The Data Protection Act 1998, which came into force in March 2000, provides a new framework for regulating the processing of information relating to individuals. The act will be implemented in stages, and it is anticipated that the new legislation will be fully implemented in October 2001.

In many respects the new act is similar to its predecessor, the Data Protection Act 1984. Data controllers are required to uphold various principles in relation to the data they hold. There are a number of differences, however, especially in relation to the detail, and it is very important that businesses that use personal data are aware of the new act, as there are both civil and criminal sanctions for non-compliance. Many e-commerce businesses use the personal data of customers and it is especially important for these businesses to have an understanding of the new legislation.

The new act is based on Directive 95/46 EC, which required implementation in member states. The objective of this directive is the harmonisation of data protection regulation across the European Union. It is generally considered that the act is a good attempt by the Government to implement the Directive.

The Data Protection Commissioner

Under the Data Protection Act 1984, any business which processed personal data was required to register with a body known as the Data Protection Registrar. The 1998 act re-establishes this office as the Data Protection Commissioner. There is also a Data Protection Tribunal consisting of a chairman appointed by the Lord Chancellor and a number of deputy chairmen also appointed by the Lord Chancellor. The act provides that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the commissioner. Any breach of this section is a criminal offence.

There are a number of exceptions, for example where the disclosure of personal data to the commissioner would be contrary to the interests of national security.

Data Processing

Data controllers who process personal data will fall within the ambit of the act. A dramatic change in the new act is the widening of the scope of the act to cover "any structured set of personal data". The 1984 act only applied to personal data held in an automatically processable form. As a result of this, written records as well as computerised ones may need to adhere to the regulations set out in the act. Personal details, customer databases and credit rating information will all be regulated.

The definition of "processing" in relation to information or data has been expanded to include obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. In practice, this definition is likely to encompass any contact with data in electronic form.

The Data Protection Principles

The new act sets out eight data protection principles with which data controllers are required to comply. These principles are as follows:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data should be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The eighth principle is controversial, especially where a data controller puts personal data on its internet web site. Information on a web site can be accessed anywhere in the world and many countries will not fulfil the conditions set out in this principle. It is anticipated that the European Community may produce a list of approved countries for the export of data which meet the necessary standard or even a blacklist of those which do not. EU discussions are continuing on this issue.

Schedule 1 Part 2 of the Data Protection Act sets out guidelines for the interpretation of these principles. Case law will demonstrate how these principles will be applied in practice.

Enforcement

If the commissioner is satisfied that a data controller has breached any of the data protection principles stated above, the commissioner has the power to serve a notice (an enforcement notice) requiring him to either take steps specified by the commissioner or to refrain from processing any personal data as set out in the notice.

A person who fails to comply with an enforcement notice is guilty of a criminal offence.

Right Of Access To Personal Data

The act provides that an individual is entitled to be informed by any data controller when personal data of which the person is the data subject is being processed by or on behalf of that data controller. If an individual's personal data is being processed, then the individual has a right of access to the personal information, and a right to compensation if there has been a breach of the act which causes damage or distress to the individual.

Conclusion

The Data Protection Act 1998 is an important new development in the field of e-commerce and it will be important for all businesses dealing with personal data, especially using the internet, to know their rights and obligations under the new legislation. For more detailed advice as to how the new act will affect your business please contact Fenners.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.