What Rights Do I Have To Get Access To Data Held About Me, Including Personnel Records?

There are a number of exemptions to the right of subject access. In particular, where subject access would disclose information about an identifiable third party, or the fact that they are the source of personal information on the file, the data controller is not obliged to grant a subject access request unless the third party has consented to disclosure of the information; or it is reasonable in all the circumstances to comply with the request without their consent. Tests for determining reasonableness are set out in the Act. Additionally, there are exemptions in cases where subject access would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. There are also exemptions for confidential references given by the data controller and for certain health, education and social work records.

This is quite a complex area. More detailed advice can be obtained by contacting the Inforamtion Commissioner, Mrs Elizabeth France, who is responsible for administering and enforcing the Data Protection Act. Her address is: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. The telephone number is: 01625 545745.

What is the Government doing to protect my personal data from inappropriate disclosure to third parties or other misuse?

The Data Protection Act 1998 (the full text is available on the Stationery Office website) came into force on 1 March 2000. It gives effect in UK law to the 1995 EC Data Protection Directive. The Act strengthens and extends the data protection regime created by the Data Protection Act 1984, which it replaces. It provides the statutory framework for the use of computerised information and some manual records about living, identifiable individuals in the United Kingdom. The Act does not prohibit disclosures of such information to third parties, but it regulates the circumstances in which they can be made.

Under the Act, an organisation wishing to hold personal information on computer must, with some exceptions, notify key details about its processing to the Information Commissioner, who makes these publicly available in a register. Among other things, the notification must contain descriptions of the personal data being processed; the purposes for which they are being processed; and the recipients to whom they may be disclosed. It is an offence to process personal data without notifying, unless the particular data are exempt from the notification requirement.

Data controllers must also comply with the Act's data protection principles (a form of statutory code of good data handling practice). The principles require personal data to be:

* processed fairly and lawfully;

* processed only for limited purposes;

* adequate, relevant and not excessive;

* accurate;

* not kept longer than necessary

* processed in accordance with individuals' rights

* kept secure; and

* not transferred to non-EEA countries without adequate protection.

If the Commissioner is satisfied that a data controller has broken or is breaking one or more of the principles, it is open to her to serve an enforcement notice requiring compliance. Failure to comply with such a notice can be a criminal offence.

There are exemptions from some of the Act's provisions (which would otherwise prevent disclosure) for disclosures made in certain very limited circumstances, for example where the disclosure is for the purposes of preventing or detecting crime and where failure to disclose would be likely to prejudice those purposes; or where disclosure is required by or under any enactment, by any rule of law or by order of a court.

The Act lays down conditions which must be satisfied before personal data can be processed, with additional conditions for sensitive data (which includes data about ethnic origin, political opinions, trade union membership and health). It also strengthens the rights individuals had under the 1984 Act and creates some new ones (for example there are new express rights to be told who is processing your data and why, and to prevent your data being used for direct marketing.)

The Information Commissioner, Mrs Elizabeth France, is responsible for administering and enforcing the Act. Further information about the Act is available from her office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. The telephone number is 01625-545745.