M'Learned Web - Technology and Law in the UK

Robin Bynoe is a senior partner at the London law firm Charles Russell. He specialises in Internet law and continues his monthly column with a second look at the Data Protection Act, which was recently updated.

How to make a nuisance of yourself under the Data Protection Act

The Acts, 1984 and 1998, derive from a concern to protect the privacy of individuals. They impose rules on companies which keep data on people. The office of the Data Protection Commissioner attempts to enforce the rules as part of its general supervisory role. But there are also self-help provisions, and this month I will look at them.

As an individual on whom data is held, you have four separate rights:

1. access

2. correction

3. compensation

4. complaint

The access right entitles you to a copy of the personal data held on you by someone. Until the 1998 Act came into force, this right, like the other three, was not available if the person holding the data should have registered under the Act, but hadn't. That loophole has now been filled.

There are some general exceptions, most importantly for medical, social security, police and tax records. Not everything the police or Inland Revenue have on file about you is quarantined; it has to be germane to an issue involving actual liability for a crime or to tax, but a good working assumption is that you will not find out anything useful from these sources.

There is a provision to stop you finding out your exam results before anyone else does, and legally privileged information is protected, as are journalists' workings.

Assuming that none of the exceptions apply, you write to the people holding the data at the address given in their registration entry. That information is publicly available and can be obtained by telephoning the Registry. Sometimes they will ask that you apply using a form of their own, but that is not compulsory. They are entitled to charge a fee of not more than £10 (which includes VAT). (Banks, when asked to provide duplicate statements, often try to charge you rather more than this, but that is all they are entitled to.)

The data holder is entitled to some assurance that you are really you and not someone using your name to find out information about you. Indeed there is an obligation not to release information to people who are not entitled to it. The more sensitive the information, the more in the way of driving licences and affidavits is likely to be required of you.

In many cases the most significant limitation will be where records involve more than one individual. You are entitled to the stuff about yourself, but if it involves someone else too, they are entitled not to have the stuff about themselves released to you. Your personnel records mention your liaison with Mr. or Ms X. X is entitled not to be named in the copy given to you. If it's obvious who they are even if disguised by being called X (or Y, if X is actually their name) the employer may have no alternative but to keep the whole record secret. There is no answer to this. Having done this, you are entitled to a copy of the data held on you, to be sent within forty days, and, if the original is coded in any way, in a comprehensible form.

And if it's wrong, the right of correction entitles you to get the data holder to put it right.

You may be entitled to compensation if the data holder has breached any of the Act's Principles in a way that affects you. For example, by holding or disseminating false information without excuse, or providing the information to someone who should not have it. Your loss has to be monetary (as opposed to emotional) if you are to succeed in a claim for compensation, but if you do have a monetary loss which has caused you distress as well, you may get more.

And finally, you can complain to the Registry and ask them to take action directly. That means , in practice, persuasion, but in the last resort there are powers of criminal prosecution.

Enough on data protection. Next time, drugs and the Internet.