Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

New UK Act now in force [2000] PLBIRp 15; (2000) 53 Privacy Laws and Business International Report 12

New UK Act now in force

THE UNITED KINGDOM'S Data Protection Act 1998 entered into force on 1st March. The Act has been supplemented by secondary legislation, which provides further provisions including those on notification, exemptions to subject access and processing of sensitive data.

The 1998 Act, which implements the EU Data Protection Directive, replaces the 1984 Data Protection Act. While transitional period applies to existing processing, organisations with new processing operations will have to comply with the more stringent rules immediately.

The new Act includes many familiar elements from the 1984 Act, but there are also many changes. For example, the new Act extends the scope of the law to manual records. However, not all paper files are included, and this has caused some concern, as the guidance on which records fall within the legislation is still vague. Another important change introduced by the new law is the prohibition on the transfer of personal data to countries outside the EEA that do not provide adequate protection (on the US situation, see p. 14-16).

Further significant differences between the old and the new Act include the right to prevent processing for the purposes of direct marketing, and conditions that have to be fulfilled before processing sensitive data. The notification regime has also changed, and many organisations are now exempt from notifying their data processing to the Data Protection Commissioner (PL&B Feb 2000 p.6-7).

In the near future, organisations will have to take into account other laws, too. The Freedom of Information Bill is currently being debated in Parliament, and the Human Rights Act will enter into force in October this year.

SECONDARY LEGISLATION

The secondary legislation, adopted in February, came into force on 1st March together with the new Act. There are 17 statutory instruments. Some of them, however, deal with matters to do with the Commissioner or the Tribunal, and do not, therefore, affect organisations' day-to-day data processing.

The secondary legislation that needs to be taken into account by most data controllers prescribes the detail of the notification regime, exemptions to the general right of subject access, and processing of sensitive data. There is also an order prescribing five media codes of practice, and an order that sets out further conditions under which the requirement to provide information about processing to the data subject does not need to be fulfilled.

The subject access orders provide exemptions to subject access rights with regard to health data, social work and education records. One of the orders deals with the financial interest of the country. Data that may jeopardise the UK's economic or financial interests cannot be provided as a response to a subject access request.

The conditions allowing the processing of sensitive data have been widened by the secondary legislation. For example, in the insurance sector, it may be possible to obtain consent for a group of people, without having to seek consent from each individual, by relying on the ordinary law on agencies. The Government has provided an example of booking a group holiday. In this case, the person who makes the booking on behalf on the group acts as an agent, and may consent for the other persons.

THE NEXT STEPS

The 1998 Act provides transitional provisions, but any processing that was not already under way before 24th October 1998 must now comply with the new Act. Processing that was under way before the 1998 deadline must comply by 23rd October 2001.

Manual data benefits from a longer transitional period. While some aspects of the Act have to be complied with by 2001, there is a further exemption until 23rd October 2007 from the first five data protection principles. However, subject access rights to manual data apply from 2001.

Organisations need to note that the transitional relief for automated processing already under way may be lost if the processing changes. The Data Protection Commissioner's Office advises that if a change in processing does not produce a new result in terms of data controller's overall processing operations, it is likely to remain "processing under way." Changes such as amending or adding names is unlikely to affect the status of data processing.

A new aspect for all data controllers is the new notification regime. A wide range of organisations will benefit from the exemptions. The Commissioner has published guidance on assessing whether an organisation is exempt from notification (see http://www. dpr.gov.uk).

Those who need to notify can now do it electronically. Online notification was introduced at the beginning of March.

VOLUNTARY PRIVACY LOGO LAUNCHED

The new Data Protection Act also applies to processing on the Internet, if personal data are gathered. In order to make it easier for consumers to identify, both off-line and online, how their information will be used, the Privacy Commissioner has developed a privacy logo. The signposting logo, launched on 30th March, is called the Information Padlock. It warns consumers when their personal details are being requested by companies, and must be accompanied by an explanation as to why the information is collected, and what it will be used for. The use of the logo is voluntary.

The idea for the logo came from the National Consumer Council (NCC), which was worried that consumers are unsure of how their information is used by companies.

NCC's Director Anna Bradley said at the launch of the logo: "We are delighted to work with the Data Protection Commissioner on this important measure. A company that uses the Padlock will show consumers that it can be trusted, and this should give it a competitive edge. We are also pressing for businesses to build on this initiative and be crystal clear about what consumers are consenting to when they give personal data."

The Data Protection Commissioner, Elizabeth France said: "This is another important step towards ensuring people have the information they need about how their personal information is being processed by both the private and public sector."

Both organisations recommend that data controllers use the padlock at any point where information is requested, such as an advertising coupon, application form or Internet site. Posters and leaflets explaining how to use the sign are available from the Commissioner's Office. These, together with an electronic copy of the padlock can also be downloaded from her website (http://www. dataprotection.gov.uk).

For more information about the Data Protection Act 1998, contact

Privacy Laws & Business

Tel: + 44 (0)20 8423 1300

Fax: + 44 (0)20 8 423 4536

e-mail: info@privacylaws.co.uk

www.privacylaws.com

or visit the Data Protection Commissioner’s website at

http://dataprotection.gov.uk