Widdison, 'U.K. Data Protection Law: The Key Changes'
URL: http://www.bailii.org/uk/other/journals/WebJCLI/1998/issue4/widdis4.html
Cite as: Widdison, 'UK Data Protection Law: The Key Changes'
Director, Centre for Law and Computing
University of Durham
<Robin.Widdison@durham.ac.uk>
* Many thanks to Professor Ian Lloyd of Strathclyde University Law School for his very helpful comments.
Copyright © 1998 Robin Widdison
First published in Web Journal of Current Legal Issues in association with Blackstone Press Ltd.
This article takes the form of an examination of the important new and revised rights and obligations that will be introduced into United Kingdom law when the Data Protection Act 1998 is brought into force later this year or early in 1999.
The Data Protection Act 1998 received Royal Assent on 16 July of this year.(1) Its primary purpose is to implement the European Union Data Protection Directive (95/46/EC). In doing this, it will completely replace the existing scheme which is currently embodied in the Data Protection Act 1984. A substantial proportion of the present law is preserved in the 1998 Act. However, even a crude quantitative analysis indicates that a great deal is about to change. The 1984 Act comprised 43 sections and 6 schedules. The 1998 Act, by contrast, weighs in with 75 sections and 16 schedules.
How will data protection law change? A great deal of the existing law will be revised and overhauled. A good example is that of the regulation of trans-border data flows. Appearing as almost an after-thought in s 12 of the 1984 Act, the control of such data flows will be elevated to the rank of a data protection principle in the new Act. This principle will then be qualified by a whole range of new exceptions to be found in Schedule 4 of the 1998 Act.
The new Act does much more than just revise existing law, though. It also creates many important new rights and obligations. One of the most attention-catching changes is the extension of data protection law to manual data in 'relevant filing systems' by virtue of s 1(1) of the 1998 Act. However, as we shall see, the impact of this momentous change will be lessened by comparatively long lead-in periods.
This article examines the important changes that are about to be introduced - whether in the form of substantial revisions to the old law or brand-new law. It takes the form of a table in which the old provisions are compared with the corresponding new provisions. The topic headings used are taken from the labels used in the new Act. (2)
| TOPIC | THE DATA PROTECTION ACT 1984 | THE DATA PROTECTION ACT 1998 |
|---|---|---|
| PRELIMINARY | 'Data user' - s 1(5) | In future to be known as 'data controller' - s 1(1) |
| | 'Computer bureau' - s 1(6) | There will be a new, wider concept of 'data processor' - s 1(1) |
| | 'Data' means data recorded in order to be automatically processable by equipment in response to instructions - s 1(2) | 'Data' will also include manual data in a 'relevant filing system' structured so that 'specific information relating to a particular individual is readily accessible' - s 1(1) |
| | 'Processing' of personal data requires the performance of operations by reference to a data subject - s 1(7) | 'Processing' of personal data will no longer require the performance of operations by reference to a data subject - s 1(1) |
| | 'Personal data' does not cover indications of intentions - s 1(3) | 'Personal data' will also cover indications of intentions - s 1(1) |
| | 'Data Protection Registrar' - s 3 | In future to be known as 'Data Protection Commissioner' - s 6 |
| | The first data protection principle is rather loose and open-ended in tone - Schedule 1 | By Schedule 1, the first data protection principle will require a data controller to justify processing by reference to detailed and restricted criteria to be found in: |
| | No equivalent | The second and third data protection principles will be merged into a new second principle - Schedule 1 |
| | The Registrar can serve a 'transfer prohibition notice' to prevent transfer of data in order to protect the interests of data subjects - s 12 | A new eighth data protection principle will ban trans-border data flows unless the target country 'ensures an adequate level of protection for the rights and freedoms of data subjects' - Schedule 1. Schedule 4 then contains a number of important detailed exceptions to this principle. |
| RIGHTS OF DATA SUBJECTS | Right to be informed and provided with a copy of data - s 21(1) | There will also be a right to be: |
| | A data user does not have to provide information if a third person would be identified unless the third person has consented - s 21(4)(b) | By s 7(4), a data controller will also have to provide information even if a third person would be identified if: |
| | No equivalent | There will be a new right to prevent processing likely to cause damage or distress - s 10 |
| | No equivalent | There will be a new right to prevent processing for purposes of direct marketing - s 11 |
| | No equivalent | There will be a new right to prevent decision-making based solely on automatic processing - s 12 |
