There is no doubt that the new Data Protection Act will have a
much greater impact on public sector bodies than it does on private
ones because public bodies must now consider the additional impact
of the Human Rights Act and the Freedom of Information Act. Public
sector bodies have a mountain to climb.
The scope of the Data Protection Act 1998 is enormously wider
than that of the Data Protection Act 1984 which it replaces. It has
the potential to cover most records going back for a hundred years.
Individuals are given greatly enhanced subject access rights. The
very keeping of records has fundamentally changed – public sector
bodies, as well as private sector bodies, now require legal
justification for maintaining any personal records. Crown
prerogative, under which so many records have been kept in the
past, is now severely circumscribed.
Private sector organisations which benefited from exemptions
under the old Act have their own difficulties: they must now
achieve full compliance. Those which were already compliant under
the old Act have little more to do, but those which were not now
face a much greater extension of their obligations. All
organisations which were previously exempt are now caught; there
are no longer any exemptions for small-to-medium enterprises. The
change is considerable for all, and may be overwhelming for some.
In many cases organisations are simply unprepared. There are a
number of reasons for this. Sometimes an organisation understands
what it has to achieve but, especially in the public sector, may
have no resources to allocate to the considerable amount of work
involved. "We know what the law is in local authorities, but we
simply can’t afford to comply with it" has actually been said.
These costs are not small, and in any case provision in the budget
is another matter. Pity the poor Data Protection Officer who has
warned his superiors in good time but has not been sufficiently
senior to insist on budget allocation or preparation.
Not every organisation has yet managed to appoint a Data
Protection Officer, and it is easy to see why the extent of the
Act's impact has been misunderstood or underestimated.
For any organisation a key step to successful operation under
the Act is to give individuals a notice at the time when their
personal data are collected, telling them exactly what information
the organisation is going to hold, what it is going to do with the
information and why, and also whether it will disclose the
information to anyone else, and what such third parties might do
with it.
The Act does give public bodies exemptions for particular
purposes (e.g. crime prevention) which mean that they do not have
to give notices, but if they avail themselves of these exemptions
they may find that failing to notify broader purposes circumscribes
their wider activities. An example would be the recent claim by the
NHS that it could not pass information on cancer patients to cancer
charities, and by the police that they could not pass information
to victim support groups. The point is that public sector bodies
which collect personal information on a statutory basis and have
also issued notices to individuals are free to use the personal
data for the wider purposes notified. The Act need not be an
inhibitor.
If two bodies in the private sector wish to share information
with each other then all they have to do is draft a contract which
sets out their commercial objectives and make sure that they give
the individuals concerned a notice explaining what is happening to
their personal data.
The Act divides organisations which use personal data into data
controllers and data processors. Data controllers feel the full
force of the Act; data processors are not directly affected.
Nevertheless the Act requires data controllers to impose on their
data processors contractual obligations to keep the personal data
safe and secure, and to ensure that the data controller controls
what the processor can do with the data. They must also extract a
security guarantee from the processor, and check that the
activities of their data processors are in accordance with the
contract, perhaps by undertaking an audit.
We can all expect in the next few weeks a flood of data
processor contracts which must be in place by 24 October. If you
receive a data processor contract and it says that the data
processor must comply with the provisions of the Data Protection
Act 1998, you are seeing a mistake. The Act imposes no obligations
specifically on data processors; the processor's obligation is to
comply with the terms of the new contract.
Owners of IT systems and software developers must cope with at
least 45 consequences of the Act. Top of the list are the rights
granted to data subjects and the capturing of source information
(insofar as it is available to the data controller). The
Commissioner has already indicated that records of disclosures
will have to be kept.
Even though the Act will in practice target organisations which
are data controllers, there is potential for workers to suffer
personal criminal liability if they breach the Act by unlawfully
obtaining or disclosing personal data. Although the employer does
not itself acquire this liability, employers will certainly have
to prepare for it: if they fail to provide extensive training they
may find themselves in employment tribunals.
That this is no chimera is shown by the fact that complaints and
requests for assessment made to the Office of the Information
Commissioner (formerly the Data Protection Registrar) have nearly
doubled in the last six months.
Subject access enables every individual to apply in writing to
any organisation asking whether that organisation is processing
information on him, and if so, to obtain a copy of that
information. It is a gift for litigators. Early application for a
copy of everything an organisation holds on an individual can
provide unlooked-for quantities of information to embarrass the
other side in a case. This danger seems to have been spotted by the
millions of American organisations which have failed to take
advantage of the Safe Harbor provisions negotiated with the EU
Commission. The danger is that they will have to grant subject
access over their own American customers’ and employees’ files and
this seems to have put them off.
According to American business guru Professor Gary Hamel we have
entered the decade of continual change and innovation for companies
which wish to stay profitable. Although companies' IT spend has
increased on average from 16% to 59% of turnover, the increase in
efficiency this represents has not fed through to increased
profits. Instead, the benefits have been passed on to customers via
reduced prices and increased quality. The arrival of the internet
has also prevented companies from being able to trade on customer
ignorance of their competitors’ prices, which has contributed to
pressures on profitability. Continual change and innovation will
require companies to exploit every one of their assets to achieve
maximum value. Personal data may turn out to be the most
important.
This article was contributed by leading data protection expert
Shelagh Gaskill.