The Data Protection Act 1998
The main thing about the Data Protection Act 1998 is not so much the new material in it as the fact that it underlines the obligations in its predecessor, the 1984 Act, which have been extensively ignored. Nevertheless, there are important innovations. Here are three of them that matter most to the data user, as opposed to the individuals whose data is being used.
Under the 1984 Act only data stored on a computer was relevant. Well-advised companies would keep, manually, information they didn't want to have to disclose to the person concerned. The new Act attempts to fill the loophole and the rules now apply to a manual filing system in just the same way as a computer database.
The filing system, to count, has to be structured, and a loose-leaf file is not a 'system'. Lawyers, who like this sort of thing, are debating whether a file which is not a 'system' becomes one if you put file-divider cards in. What matters practically is that companies should expect to have to disclose information held manually, and should therefore no longer quarantine sensitive information in paper files. Existing manual systems, not just new ones, will be covered, and companies may want to weed their files (bearing in mind that the destruction of data is itself an act which has to be carried out fairly and in accordance with the Data Protection Principles set out in the Act).
Under the new Act data cannot automatically be transferred to another country which does not have 'adequate' data protection laws. The EEA (the European Union plus Norway, Liechtenstein and Iceland) is adequate, because the countries in it all have similar statutes. However, nowhere else can be assumed to be adequate, including the United States. Multinationals used to transferring information around the group, and perhaps processing data from around the world centrally, will need to reconsider their practices. The Act suggests one solution. Where data is to be transferred abroad, the transfer should be made under a contract between the British company sending the data and the foreign company receiving it. The contract would supply the obligations the foreign legislature had failed to enact. Groups such as the CBI have worked on standard wording, but this has stalled; certainly more discussion will be required before an acceptable consensus emerges.
One of the guiding principles is that individuals can consent to any use of information about them but they must know what they are consenting to. Some uses are so specific and so obvious that consent goes without saying. If you give your details to a travel agent to buy a ticket, you consent to its use for that specific purpose. The problem comes when information given for one purpose is then used for another: the travel agent sells your details to an insurance company. Under the old Act the practice grew up of asking individuals to tick a box if they did not want their details to be sent to all and sundry for targeted mailings. The new Act has things to say about consent: where the information is sensitive, the consent must be given positively and the proposed use of the information must be explained. Any use that strays beyond that will be a breach. Even with less sensitive information, it will be a breach to use it in ways that the individual would not have expected.
Next month I will say something about the rights of individuals under the new regime.