
New Data Protection Act: greater emphasis on individual rights and public awareness
The Data Protection Act 1998 came into force on 1 March 2000 and entirely replaced the existing data protection regime. At first glance the new Act looks very similar to the previous Data Protection Act 1984, and many people assumed it would have no greater impact on them than the previous Act. Those people are in for a rude awakening. Not only does the new Act carry wider implications, but increased rights to compensation and the greater publicity given to the new Act will ensure that individuals are much more aware of their rights and do seek to enforce them.
Raising Public Awareness
The Act will receive extensive publicity so that all individuals, and employees specifically, will be fully aware of the protection to which they are entitled.
The Data Protection Commissioner is under a duty to publicise certain aspects of the Act and she has already stated an intention to produce a fair processing code of conduct for employers. This will ensure that employees will have full knowledge of their rights, for example, to make a subject access request and to ensure data held about them is accurate (see below).
The need for greater publicity was demonstrated by research recently carried out by The Stationery Office. This found that over half of directors of companies surveyed were unaware of the impact of the Data Protection Act 1998 on their businesses and they were also unaware that the Act came into force on 1 March 2000.
Any filed information relating to a person is protected
The Act has widened the scope of the protection afforded to individuals by broadening the definition of what is protected data.
Data is regulated under the Act if it identifies a living individual. More onerous obligations apply to ‘sensitive personal data’ which includes information about a person’s religious beliefs, political opinions, membership of a trade union, sex life, health, criminal record and ethnic origin. A company is most likely to hold information of this nature as part of its employee records.
For the first time data protection also covers certain manual records. Whereas previously all records not held on computer would escape the regulations, the new Act applies to manual records held as part of a ‘relevant filing system’.
This is of great significance, especially where employees' records are concerned: it means that any information about an individual that is readily available through a filing system is protected. Although there is some debate on the precise meaning of this, it is thought not to cover a collection of papers with no particular order, nor a file which is simply ordered chronologically. It will cover files ordered in accordance with different topics; a good example is employee files ordered by attendance records, appraisals, references and so on.
The findings of a study commissioned by the Data Protection Commissioner showed no evidence that manual files were being disordered to fall outside the Act but there was evidence of ‘spring-cleaning’ to remove papers that the data controller would find embarrassing to reveal.
Eight Data Protection Principles to ensure that individuals remain in control
The eight data protection principles form the backbone of the Act. The overriding obligation is for personal data to be processed fairly and lawfully. In order for processing to be fair a number of conditions must be met.
One of the most striking is that the consent of the individual must be obtained. Processing will also be prohibited unless it is necessary for the performance of a contract, to comply with a legal obligation or to protect the vital interests of the data subject. Furthermore, stringent conditions must be met in the case of sensitive personal data.
Other principles require that data is obtained for a specified purpose, is accurate, and is not kept longer than necessary.
The 'seventh principle' is a broad requirement that appropriate measures are taken against unauthorised use, disclosure, destruction or damage to data.
This is a far-reaching requirement with substantial practical consequences:
- companies must monitor advances in technology designed to protect data from unauthorised access and upgrade systems as necessary.
- the reliability of all employees with access to personal data should also be monitored and training offered where necessary.
- if a third party processes data on behalf of the company (a pension administrator, payroll company etc.) the company must ensure, through a written arrangement, that this processor takes sufficient security measures.
Personal Data protection does not stop at national boundaries
The eighth data protection principle is entirely new and deserves special attention. It prohibits the transfer of personal data to a country outside the European Economic Area (the 15 member states of the European Union plus Iceland, Norway and Liechtenstein) unless that country has an adequate level of protection for personal data. Certain matters are to be taken into account in determining whether the level of protection is adequate and these include the laws of the country of destination, the period of time that the data may be there and the processing that will be undertaken in that country. If a country is the subject of a ‘Community Finding’ it is assumed to have an adequate level of protection but so far this only applies to Hungary and Switzerland. It was hoped that the US would be found to have adequate protection but this has not happened. Talks are now back on track (the so-called ‘safe harbour’ talks) to try to reach agreement with the US government on data protection.
