Data Protection: Are you ready for 24th October 2001?
The European Data Protection Directive grants rights to individuals about whom data are processed (data subjects) and imposes obligations on organisations which use such data. In the UK, the Directive has been implemented by the Data Protection Act 1998.
The Data Protection Act 1998 includes provisions which:
- grant rights to individuals (including a right to access information held about them);
- establish an amended registration scheme for organisations which process personal data; and
- set out data quality obligations relating to, and restrictions on, the use of personal data.
The UK government has used, to the full, the flexibility available under the Directive for bringing the UK legislation into force. As a result, although the Data Protection Act was enacted in 1998, it contained transitional provisions which have delayed its impact. However, the most extensive transitional relief (and therefore the relief which has been used by most organisations) will come to an end on 23rd October 2001. As from 24th October 2001, almost all personal data, whether held on computer or not, will need to comply with the Data Protection Act 1998.
Up until 23rd October 2001 these transitional provisions broadly continued to apply earlier legislation, the Data Protection Act 1984, to eligible processing. The Data Protection Act 1984 had limited obligations on organisations processing personal data. Therefore, for many organisations it has been "business as usual" even though the Data Protection Act 1998 received Royal Assent in 1998 and came into force on 1st March 2000.
There remains a second period of transitional relief which applies to old paper records and which will end on 24th October 2007. However, this relief is of limited value: in most cases it will only apply to paper records which actually existed on or before 24th October 1998. In addition the relief itself is extremely narrow and, for example, does not avoid the need to comply with requests for access to such records. The relief is likely to be of assistance for archived paper records only.
Position after 23rd October 2001
After this date most organisations processing personal data in the UK will need to comply fully with the Data Protection Act 1998.
Key areas which will change on this date are:
- All processing of paper records must comply with the Data Protection Act 1998. This will have a major effect on all businesses since it will require organisations to ensure such records are accurate, up to date and made available to data subjects who request copies of them.
- Organisations must comply with new data protection principles, including the obligation to make available information to individuals on the processing being carried out on them and a prohibition on processing any personal data unless statutory pre-conditions can be satisfied. In the case of sensitive personal data (which include data relating to health, racial/ethnic origin and criminal convictions) this may mean obtaining the explicit consent of data subjects.
- Personal data must not be transferred outside the EEA, except where adequate protection is made available. (The EEA consists of the EU, Norway, Iceland and Liechtenstein.) For further information on this issue, ask for our guidance notes on transfer of data outside the EEA.
Preparation for 24th October 2001
Practical steps which organisations can take include:
- Preparing staff for an increase in requests for access from data subjects. The Information Commissioner (who has responsibility for enforcement of the Data Protection Act 1998) is intending to hold an advertising campaign to raise public awareness of data protection issues. This may well lead to higher than expected requests for access to information. In addition, individuals may be keen to use their new rights to access paper records.
- Performing a data protection compliance audit, to determine what data an organisation uses, and how, and to assist in drawing up policies and procedures to comply with the Act. This will be of particular relevance in relation to paper records. We have had experience in assisting clients in such audits and would be happy to help.
- Reviewing and, as necessary, purging out-of-date and/or unnecessary personal data. This should reduce effort in responding to requests for access to such data.