The Data Protection Act comes into force next week with the
registrar promising a period of grace before getting tough.
Computer Weekly reviews some of the challenges facing IT and looks
at some recent cases
Lindsay Clark & Caroline Davis
IT managers face a challenge convincing business to comply with
the new data protection legislation, according to the data
protection registrar.
The 1998 Data Protection Act comes into force next Wednesday (1
March) after secondary legislation proposed by home secretary Jack
Straw is given the nod by parliament.
The new Act is more stringent than the 1984 Act: it extends to
structured paper-based records as well as electronic ones, obliges
businesses to keep personal data accurate and up to date, and
requires appropriate security measures.
IT managers will have to work with other divisions, such as
marketing, finance and personnel to ensure this, said Elizabeth
France, the data protection registrar. "My concern is that they
realise that they have to engage people outside their department.
Data protection is not just about IT departments - they cannot be
successful by themselves."
However, IT can also be a tool for compliance, France said. Business
policies on data protection can be enforced in computer systems
themselves, so that people without a genuine business need are
prevented from accessing personal data.
One aspect of the new law that bears directly on IT is information
security. The seventh principle of the new Act requires businesses
handling personal data to take "appropriate technical and
organisational measures" against unauthorised or unlawful
processing, and against accidental loss, destruction or damage, of
that data. In practice this covers both hacking and data lost
through system failures.
The security standard BS7799 is a good starting point for
compliance with the Act, France said. Some businesses may need
stronger security, proportionate to the level of risk and the
sensitivity of the data; for smaller businesses, BS7799 may be more
than is needed, she said.
The Act also governs the transfer of personal data across
international boundaries, and allows businesses to move data only
to countries that provide adequate protection for the rights of
data subjects.
A rift between Europe and the US leaves businesses uncertain whether
it is lawful to export personal data to the US, despite the efforts
of authorities on both sides of the Atlantic to agree a solution.
France, who will become data protection commissioner when the
Act comes into force, said her office would issue interim guidance
to help companies operate within the law while carrying out their
business.
Although failing to register under the new Act (which calls the
process "notification") is a criminal offence, and aggrieved
individuals can seek damages from companies, France said she would
take a gradual approach to enforcing the new law. "We will give
companies a grace period to get used to the new law, and then start
publicising the new Act, informing individuals of their new rights."
Non-registration: the penalties
July 1998 - Kingscliffe, a company owned by a father and his son,
was successfully prosecuted by the data protection registrar. With
the assistance of NatWest bank, the registrar secured convictions on
one charge of non-registration, two charges of unlawfully procuring
personal data and two charges of unlawfully selling it. The company
was fined £1,000 on each charge. Kingscliffe's owner Michael Larbey
was fined £2,000, and his son £1,000. Costs of £1,215 were awarded.
Local authorities overstep the mark
July 1998 - data protection registrar Elizabeth France voiced
serious concerns about the actions of a number of local authorities
that have demanded the wholesale disclosure of staff payroll
information from local employers. The councils in question appear
to have been acting in the mistaken belief that the Social Security
Administration (Fraud) Act 1997 gives them an automatic right to
this information.
Limiting utilities' direct mail
Southern Electric
- April 1997 - Southern Electric was given 28 days to respond
before the data protection registrar would issue a formal
enforcement notice, after the utility mailed its 2.6 million
customers promoting its electrical contracting services. The
registrar did not issue the notice, and the electricity company is
still in negotiations with her office. A court ruling has, however,
forced Southern Electric to modify its marketing materials.
Centrica
- September 1997 - France instructed Centrica, the de-merged
domestic supply business of British Gas Trading, not to use its
database of 19 million customers to market new services without
customers' positive consent. The enforcement notice followed the
breakdown of talks between the two organisations on what type of
direct mail is permitted by the Data Protection Act.