Over the last couple of years most organisations have been preoccupied with one major issue: the Year 2000 and their IT systems. With so much emphasis placed on whether systems would operate and whether businesses would continue past December 1999, many organisations are not aware that a new piece of legislation has come into force, namely the Data Protection Act 1998.
The Y2K issues seem to have died down now, so this article aims to bring the issue of data protection to the front of your thinking. Most organisations are aware that legislation existed following the introduction of the 1984 Data Protection Act. The 1998 Act redefines some of the major principles from the 1984 Act and extends the responsibilities of organisations and the rights of individuals.
Holding data about individuals?
Then read on because this affects you.
The 1998 Act defines data as information which:
By protecting data we mean ensuring that personal data about an individual are processed in accordance with legal requirements in order to protect the rights of the individual. The 1984 and 1998 Acts define particular legal requirements that are to be adhered to.
For those of you who became experts in the 1984 Act, don't think that this Act is the same. There are new definitions for the terms data, personal data and processing which will have the effect of substantially broadening data protection regulation in the UK; personal data will include new types of data such as sounds and images.
Importantly, there is a definition of a relevant filing system (an expanded definition of personal data) to reflect the Directive's requirement that personal data held in structured manual files be brought within the data protection regulatory scheme.
There are also changes in the following significant areas:
The Act is applicable to every organisation that holds or processes data about any individual or organisation. There are broad exemptions for data held exclusively for journalistic, artistic or literary purposes.
The Act creates a category of Special Purposes covering journalism, artistic and literary purposes. Only in this respect have the remedies available to data subjects been reduced. The 1984 Act made no concessions to, or special provisions for, the media; by comparison, the 1998 Act makes substantial exemptions in favour of those who obtain information with a view to publication in circumstances which would have been prohibited for other data controllers as being either unfair or unlawful obtaining or processing of personal data.
The Data Protection Registrar becomes the Data Protection Commissioner, and has somewhat extended powers to regulate data controllers, the new name for data users.
Data Subjects are given strengthened remedies, including a new right to prevent processing likely to cause them damage or distress, and a right not to be subjected to wholly automated decision making.
Registration is now called notification, and the Commissioner is given power to require information to be provided by data controllers: lack of any such power under the 1984 Act has proved a constraint on the Registrar's ability to enforce its provisions.
Those who, as data users under the 1984 Act, control the contents and use of personal data will find that, as data controllers under the Act, they have obligations which broadly match their current obligations as data users, but with extensions to personal data recorded or intended to be recorded as part of a personal data filing system.
The European Community's Data Protection Directive, EC/95/46, defines data privacy within the context of data relating to identified persons and seeks to ensure that the same basic rules are obeyed throughout the Single Market comprising the European Union. The Directive has been adopted by all Member States at governmental level, and all Member States entered into a legal obligation to implement its requirements in law by 24th October 1998.
The objective of the Directive is to promote the development of the Information Society, with all its implications both business and social, within the context of a European view of data privacy. This will allow the Information Society to develop in Europe in a fashion that is acceptable, rather than allowing organisations to obtain a competitive edge in their businesses at the expense of the rights of particular groups of citizens.
The Data Protection Act 1998 is designed to implement the requirements of the Directive in UK law. The requirements of the Directive only apply within the legal competence of the European Union. The government decided to introduce primary legislation in order to avoid the possibility of having two different Data Protection regimes within the UK according to whether the processing were within or without the EU legal competence. It is open for all EU countries to introduce stricter requirements than the Directive but they cannot reduce the rights and requirements set in the Directive, except where specific exceptions are permitted. The definitions and requirements are set out in the Directive and they are not optional although the Directive provides a number of options that can be chosen by Member States.
In the event of a legal challenge, the requirements of the Directive would take precedence over UK law, if that law has not adequately implemented the requirements of the Directive.
The 1998 Act incorporates Eight Data Protection Principles, as before, but the details and interpretation are different. A new Principle 8 is concerned with transfers of personal data outside the European Economic Area, while the first three Principles of the 1984 Act have been condensed into two.
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
A - at least one of the conditions in Schedule 2 is met and
B - in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
In considering whether personal data are processed fairly, consideration must be given to the way in which they are obtained:
Where the data are provided by the data subject, the data controller must tell the data subject:
If the personal data contain an identifier (e.g. NI or NHS number), which relates to an individual and similar identifiers are in general use, then lawful processing must obey the conditions that have been laid down for such a general identifier.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
The purposes for which personal data are to be used can be specified in many ways. In particular, a notice to the data subject issued because of the first principle will satisfy the requirement. Equally, a notification to the Data Protection Commissioner will suffice.
