[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	United Kingdom Journals
You are here: BAILII >> Databases >> United Kingdom Journals >> Widdison, 'U.K. Data Protection Law: The Key Changes' URL: http://www.bailii.org/uk/other/journals/WebJCLI/1998/issue4/widdis4.html Cite as: Widdison, 'UK Data Protection Law: The Key Changes'

[New search] [Help]

UK Data Protection Law: The Key Changes

Robin Widdison*

Director, Centre for Law and Computing
University of Durham
<Robin.Widdison @durham.ac.uk>

* Many thanks to Professor Ian Lloyd of Strathclyde University Law School for his very helpful comments.

Copyright © 1998 Robin Widdison
First published in Web Journal of Current Legal Issues in association with Blackstone Press Ltd.

Summary

This article takes the form of an examination of the important new and revised rights and obligations that will be introduced into United Kingdom law when the Data Protection Act 1998 is brought into force later this year or early in 1999.

Contents

Introduction
The Table of Changes
Commencement
Conclusion

Introduction

The Data Protection Act 1998 received Royal Assent on 16 July of this year.⁽¹⁾ Its primary purpose is to implement the European Union Data Protection Directive (95/46/EC). In doing this, it will completely replace the existing scheme which is currently embodied in the Data Protection Act 1984. A substantial proportion of the present law is preserved in the 1998 Act. However, even a crude quantitative analysis indicates that a great deal is about to change. The 1984 Act comprised 43 sections and 6 schedules. The 1998 Act, by contrast, weighs in with 75 sections and 16 schedules.
How will data protection law change? A great deal of the existing law will be revised and overhauled. A good example is that of the regulation of trans-border data flows. Appearing as almost an after-thought in s 12 of the 1984 Act, the control of such data flows will be elevated to the rank of a data protection principle in the new Act. This principle will then qualified by a whole range of new exceptions to be found in Schedule 4 of the 1998 Act.

The new Act does much more than just revise existing law, though. It also creates many important new rights and obligations. One of the most attention-catching changes is the extension of data protection law to manual data in 'relevant filing systems' by virtue of s 1(1) of the 1998 Act. However, as we shall see, the impact of this momentous change will be lessened by comparatively long lead-in periods.

This article examines the important changes that are about to be introduced - whether in the form of substantial revisions to the old law or brand-new law. It takes the form of a table in which the old provisions are compared with the corresponding new provisions. The topic headings used are taken from the labels used in the new Act. ⁽²⁾

It is important to note, though, that this table is not intended to be a complete and comprehensive analysis of the new law. Rather, it is merely an introduction to the key changes - a brief guide for those who want or need to know what is about to happen

