The Data Protection Act 1998 - questions and answers

What type of information does the entry include? 

The entry states the purposes for which you process data. These might include personnel/employee administration, marketing and selling, work planning and management and customer/client administration. You require to give details about whom you hold personal data, e.g. employees, what type of information is held, where you intend to get the information from and who you intend to disclose it to.

How much does it cost? 

Registration under the 1984 Act costs £75 for three years. This may change under the 1998 Act as notification is likely to be for one year periods and the fees have yet to be announced.

What are the data protection principles? 

There are eight data protection principles which data controllers have to observe. These are: Personal data must be produced fairly and lawfully. Personal data must be obtained only for one or more specified and lawful purposes and not further processed in any manner incompatible with that purpose or those purposes. Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Personal data must be accurate and where necessary kept up to date. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Personal data must be processed in accordance with the rights of data subjects under the 1998 Act. Appropriate security measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What are the conditions for processing? 

Under the 1984 Act so long as you registered the purposes for which you wanted to process data with the Commissioner you could go ahead and carry out your processing. The position has changed under the 1998 Act which provides that notwithstanding that you have registered your purposes you have to meet one of the conditions for processing set out in the 1998 Act before you can carry out the processing. This applies to all processing except where you can rely on an exemption. Some examples of the conditions for processing are: the individual has consented to the processing; or the processing is necessary for the performance of a contract to which the individual is a party; or it is necessary in order to protect the vital interests of the individual; or the processing is necessary for the exercise of a function conferred by legislation. Remember you have to meet one of the conditions for processing before you can carry out the processing.

What is sensitive personal data? 

The 1998 Act introduces a special category of personal data called sensitive personal data. Sensitive personal data is personal data consisting of information regarding: the racial or ethnic origin of an individual; his political opinions; religious beliefs; trade union membership; physical or mental health; sex life; commission of offences; or court proceedings regarding offences. Where a data controller wishes to process sensitive personal data not only does one of the conditions for processing ordinary personal data require to be met but at least one of the additional conditions for processing sensitive personal data must also be met. The additional conditions include that: the individual has given his explicit consent to the processing; or the processing is necessary for the purposes of exercising or performing any right or obligation imposed by law on the data controller in connection with employment; or the information contained in the personal data has been made public as a result of steps taken by the individual. Remember that only one of the additional conditions must be met. If none of these additional conditions can be met then the processing of sensitive personal data is unlawful. The full list of conditions for processing sensitive personal data can be found in Schedule 3 of the 1998 Act. This is a major departure from the 1984 Act and the onus is on each data controller to make sure that the processing is legitimate. If not, the Commissioner may take enforcement action.

What amounts to consent? 

If the individual gives consent to the processing then the processing may be carried out. Unfortunately 'consent' is not defined in the Act. The Commissioner has issued guidelines which state that consent must be assessed in light of the facts. Data controllers have to remember that even though consent has been given in relation to particular processing an individual may later withdraw that consent. Data controllers must take great care to ensure that where they are relying on consent as a basis for processing that this consent is unambiguous.

What is fair processing? 

The first data protection principle requires data controllers to ensure that processing is fair. The 1998 Act gives some guidance on what amounts to fair processing. Where information is obtained from the individual himself the data controller is required to supply certain information to the individual including: who the data controller is; and the purposes for which the data controller intends to process the data. If information is obtained from a third party about an individual, the individual is still entitled to be provided with the information noted above. The provision of information to all individuals about whom a data controller intends to process information does have cost and management time implications for every business. There are some exceptions available to data controllers where information is obtained from a third party. These include an exception where providing the information to the individual would involve 'a disproportionate effort'. Again this term is not defined in the 1998 Act and is question of fact in each case. The Commissioner has stated that she will take into account a number of factors including how much it would cost the data controller to provide the information weighed against the benefits to the data controller of processing the information.

What type of manual information is caught by the 1998 Act? 

