Your browser is no longer supported

For the best possible experience using our website we recommend you upgrade to a newer version or another browser.

Your browser appears to have cookies disabled. For the best experience of this website, please enable cookies in your browser

We'll assume we have your consent to use cookies, for example so you won't need to log in each time you visit our site.
Learn more

D-DAY DAWNS FOR DATA PROTECTION

  • Comment
Individuals' data protection rights have been extended and enhanced ...
Individuals' data protection rights have been extended and enhanced

under The Data Protection Act 1998 which comes into force today.

The legislation provides an important range of new measures including

a specific right to prevent personal data being used for direct

marketing purposes and the right to prevent processing likely to

cause damage and distress.

Other rights have been enhanced, such as an individual's right to

claim compensation for breaches under the Act. This has now been

extended to allow claims for damage caused by any breach of the new

Act and associated distress.

Key changes under the new Act include:

- Certain manual records are being brought within data protection

rules for the first time

- The introduction of stricter conditions on the processing of

sensitive data - information about racial or ethnic origin, political

opinions, religious or other beliefs, trade union membership, health,

sexual life, and criminal convictions and offences

- The right not to have significant decisions, for example credit

scoring, based solely on the results of automatic processing

- New exemptions from notification (registration)

- A direct requirement on data users to comply with the Data

Protection Principles whether they are registered or not

- The Data Protection Registrar will now be called the 'Data

Protection Commissioner' and have wider powers of enforcement, a new

duty of promoting good practice and a power to issue codes

Home office minister Mike O'Brien said:

'This change in the law provides important new rights for everyone

whose personal information is being held by any company or

organisation.

'Data protection legislation requires a balance between protecting

individuals' rights to privacy and the legitimate needs of business

and other organisations to process personal information. The new Act

strikes that balance.

'Taken together with the proposed Freedom of Information Bill, it

gives people new rights to know what information organisations know

about them. It enables people to protect their privacy.

'Junk mail is one of people's biggest concerns. The Act specifically

allows individuals to prevent their personal details being used for

direct marketing purposes.

'And, for the first time, individuals whose personal information is

recorded manually will, in some cases, have a right to see that

information and make corrections if necessary.

'The Data Protection Act 1998 implements an EU Directive and will

help ensure equal data protection rights throughout the European

Union.'

NOTES

1. The Data Protection Act 1998 received royal assent on 16 July

1998. The Act gives effect to the 1995 EC Data Protection Directive

(95/46/EC) and replaces the Data Protection Act 1984.

2. The Data Protection Act 1998 is available on the Stationery Office

internet site at: http://www.hmso.gov.uk/acts/acts1998/19980029.htm

3. The Office of the Data Protection Commissioner's internet site

address is: http://www.dataprotection.gov.uk

DATA PROTECTION ACT 1998

General

The Data Protection Act 1998 comes into force on 1 March 2000. It

gives effect in UK law to the 1995 EC Data Protection Directive. The

Act strengthens and extends the data protection regime created by the

Data Protection Act 1984, which it replaces. This note summarises

the main provisions.

Scope

The 1998 Act applies to:

- computerised personal data (like the 1984 Act)

- personal data held in structured manual files (new)

It applies to anything at all done to personal data ('processing'),

including collection, use, disclosure, destruction and merely holding

data.

An Enforceable Good Practice Code

Organisations processing personal data ('controllers') must comply

with the data protection principles. These require data to be:

- fairly and lawfully processed

- processed for limited purposes

- adequate, relevant and not excessive

- accurate

- not kept longer than necessary

- processed in accordance with individuals' rights

- kept secure

- not transferred to non-EEA countries without adequate protection

The principles are similar to those in the 1984 Act. But the 1998

Act creates some express new requirements. Controllers must:

- meet one of six conditions in order to process personal data

- meet further conditions in order to process sensitive data*

- inform individuals when their data are collected

- Sensitive data are data about a person's ethnic origins, political

opinions, religious beliefs, trade union membership, health, sexual

life and criminal history.

Individuals' Rights

The Act strengthens individuals' rights to:

- gain access to their data

- seek compensation

It creates new express rights for individuals to:

- prevent their data being processed in certain circumstances

- 'opt-out' of having their data used for direct marketing

- 'opt-out' of fully automated decision-making about them

The Supervisory Authority

The Data Protection Registrar becomes the Data Protection

Commissioner. She:

- enforces the Act's requirements (with strengthened powers)

- promotes compliance and good practice

- manages the notification scheme

Notification

Registration under the 1984 Act is replaced with notification.

- Controllers must tell the Commissioner about their processing

(unless exempt).

- Exemptions cover:

- manual records

- core business activities

- charities' membership records

- Schools and partnerships only notify once

- There is provision for voluntary notification

Exemption from notification does not exempt from the data protection

principles.

Transitional Periods

There are transitional exemptions:

- until 24 October 2001, for certain automated and manual processing

- until 24 October 2007 (more limited) for certain manual processing

  • Comment

Have your say

You must sign in to make a comment

Please remember that the submission of any material is governed by our Terms and Conditions and by submitting material you confirm your agreement to these Terms and Conditions.

Links may be included in your comments but HTML is not permitted.