Your browser is no longer supported

For the best possible experience using our website we recommend you upgrade to a newer version or another browser.

Your browser appears to have cookies disabled. For the best experience of this website, please enable cookies in your browser

We'll assume we have your consent to use cookies, for example so you won't need to log in each time you visit our site.
Learn more


  • Comment
The Data Protection Registrar has welcomed the publication of a Bill which should strengthen significantly the degr...
The Data Protection Registrar has welcomed the publication of a Bill which should strengthen significantly the degree of control individuals have over the use of their information.

'This measure is timely as there is increasing capacity to hold and manipulate computerised information' said registrar Elizabeth France. 'In both the public and private sectors there is great impetus to deliver services electronically and to use computerised personal information to inform decisions affecting individuals.

I am pleased that in producing the Bill to implement the EC Data Protection Directive (95/46/EC) the home office has listened to my concern that they should adopt a practical approach to seek to ensure that what we have is workable legislation.

There are still a number of significant matters which will have to be addressed. These include whether it is possible to provide a clearer definition of those manual records that will be covered by the new Act, the detailed provisions for the new system of notification to replace registration and the transitional provisions.

The latter are particularly significant as the government has made it clear that it intends to take full advantage of the provision in the Directive which allows a period of grace of up to 3 years in respect of processing operations that are already underway.

However, there are a couple of matters regarding which the Registrar continues to have significant concern. Clause 28(4) provides an order

making power which would allow the secretary of state to exempt personal data of a specified description not only from subject access

but also from the requirement to process personal data fairly and lawfully. I see no justification for making provision for the blanket exemption of certain types of data for law enforcement and tax raising purposes. I am not aware that there is any evidence that the absence of such a provision in the current UK Act has had a significant adverse affect on law enforcement and tax collection. A democracy that properly respects the privacy of its citizens should be wary of providing for such a blanket exemption from rules designed to ensure the fair and lawful processing of personal information'.

The new Bill includes a power for the commissioner to require information from data controllers in order to enable him to decide

that their processing activities conform to the law. 'This is a great step forward' said Mrs France. 'At the moment I need evidence of non-compliance in order to obtain a warrant to demand access to personal data. It is common for regulators to have information gathering powers in order to enable them to carry out their

functions'. However, the Registrar has expressed her very serious concern that an Information Notice can be appealed to the Data Protection Tribunal. 'I entirely appreciate that controllers should

not be obliged to respond to an onerous requirement for information and suggested therefore that appeals against Information Notices should be limited to deal with this point'. The practical effect of the current provisions is that ascertaining whether a data user had properly responded to a subject access request could take a number of months involving the issuing of a formal Information Notice, an appeal against such a notice and a tribunal hearing. Where a controller was simply seeking to delay the provision of information to an individual data subject this could be achieved by an appeal which the controller could withdraw just before an appeal hearing. 'I have urged the Government to reconsider this matter'.

Overall, however, the Registrar is pleased with this Bill. 'Though I have a few concerns about the Bill in its current form I believe that overall it provides an excellent framework for seeking to achieve the right balance between individuals' entitlement to privacy in the handling of information about them and information users' needs in processing information to provide the services which individuals require'.


1. The Data Protection Bill to give effect to the 1995 EC Data Protection Directive (95/46/EC) was published last week.

The Directive must be implemented by 24 October 1998.

2. The Registrar published her views on implementing the Directive as 'Our Answers' in July 1996.

  • Comment

Have your say

You must sign in to make a comment

Please remember that the submission of any material is governed by our Terms and Conditions and by submitting material you confirm your agreement to these Terms and Conditions.

Links may be included in your comments but HTML is not permitted.