Manual information which is held in a 'relevant filing system' is caught by the 1998 Act. A relevant filing system is defined as any set of information relating to individuals which, although not processed automatically, is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. The critical point relating to relevant filing systems is the structure of the information within a filing system rather than the nature of the information itself. If specific information relating to a particular individual is readily accessible then the manual information will be caught. There is some confusion over what a relevant filing system actually is however the government believes that the wording covers highly structured systems including card index systems but would not include a ring binder full of information about an employee if specific information about that employee could not be readily accessed. Companies need to have a look at how they hold manual information to see whether this could fall within the definition of a relevant filing system. It should also be remembered that individuals will have the right to see manual data held in a relevant filing system by making a subject access request and companies need to think about setting up procedures to give individuals subject access to manual files. There are transitional provisions under the 1998 Act which mean that not all existing manual files will be caught by the 1998 Act from day one. These provisions will be introduced over time and companies should use that time to think about their procedures. Individuals will have the right to request access to new manual files created after 24th October 1998 at once.

What rights do individuals have? 

Individuals are given various rights by the 1998 Act in respect of personal data held about them by others. These are: the right to have access to the information (this is known as subject access); the right to prevent processing likely to cause damage or distress; the right to prevent processing for the purposes of direct marketing; rights in relation to automated decision taking; rights to take action for compensation; the right to take action to rectify, block, erase or destroy inaccurate data; and the right to ask the Commissioner to make an assessment as to whether any provision of the 1998 Act has been contravened.

How do I make a request to see the information? 

An individual is required to make a request to see the information in writing and to pay a fee to the data controller. This fee is currently a maximum of £10 and this is likely to stay the same under the 1998 Act. Following the request, the individual must be told by the data controller whether the data controller is processing personal data and if so to be given a description of the data, the purposes for which they are being processed and a description of those to whom data may be disclosed. If the information is encoded in some way then the individual is entitled to be given an explanation of the information. Particular rules apply where the data controller finds itself in the situation that it cannot comply with the subject access request without disclosing information relating to an individual who is not the data subject but who can be identified from that information.

What happens if a data controller does not comply with the Act? 

The Act sets out various offences including: processing personal data without notification (i.e. being registered); failure to notify the Commissioner of any changes to a register entry; failure to comply with an enforcement notice or other notice issued by the Commissioner. There are also offences in relation to unlawful obtaining and sale of personal data. Under the 1998 Act it will also become illegal for a person to require another person or a third party to supply a copy of that other person's records. Often prospective employers would require a prospective employee to provide a copy of the prospective employee's police record as a condition of obtaining employment. Subject to some exemptions, the prospective employer can no longer force the individual to provide a copy of that record. Companies should note that directors and other officers of the company may have personal liability for offences under the 1998 Act.

Are there any exemptions? 

Yes, there are a number of exemptions from various provisions of the 1998 Act . These include exemptions relating to national security, crime and taxation and health education and social work. New exemptions are introduced relating to confidential references given by the data controller and confidentiality of personal data processed for the purposes of management forecasts or planning. There are also exemptions in relation to processing of payrolls and accounts, unincorporated members clubs and mailing lists.

What powers does the Commissioner have? 

The Commissioner has similar powers of enforcement to those already existing under the 1984 Act. It is thought that however as the notification or registration procedure becomes more streamlined this will free up time within the Commissioner's office to concentrate on enforcement. The Commissioner may serve an enforcement notice requiring a data controller to take or stop taking specified steps or to refrain from processing personal data in a specified manner. Data controllers will also be required to comply with information notices issued by the Commissioner requesting the data controller to provide certain details in order that the Commissioner can assess whether the provisions of the 1998 Act are being complied with. The Commissioner also has powers of entry and search of premises where it is suspected that an offence has been or is being committed under the 1998 Act.

OK, we've got the general idea - but let's look at some specifics. Let's say I'm a small shopkeeper with a list of its customers' names addresses and accounts on a computer - will I have to Register and / or to keep the computer in a locked room? 

