Successfully Managing the New Data Protection Laws

August 31, 2000

The 13th Annual Privacy Laws & Business Conference was held, once again, at St. John’s College, Cambridge over three full days in early July. It was attended by over 200 delegates representing the legal profession, industry, academia, as well as Data Protection and Privacy regulators both from the UK and worldwide. The speakers, likewise, represented an array of authoritative privacy practice professionals.


Much of the Conference was split into parallel sessions, largely UK issues against international ones, and for most attendees the choices on which sessions to attend were not easy ones to resolve.
For a UK audience, the main burning issues, I felt, were:

  • What has been the effect of the Data Protection Act 1998 (DPA 98) which in the UK started to come into force on 1 March 2000? In particular we were interested in the effects on registration (now notification), on the obligations of data controllers and on the rights of data subjects.
  • What are the ramifications going to be of other likely legislative changes that will have an impact on this (eg the Human Rights Act and the Freedom of Information Bill)?
  • How can personal data be safely transferred to countries outside the European Economic Area (EEA), especially the USA, without being in breach of the new Act?
  • Can an organisation successfully audit its likely compliance with the new Act, and if so, how?


For both the UK and the wider international audience, the key issue which has still not properly been resolved is probably the one of the adequacy of data protection regimes outside the EC, and which countries may be on the EC’s white (black or grey) list.


Whether officially billed as the keynote speech or not, many of us were particularly interested to hear from the Data Protection Commissioner, Mrs Elizabeth France, as to her thoughts on implementing the new legislative regime.


Data Controllers’ Notification Obligations
Notification has replaced registration and it is more than just a change of nomenclature. Firstly the obligations to comply with the Data Protection Principles now no longer rely on notification but are present whether notification is required, optional or exempted. Secondly, the categories for processes have been revised (they are now fewer and broader). Thirdly, most notifications will be template-driven, although only a relatively small number will be able to be carried across directly from the registration entries under the Data Protection Act 1984. Fourthly, there will only be a single notification per legal entity, replacing what was previously in some cases many separate register entries. Finally, the anomalies of needing multiple registrations for schools and, theoretically, partnerships, have now been removed. It was also revealed that the Data Protection Commissioner’s office and the Home Office hope that, by an amendment to be introduced in the Freedom of Information Bill, existing 1984 Act registrations will not expire on 24 October 2001, if they had not expired earlier, but will continue for their full three years’ life. This will alleviate the situation of an unnecessary notification peak hitting the Commissioner’s Office leading to administrative delays and problems.


Other Obligations of Data Controllers
These have been widely publicised for many months if not years, and should not come as a surprise. Most large and many medium-sized enterprises are aware of and are taking active steps to comply with the new Act, although, as always, many small firms are blissfully and/or wilfully unaware of their obligations.


The Commissioner is going to take more active steps to publicise the Act, largely to the public, which in turn may prompt an increase in subject access requests and possibly also queries and complaints.


Although the 1998 Act extends the scope of data protection legislation only to certain (structured) manual records, it was clearly recommended as best practice that data controllers treat all manual records containing personal data as needing to be compliant. This is partly due to the difficulty of accurately defining what a ‘structured manual record’ is, and partly due to the imminent Freedom of Information Bill which will extend the scope of subject access to a wide range of public bodies, or private bodies performing a public function. Particular sectors (eg credit reference, medical records, housing) have needed to disclose manual records already for a number of years, under separate legislation now subsumed under the Data Protection Act 1998.


Prior Checking
The Commissioner has the duty to give an opinion on any processing of personal data that is likely to be of especially high risk, before processing occurs. Although no areas have yet been specified, and the Commissioner is wary of the resource implications for her Office, genetic data has been flagged as an area likely to be designated in this way.


Exemptions
The Notification Regulations set these out in detail, and in due course these will be more clearly explained in published guidance from the Commissioner’s office, in addition to the explanation already existing on the Commissioner’s Web site. Although there is a wider exemption from notification for commonplace non-contentious business functions than was previously available under the 1984 Act (‘Payroll Pensions and Accounts only’), it should be clearly recognised that this does not imply exemption from the requirement to comply with the Act and the new Data Protection Principles. It will often be the case that many exempt organisations will choose to notify voluntarily to avoid the alternative obligations to supply data similar to notification data to every person making a subject access request, individually.


