Making Privacy a Competitive Advantage

November 1, 2001

Lots of issues, UK and international, were raised at the conference. For a UK audience, the main burning issues, I felt, were these:

  • What do some of the ‘new’ terms and concepts introduced in the Data Protection Act 1998 really mean, now that almost all organisations are supposed to be adhering to them?
  • What will be the effect of the Freedom of Information Act 2000 (FoIA 2000) for public bodies – and this includes a wide range of organisations providing a public function?
  • For any organisation transferring personal data outside the EEA, there remains the vexed question of achieving ‘adequate’ protection for data subjects’ data. Which countries’ laws are automatically ‘adequate’, and how else might ‘adequacy’ be achieved?
  • Can an organisation successfully audit its probable compliance with the new Act, and if so, how? What does an ‘audit’ really mean?
  • How can e-business maintain good practice across a range of data protection and privacy issues?

The interests of overseas delegates or those from multi-national organisations were also covered by a range of speakers who provided information and advice on the working of the EC ‘Article’ committees, data protection legislative progress in a variety of EC and non-EC countries, and how international organisations juggle the impossible task of complying with a range of requirements which, even in the EC, come close to being contradictory!

The Conference also held a number of sessions on particular ‘Sector’ themes: Telecoms, Direct Marketing, Public Sector and Data Security being examples.

Although this was not officially described as the keynote speech, many of us were particularly interested to hear from the Information Commissioner, Mrs Elizabeth France, about her thoughts on integrating data protection and freedom of information regimes. She compared and contrasted her approaches to both the relevant Acts, and also her duties to advise on best practice, and likely enforcement regimes. Lurking behind all her efforts to persuade and reach consensus is the ‘big stick’ of prosecution and enforcement notices.

Transition to the DPA 1998

Graham Sutton, Head of Data Protection at the Lord Chancellor’s Department (which took over both data protection and freedom of information responsibilities from the Home Office in June 2001), reminded attendees of a change to data protection registration/notification deadlines made by an amendment to the DPA under the FoIA 2000. The position had been that if data protection registrations (which lasted for three years) expired on or before 24 October 2001, they would need to become notifications under the DPA 1998 and be renewed annually; if they were due to expire after 24 October 2001, they would instead expire on that date and would also have to be turned into DPA 1998 notifications. This would have produced a ‘bulge’ in workload for the Commissioner which would be difficult to manage. Under the FoIA 2000, sch 14, para 2, the DPA 1998 is amended so that such registrations are now allowed to run their full three-year term before having to be turned into notifications.

There is also an amendment to s7(3) of the DPA 1998 which affects the situation where a data controller has received a subject access request from a data subject. The data controller now has a duty to ask the data subject to produce additional information to identify the personal information sought, if that is needed, rather than simply sitting back on the basis that the information originally provided was inadequate. This, of course, does not give the data controller the right or the need to ask the purpose of the subject access request, since the Act is blind as to purpose and the data subject’s access right is absolute (subject, as always, to the Act’s exemptions).

Graham Sutton also gave more information about the government consultation on the working of the DPA 1998, even though it had only been in force for a short period and was still not fully operational. This was at least partly due to the need to contribute to the EC’s own review, in October 2001, of the EC Directive on which the Act was based. Because of the extended time that various EC countries have taken to implement their own legislation to conform with the Directive (the UK by no means the slowest), such a review is unlikely to be of great benefit.

Freedom of Information Act 2000

This was covered by a number of speakers. Nobody, unfortunately, was able to give us a timetable for implementation as yet, as this was still under Ministerial consideration; it was only possible to reiterate the five-year overall deadline (30 November 2005) set in the FoIA 2000 itself. John Hughes of the Home Office discussed how the Home Office, itself likely to be in the first wave of departments affected, was preparing for its responsibilities under the Act.

Key concepts

The Act itself is complex but some key strands emerged.

  • Although the FoIA 2000 applies only to ‘public authorities’ this definition goes much wider than central and local government, and includes many private sector organisations undertaking ‘public’ functions.
  • Requests currently covered by data protection legislation will remain so covered.
  • All (written) requests for information need to be treated as FoI requests whether they cite the Act or not.
  • There is a 20-working-day time-limit for response (this compares with a 40-day response time for most DPA subject access requests).
  • There is a presumption for disclosure, and any refusal (or grant) can be appealed (by either party) to a departmental review body, the Information Commissioner, the Information Tribunal and then through the courts. A Cabinet minister could have a final overriding veto on disclosure, but this is expected to be rarely exercised.
  • All public authorities will have to prepare publication schemes detailing the information they will make publicly available automatically.
  • A significant level of training will be required throughout all affected organisations, and it will need to result in a culture shift in many.

