Consumers gain new rights over data

For the first time in the UK, consumers now have legal redress against companies who flout data protection laws

British consumers have been granted new data protection rights today (Wednesday), which will allow them to access any personal information held about themselves by companies.

The first transitional deadline for compliance to the Data Protection Act 1998 expires on 24 October, 2001, and UK companies will be required to comply with new data processing principles that place the balance of rights back in the hands of the consumer. Companies found to be in breach of the Act could face an unlimited fine in a Crown Court.

Individuals will be able to demand access to any personal data that is held on them by a company in the UK -- whether electronically or on paper -- for a maximum fee of £10. Manual records were not covered by the old rules. Access to medical records will now be slightly more costly, amounting to a maximum charge of £50 for a mixture of manual and computerised records. Companies will also be obliged to provide more information about their purposes for processing personal data on request, and must also reveal the source of their data. Consumers who are refused access to their records are now entitled, for the first time in the UK, to take the case before a magistrate court.

"There will be substantial compensation available for financial loss which has caused harm or distress through the processing of personal information in breach of the provisions of the Act," said Dave Clancy, strategic policy officer to the Information Commissioner (formerly the Data Protection Commissioner).

The Act defines personal data as "data which relates to a living individual who can be identified" by that data. The principles offered by the Information Commissioner advise that "data controllers should consider whether or not and, if so, the extent to which, a decision not to treat the information as being covered by the Act will prejudice the individual concerned."

There are eight data protection principles in the Act. The Information Commissioner has the power to issue an enforcement notice to any organisation found to be in breach of any of the principles, which could result in a £5,000 fine in Magistrates Court, or an unlimited fine in a Crown Court. Depending on the nature of the breach, the Commissioner may decide to offer educational advice instead.

"We are not looking to make examples of companies at the moment -- action is ongoing, irrespective of date," said Clancy. "It is business as normal, we are not going to get out the big stick."

Companies set up after 24 October 1998 did not have the benefit of the first transitional period, and should already be compliant with the eight data protection principles. "These companies have been informed of their obligations by a number of bodies, and so have no excuse for being in breach of data protection principles," said Clancy.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forum.

Let the editors know what you think in the Mailroom. And read other letters.