Sensitive Data
Data controllers also need to give more thought and care to the processing and security of sensitive personal data, which, as it includes trade union membership and ethnic origin, may often be found in unexpected places. It should also be noted that although financial data is not specifically defined as sensitive data, it is good practice to treat it similarly, as most data subjects usually think of it as such.


What will the Data Protection Commissioner be looking for?
As always, she is looking for best practice and the continuation of the previous regime of advice and guidance with enforcement only as a last resort. If an organisation has good policies and procedures, training, accurate registration and a proactive approach then it probably has little to fear. If, on the other hand, it tries to adapt its strategies to avoid being caught by the legislation until the last possible minute, or to plead ignorance of the new Act’s requirements, it is unlikely that the Registrar will be sympathetic, especially for a procedure or obligation that hasn’t changed significantly between the old and new regimes.


Other Likely Legislative Changes Relevant to the New Data Protection Laws


Human Rights Act 1998
Many speakers, including the Data Protection Commissioner Mrs. Elizabeth France herself, referred to the implications of the Human Rights Act 1998 when it comes into force in October 2000. In particular they referred to Article 8 of the ECHR (the right “to respect for his privacy, family life, his home and his correspondence” and “no interference by a public authority with the exercise of this right except … in accordance with the law …”). This will strongly influence the thinking of the Commissioner when considering the balance to be struck between the rights of individuals to privacy (as reiterated in the Recital to the EC Directive (95/46/EC) which the DPA 1998 is supposed to be implementing) and the legitimate rights of data controllers to pursue their interests.


Freedom of Information Bill
Freedom of Information (FOI) legislation is still before Parliament, and at the time of writing is still awaiting its final Parliamentary stages. There is no clear implementation timetable as yet, although it is expected to take effect in late 2001. The Data Protection Commissioner will then become a Data Protection and Information Commissioner, with responsibilities for administering both regimes. The interface between both Acts can best be described as complex. An extremely wide range of public bodies and many other organisations ‘performing a public function’ will be directly caught in its scope – many unexpectedly. It will be a difficult task to balance often conflicting requirements for privacy and disclosure. The FOI Act will come into force, in stages, over a period of five years from when it is passed.


Transfer of Personal Data to Third Countries – what is ‘adequate’ protection?
Under Articles 25 and 26 of the EC Directive (and the new Eighth Data Protection Principle):


“Personal Data shall not be transferred to a country or territory outside the EEA [the EEC plus Norway and Iceland] unless that country or territory ensures an adequate level of data protection”.


This might mean that organisations within the EC might have difficulties exporting personal data to countries without wide ranging data protection legislation, or which do not have independent enforcement bodies. The USA is a particularly prominent example of a country with neither. Lengthy negotiations have concluded with a ‘Safe Harbour’ agreement embracing a largely self-regulatory regime, which is to be deemed ‘adequate’ by the EC. This agreement is, at time of writing, awaiting approval by the European Parliament.


Other Topics
A wide range of other topics were covered by speakers at the Conference, including the potential personal data problems arising from possible uses of genetic data by health professionals, governments and, especially, insurance companies. We also heard from individual organisations, such as Sainsbury’s, as to how they collect and use personal data from their loyalty card. My interest was particularly attracted by the final sessions, which were on a Data Protection Audit Manual to be published in the next few months by the Commissioner. This will allow organisations to audit their own data protection compliance themselves; indeed, it also provides a mechanism for external bodies to audit their compliance, if required. Will this mean that all organisations will henceforth be totally data protection compliant? It is unlikely. Those attempting ‘best practice’ will find ways to improve and the ‘head in the sand’ brigade will remain in blissful ignorance until the Data Protection Commissioner’s agent comes knocking at their door, usually following a complaint. They should have attended this conference.


Conclusion
A most useful and well organised conference with authoritative speakers, questions and replies. I hope all participants got as much out of it as I did.


Robert Waixel is a Senior Lecturer in the Computer Science Department at Anglia Polytechnic University, Cambridge. He is interested in computer law in general and data protection law and practice in particular.


Useful URLs:
The Data Protection Commissioner: www.dataprotection.gov.uk/
Data Protection Commissioner’s Notification Web site: www.dpr.gov.uk/
Home Office (for Freedom of Information): www.homeoffice.gov.uk/foi/index.htm
Home Office (DPA 98 subordinate legislation): www.homeoffice.gov.uk/ccpd/dpsubleg.htm
Privacy Laws & Business: www.privacylaws.com/