Article - Data Protection Compliance: A Happy Accident?
The Data Protection Act came into force on 1 March 2000. It is a complicated piece of legislation which places heavy responsibilities onto businesses and organisations with regard to the protection and processing of personal data.
The Act applies to all data that identifies or is capable of identifying a living person – so a list of e-mail addresses can be quite enough to bring you within its ambit, let alone a fully-functioning database. There are very few businesses of any size these days which do not take advantage of the huge power of the technology available for a wide range of communication and marketing uses based on the personal information. The Act is the means by which Government seeks to prevent its misuse, whether intentional or not.
There are eight Data Protection principles enshrined in the Act. Personal data must be:
- processed fairly and lawfully;
- processed for a limited purpose;
- adequate, relevant and not excessive;
- accurate;
- not kept longer than necessary;
- processed in accordance with the rights of the data subjects;
- kept secure from accidental damage, loss and destruction; and
- not transferred to a country outside the EEA without adequate protection.
The person responsible for enforcing and overseeing the Act is the Information Commissioner, Richard Thomas, who has just taken over from Elizabeth France. For various reasons, including understaffing, the Office of the Information Commissioner has until recently usually only investigated breaches committed under the Act if a complaint was filed. However, Elizabeth France indicated last year that in order to enforce the Act efficiently, a pro-active stance has to be taken by the Office. The Office is now intending to double its staff to implement this, and we may therefore expect that there will be much greater activity on the enforcement front.
Whilst there is a good general awareness of the Act across both large and small companies, there is a lack of detailed knowledge and understanding of all its implications for personal record keeping. Moreover, the levels of compliance vary depending on the size of a company and the extent to which the business is regulated by an outside body, such as the Institute of Chartered Accountants or the Financial Services Authority.
In light of this, Elizabeth France commissioned a “Study of Compliance with the Data Protection Act 1998 by UK-Based Websites” by UMIST, completed last May. We believe that she focused on this sector as the electronic community is an easily accessible target. It indicates that many UK-based websites do not comply with the Act and that “those who were compliant tended to be so more by accident than by design”. Particular areas of concern highlighted in the report relate to personal data retention, data security and right of access to the personal data. Furthermore, the report stresses that primarily “small companies who have extended their existing business onto the web” are of particular concern.
Whilst the Office of the Information Commissioner accepts that those who are non-compliant are often so unintentionally, ignorance of the law is not a defence. It is also important to realise that notification under the Act is only a very minor element of the work involved in compliance with the Act, as most of it relates to the eight data protection principles set out in the Act and described above.
Very few websites that collect information will be able to remain outside the ambit of the Act. If your organisation controls any personal data, you need to be vigilant in controlling and processing it in compliance with the Act. Failure to do so is a criminal offence punishable by a fine or even imprisonment, and while lip service may have been enough up until now, once the Commissioner's new staff have been trained, ignoring the Act will be foolhardy.
Published 01/03/2000.