THE COMPUTER LAW AND SECURITY REPORT
2 CLSR
No reply I received objected to the removal of Section 27 of the Data Protection Act. Many welcomed the provisions that will bring the personal data used for the purpose of National Security under the Registrar's independent scrutiny.
(8) Subject Access to Domestic Personal Data (Section 33 etc)
I thought a great deal about this. However, at the end of the day I concluded that Subject Access is the general rule, and could not think of reasons (other than inconvenience to the Data User) for excluding Subject Access. If there are convincing arguments the other way, I would be pleased to hear them.
Harry Cohen MP
o0o
ANNEX
IMPROVEMENTS TO THE DATA PROTECTION ACT 1984 THAT ARISE FROM THE DATA PROTECTION (AMENDMENT) BILL 1988
(i) The Bill gives Data Subjects an uncomplicated right of access to their own personal data. Where a subject access exemption is claimed, the Bill establishes consistent and clear legal tests for when those exemptions occur. The Bill closes some loopholes that restrict Subject Access. (see amendments g1,g2,g3,g4,k,m)
(ii) In the circumstances when a Data User refuses Subject Access because a Subject Access exemption is claimed, the Registrar can ask to inspect the personal data. Thus the Registrar can properly adjudicate whether to serve an enforcement notice in relation to the seventh Data Protection Principle. To ensure balance in these contentious cases, both the Data User and the Data Subject can appeal to the Data Protection Tribunal to obtain an independent assessment on the Registrar's actions. These changes ensure a fair adjudication of whether Subject Access to personal data is allowable. (see amendment k)
(iii) The Bill brings personal data held for a national security purpose fully under the ambit of the Act, and allows for one of the Registrar's staff who has sufficient security clearance, or a member of the Security Commission, to investigate complaints in these cases and make reports. This follows the recommendation of the Lindop Committee. (see amendment c,i)
(iv) The Registrar is allowed in the last resort, and subject to the issuing of a warrant signed by a circuit judge, powers of inspection of any Data User's computer installations if a breach of a Data Protection Principle is suspected. Data Users that hold personal data requiring registration can be inspected randomly by the Data Protection Registrar to ensure compliance with the Data Protection Principles. (amendment f)
(v) The Bill allows registration only of specific personal data types or of personal data which are processed for specific purposes (e.g. public sector personal data including police, national security, and other types or uses, e.g. ethnic records, credit agencies...; see amendment (c) below for list). Registration must take place for the personal data in these specific categories and purposes, and, as under the current Data Protection Act, it is a criminal offence not to register. The Secretary of State has the power to modify the list, should public concern (or legal precedent) create difficulties at a later stage. (amendments c,d)
(vi) The Bill reduces the need of many businesses (i.e. small Data Users) to register. If they do not process personal data that fall under the categories mentioned in (v) above (see amendment (c) below), then there is no need to register. The Bill does not absolve these Data Users of their responsibilities to proper data processing standards; they will have to provide Subject Access to their personal data, can be sued for damages, and are subject to the enforcement powers of the Registrar should they breach the Data Protection Principles. Note that the Bill encourages the production of a Code of Practice for these Data Users to guide them on their responsibilities. Computer Bureau need only register if they provide services to a Data User who needs to register. (amendments c,e,h,o)
(vii) The Bill gives a statutory role to Codes of Practice, which can be developed by trade associations or other representative bodies. These Codes of Practice, which are subject to certification and approval by the Registrar, can cover all the legal requirements of processing of personal data and may be adopted as part of the registration process. The Bill thus allows for a gradual changeover from "registration particulars" to the Codes of Practice that are favoured by industry, commerce and public sector Data Users. The Bill also allows the Registrar to seek further details from a Data User who has to register about any registration particulars. (amendments e,h,o)
(viii) The Bill allows the Registrar to assist in a limited way (for example with financial, legal or clerical support), in a civil action brought by a Data Subject, should the Registrar's opinion be of sufficient importance to the operation or interpretation of the Data Protection Act. (amendment p)
(ix) The Bill removes the restrictions on the Registrar, on the issuing of enforcement notices in relation to the first, third and seventh Data Protection Principles. As the Bill allows the Data User to appeal to the Data Protection Tribunal, there is no fear that the Registrar will abuse his powers. The effect of the change is to allow contentious issues to be raised by the Registrar and ultimately adjudicated by the Data Protection Tribunal. For example, the many uses of the Electoral Register that take place without the knowledge or consent of the Data Subject, the proposed amalgamation of government data bases via the Government Data Network, and other controversial issues can be aired by the Data Protection Registrar more directly. As a result of new powers, the adjudicating role of the Data Protection Tribunal is increased in importance. (amendments i,r)
(x) The Bill removes possible "loopholes" in the legislation redundant sections and subsections (the "non-disclosure provisions", payroll and accounts etc) which are unnecessary under the new registration regime (amendments l,m,n,k) and specifies under what procedure the Ministerial orders made under amendment (c,k) will apply (amendment q)
(amendments a,b,g3,g4),
o0o