| | There is a right to ask a court for an order rectifying or erasing inaccurate data - s 24 | There will be a wider right to ask a court for the 'rectification, blocking, erasure or destruction' of inaccurate data - s 14(1) |
| | No equivalent | Where a court exercises its power to make an order under s 14(1) it will also be able to order that third parties that have already received data be notified - s 14(3) |
| NOTIFICATION | There is a near universal duty on data users to register data holdings - s 5(1) | There will be a duty on data controllers to notify data holdings (s 17(1)) unless: |
| | The Registrar has a general power to refuse registration where she 'is satisfied that the applicant is likely to contravene any of the data protection principles' - s 7(2)(b) | The Commissioner will have no power to refuse registration but may use an enforcement notice instead (see 'Enforcement' below) |
| | Processing pending entry in the register is generally permitted - s 7(6) | Processing pending registration will be banned (s 22) where it is likely to cause: The Commissioner must make a speedy preliminary assessment |
| EXEMPTIONS | There is a total exemption in respect of national security data if a Minister issues a certificate. Such a certificate is not challengeable - s 27 | A person 'directly affected' will have a right to appeal to the Data Protection Tribunal against such a certificate - s 28 |
| | Exemption in respect of the regulation of financial services - s 30 | There will be a much wider exemption in respect of regulatory activities - not only financial but also many non-financial activities too - s 31 |
| | Exemption in respect of payrolls and accounts - s 32 | This provision will be removed but is likely to fall into the 'unlikely to prejudice rights and freedoms of data subjects' category of data (see 'Notification' above) |
| | No equivalent | Exemption in respect of processing for the purposes of journalism, literature or art where the data controller reasonably believes that 'publication would be in the public interest' - s 32 |
| | No equivalent | There will be a new exemption from subject access for education and employment references - Schedule 7(1) |
| | No equivalent | There will be a new exemption from subject access for data concerning honours and public appointments - Schedules 7(3) + (4) |
| | No equivalent | There will be a new exemption from subject access for management forecasts and plans - Schedule 7(5) |
| | No equivalent | There will be a new exemption from subject access for intentions formed in relation to negotiations - Schedule 7(7) |
| | No equivalent | There will be a new exemption from subject access for examination scripts - Schedule 7(9) |
| ENFORCEMENT | The Registrar can serve: | The Commissioner will be able to serve: |
| MISCELLANEOUS | The Registrar can only encourage other bodies to prepare and disseminate codes of practice - s 36(4) | The Commissioner will also be able to prepare and disseminate codes of practice herself - s 51(3) |
| | No equivalent | There will be a new ban on enforced access by subjects to data - s 56 |
| | No equivalent | Any contract term that purports to require a data subject to obtain and/or reveal health records will be void - s 57 |
The Data Protection Directive requires Member States to implement the new law by 24 October 1998. However, the Home Office has already indicated that it cannot meet this deadline.(3) It seems likely that commencement will not now occur until the end of 1998 'at the earliest' and probably not until the early part of 1999.
Beyond this, Schedule 8 of the 1998 Act itself contains 'transitional relief' in respect of the new rights and obligations. This schedule has the effect of phasing in some of the changes by giving temporary exemptions from the full rigor of the new law. Here is an example of the phasing provisions at work in the case of manual data. All manual data held in a 'relevant filing system' will be exempt from the main operative provisions of the new Act during the 'first transitional period' - i.e. from commencement until 23 October 2001. Manual data held on a 'relevant filing system' prior to 24 October 1998 will be exempt from control during the 'second transitional period' - i.e. from commencement until 24 October 2007.
Those who begin studying data protection law from now on are lucky. For them, there is a brand-new, clear and comprehensive code to work from. For those who were brought up with the existing law, however, there is a grueling upgrading process ahead. Hopefully, the above table of changes will make that process a little easier - at least at the outset. There is one great consolation for those who do need to 'unlearn' the old law and replace it with the new law, though. Given the intense and prolonged discussion and debate about the new code across the whole of the European Union, the Data Protection Act 1998 is likely to remain largely unchanged for many years to come... we hope!
Footnotes
(1) The full text of the new Act can be found at <http://www.hmso.gov.uk/acts/acts1998/19980029.htm>
(2) For a much fuller description and analysis of the new law, see Lloyd I, Guide to the Data Protection Act 1998 (Butterworth, 1998).
(3) Gibb F, 'Data Protection Law Delayed' The Times 20 July 1998.