Lindsay Jordan and Stephen Avila of Birkett Long Solicitors look at the significance of the Act.

'We inhabit the information age. Information can be gathered, manipulated and disseminated more quickly now than ever in our history.' There is nothing new in those words, spoken by Lord Williams of Mostyn when introducing this Act to the House of Lords. This Act has now been in force since March 2000 and affects virtually every organisation and every individual in the UK, yet some organisations have still not addressed its requirements.

The law

The Data Protection Act 1998 ('the Act') regulates how and when information relating to individuals may be obtained, used and disclosed. The Act also allows individuals access to personal data relating to them, to challenge misuse of it and to seek redress. Enforcement of the Act is through the Information Commissioner ('the Commissioner').

The Act places a duty on any person or organisation that holds personal information about living individuals (i.e. personal data) on computer or in certain manual data systems (or has such information processed on computer by others) to comply with the eight data protection principles and to notify the Commissioner about the processing carried out.

Failure to notify is a criminal offence. However there are a number of exemptions from the notification requirement of the Act for individuals and organizations that make only limited use of personal data. The Commissioner has produced a self-assessment guide to determine whether notification is necessary.

Remedies for misuse of personal data include compensation if the individual has suffered damage, rectification or destruction of inaccurate data and the right to request a review by the Commissioner of whether the Act has been contravened.

The eight Data Protection Principles ('Principles')

Within any organisation the person who controls the purpose for which personal data can be held and the manner in which it is processed (the Data Controller) has the responsibility of ensuring compliance with the Principles.

These form an enforceable code of practice, which must be complied with, regardless of whether the organisation controlling the personal data has to notify the Commissioner of their use of personal data.
The eight principles require personal data to be:

  • fairly and lawfully obtained;
  • held only for specific and lawful purposes and not processed in any manner incompatible with those purposes;
  • adequate, relevant and not excessive for those purposes;
  • accurate and where necessary kept up-to-date, not kept for longer than necessary;
  • processed in accordance with the rights of the person to whom the data refers;
  • kept securely to ensure data is not lost, disposed of or misused;
  • not transferred out of the European Economic Area unless the destination has an adequate level of data protection.

The statutory fee for notifying the Commissioner is just £35 per year. Recently the Commissioner has warned UK businesses not to be misled by bogus agencies that continue to send notices demanding money to register under the Act. Over 200 businesses a month fall victim to fake data protection agencies posing as official government bodies who are requesting sums of £95-135 to register under the Act. If your business receives such a letter it should be thrown straight in the bin.

Criminal offences

An understanding of the Act enables organisations to comply with it and to avoid unwitting infringement. This is especially important if the threat of criminal proceedings for unlawful processing is to be avoided.

The Act creates a number of criminal offences. They include:

  • notification offences;
  • procuring and selling offences;
  • enforced subject access;
  • other offences.

Notification offences

Such an offence is committed where a Data Controller who is processing personal data has failed to notify the Commissioner of use of personal data when required to do so. Failure to notify is a 'strict liability' offence for which the penalty is a maximum of £5,000 in the Magistrates Court and is unlimited in the Crown Court.

Procuring and selling offences

It is an offence to obtain, disclose, sell or advertise for sale, or bring about the disclosure of personal data, without the consent of the Data Controller. It is also an offence to access personal data or to disclose it without proper authorization. This offence covers unauthorized access to and disclosure of personal data.

A recent case involved the successful prosecution for the offence of procuring information illegally. On 18 December 2001 two directors were prosecuted in relation to the company's attempts to unlawfully procure information from various sources.

The prosecution at Chichester Crown Court resulted in the directors being conditionally discharged for two years and ordered to pay costs of £1,000 each. This was the most common offence between 2002 and 2003.

Enforced subject access

Unless one of the limited statutory exceptions apply it is an offence for a person to ask another person to make a subject access request in order to obtain personal data about that person for specified purposes, such as a precondition to employment.

Other offences

It is an offence to fail to respond to an information notice or to breach an enforcement notice. A recent appeal case found that where a corporate body such as a Local Authority failed to renew its registration under the Act, notwithstanding reminders to do so, it could reasonably be inferred that the body was aware of its omission, so that its continued use of personal data contravened the Act.

Thirty-three convictions were made under the Act in 2001/02 with fines ranging between £50-5,000, whilst 80 convictions were made under the Act in 2002/03. In 2003/04, 47 convictions were made under the Act including one conviction that resulted in a fine of £10,000 and a costs order of £5,000. This is one of the largest financial penalties imposed by a court on an individual for offences under the Act.

Trading online

The increasingly widespread use of internet services creates particular problems and care needs to be exercised by website operators. The information collected by 'cookies', which are used to develop profiles of website users and to deliver targeted marketing messages to particular individuals, is personal data.

Cookies are small pieces of software that are placed on a user's computer by a website that identify and provide other information to that website when it is revisited. Any web operator using a cookie will probably need to notify the Commissioner.

A site visitor should be informed wherever a cookie or other tracking system enables the collection of personal data; otherwise the information may breach the principle requiring that it should be fairly obtained. Users should be informed online, before data collection begins.

Similarly the use of web bugs by website operators may well result in personal data being processed. A web bug is a graphics file, generally only 1x1 pixel in size, designed to monitor who is reading a web page or email message.

The use of web bugs is not necessarily prohibited by the Act, however the collection of personal data through the use of such a device can hardly be done fairly if it is invisible to the person whose online activities it is monitoring.

Individuals being monitored should be informed that monitoring is taking place, who the monitoring is being performed by and the purposes for which it is taking place. The Commissioner also suggests that an individual should be given the opportunity of refusing or disabling the device prior to the collection of any personal data through it.

On 11 December 2003 the Privacy and Electronic Communications Regulations came into force. These Regulations acknowledge that electronic communications over the internet opens new possibilities for users but also new risks for their personal data and privacy.

This has the effect of tightening the data protection obligations affecting most ebusinesses, particularly in the field of 'unsolicited communications' or SPAM which are likely to be subject to an 'opt-in' requirement. This makes the sending of such a communication unlawful unless the recipient has previously given their consent to receive such communications. What will qualify as 'consent' still remains to be seen.

The Regulations do however take a soft approach with regard to the use of cookies, web bugs, hidden identifiers and similar devices.

These are allowed provided that the individuals concerned receive clear and comprehensive information (but not necessarily in advance) about the use of that type of technology and are offered the right to refuse it. Most UK-based e-businesses will need to review their privacy policies to ensure that the use of cookies is properly explained.

Full details on the Regulations are available from the Department of Trade and Industries website.

Conclusion

The maintenance of an individual's privacy and the protection of personal data from abuse are under close scrutiny and in order to avoid breaches of the Act it is suggested that every organisation take the following action:

  • Establish whether you should 'notify' the Commissioner of your data processing. If in doubt notify, since many types of processing are covered by the Act and a payment of £35 per year will avoid a £5,000 fine!
  • Audit all manual filing systems and automated records, including personnel files, to check compliance with the Principles.
  • Ensure your notification entry in the register stays up-to-date. The register is publicly accessible and can be scrutinised online.
  • Audit the activities involving personal data; is it being processed and for what purposes?
  • Audit the occasions on which personal data is collected and from whom. Consider if the consent of the data subject is required to such collection and processing.