Yes, the shopkeeper will have to register if any of the customers are individuals. The list of names and addresses constitutes personal data. In terms of the 1998 Act it is likely that the shopkeeper would require to register even if he did not keep the information on a computer as, unless all the information were stored randomly in a shoe box, it would form part of a relevant filing system. The way in which the shopkeeper will require to control access to the information will depend on its nature. If all that is stored is names, addresses and account details, it may be sufficient that the computer is kept securely in the premises and that they are lockfast. Where, however, the data were held by a newsagent or milk roundsman and indicated when his customers were to be on holiday, a greater degree of security might be necessary. In any event, the shopkeeper would require to ensure that such of his staff as had access to the data understood the necessity of retaining its confidentiality. It may be that such data should be kept in a file to which a password, known only to selected trustworthy members of staff, was applied.

Now, I work for a very large company. Who is legally liable for any infringement of the Data Protection Principles or the Act? 

If the organisation commits an offence in terms of the Act - the processing of Data other than in accordance with the organisation's registration - or in contravention of one of the Data Protection Principles, and, having been served with an enforcement notice, an information notice, or a special information notice by the Data Protection Commissioner, fails to comply with such a notice, an offence will be committed in terms of the Act. Where the offence is committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any officer, he as well as the body corporate shall be guilty of the offence and liable to be proceeded against and punished accordingly. If you are the person (of suitably senior status) responsible for data processing and protection within your organisation you may be personally liable. You should ensure that your organisation's systems ensure that any notices from the Data Protection Commissioner are received by you and not some other part of the organisation.

My organisation does not use databases but I keep copies of all my correspondence on my computer. This includes the names and addresses of all my staff and my customers. Am I subject to the Act? 

Probably yes. It would appear that the information which you are holding falls within the definition of Personal Data in the Act and that, in that you will be able to search for correspondence relating to a specific individual, you will be 'processing' the Personal Data. However, it appears that such a use of the Personal Data may be authorised by either Paragraph 4 ('The processing is necessary in order to protect the vital interests of the Data Subject') or paragraph 6(1) ('The processing is necessary for the purposes of legitimate interests pursued by the Data Controller...'). Care should be taken to ensure that the use does not extend to the point at which the data is being used as a quasi-database in which case registration under the Act will be essential. The safe course, for commercial organisations must be to register under the Act.

My company is a multi-national, with branches throughout the world. Data is collected and sorted in each of our regional branch offices before being sent to Head Office for central storage and evaluation before being the subject of co-ordinated international marketing efforts. In addition the Head Office collects, processes, collates and evaluates the time records of all our employees. What will be the effect of the new Act? 

You may have severe problems under the 1998 Act. The Eighth Data Protection Principle prohibits the transfer of personal data outwith the EEA unless the recipient country ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data. This assumes that all EEA States will have implemented Directive 95/46 as this provision is drawn from Article 25(1). There is no objective test of adequacy given in either the Directive nor the Act; the level of adequacy has to be determined subjectively as 'one which is adequate in all the circumstances of the case having regard...' to factors similar to the other Data Protection Principles. The adequacy test applied to the recipient country or territory is likely to be the same (or higher) than that imposed by the Act. Where it appears to a Member State that a particular country does not afford an adequate level of protection and the European Commission confirms this, Member States will be required to prohibit the transfer of data to that country.

Conclusion 

The 1998 Act, although built around the provisions of the 1984 Act, constitutes a major departure in some areas. Companies require to look at how they hold and process data and will in particular have to consider how they intend to meet the new conditions for processing of data discussed above. In addition procedures will require to be put in place to deal with subject access requests which, in time, will also apply to manual as well as computerised data. The Act's provisions regarding the prohibition of the transfer of data to countries which do not have an adequate level of protection will have a significant on companies which process or transfer data overseas or which have overseas customers or branches. Much of the Act's terms will require to be fleshed out in subordinate legislation and guidance. Further information can be obtained on the Commissioner's web site at .

The information contained in this guide is intended to provide a brief overview of the main provisions of the new law. It is of the nature of general comment only and neither purports nor is intended to be advice on any particular matter. Readers should not act on the basis of any of the information contained here without taking appropriate legal advice on their own particular circumstances.