TOPIC	THE DATA PROTECTION ACT 1984	THE DATA PROTECTION ACT 1998
PRELIMINARY	'Data user' - s 1(5)	In future to be known as 'data controller' - s 1(1)
	'Computer bureau' - s 1(6)	There will be a new, wider concept of 'data processor' - s 1(1)
	'Data' means data recorded in order to be automatically processable by equipment in response to instructions - s 1(2)	'Data' will also include manual data in a 'relevant filing system' structured so that 'specific information relating to a particular individual is readily accessible' - s 1(1)
	'Processing' of personal data requires the performance of operations by reference to a data subject - s 1(7)	'Processing' of personal data will no longer require the performance of operations by reference to a data subject - s 1(1)
	'Personal data' does not cover indications of intentions - s 1(3)	'Personal data' will also cover indications of intentions - s 1(1)
	'Data Protection Registrar' - s 3	In future to be known as 'Data Protection Commissioner' - s 6
	The first data protection principle is rather loose and open-ended in tone - Schedule 1	By Schedule 1, The first data protection principle will require a data controller to justify processing by reference to detailed and restricted criteria to be found in: Schedule 2 in the case of ordinary personal data; and Schedule 3 in the case of sensitive personal data
	No equivalent	The second and third data protection principles will be merged into a new second principle - Schedule 1
	The Registrar can serve a 'transfer prohibition notice' to prevent transfer of data in order to protect the interests of data subjects - s 12	A new eighth data protection principle will ban trans-border data flows unless the target country 'ensures an adequate level of protection for the rights and freedoms of data subjects' - Schedule 1. Schedule 4 then contains a number of important detailed exceptions to this principle.
RIGHTS OF DATA SUBJECTS	Right to be informed and provided with a copy of data - s21(1)	There will also be a right to be: Provided with data 'in an intelligible form'; and In certain circumstances, told of logic involved in automated decision-taking - s 7(1)
	A data user does not have to provide information if a third person would be identified unless the third person has consented - s 21(4)(b)	By s 7(4) data controller will also have to provide information even if a third person would be identified if: It is health information compiled by a health professional; or It is reasonable to comply without the consent of the third person
	No equivalent	There will be a new right to prevent processing likely to cause damage or distress - s 10
	No equivalent	There will be a new right to prevent processing for purposes of direct marketing - s 11
	No equivalent	There will be a new right to prevent decision-making based solely on automatic processing - s 12
	There is a right to ask a court for an order rectifying or erasing inaccurate data - s 24	There will be a wider right to ask a court for the 'rectification, blocking, erasure or destruction' of inaccurate data - s 14(1)
	No equivalent	Where a court exercises its power to make an order under s 14(1) it will also be able to order that third parties that have already received data be notified - s 14(3)
NOTIFICATION	There is a near universal duty on data users to register data holdings - s 5(1)	There will be a duty on data controllers to notify data holdings (s 17(1)) unless: Processing is 'unlikely to prejudice rights and freedoms of data subjects' - s 17(3); or The data controller has an approved 'in-house' supervision scheme - s 23(1)
	The Registrar has a general power to refuse registration where she 'is satisfied that the applicant is likely to contravene any of the data protection principles' - s 7(2)(b)	The Commissioner will have no power to refuse registration but may use an enforcement notice instead (see 'Enforcement' below)
	Processing pending entry in the register is generally permitted - s 7(6)	Processing pending registration will be banned (s 22) where it is likely to cause: 'Substantial damage or substantial distress to data subjects'; or 'Otherwise significantly prejudice the rights and freedoms of data subjects' The Commissioner must make a speedy preliminary assessment
EXEMPTIONS	There is a total exemption in respect of national security data if a Minister issues a certificate. Such a certificate is not challengeable - s 27	A person 'directly affected' will have a right to appeal to the Data Protection Tribunal against such a certificate - s 28
	Exemption in respect of the regulation of financial services - s 30	There will be a much wider exemption in respect of regulatory activities - not only financial but also many non-financial activities too - s 31
	Exemption in respect of payrolls and accounts - s 32	This provision will be removed but is likely to fall into the 'unlikely to prejudice rights and freedoms of data subjects' category of data (see 'Notification' above)
	No equivalent	Exemption in respect of processing for the purposes of journalism, literature or art where the data controller reasonably believes that 'publication would be in the public interest' - s 32
	No equivalent	There will be a new exemption from subject access for education and employment references - Schedule 7(1)
	No equivalent	There will be a new exemption from subject access for data concerning honours and public appointments - Schedules 7(3) + (4)
	No equivalent	There will be a new exemption from subject access for management forecasts and plans - Schedule 7(5)
	No equivalent	There will be a new exemption from subject access for intentions formed in relation to negotiations - Schedule 7(7)
	No equivalent	There will be a new exemption from subject access for examination scripts - Schedule 7(9)
ENFORCEMENT	The Registrar can serve: Enforcement notices - s 10; De-registration notices - s 11; and Transfer prohibition notices - s 12	The Commissioner will be able to serve: Enforcement notices - s 40; Information notices - s 43; and Special information notices- s 44
MISCELLANEOUS AND GENERAL	The Registrar can only encourage other bodies to prepare and disseminate codes of practice - s 36(4)	The Commissioner will also be able to prepare and disseminate codes of practice herself - s 51(3)
	No equivalent	There will be a new ban on enforced access by subjects to data - s 56
	No equivalent	Any contract term that purports to require a data subject to obtain and/or reveal health records will be void - s 57

Commencement

The Data Protection Directive requires Member States to implement the new law by 24 October 1998. However, the Home Office has already indicated that it cannot meet this deadline.⁽³⁾ It seems likely that commencement will not now occur until the end of 1998 'at the earliest' and probably not until the early part of 1999.

Beyond this, Schedule 8 of the 1998 Act itself contains 'transitional relief' in respect of the new rights and obligations. This schedule has the effect of phasing in some of the changes by giving temporary exemptions from the full rigor the new law. Here is an example of the phasing provisions at work in the case of manual data. All manual data held in a 'relevant filing system' will be exempt from the main operative provisions of the new Act during the 'first transitional period' - i.e. from commencement until 23 October 2001. Manual data held on a 'relevant filing system' prior to 24 October 1998 will be exempt from control during the 'second transitional period' - i.e. from commencement until 24 October 2007.

Conclusion

Those who begin studying data protection law from now on are lucky. For them, there is a brand-new, clear and comprehensive code to work from. For those who were brought up with the existing law, however, there is a grueling upgrading process ahead. Hopefully, the above table of changes will make that process a little easier - at least at the outset. There is one great consolation for those who do need to 'unlearn' the old law and replace it with the new law, though. Given the intense and prolonged discussion and debate about the new code across the whole of the European Union, the Data Protection Act 1998 is likely to remain largely unchanged for a many years to come...we hope!

Footnotes

(1) The full text of the new Act can be found at <http://www.hmso.gov.uk/acts/acts1998/19980029.htm>

(2) For a much fuller description and analysis of the new law, see Lloyd I, Guide to the Data Protection Act 1998 (Butterworth, 1998).

(3) Gibb F, 'Data Protection Law Delayed' The Times 20 July 1998.