The new European data protection laws was completed by the introduction of the new Data Protection Act on 1 March 2000.
The UK's introduction of new European data protection laws will be completed by the introduction of the new Data Protection Act on 1 March 2000. Already in force (as of 1 May 1999) are new data protection laws which specifically regulate telephone and fax direct marketing activities.
James Mullock and Piers Leigh Pollitt, respectively members of Osborne Clarke's specialist IT & Telecoms and Employment departments, have written a plain English guide to the Data Protection Act 1998. Published (at £25) by the Stationery Office it includes a full version of the Act together with expert commentary of significant sections, together with a full overview of UK data protection.
Why are new data protection laws required?
The existing laws were widely considered to provide inadequate protection for individuals in relation to others use of their information. The importance of information to business and the resulting growth of the information industry made it somewhat inevitable that data protection laws would therefore be overhauled. Like the Data Protection Act 1984, the new Act must be passed in the UK to implement a European Directive. Similar obligations are being imposed upon all businesses throughout the European Union which hold or use information about a living individual.
What activities are covered by the new laws?
Any processing (i.e. holding or any use made) of information from which it is possible to identify a living person whether directly from that information or when it is combined with other details in the processor's possession, or which might conceivably come into its possession must comply with obligations imposed by the new Act. The use of certain types of information are exempt from these obligations (e.g. certain confidential references and management forecasts.)
Am I right in thinking that only the use of computerised information will be regulated?
No. Although the 1984 Data Protection Act only regulated the use of machine readable data the new Act will regulate the use of information stored on any form, including paper files in certain instances.
Which departments in my business will be affected?
Any which use personal information covered by the new Act. Employment records, marketing information, business contacts and customer databases are all likely to fall into this category.
What are the consequences for businesses which fail to meet the requirements of the new Act?
The Data Protection Registrar (who from March 2000 will be known as the Data Protection Commissioner) can bring criminal proceedings through the courts. Penalties of up to £5000 may be imposed either against organisations, or personally against directors, managers or partners of businesses who are held responsible for a breach of the Act. Individuals who suffer damage (and in some instances distress) as a result of a breach may also seek damages to compensate for that damage/distress.
Do we still have to register with the Data Protection Registrar?
Yes. Existing registrations will run until their 3 year terms expires. It is likely that new registrations will have to be renewed annually.
Apart from registering, is there anything else that we have to do before processing information?
Yes. The most significant obligation under the new Act is that you must have explained or made available to the subject of the information details of:
(a) who will be processing their details (presumably your business), and
(b) the purpose(s) for which that processing will be carried out.
If the purpose(s) detailed pursuant to (b) are not related to a contractual obligation which either you have with regard to the subject of the information or vice versa, then those individuals must also consent to their information being used for those purposes. If the information is deemed by the new Act to be sensitive then explicit consent for such use must be obtained from those individuals.
Information will be deemed sensitive if it identifies the individual's racial/ethnic origin, sexual orientation, political opinions, religious (or similar) beliefs, state of health, details of criminal convictions or charges or trade union membership.
Therefore you should prominently include tick box wording or a contractual term within any document or electronic form via which individuals are to provide personal information to your business. Such wording/term should supply the information set out at (a) and (b) above and obtain any necessary consent to process.
Can we transfer information abroad?
No. The new Act prohibits information from being transferred outside the European Economic Area in certain circumstances (e.g. if the individual has not consented to the transfer, or the transfer is not made pursuant to a contractual obligation towards the individual). If you plan to sell or otherwise transfer an individual's personal information abroad you should consider this obligation in detail. This will be particularly relevant to companies with a non-EEA based parent or subsidiary.
What obligations are specifically relevant to the marketing operations of my business?
The new Act entitles individuals to require third parties to stop sending direct marketing communications to them. This right exists even if such individual has previously consented to processing being carried out for marketing purposes.Additional UK legislation also entitles individuals (and companies) who do not wish to receive unsolicited direct marketing faxes or telephone calls to either directly notify this fact to anyone who markets them via these means, or to register their telephone or fax numbers with a central register run by the Telephone Preference Agency (a subsidiary of the Direct Marketing Association). Continued marketing in breach of any such request, or made to anyone whose numbers appear on the TPA's list entitles individuals/companies to claim damages, or the Data Protection Registrar to commence proceedings against errant marketers.
Can people still use the Data Protection Act to access details which we hold about them?
Yes. Given that certain paper records will now be covered by the Act, individuals potentially can access more information held by you about them. Businesses might want to review what information is recorded in previously confidential employment records, for example, as employees may now be able to gain access to what is said about them.
I understand that the new Act prevents companies from taking automated decisions. What is prohibited?
Automated decisions (i.e. those made in a way which involves no human input) are not prohibited. The new Act requires any organisation on taking such a decision which will significantly affect an individual to notify that individual of the fact that an automated decision has been made in respect of him/her. Such individuals will then be entitled to ask the organisation to reconsider its decision.This requirement is most likely to affect credit reference agencies or perhaps companies who recruit based purely upon psychometric tests.
How do I contact the Office of the Data Protection Registrar/Commissioner?
Their web site is at http://www.dataprotection.gov.uk/ Full contact details are included.