'This measure is timely as there is increasing capacity to hold and manipulate computerised information' said registrar Elizabeth France. 'In both the public and private sectors there is great impetus to deliver services electronically and to use computerised personal information to inform decisions affecting individuals.
I am pleased that in producing the Bill to implement the EC Data Protection Directive (95/46/EC) the home office has listened to my concern that they should adopt a practical approach to seek to ensure that what we have is workable legislation.
There are still a number of significant matters which will have to be addressed. These include whether it is possible to provide a clearer definition of those manual records that will be covered by the new Act, the detailed provisions for the new system of notification to replace registration and the transitional provisions.
However, there are a couple of matters regarding which the Registrar continues to have significant concern. Clause 28(4) provides an order
making power which would allow the secretary of state to exempt personal data of a specified description not only from subject access
but also from the requirement to process personal data fairly and lawfully. I see no justification for making provision for the blanket exemption of certain types of data for law enforcement and tax raising purposes. I am not aware that there is any evidence that the absence of such a provision in the current UK Act has had a significant adverse affect on law enforcement and tax collection. A democracy that properly respects the privacy of its citizens should be wary of providing for such a blanket exemption from rules designed to ensure the fair and lawful processing of personal information'.
The new Bill includes a power for the commissioner to require information from data controllers in order to enable him to decide
that their processing activities conform to the law. 'This is a great step forward' said Mrs France. 'At the moment I need evidence of non-compliance in order to obtain a warrant to demand access to personal data. It is common for regulators to have information gathering powers in order to enable them to carry out their
functions'. However, the Registrar has expressed her very serious concern that an Information Notice can be appealed to the Data Protection Tribunal. 'I entirely appreciate that controllers should
not be obliged to respond to an onerous requirement for information and suggested therefore that appeals against Information Notices should be limited to deal with this point'. The practical effect of the current provisions is that ascertaining whether a data user had properly responded to a subject access request could take a number of months involving the issuing of a formal Information Notice, an appeal against such a notice and a tribunal hearing. Where a controller was simply seeking to delay the provision of information to an individual data subject this could be achieved by an appeal which the controller could withdraw just before an appeal hearing. 'I have urged the Government to reconsider this matter'.
Overall, however, the Registrar is pleased with this Bill. 'Though I have a few concerns about the Bill in its current form I believe that overall it provides an excellent framework for seeking to achieve the right balance between individuals' entitlement to privacy in the handling of information about them and information users' needs in processing information to provide the services which individuals require'.
1. The Data Protection Bill to give effect to the 1995 EC Data Protection Directive (95/46/EC) was published last week.
The Directive must be implemented by 24 October 1998.
2. The Registrar published her views on implementing the Directive as 'Our Answers' in July 1996.