Keenan and Riches’ BUSINESS LAW


in this country would have led some British businesses
with international interests to face a boycott.
The government’s response to these developments was
the enactment of the Data Protection Act 1984, which
became fully operational from 11 November 1987.


The background to the 1998 Act


We have noted how the 1984 Act was enacted to implement
the Council of Europe Convention ‘for the protection
of individuals with regard to automatic processing
of personal data’. Both the Convention and the 1984
Act were limited in scope to data which are processed
automatically, i.e. by computer. In October 1995, the
EC adopted a Data Protection Directive, which had to
be implemented by member states by October 1998.
Although the 1984 Act met many of the requirements of
the directive, there were some important differences
which necessitated changes in the UK legislation. The
DPA 1998, which came into force on 1 March 2000,
introduces a new framework for the protection of data.


The 1998 Act itself


The DPA 1998 establishes a legal framework to regulate
the storage and processing of personal information.
Most persons who process, or have processed for them,
personal information are affected by the legislation. At
the centre of the scheme of regulation is the Information
Commissioner (previously known as the Data Protection
Registrar). The Commissioner is responsible for
maintaining a public register of those involved in processing
personal information, promoting good practice
by data controllers and observance of the requirements
of the DPA 1998, and disseminating information about
the DPA 1998.

The DPA 1998 gives rights to individuals, including
the right to obtain details of information held about
them and a right to obtain compensation for damage
suffered as the result of any contravention of the requirements
of the DPA 1998 by a data controller. The
DPA 1998 does not establish blanket regulation of all
personal data: there are exemptions from some or all of
its provisions.


Terminology


The terms used in the DPA 1998 are described below.

Data. This term refers to:


■ information which can be processed automatically,
i.e. by computer; or
■ information which is recorded as part of a ‘relevant
filing system’, that is a set of information in which
the records are structured either by reference to individuals
or by criteria relating to individuals; or
■ information which does not fall within the two points
above but which forms part of an ‘accessible record’,
e.g. school pupil, housing, social services and health
records.

The definition of data in the 1998 Act broadens the
scope of regulation and protection to include not only
information held on computers but also some manual
information, i.e. paper records. It is important to note
that not all manual information is covered by the DPA
1998; only manual information which falls within the
definition of ‘data’ set out above is subject to regulation.
It should also be noted that transitional arrangements
exempt manual information kept in a relevant filing system
before 24 October 1998 from full compliance with
the DPA 1998 until 2007. However, individuals have the
right to gain access to information held in paper records
from 24 October 2001 irrespective of the date from
which the information was held.

Personal data. These are items of information about a
living individual who can be identified. ‘Personal data’
include factual information about the person, expressions
of opinion about him and any indications of the intentions
of the data controller in respect of that individual.

Data controller. This is a person who (either alone or
jointly or in common with other persons) determines
the purposes for which and the manner in which any
personal data are, or are to be, processed.

Data processor. This refers to a person (other than an
employee of the data controller) who processes personal
data on behalf of the data controller.

Data subject. A data subject is an individual who is the
subject of personal data. Information about corporate
bodies is not covered.

Processing. In relation to information or data, this means
obtaining, recording or holding the information or data
or carrying out any operation on the data including:

■ organisation, adaptation or alteration of the data;
■ retrieval, consultation or use of the data;
■ disclosure of the data;

Part 4 Business resources

