We reported on the new data protection last autumn, expecting the
main provisions to be in force by the end of October 1998. Following
the UK's delayed implementation of the European Data Protection
Directive, however, the introduction of the new Data Protection Act
1998 has also been put back. Ken Cooke of Masons Solicitors examines
the key provisions that will affect facilities managers.
The Data Protection Act 1998 received its royal assent on 16 July
1998. It is intended to, and will eventually, replace the old regime
under the 1984 Act. At present we are still waiting for the operative
provisions of the new Act to be brought into force.
A reflection of the eventual sweeping nature of the change is that
it will take place gradually over two statutory transitional periods
up to 2007. However, important parts of the new Act, once in force,
will apply to processing of personal data under way now, and careful
preparation needs to be made for future requirements and obligations
before they begin to bite.
Two fundamental new elements are that certain manual
(non-computerised) personal data are for the first time brought
within the data protection regime and that a much wider class of
operations carried out on data ("processing", as defined under the
new Act) are now regulated.
Scope of the Act
Not all manual data are subject to the new Act. Those which
constitute a "relevant filing system" are caught. This means,
briefly, a set of information which is structured either by reference
to individuals (by name, for example) or by criteria relating to them
so that specific information relating to a particular individual is
readily accessible. A file of paper documents containing personal
data but structured only by reference to their date would not fall
within the scope of the Act. Otherwise, only manual information
forming part of certain health, education or local authority records
is caught.
The operations which are regulated by the Act are now much
extended. "Processing", a narrow and precisely defined concept under
the old Act, now means obtaining, recording or holding data or
carrying out any operation including organisation, amendment,
retrieval, consultation, use, disclosure, transmission, combination
and destruction. A glance at the full definition in the Act
challenges one to think of an activity which would not be
covered.
Some superficial similarities between the old and new Acts are
misleading. For example, there is still a set of eight fundamental
data protection principles at the heart of the new Act, but some of
the eight are new, others are newly formulated and others again have
a similar form but a different meaning (mainly because they refer to
"processing").
The familiar right of individuals to obtain a copy of information
relating to them is retained, but the information to which they are
entitled goes beyond what was previously the case (including the
purpose for which the information is processed, to whom it may be
disclosed, the sources from whom it was obtained and the logical
basis of any automated decision-making using the information).
Individuals also have new rights (including a right to put a stop to
processing likely to cause them or others substantial and unwarranted
damage or distress, and to sue in the courts for compensation for any
breach of the Act causing them damage). The Data Protection Registrar
(now redesignated "Commissioner") has new powers, including a right
to be consulted about, and to ban, some processing before it
starts.
Registration
There will be a new system of registration (renamed
"notification") which has yet to be formulated, and we know there
will be a different basis for determining whether or not an overseas
transfer of data is permissible. However, any user of personal data
under the old Act is likely to have additional and more complex
obligations and exposures under the new one.
Some aspects of the new Act still remain unclear. In order to get
the Act onto the statute book within the parliamentary time
available, much of the essential content had to be left to be filled
in later by subordinate legislation. That subordinate legislation is
still awaited. If the Government had complied with its obligations
under the European Data Protection Directive, the Act would have been
in force by 24 October of last year, but the hole left by the
necessary subordinate legislation means that much of the Act is still
without effect.
Delayed introduction
In August last year the Home Office published two consultation
papers on subordinate legislation, one on notification (the procedure
to replace the current system of registration) and the other on the
remaining proposals. The closing date for responses to both was the
end of September, but the second of the consultation papers stated
that 24 October was no longer considered as a realistic deadline for
bringing the necessary legislation into force.
Since then, we have been waiting patiently to know the outcome of
the consultation exercise. "Early in the New Year" had been
suggested, later modified to February/March, and now it is becoming
less and less likely that anything will appear until after the Easter
parliamentary recess.
This document is for general guidance and research purposes only, and does not purport to give professional advice. Please check the date at the top of the article; the Workplace Law Network retains historic articles for general research.