M'Learned Web - Technology & Law in the UK

Robin Bynoe is a senior partner at the London law firm Charles Russell. He specialises in Internet law and begins his monthly column with a look at the Data Protection Act, which was recently updated.
Written by Robin Bynoe, Contributor

The Data Protection Act 1998

In 1984, they hardly had PCs. They hardly had direct marketing. Information about individuals was held on mainframes so it wasn't very sophisticated. Information an individual might worry about was mainly on police, social security or doctor's computers.

The UK Government passed the Data Protection Act 1984. The name is misleading of course because if anything was to be protected it was the people, not the data. They passed the Act, not out of any particular concern about individuals' rights (earlier initiatives had been shelved) but because they had to - Brussels said so. They did the minimum they could get away with. Strangely, the only interesting data, that on police computers etc, was largely excluded.

So, a structure was established. If you held data about individuals you were required to register with the newly-appointed Data Protection Registrar. You filed a form recording where you got the data from and what you did with it - in particular who you provided it to. Once registered, you had to comply with eight Principles. These established, in rather hazy Euro-language, ground rules about fair use. On paper, the most radical bit was that which allowed individuals to inspect what was recorded against their names and to correct it if it was wrong.

Then, as far as the law was concerned, nothing much happened. With the explosion of computer use every new PC owner became a potential registrant, particularly when Web use took off. Furthermore, data-owners started marketing the information they held, giving rise to the list brokers. Their precise function was to act as middlemen between the companies that had the data and those that wanted to use it for different purposes from the ones the individuals had provided it for: say you give your birth-date when you join a book club and the book club sells it to a life assurance company, which sends you a birthday mailing - the list broker sits in the middle.

Circumstances were too vast and too new for the vague Principles, and in the UK, a country with no law of privacy and no freedom of information act, no one much cared. The practice developed of ticking a box if your personal details were not to be used for junk mail, specific rules were made to deal with consumer credit, and that was pretty much that.

But now we have the Data Protection Act 1998.

Again, it has been introduced because of a Directive from Brussels and although the structure remains the same some details have been tightened. The rules now catch data held manually as well as on computer (the practice had evolved of keeping controversial information about people on card indexes). The Principles now bind data-owners who should register but don't bother, as well as those who do. There are additional safeguards for specially sensitive information such as that concerning race, and sexual or medical history.

Of most practical significance are the limits on sending data overseas: within Europe you can but elsewhere, including the US, there are restrictions which we'll look at in future articles. In the meantime they can be studied on the Registrar's Website.

The difference between the old version and the new is not so much in what the Act says but in its context. People are beginning to realise the value of the electronic profiles companies are being allowed to build. If you shop regularly at Tesco through the Internet, think what an accurate picture Tesco's computer has of your lifestyle, and how much other traders would pay for it. The Registrar's view is that it's fine if you want to trade that information for airmiles, but that it should be an informed sale.

At the same time, a law of privacy seems to be an idea whose time has come, even if it's an idea largely fuelled by our ambivalent feelings for young, dead royals. The Government has introduced the European Convention on Human Rights directly into UK law and is coyly proposing a freedom of information act - both will cover information held on individuals by government.

The Data Protection Act is important: not just the new provisions but the existing ones, which people are (arguably) beginning to take seriously. Unlike most legislation, however, the real interest is not in the details but in the uninformed discussions that surround it.

If you have any questions for Robin, please mail the editor