Collaboration key to data law

The Data Protection Act comes into force next week with the registrar promising a period of grace before getting tough. Computer Weekly reviews some of the challenges facing IT and looks at some recent cases

Lindsay Clark & Caroline Davis

IT managers face a challenge convincing business to comply with the new data protection legislation, according to the data protection registrar.

The 1998 Data Protection Act comes into force next Wednesday (1 March) after secondary legislation proposed by home secretary Jack Straw is given the nod by parliament.

The new Act is more stringent than the 1984 Act, as it covers paper-based and electronic records, forces businesses to keep records up-to-date and accurate, and stipulates security standards.

IT managers will have to work with other divisions, such as marketing, finance and personnel, to ensure compliance, said Elizabeth France, the data protection registrar. "My concern is that they realise that they have to engage people outside their department. Data protection is not just about IT departments - they cannot be successful by themselves."

However, IT can be used as a tool to ensure businesses comply with the new Act, France said. Business policies surrounding data protection rules can be enforced using computer systems, preventing people without the appropriate business need from accessing personal data.

One aspect of the new law that does affect IT involves information security. The seventh principle of the new Act says that businesses handling personal data must take "appropriate technical and organisational measures" to prevent hacking and data loss through system crashes.

The security standard BS7799 is a good starting point to facilitate compliance with the Act, France said. Some businesses may require higher security, proportionate to the level of risk and the sensitivity of the data. For smaller businesses, BS7799 may be too extreme, she said.

The Act also covers the movement of personal data across international boundaries and allows businesses to move data only to countries that have adequate protection for the rights of data subjects.

A rift between Europe and the US leaves business in the lurch over whether it is legal to export personal data to the US, despite the efforts of authorities on both sides of the Atlantic to agree solutions.

France, who will become data protection commissioner when the Act comes into force, said her office would issue interim guidance to help companies operate within the law while carrying out their business.

Although it is a criminal offence not to register under the new Act, and aggrieved individuals can seek damages from companies, France said she would take a gradual approach to enforcing the new law. "We will give companies a grace period to get used to the new law, and then start publicising the new Act, informing individuals of their new rights."

Non-registration: the penalties

July 1998 - A company owned by a father and his son was successfully prosecuted by the data protection registrar. With the assistance of NatWest bank, the registrar secured a conviction of Kingscliffe on one charge of non-registration, two charges of unlawful procuring of personal data and two charges of unlawful sale. The company was fined £1,000 on each charge. Kingscliffe's owner Michael Larbey was fined £2,000, while his son was fined £1,000. Costs of £1,215 were awarded.

Local authorities overstep the mark

July 1998 - Data protection registrar Elizabeth France voiced serious concerns about the actions of a number of local authorities that had demanded the wholesale disclosure of staff payroll information from local employers. The councils in question appear to have been acting in the mistaken belief that the Social Security Administration (Fraud) Act 1997 gives them an automatic right to this information.

Limiting utilities on direct mail

Southern Electric

  • April 1997 - Southern Electric was given 28 days to respond before the data protection registrar issued a formal enforcement notice, after the utility mailed its 2.6 million customers promoting its electrical contracting services. The electricity company is still in negotiations with the registrar, who has not issued the notice, but a court ruling has forced Southern Electric to modify its marketing materials.

Centrica

  • September 1997 - France instructed Centrica, the de-merged domestic supply business of British Gas Trading, not to use its database of 19 million customers to market new services without customers' positive consent. The enforcement notice followed the breakdown of talks between the two organisations on what type of direct mail is permitted by the Data Protection Act.