Auditing Compliance against DPA 1998

Useful URLs

The Information Commissioner: http://www.dataprotection.gov.uk/

Information Commissioner’s Notification Web site: http://www.dpr.gov.uk/

Lord Chancellor’s Department – Freedom of Information: http://www.homeoffice.gov.uk/foi/index.htm

Lord Chancellor’s Department – DPA 98 subordinate legislation: http://www.homeoffice.gov.uk/ccpd/dpsubleg.htm

EC Commission’s standard clauses for ensuring adequacy, a) for EEA Controllers to Third Country Data Controllers (final version) and b) for EEA Controllers to Third Country Data Processors (draft for consultation): http://europa.eu.int/comm/internal_market/en/dataprot/news

Criminal Records Bureau: http://www.crb.gov.uk/

Privacy Laws & Business: http://www.privacylaws.com/


Despite her express wishes, the Information Commissioner has not been given power by the Data Protection Act 1998 to assess the processing of a data controller for the following of good practice (i.e. to conduct an audit) without that controller’s consent. It is a quite different situation, of course, if there has been a request for assessment, since she then has a statutory duty to determine whether the controller’s processing is in breach of the Act.

She also has inspection powers as the ‘National Supervisory Body’ under the Europol, CIS (Customs Information System) and Schengen Conventions, and needs to exercise those, and her assessment powers, on a fair and consistent basis. An Audit Manual had been developed for her Office and had been undergoing pilot studies over the past year; it was launched shortly before the Conference. It is available directly from the Commissioner’s office on CD-ROM, but more easily from her Web site. Organisations themselves, or specialist auditors, both from the large ‘traditional’ suppliers (eg accountancy firms, consultancy firms, BSI etc) and from smaller organisations, can conduct audits using a ‘standard methodology’. Of course, just conducting an audit, or even showing compliance against an audit, does not guarantee total compliance over time, or even remove all risk of prosecution. But it can help, especially if the will to implement any recommendations is also present.

We also heard from Kathy Perkins of the London Clinic, one of the ‘pilot’ organisations to be audited. Despite a careful audit and essentially excellent procedures (in a business with highly sensitive medical personal data), she indicated that personal data could still be inadvertently disclosed in a number of ways.

Transfers Abroad: Advocating Adequacy

This thorny question has been regularly raised ever since the Directive was approved. It is likely to continue to be a problem area until reviewed by the courts. The problems surrounding transfers of personal data to the USA have, at least temporarily, been resolved by the ‘Safe Harbor’ agreement, although its take-up by US organisations is, to say the least, disappointing. Many would argue that the agreement is a fudge and would not be considered sufficient were it not for the USA being the other party. An ongoing question is which other countries may be considered to have ‘adequate’ data protection laws. New Zealand put the case at the Conference for it to be considered as such. There was also the launch of an EC-wide set of model contract clauses which have been accepted as providing adequate protection. Those for data controllers exporting to third country data controllers have been approved, and there is a draft set under consultation for data controllers exporting to third country data processors (see the Useful URLs box). For many organisations these will help to resolve a number of practical difficulties in exporting personal data to countries outside the EEA, where specific informed consent, or one of the other permissible conditions for such export, cannot otherwise be met.

The Opportunities and Perils of E-business

A number of speakers addressed various aspects of e-business. By its nature e-business usually involves regulation by any number of jurisdictions since it results in the flow of personal data across data protection ‘boundaries’.

As Bojana Bellamy of Privacy Laws & Business highlighted, the difficulties become greater when sensitive data, or data about children, is involved. The USA has recently legislated to restrict and (they hope) control marketing to minors over the Internet. The EC, via the Article 29 Working Party of data protection and privacy commissioners, has recently received a Report from its Internet Task Force on the privacy and data protection issues of the Internet in general and e-commerce in particular. We also heard from several key players as to how they try to cope with the different regulatory regimes and promote their view of best practice. Inevitably, of course, these represent only the tip of the iceberg, and many if not most e-traders are unaware of, and/or unwilling to consider, such issues except cursorily.

Other Topics

A wide range of other topics was covered by other speakers at the Conference. The Criminal Records Bureau discussed the ways in which it will disclose some or all of an individual’s criminal record to registered bodies. This is intended to provide greater protection for vulnerable groups such as children and the aged, and would also avoid the currently deplored but not yet illegal practice of ‘enforced subject access’. How the Telecommunications Directive and Regulations interact with data protection regimes was another topic covered.

Robert Waixel is a Senior Lecturer in the Computer Science Department at Anglia Polytechnic University, Cambridge. He specialises in Computer Law in general and Data Protection Law and practice in particular.