Since data transfer outside the EEA is often crucial for companies in the normal course of their business, certain ways to simplify the exercise whilst complying with the Act have been envisaged:
Good Practice Approach - set out by the Data Protection Commissioner
- First you need to consider the type of transfer – can it raise a presumption of adequacy? – and this arises where, for example, the UK company keeps control of the data whilst it is outside the EEA or the sender and recipient are subject to binding codes of secrecy such as solicitors and accountants. An outright sale of personal data will raise a presumption of inadequacy.
- Secondly you need to undertake a risk assessment taking into account factors such as the laws of the country and any binding codes of conduct and security measures in place in respect of the data. This test would probably involve obtaining a detailed legal opinion on the data protection laws of the recipient country.
- Thirdly you need to consider whether any exemptions are available under the Act, for example, if the individual's consent has been obtained or if the passage of data outside the EEA is necessary for the performance of a contract. Consent in this context must be ‘freely given, specific and informed’ (this wording derives from the Data Protection Directive on which the new Act is based). Although it is not entirely clear, this is likely to mean that the individual must be aware of the risks of the transfer before providing consent and this could involve providing the individual with an analysis of the data protection laws of the recipient country before obtaining their consent.
Contracts - May a contract between sender and recipient provide ‘adequacy’ where the laws of the country provide inadequate protection? This will require clarification; the Act does not mention contractual arrangements in the matters to be taken into account and it is thought that this omission was deliberate. The Confederation of British Industry has produced model clauses to cover these circumstances but these are likely only to afford adequacy where the transfer itself raises a presumption of adequacy or where the laws of the recipient country provide adequate protection in almost all respects. The contract would usually have to provide that liability for any breach of data protection regulations would remain with the UK company and this may be a commercially unacceptable risk for the UK company to take.
Individuals have specific rights to check, stop the use and obtain destruction of information held about them
The new Act now affords specific rights to individuals. These are the corollary of the principles described above, in that they give individuals specific rights and remedies to ensure that they effectively benefit from the protection set out by those principles.
The Right to Prevent Processing – If processing is likely to cause unwarranted or substantial damage or distress the individual concerned may request that the processing of the data ceases. The company processing the data has 21 days to respond to such a request either by ceasing to process the data or challenging the request. A new right is provided to individuals to prevent processing for the purposes of direct marketing and there is no need to show damage or distress. Direct marketing includes the communication of any advertising or marketing material directed to an individual including direct junk mail, junk email and host mailing (such as junk mail sent with a gas bill). The prohibition on processing will probably also cover indirect activities such as profiling and data-mining even if this does not result in the arrival of marketing material at the door of the individual.
The Right of Access to Data – An individual may make a subject access request to anyone holding information about them. The holder of the information must provide a copy of all information held in respect of that individual and reveal the source and any likely recipients. Some information may be subject to an obligation of confidentiality to a third party, but this does not absolve the data controller from an obligation to comply with a subject access request. The controller will need to consider whether, in the circumstances, the third party’s right to confidence outweighs the individual’s right to know. The result of this is that the controller could find they are obliged to disclose information but, in doing so, they will be in breach of confidentiality obligations. You will need to be very wary of accepting information about individuals that is subject to confidentiality obligations, such as employment references, unless it is clear you are able to disclose it in response to a subject access request.
Accuracy of Data – If data held is inaccurate or misleading the court can order that the information is rectified, blocked or destroyed. This can cover any expression of opinion or decision which is based on the inaccurate data.
Compensation – An individual has the ability to enforce rights in various ways, the most effective being a claim for compensation. The grounds on which compensation can be claimed have been significantly extended under the new Act. Compensation can be awarded for any breach of the Act which has caused damage to the individual and ‘damage’ is widely construed to cover loss of profits, earnings and reputation as well as pain and suffering. It will be a defence to show that the controller took all such care as was reasonable in the circumstances.
The individual has other specific rights including in relation to the automatic processing of data.
Unlawful disclosure of personal data may be criminal
If nothing else, the sanctions for breach of the Act should persuade those processing information to ensure they are complying with the Act. In addition to the right to compensation, the Act creates a number of criminal offences, including unlawfully obtaining, disclosing or selling personal data without the consent of the data controller, processing data without the requisite register entry or failing to notify changes to the registrable particulars, and also requiring an individual to produce certain records, including criminal records, as a condition of recruitment or continuation of employment of that person. It is also worth bearing in mind that a corporate officer, including a director, manager or secretary, is liable to be punished for the same offence as that which is proved against their company if the officer was involved in the offence by virtue of some connivance or neglect.