The draft legislation to implement the framework EU directive on data protection (see endnote 1) was published by the UK Government recently. The draft bill, which when enacted will replace wholesale the existing legislation, the Data Protection Act 1984, is expected to make a number of significant changes to the way the protection of personal data is handled in the UK. Certainly, aspects of the draft legislation have already attracted considerable comment. The following is a brief summary of some of the more significant aspects of the bill.

The bill will, once in force, apply to the electronic processing (which includes capturing and viewing) of "personal information". For the first time it will also catch certain paper-based records, if they are sufficiently structured.

The bill will, like the existing rules, give individuals whose data is stored certain specific rights. These include:

  • the right (in certain circumstances) to ask anyone processing information about them for a description of the personal information being processed, the purposes for which that data is being processed, and the recipients or classes of recipients to whom the personal data is being disclosed.
  • the right (subject to certain exceptions) to require a data controller to stop or not to begin processing any personal data about them if he/she is likely to suffer substantial damage or distress.
  • the right to prevent the processing for the purposes of direct marketing.

As under the existing legislation, companies or persons processing personal data will be expected to register with the Data Protection Registrar, detailing what data they will be collecting and processing and for what purposes.

Similarly, the bill will continue the eight guiding principles to which controllers of personal data will have to adhere. The actual principles will, however, be subject to significant changes from those presently in use. The principles include the following:

  • Personal data must be fairly and lawfully processed.
  • The data must be accurate and, where necessary, kept up to date.
  • Measures must be taken to ensure that there is adequate security to prevent harm, which may arise from unauthorised or accidental loss or destruction of data.
  • Personal data may not be exported from the European Economic Area, unless the importing country has an adequate level of data protection.

The bill includes descriptions of what each of these principles is intended to mean. There are also some exceptions to the principles, most notably to the principle of fair and lawful processing, which may water down their effect (and thus the level of "protection" given to individuals).

The potential restriction on the export of data (established by the last of the principles) is, for obvious reasons, of particular concern to many companies. In deciding whether a country has an "adequate level of protection", the Registrar will look at factors like:

  • the nature of the data;
  • the security measures taken;
  • the country of origin and destination;
  • the purposes and period of processing of the data;
  • the data protection and related laws and international obligations of the relevant country.

Many companies are keen to see how these factors are applied in practice, as any serious restrictions on cross-border data flow could have a significant impact. This is particularly true if, as many commentators have suggested, the US will be regarded as not having adequate data protection.

Failure to comply with a number of key aspects of the bill will amount to a criminal offence.

The bill is due to be enacted this October. Although the current draft of the bill does not include any provisions dealing with how it will affect databases of personal data already in place, it is expected that such provisions will be introduced. Almost certainly the Government will allow a fairly lengthy period for companies to bring existing records and procedures into line with the new laws.

There is no doubt that the bill will (even taking into account changes that might be made as it passes through Parliament) introduce tighter controls on the use of personal information. However, as many of the more important aspects are open to interpretation, we will have to see how it is applied in practice from the end of this year to judge the real impact.

ENDNOTE

1 The Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46/EC).

Further Information

For further information or advice on any of the legal or internal policy issues involved in e-mail use, please contact us.
This bulletin is correct to the best of our knowledge and belief. It is, however, written as a general guide; it is essential that relevant professional advice is sought before any specific action is taken. Garretts is a member of the international network of law firms associated with Arthur Andersen and is regulated by the Law Society in the conduct of investment business.