data retention periods.

"Guide to the Practical Implementation of the Data Protection Act 1998" was written by Professor Charles Oppenheim and Dr J Eric Davies of Loughborough University. It is available from BSI, 389 Chiswick High Rd, London W4 4AL, Tel: +44 181 996 9000, Fax: +44 181 996 7448. Price: £20 (just the Guide), or £78.75 with the updates.

New South Wales publishes Annual Report

The Australian state of New South Wales has published its Annual Report for 1997-98. The Privacy Committee received 2,000 telephone complaints and inquiries during the year. In addition, 178 formal written complaints were received.

The report includes interesting examples of cases handled. One of them deals with employee data: "The complainant worked for a volunteer organisation which provided support for individuals appearing in court. He alleged that the organisation has recently asked volunteers to wear identification badges bearing their surname, sex, height, hair and eye colour, date of birth and signature. The previous identification badges bore only the volunteer's first name and the name of the organisation.

The Committee asked the organisation why each additional personal detail was required for inclusion on the badges. In reply the organisation stated that the new badges were introduced for uniformity and to allow for identification of current volunteers. The organisation agreed to waive the additional requirements for new volunteers and gave an undertaking that steps were being taken to remove signatures from existing cards."

Contact details: The Privacy Committee of New South Wales, GPO Box 6, Sydney NSW 2001, Australia. Tel: + 61 2 9228 8199, Fax: + 61 2 9228 88187

Australia likely to adopt private sector law soon

Australia is currently preparing a data protection law for the private sector. The Government's intention is to adopt "light touch regulation" based on creating enforceable industry codes (PL&B Feb '99 p.12-13).

The current thinking is outlined in an information paper, published in September. The Government proposes that privacy codes could be developed by members of an industry body, a specific industry sector, or interested organisations or individuals wanting a code to cover a type of activity, such as direct marketing, or a type of information (such as health data). The codes, which should be consistent with the national privacy principles, would override legislative provisions. The Privacy Commissioner would have the responsibility to approve codes.

A bill is expected to be introduced in Parliament by the end of 1999.

Ireland to publish a bill soon

Work on the new Irish data protection law is very far advanced, and a bill is expected to be published before the end of the year. Few changes are predicted as the bill proceeds through its committee stages, and the intention is that in substance, the Act will follow the Directive in most respects. Unlike the UK, the Irish bill will amend and not repeal the previous legislation of 1988, and it is likely that the changes will be in emphasis rather than structure. The new Act may be passed by April next year.

German data protection bill a threat to direct marketers

The German Direct Marketing Association criticises the new data protection bill, which restricts direct marketing. Parliamentary work is now to begin on the bill, published on 6th July. Direct marketers are concerned by the proposed provisions, the requirements of which go beyond the EU Data Protection Directive in terms of protecting personal data within direct marketing.

According to Datenschutz-Berater, a German data protection journal, a particular problem for direct marketers is the obligation to inform the recipients of direct mail about the source of their address for the purpose of direct marketing. Another problem is that according to German law, a consent is valid only if confirmed with a signature. The EU Data Protection Directive has no such requirement. The German Direct Marketing Association is demanding that the new law follows the Directive in this respect.

Contact details for Datenschutz-Berater are: Augustinusstrasse 11 B, D-40002 Düsseldorf, Germany, Tel: + 49 211 8870.

Hong Kong drafting code of practice on employment data

The Hong Kong Privacy Commissioner is seeking comments by the end of December on the Draft Code of Practice on Human Resources Management. The code addresses the question of processing personal data on current and former employees, as well as contractors. The full text is available on http://www.pco.org.hk.

Berlin adopts freedom of information law

The German state of Berlin adopted, in September, a Freedom of Information Act. The law, which is enforced by the Data Protection Commissioner, enables Berliners to access public sector documents. The Berlin Data Protection Commissioner, Dr Hansjürgen Garstka, has welcomed the new law and encouraged a similar law to be adopted at federal level.

For more information (in German), see http://www.datenschutz-berlin.de/aktuelle/presse99/presse12.htm

US considers national health privacy standards

The Clinton administration has proposed measures to protect computerised health data. The proposed rule would prohibit disclosing identifiable health information, except when patients have given their consent, or the disclosure is explicitly permitted. Health data could be used without consent, for example, for the purposes of research, public health and quality assurance.