Where the data are disclosed to a third party, the purposes for which that third party uses the data must also be considered.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Ensuring that the personal data are adequate is normally straightforward, but care should be taken with default settings. Although default settings can substantially simplify the processing of data, it is vital that those using the systems properly record the information that is obtained, without either making assumptions because the system requires a value or too rapidly accepting default values suggested by the system.
Maintaining relevance and avoiding the collection of excessive items of personal data is vital: collecting personal data merely because they might be useful would contravene this Data Protection Principle. For example, asking for both a daytime and an evening telephone number is clearly irrelevant and excessive where the only telephone contact will be during the day and no emergency action may be required. The uncontrolled use of free format fields completed by end users may breach this principle and is particularly dangerous.
Personal data shall be accurate and, where necessary, kept up to date.
Data are inaccurate if they are incorrect or misleading as to any matter of fact.
It is not always possible to have accurate and up to date data. However, data controllers must make reasonable efforts to ensure the accuracy of the data. Furthermore, they must take appropriate steps to ensure that their data are kept up to date where this is necessary for the notified purposes of the processing. If the data subject notifies the data controller of his or her view that the data are inaccurate, the data must either be corrected or be annotated to indicate the view of the data subject.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
This is a straightforward requirement. The collection and storing of data is within the definition of processing, so the data protection principles apply for as long as personal data are kept. By ceasing to keep personal data, data controllers remove these obligations.
Erasing and destroying data are also within the definition of processing, so the protection continues until the data are no longer kept by the data controller.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
The data subject has the following rights under the Act:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
When considering the level of security measures to be taken, the judgement must take into account the following:
The data controller must ensure the reliability of the staff that have access to personal data. Where the data controller uses an external organisation, called a data processor, to process personal data on its behalf, the seventh principle still applies. The data controller must use only those data processors that provide sufficient guarantees for the level of security of the data, and must take reasonable steps to ensure that the data processor complies with the security measures.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Act describes an adequate level of protection as one that is adequate in all the circumstances of the case and having regard to:
If you are already covered by an existing registration, you will probably not need to re-register (notify) until the existing data protection registration reaches the end of its normal life, which in most cases is three years from the date of registration. It is advisable, however, to clarify this and to check existing registrations.
If any of your systems are not covered by an existing registration, you may need to notify the Data Protection Commissioner. Registration is now called notification. All data controllers are required to notify their use of personal data unless such a use is granted an exemption.
Anyone not complying can be prosecuted under either Act of Parliament depending upon the date and decisions by the Secretary of State in respect of the implementation of the 1998 Act and the repeal of the 1984 Act.
The penalties for a breach of the law are generally sufficiently large that no organisation could expect to withstand wilful non-compliance. The Act imposes requirements on both companies and staff in their processing of Personal Data and individuals can be prosecuted for non-compliance.
Directors and managers of corporate bodies have specific liability in this context. Any challenge to an individual or company could lead to action by the Commissioner, which could put those individuals' or that company's activities at risk. The Commissioner has greater powers than the previous Registrar and will be able to obtain information from organisations through an Information Notice, which was not previously possible. Enforcement of the principles will be achieved by the Data Protection Commissioner issuing enforcement notices, a breach of which will be a criminal offence.
The data subject has a number of rights under the 1998 Data Protection Act, some of which did not exist under the previous legislation. The data subject now has the right:
You must tell the data subject when you collect the data from him/her:
If you don't have dealings with the data subjects directly, you should still attempt to get in touch with them and let them know.
You must be prepared to cease processing if the data subject has a valid reason to complain about what you are doing but, in any case, the data subject has an absolute right to demand that you cease processing for direct marketing purposes.
Except under limited circumstances, you should not rely entirely on automatic decisions affecting the data subject. If there are any such decisions, you must be prepared to explain the logic behind them. You should also be prepared to revise these decisions or to make them by some other means involving a human being.
Just as with the Y2K issue, the advice is: don't just sit back and think that you are not affected. The legislation applies to all organisations and individuals, whatever their structure and purpose. It covers the public and the private sector; businesses and not-for-profit organisations; limited companies, partnerships, unincorporated bodies, and the self-employed. The only exception is that it does not cover data held purely for domestic and personal purposes.