CS 302 Professional Issues

Chapter 10 - Data Protection Legislation

§10.0 Introduction - UK Overview
§10.1 Evolution of UK Act
§10.2 The Data Protection Principles
§10.3 Data Protection Developments
§10.4 Freedom of Information

Previous Reading: Computer Misuse Legislation

§10.0 Introduction - UK Overview

When we talk about data protection, what we mean is the protection of data which is personal to one individual; we are not concerned with data which details other matters ... animal breeding programmes, companies, nor even partnerships or (with certain restrictions) persons acting as sole traders. Individuals only - people! And only living people at that, not the dead.

The Computer Misuse Act became law because of the determination of one individual Westminster MP who had previously been a computing professional ...

... but the UK history of data protection legislation is very much otherwise, with the UK government very reluctantly moving (for trade protection reasons) to adopt European ideas.

Curiously, there were two very different forces driving the European ideas of data protection:

Eventually the United Kingdom passed its Data Protection Act in 1984. That act is now repealed and superseded by the similarly titled 1998 Act ... though the final details of that act will be a long time coming: the first sections were immediately applicable, but the last ones were not scheduled to be mandatory until 2007!

Many of the changes made under the 1998 Act (by comparison with its predecessor) are as yet poorly understood, even though it has been essentially in force since 1998 (as just remarked, some of the provisions were deferred for quite a long time before they came into effect).

§10.1 Evolution of the UK Act

The widespread concerns of the 1960s about privacy led eventually to the Younger Report of 1972.

But things changed, relatively quickly, so far as the availability and deployment of computers was concerned ... suddenly, long gone were the 1940s days of "six computers being sufficient for the world's needs" and the startling 1950 deployment of LEO (Lyons' Electronic Office). Ask yourself just why those changes were so sudden and so marked!

Within a very few years, and in response to a 1975 White Paper [UK government proposal for legislation], the Lindup Report of 1978 supported the idea of computer legislation and identified relevant aspects of privacy for which provision ought to be made.

Many countries acted on these and related ideas, including in particular the European Union, but the UK government was reluctant and slow to act ... which brings us to the international pressure described at the beginning of the chapter, the pressures which eventually compelled the UK government to bring forward what became the Data Protection Act 1984.

What did the 1984 Act provide for?

The 1984 Act has now been repealed and superseded by the 1998 Act; from now on we will concentrate on the latter. We have already commented on one major difference between the two acts, the fact that the later one covers manual as well as computer-based filing systems. A second point - in one sense immaterial, but from another viewpoint essential knowledge! - is that the Data Protection Registrar was restyled Data Protection Commissioner, and subsequently Information Commissioner. And a third is that the system of registration with the Data Protection Registrar has been superseded by a system of notification of data held, the principal difference being that a much reduced amount of detail is held on the central register.

From a practical point of view, note also and in particular that

There is much guidance available on the 1998 Act (and also, if you need it, on that of 1984).

In particular, you must be familiar with the Data Protection Principles, which were originally defined in schedule 1 to the 1984 Act but were subsequently extended and refined in the 1998 Act.

§10.2 The Data Protection Principles

The heart of the UK Data Protection Act 1998 is the set of data protection principles defined in it, principles which closely derive from the relevant EU directive. They closely resemble those of the 1984 Act, although there are some interesting if small differences.

There are eight principles defined - and the Information Commissioner now summarises them (on the web site and elsewhere) as follows:

[Personal] Data must be:
1. fairly and lawfully processed;
2. processed for limited purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept for longer than is necessary;
6. processed in line with the subject's rights;
7. secure; and
8. not transferred to other countries without adequate protection.

Beware: as has already been said, these are eight points for professionals to have mastered! Start by understanding them, then gradually move to the point where you know the principles and can automatically apply them.

We need to examine these principles more closely, but it is also interesting, and - more to the point - instructive, to examine them in the context of what has been changed since the original 1984 Act. It is also important to remember that we are talking about personal data; no matter how sensitive or confidential other materials may be - referring, for example, to religious organizations or to commercial or security arrangements - they are not protected by the Act, although of course other legislation may be applicable, such as that on prejudice or on official secrets.

  1. fairly and lawfully processed:
  2. processed for limited purposes:
  3. adequate, relevant and not excessive:
  4. accurate:
  5. not kept for longer than is necessary:
  6. processed in line with the subject's rights:
  7. secure:
  8. not transferred to other countries without adequate protection:

§10.3 Data Protection Developments

Not likely to be discussed within the present lecture series!

§10.4 Freedom of Information

In the context of rights of access to personal data, one of the key features of data protection legislation, it is right to refer to the various developments there have been within the European Union as a consequence of the human rights legislation. This has impinged on many aspects of law: for example, one particular point in the context of the Scottish system was the independence of the judiciary - until very recently it was possible to argue that the judiciary in Scotland was not wholly free of political control, as is required by EU human rights legislation, because many cases were heard before temporary sheriffs ... and temporary sheriffs were appointed from the ranks of the senior lawyers, at the discretion of the government's politically appointed senior law officers.

On the data protection side, there is now legislation which gives a citizen a right of access to almost all material held on him or her, and to much related government (or local government) material besides - and there are associated codes of practice. This is moving away from strictly computer-related legislation, although there is the obvious link of the retitling of the former Data Protection Registrar / Commissioner as the Information Commissioner.

Be careful, however, for the details of the information legislation change as you move across the United Kingdom. For England and Wales the relevant act is the one promoted by the Information Commissioner, the Freedom of Information Act 2000.

The act applicable in Scotland (and there is also an act for Northern Ireland, as indeed for the Republic of Ireland) is the Freedom of Information (Scotland) Act 2002. Amongst other things, the Scottish act requires the appointment of a Scottish Information Commissioner; details are available from the Scottish Commissioner's website, www.itspublicknowledge.info. You may care to smile wryly over the fact that, although Scottish universities are not government bodies - they are independent, charitable bodies, existing by royal or other charter, or as a consequence of a series of acts of parliament - they have the dubious privilege of being specifically incorporated amongst those bodies to which the act is applicable. It is tempting to ask the old lawyer's question, cui bono? "To whose good?"

© Paul Goldfinch 2008