The amount of information allowed to be disclosed would be the absolute minimum required for the purpose in question. Health care providers would also have to inform people of how their information is used, and allow access. In addition, individuals would have the right to request amendments or correction of their data.

Health care providers would be required to appoint a privacy official within their organisations to ensure that the administration respects these rights, and would also have to provide privacy training to members of staff. Paper records would not fall within the scope of the standards.

The question of enforcement is mainly left open. However, fines are proposed for non-compliance: there would be certain criminal penalties and civil monetary penalties up to $25,000.

The proposed rule, drafted by the US Department of Health and Human Services (HHS), was published on 29th October. It fulfils the requirement of section 264 of the Health Insurance Portability and Accountability Act of 1996 to have regulations in place in 1999. The statutory deadline for Congress to enact legislation was 21st August. As the Congress missed the deadline, the HHS has now developed this rule, which is currently available for public comment until the end of December.

President Clinton is determined to improve the system of handling health information. "Every American has a right to know that his or her medical records are protected at all times from falling into the wrong hands," he said at a press conference.

The draft rule is available on the Internet at http://aspe.hhs.gov/admnsimp/pvcsumm.htm.

UK scrutinises the Freedom of Information Bill

The Select Committee on Public Administration published, on 11th November, a short response to the Government's reply to its report. The Committee points out that the Government is still not proposing to give the Information Commissioner the power to overrule an authority's decision not to disclose information. The Committee also regrets that the exemptions in the Bill remain too broad; in particular that for information relating to decision-making and policy formulation, and that relating to commercial interests.

The report, which is the House of Commons Paper 925, is available from the Stationery Office, Tel: + 44 171 873 0011, Fax: + 44 171 873 8200. The report is also available on the Internet at http://www.parliament.uk/commons/selcom/pubahome.htm.

UK credit card company promises safe e-commerce

A new UK credit card guarantees the safety of purchases on the Internet. The company behind the new card, called Marbles, is HFC Bank plc. It promises to cover any financial losses should someone manage to use a cardholder's account details fraudulently over the Internet. The company uses 128-bit encryption technology.

For more details, see http://www.getmarbles.co.uk

Lunn Poly fined £1,000

A recent prosecution in the Isle of Man under the Data Protection Act resulted in a fine of £1,000 for the travel company Lunn Poly. After registering their use of data in the UK, they had allowed their registration to lapse in the Isle of Man, resulting, after several warnings, in a prosecution.

The fine represented a huge increase from fines in previous cases. The High Bailiff wanted to set an example to other companies of the scale of penalties, either for non-registration under the separate jurisdiction of the Isle of Man, or for neglecting to renew lapsed registrations. There have been seven court cases so far this year, because, despite a publicity campaign, many large companies are still unregistered. The maximum fine is £5,000.

New report on biometrics

The Netherlands' Data Protection Authority published, in September, a report that reviews the technologies available for biometric identification. The report also offers guidance on how these technologies can be applied in a way that does not infringe individuals' privacy.

Biometric identification uses characteristics such as fingerprints, voice, signature and iris patterns. The authors predict that in the coming years, biometric identification will be commonly used for authentication to control access, for example to cash machines. The report also addresses the question of legal aspects. The authors conclude that processing of biometric data falls under the concept of processing of personal data, and should, therefore, follow the provisions of the EU Data Protection Directive.

The authors make several recommendations on how best to avoid privacy risks when using biometric technologies, for example, encryption of databases where personal data is being stored. System designers and developers should create products that use privacy enhancing technologies. It is important to create privacy-friendly methods so that the general public will accept the use of biometrics in the future.

A summary of the report, "At Face Value - Biometrical Identification and Privacy," is available on the Internet at http://www.registratiekamer.nl. The full report is available from bookshops, ISBN: 90 74087 175. The authors of the report are: Dr R. Hes, Mr. Drs T.F.M. Hooghiemstra, Drs J.J. Borking.

Information society poses new legal policy questions

The legal information society requires lawyers to be proactive in ensuring that technological developments are in line with basic legal and democratic values. Professor Peter Blume of the University of Copenhagen studies these issues in a booklet entitled Legal Issues at the Dawn of the Millennium. The author discusses legal tendencies in the information society, and privacy protection from a Danish perspective. The booklet includes remarks about the forthcoming Danish Data Protection Act.

The booklet is published (in English) by Djof Publishing Copenhagen. ISBN: 87-574-7310-2.


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/49.html