The Data Protection Act 1998 (the Act) has been generally in force since March 2000. Many organisations will therefore be familiar with their obligations to comply with the data protection principles. But until now the Act has not applied to certain types of data or data processing. This exemption ended on 24 October this year.

This article discusses the types of data and data processing that are no longer exempt from the Act and explains the impact this may have on organisations.

Previous Exemption

Under transitional provisions, certain types of data were exempt from the scope of the Act until October this year. The most important aspect of the exemption applied to manual records. For most businesses, this probably had most relevance to the information held on personnel files. This data will now need to be checked to see if it complies with the Act.

The exemption had been significant because it is often more difficult for businesses to comply with the principles under the Act if the data is contained in manual, as opposed to electronic, records. For instance, it is generally less cumbersome and time consuming to respond to requests for access to personal data held about an individual where the data is held electronically rather than on manual records.

So what exactly will no longer be exempt from the Act?

  • manual records containing personal data, which are
  • part of a relevant filing system, that was
  • subject to processing already under way as at 24 October 1998.

A "relevant filing system" is any filing system which is structured in such a way that information about a certain individual is readily accessible.

Extended Exemption

A more restricted exemption regime is still in place until 2007. This is relevant where the data was held before 24 October 1998. But for the extended exemption to apply, the processing of the relevant filing system must also have started before October 1998. Also, the 6th, 7th and 8th data protection principles will apply to this type of data in any event. These are discussed below.

Other Automated Data Previously Exempt

The general exemption to 24 October 2001 also applied to types of automated data and not just to manual data. These were:

  • automated data processed to calculate salary or pensions or to keep accounts of sales and other transactions;
  • automated data processed only to replace other data which may be lost or destroyed (i.e. back up data); and
  • automated data processed to compile and distribute mailing lists.

Most organisations will almost certainly have data in the first and second of these categories. They will now need to ensure that they comply with the Act when processing this data.

Data Protection Principles

The biggest impact of the end of the exemption is likely to be found in principles 4, 5, 6 and 7. These require the following:

Personal data should be accurate and, where necessary, kept up to date (Principle 4).

Personal data must not be kept for longer than is necessary (Principle 5).

Data should be processed in line with the rights of individuals under the Act (Principle 6).

Personal information must be secure. Organisations must take measures to ensure the only processing of this data is authorised and lawful and that there is no accidental loss or destruction of this data (Principle 7).

One of the main concerns about manual records is ensuring they are accurate and up to date (principle 4) and are kept for no longer than is necessary (principle 5). Procedures need to be put in place to update manual records and to cull unnecessary information.

The security of manual data held, which is enshrined in principle 7, may also be of concern. Large businesses may find it difficult to keep on top of what personal data they hold. Indeed, all sorts of individuals within a business may keep filing systems of manual records containing personal data, especially where they operate from several sites within the organisation. There needs to be an assessment of whether access to these records is properly controlled.

Implications

Imagine a business has personnel records for an employee who has been with it for, say, 5 years. Under the ending of the exemption, all the data protection principles will apply to any data on those records from October 1998 onwards. However, under the more limited exemption that continues to October 2007, any personal details for the period before October 1998 will not be subject to all the provisions of the Act. Even then, some principles will apply to this pre-1998 data. In particular, the employee will be able to access the information, which is the right given in the all-important 6th data protection principle.

Another impact is that, not only will current employees have a legal right to see the content of their personal records, but so will past employees and even prospective employees that organisations decide not to employ. So, for example, prospective employees who were not offered a job would have the right to see documents such as scoresheets and psychometric tests if these were used during an interview process. And clients and customers have similar rights as well.

There are also issues concerning the ending of the exemption for certain automated data. Many businesses may outsource some personal data processing, for instance, by engaging a third party to perform the payroll function or to undertake direct marketing using mailing lists. These arrangements will be lawful from 24 October only if they are in some form of writing and contain appropriate data protection clauses guaranteeing the security and integrity of the relevant personal data.

Conclusion

By now most organisations will be familiar with data protection issues. But the ending of the exemption for manual records poses particular problems, mainly because of the difficulty in finding out what relevant personal data is stored, and how.

Forward planning is the key. For example, organisations need to identify the points where they collect personal data. They should also tell the "data subjects" of all uses and disclosures of their data when it is collected. It may also be possible to put manual records onto electronic databases, although this is likely to take time and manpower.

Data protection is a matter of risk analysis and assessment. It can be virtually impossible for any organisation to achieve full and ongoing compliance with the Act. The trick is to develop a strategy that takes you into being substantially risk free. And the time to act is now.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.