On 24th October 2001, most of the Data Protection Act 1998 came fully into force. This Act, which implements a European Directive on data protection, grants rights to individuals about whom data are processed and imposes obligations on organisations which use personal data. The Act:
- Grants rights to individuals (including a right to access information held about them, to prevent certain types of processing and to compensation for breaches of the Act);
- Establishes a public register of organisations who process personal data (failure to register is a criminal offence); and
- Sets out data quality obligations relating to, and restrictions on the use of, personal data.
The Data Protection Directive allowed Member States some flexibility in timing the implementation of new legislation. The UK Government used this to the full. As a result, although the Act received royal assent in 1998, and came into force in March 2000, it contains substantial transitional arrangements that delayed the impact of the Act for many organisations until 24th October 2001.
Up until 23rd October, these transitional provisions broadly continued to apply earlier legislation, the Data Protection Act 1984, to eligible processing. The 1984 Act imposed limited obligations: in particular it did not apply at all to paper records and granted individuals fewer rights. Most of these transitional arrangements ended on 23rd October 2001.
The Act does contain a second period of transitional relief that runs from 24th October 2001 to 23rd October 2007. However, this is far more limited, applying only to certain paper records which actually existed before 24th October 1998 and to certain limited kinds of public and health records. For most organisations, the relief is only likely to be of use for archived paper records.
Position after 23rd October 2001
Most organisations processing data in the UK will now need to comply fully with the Data Protection Act 1998. Key areas that have changed are:
- Paper records are now subject to data protection legislation. Amongst other obligations, this means that they must meet data quality standards, be held with appropriate security and be made available in response to an individual's request.
- The data protection principles. These key principles of good data handling practice existed in the 1984 Act, but have now been expanded. Organisations are now obliged to inform individuals that they are processing their personal data and to satisfy statutory pre-conditions before processing any personal data. Where the data are "sensitive", then these conditions may mean that the individual's explicit consent is required. Security obligations are expanded and there are new restrictions on transferring personal data outside the European Economic Area (which comprises the EU, Norway, Iceland and Liechtenstein).
Practical Steps for Compliance
Practical steps which organisations can take to assist in compliance include:
- Checking if the organisation informs individuals about whom it processes personal data - for example, if CCTV is used, there should be a prominent notice which conforms with the data protection code on CCTV (see insert reference to earlier edition);
- Listing the purposes for which personal data are processed and checking if these are consistent with what individuals have been told and with the organisation's notification to the Information Commissioner (who maintains the registration system). (Not all organisations need to notify - the Information Commissioner has a self-assessment guide on-line at www.dataprotection.gov.uk). Organisations should also check if these purposes satisfy one of the statutory pre-conditions at Schedule 2 to the Act. Where "sensitive" personal data are concerned (which include health data), then one of the Schedule 3 conditions must also be met (the conditions can be found via the Information Commissioner's website, www.dataprotection.gov.uk);
- Reviewing and, if necessary, purging out-of-date or unnecessary personal data. Ensure that retention policies are in place, which set out how long data are to be held and the basis for this. Consider if there are adequate procedures to ensure the quality of data - for example, where accuracy is important, are the data, or samples of the data, reviewed or checked?
- Reviewing security arrangements - including:
  - System security;
  - Physical security;
  - Staff training and awareness; and
  - Use of third party contractors. If an organisation uses a third party to process its personal data, then the Act mandates that there must be a written contract which contains certain data security provisions; and
- Preparing for an increase in requests from individuals to see the information which is held about them - perhaps by drawing up an access procedure, setting out how the organisation will check the identity of the person making the request, locate the data and review the data before sending a copy out.
If organisations have not already nominated a member of staff with responsibility for data protection, then they would probably find it helpful to do so. The data protection officer may find it helpful to conduct a compliance audit - to determine what data an organisation uses and why, how this maps on to the new legal requirements, and where new policies or procedures are required.
First published in Facilities Management Legal Update - Volume 5, Issue 10 in November 2001.