There is no doubt that the new Data Protection Act will have a much greater impact on public sector bodies than it does on private ones because public bodies must now consider the additional impact of the Human Rights Act and the Freedom of Information Act. Public sector bodies have a mountain to climb.
The scope of the Data Protection Act 1998 is enormously wider than that of the Data Protection Act 1984 which it replaces. It has the potential to cover most records going back for a hundred years. Individuals are given greatly enhanced subject access rights. The very keeping of records has fundamentally changed – public sector bodies, as well as private sector bodies, now require legal justification for maintaining any personal records. Crown prerogative, under which so many records have been kept in the past, is now severely circumscribed.
Private sector organisations which benefited from exemptions under the old Act have their own difficulties: they must now achieve full compliance. Those which were already compliant under the old Act have little more to do, but those which were not now face a far greater extension of their obligations. All organisations which were previously exempt are now caught: there are no longer any exemptions for small-to-medium enterprises. The change is considerable for all, and may be overwhelming for some.
In many cases organisations are simply unprepared. There are a number of reasons for this. Sometimes an organisation understands what it has to achieve but, especially in the public sector, may have no resources to allocate to the considerable amount of work involved. "We know what the law is in local authorities, but we simply can’t afford to comply with it" has actually been said. These costs are not small, and in any case provision in the budget is another matter. Pity the poor Data Protection Officer who has warned his superiors in good time but has not been sufficiently senior to insist on budget allocation or preparation.
Not every organisation has yet managed to appoint a Data Protection Officer and it is easy to see why the extent of the impact of the Act has been misunderstood or underestimated.
For any organisation a key step to successful operation under the Act is to give individuals a notice at the time when their personal data are collected, telling them exactly what information the organisation is going to hold, what it is going to do with the information and why, and also whether it will disclose the information to anyone else, and what such third parties might do with it.
The Act does give public bodies exemptions for particular purposes (e.g. crime prevention) which mean that they do not have to give notices, but if they avail themselves of these exemptions they may find that failing to notify broader purposes circumscribes their wider activities. An example would be the recent claim by the NHS that it could not pass information on cancer patients to cancer charities, and by the police that they could not pass information to victim support groups. The point is that public sector bodies which collect personal information on a statutory basis and have also issued notices to individuals are free to use the personal data for the wider purposes notified. The Act need not be an inhibitor.
If two bodies in the private sector wish to share information with each other then all they have to do is draft a contract which sets out their commercial objectives and make sure that they give the individuals concerned a notice explaining what is happening to their personal data.
The Act divides organisations which use personal data into data controllers and data processors. Data controllers feel the full force of the Act; data processors are not directly affected. Nevertheless the Act requires data controllers to impose on their data processors contractual obligations to keep the personal data safe and secure, and to ensure that the data controller controls what the processor can do with the data. They must also extract a security guarantee, and check that the activities of their data processors are in accordance with the contract, perhaps by undertaking an audit.
We can all expect in the next few weeks a flood of data processor contracts which must be in place by 24 October. If you receive a data processor contract and it says that the data processor must comply with the provisions of the Data Protection Act 1998, you are seeing a mistake. There are no obligations specifically imposed on data processors under the Act; the processor’s obligation is to comply with the terms of the new contract.
Owners of IT systems and software developers must cope with at least 45 consequences of the Act. Top of the list are the rights granted to data subjects and the capturing of source information (insofar as it is available to the data controller). The Commissioner has already indicated that records of disclosures will have to be kept.
Even though the Act will in practice target organisations which are data controllers, there is potential for workers to suffer personal criminal liability if they breach the Act by unlawfully obtaining or disclosing personal data. Notwithstanding that the employer does not acquire this liability, employers are certainly going to have to prepare for it because if they fail to provide extensive training they may find themselves in employment tribunals.
That this is no chimera is shown by the fact that complaints and requests for assessment made to the Office of the Information Commissioner (formerly the Data Protection Registrar) have nearly doubled in the last six months.
Subject access enables every individual to apply in writing to any organisation asking whether that organisation is processing information about him or her, and if so, to obtain a copy of that information. It is a gift for litigators. Early application for a copy of everything an organisation holds on an individual can provide unlooked-for quantities of information to embarrass the other side in a case. This danger seems to have been spotted by the millions of American organisations which have failed to take advantage of the Safe Harbor provisions negotiated with the EU Commission. The danger is that they would have to grant subject access over their own American customers’ and employees’ files, and this seems to have put them off.
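As an added illustration of what the two points above mean for the people who build the systems (the source capture and disclosure records the Commissioner expects, and the subject access copy an individual can demand), here is a small personal-data store written for this page; it is not code from the article or from any regulator. The schema, field names, purposes and sample records are assumptions constructed for the example. Every item held is tagged with where it came from, every disclosure is refused unless it relies on a purpose that was notified to the individual at collection, and a subject access request returns a copy of everything held, its sources and the full disclosure log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Disclosure:
    """One record of personal data leaving the organisation."""
    recipient: str            # who received the data
    purpose: str              # the notified purpose relied on
    fields: Tuple[str, ...]   # which items were disclosed
    when: str                 # ISO-8601 UTC timestamp


@dataclass
class PersonalRecord:
    """Everything held about one individual, with provenance and a disclosure log."""
    subject_id: str
    data: Dict[str, str] = field(default_factory=dict)
    sources: Dict[str, str] = field(default_factory=dict)   # field name -> where it came from
    notified_purposes: List[str] = field(default_factory=list)
    disclosures: List[Disclosure] = field(default_factory=list)


class PersonalDataStore:
    """In-memory store (assumed design); a real system would persist the log append-only."""

    def __init__(self) -> None:
        self._records: Dict[str, PersonalRecord] = {}

    def collect(self, subject_id: str, field_name: str, value: str,
                source: str, notified_purposes: List[str]) -> None:
        """Record an item of personal data together with its source and the
        purposes notified to the individual when it was collected."""
        rec = self._records.setdefault(subject_id, PersonalRecord(subject_id))
        rec.data[field_name] = value
        rec.sources[field_name] = source
        for purpose in notified_purposes:
            if purpose not in rec.notified_purposes:
                rec.notified_purposes.append(purpose)

    def disclose(self, subject_id: str, recipient: str, purpose: str,
                 field_names: List[str]) -> Disclosure:
        """Disclose named fields to a recipient for a purpose. Refuse if the
        purpose was never notified or a field is not held; otherwise log it."""
        rec = self._records[subject_id]
        if purpose not in rec.notified_purposes:
            raise ValueError(f"purpose {purpose!r} was not notified to {subject_id}")
        missing = [f for f in field_names if f not in rec.data]
        if missing:
            raise KeyError(f"no such data held: {missing}")
        entry = Disclosure(recipient, purpose, tuple(field_names),
                           datetime.now(timezone.utc).isoformat())
        rec.disclosures.append(entry)
        return entry

    def subject_access(self, subject_id: str) -> Optional[dict]:
        """Answer a subject access request: a copy of all data held, where each
        item came from, the purposes notified, and every disclosure made."""
        rec = self._records.get(subject_id)
        if rec is None:
            return None   # nothing is processed about this person
        return {
            "data": dict(rec.data),
            "sources": dict(rec.sources),
            "notified_purposes": list(rec.notified_purposes),
            "disclosures": [
                {"recipient": d.recipient, "purpose": d.purpose,
                 "fields": list(d.fields), "when": d.when}
                for d in rec.disclosures
            ],
        }


def build_sample_store() -> PersonalDataStore:
    """Constructed sample data (not real records) exercising the store."""
    store = PersonalDataStore()
    purposes = ["provision of care", "referral to support charities"]
    store.collect("S-001", "name", "A. Smith", "patient registration form", purposes)
    store.collect("S-001", "diagnosis", "stage II", "consultant's letter", purposes)
    # A disclosure for a notified purpose is permitted and logged.
    store.disclose("S-001", "Cancer Support Charity", "referral to support charities",
                   ["name", "diagnosis"])
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.subject_access("S-001"))
    try:
        # Not a notified purpose: refused and nothing is logged.
        store.disclose("S-001", "Marketing Ltd", "direct marketing", ["name"])
    except ValueError as err:
        print("refused:", err)
```

The refusal path is the point of the NHS and police examples earlier in the article: a body that notified only the narrow statutory purpose cannot pass the data on, while one that notified the wider purpose at collection can, and the log shows exactly what went where.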
According to American business guru Professor Gary Hamel we have entered the decade of continual change and innovation for companies that wish to stay profitable. Although companies’ IT spend has increased on average from 16% to 59% of turnover, the increase in efficiency this represents has not fed through to increased profits. Instead, the benefits have been passed on to customers via reduced prices and increased quality. The arrival of the internet has also prevented companies from being able to trade on customer ignorance of their competitors’ prices, which has contributed to pressures on profitability. Continual change and innovation will require companies to exploit every one of their assets to achieve maximum value. Personal data may turn out to be the most important.
This article was contributed by leading data protection expert Shelagh Gaskill.