Tilting at Windmills - Has the New Data Protection Law failed to make a Significant Contribution to Rights of Privacy
Dr David Bainbridge and Mr Graham Pearce
Aston Business School
Aston University, Birmingham, UK
[email protected]
Abstract
This article examines the provisions of the new data protection law which are aimed at securing and consolidating the rights of individuals with respect to the processing of personal data relating to them. The effectiveness of the new and enhanced rights of data subjects is considered, with an emphasis on the impact on individuals' rights of privacy. Although one of the main thrusts of the Directive underpinning the new law was to bring transparency to processing operations involving personal data, the Data Protection Act 1998 is disappointing in this respect and compromises the spirit of the Directive. Furthermore, some of the rights of data subjects can only be fully effective if individuals are proactive and take the necessary steps to take advantage of them. The interaction between data protection law and the Human Rights Act 1998, including the possibility of conflicts between these two bodies of law, is also considered.
Keywords: data protection - privacy - individuals' rights and freedoms - Data Protection Act 1998 - Human Rights Act 1998 - processing personal data - transparency.
This is a Refereed Article published on 30 June 2000.
Citation: Bainbridge D et al, 'Tilting the Windmills - Has the New Data Protection Law failed to make a Significant Contribution to Rights of Privacy', 2000 (2) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/00-2/bainbridge.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_2/bainbridge/>
1. Introduction
That there has been no general law
of privacy in England has drawn adverse comment on many
occasions.[ 1 ] Legal
protection of an individual's privacy can be described as
capricious and sporadic. Where it exists at all, it comes from a
diverse variety of sources, such as the law of breach of
confidence, the torts of defamation and malicious falsehood and, to
some extent, indirectly through copyright.[ 2 ] Of course, the
perennial difficulty for legislators is balancing the rights of
individuals with freedom of expression: an almost impossible task.
So much so that Parliament has seldom been prepared to legislate
specifically to ensure rights to privacy, leaving it to the courts
to develop common law and equitable principles. The courts, whilst
not altogether shirking this responsibility, have proceeded with
extreme, and some would say undue, caution.[ 3 ] Until very
recently, the United Kingdom chose not to ratify the European
Convention for the Protection of Human Rights and Fundamental
Freedoms,[ 4 ]
Article 8 of which provided for the right to respect for an
individual's private and family life, home and correspondence. Now we have the Human Rights Act 1998 which, inter alia, gives full effect to the rights and freedoms guaranteed by the Convention. This important Act is due to come into force on 2 October 2000, some seven months after the main provisions of the Data Protection Act 1998 came into force.
The advent of computer technology
was perceived as a massive threat to privacy and individual
freedoms and the Council of Europe Convention of 28 January 1981
for the Protection of Individuals with regard to the Automatic
Processing of Personal Data was an attempt to impose a regime on
the processing of computer data relating to individuals such that
the risks to privacy and freedom would not be unduly
compromised.[ 5 ] The Data Protection Act 1984 was the United Kingdom's
response to the Convention and can best be described as taking a
minimalist approach. Providing data users[ 6 ] completed the
necessary registration forms reasonably competently and their
disclosed processing activities appeared to comply with the data
protection principles,[ 7 ] their registrations would be accepted and they could
then process personal data in accordance with their registration
with relative impunity.[ 8 ] In many cases, compliance with the 1984 Act has been seen as little more than a regulatory chore and the Act has done little to consolidate and reinforce individuals' rights and freedoms in respect of personal data relating to them. Although individuals were given rights of access to their personal data and rights to compensation in certain circumstances, most persons who felt aggrieved complained to the Data Protection Registrar, who could then exercise her powers of investigation and enforcement.[ 9 ]
Directive 95/46/EC of the European
Parliament and the Council on the protection of individuals with
regard to the processing of personal data and on the free movement
of such data[ 10 ] (the 'Data Protection Directive') provided a further
opportunity to review and strengthen data protection law. The Data
Protection Directive certainly goes much further than the Data
Protection Act 1984 and has a substantial emphasis on privacy.
Article 1(1) of the Data Protection Directive requires Member
States to '... protect the fundamental rights and freedoms of
natural persons, and in particular their right to privacy with
respect to the processing of personal data'.[ 11 ] In today's
world, the greater use of information technology coupled with the
growing reliance on data and new and sophisticated uses of it make
it imperative to have an effective yet workable data protection
law. Specific dangers are posed to individuals through the
processing of genetic data, lifestyle data, impaired life
databases, through the activities of private investigators and the
growing use of surveillance. Techniques such as data matching and
data warehousing are becoming widespread and have significant
potential to adversely affect individuals' rights and freedoms, for
example, as a result of inaccurate or incomplete data. Furthermore,
much more data of a sensitive nature is being processed by
automatic means than was the case even a short time ago. Nor do all
the dangers stem from computer processing as structured manual
files, where information about a particular individual can be
accessed readily, also present threats to privacy.
The Data Protection Directive, in
addition to extending data protection law to structured manual
files, has two primary thrusts which consolidate and enhance
individuals' rights and freedoms. These are the principles of
transparency and control. By ensuring that individuals have rights
to be informed of processing activity, in respect of disclosures to
third parties of personal data relating to them and by requiring
more information to be supplied in response to subject access
requests, the objective of transparency is achieved. By giving
individuals rights to object to processing, to prevent processing
and, in some cases, requiring their consent, they are given
significantly more control over the processing of personal data
relating to them. How successful the Data Protection Act 1998 will
be in achieving these objectives and thereby advancing the right to
privacy is examined below.
2. Transparency
The general tenor of the Data
Protection Directive is that processing activity should be as
transparent as possible. For example, obligations are imposed on
data controllers to provide data subjects with information on
collection of the data from the individual or, in other cases, such
as when the data are disclosed to a third party. This is reinforced
by the recitals to the Directive and recital 38 states that '...
the data subject must be in a position to learn of the existence of
a processing operation and, where data are collected from him, must
be given accurate and full information, bearing in mind the
circumstances of the collection'. Where the data have not been
collected directly from the data subject,[ 12 ] the
individual concerned should be informed when the data are recorded
or at the latest when they are disclosed to a third party (Recital
39). Transparency is also effected by giving individuals a right of
access to personal data relating to them. As under the 1984 Act,
individuals have a right to be informed as to whether the data
controller is processing data concerning the particular individual
and, if so, a right of access to that data. The Data Protection
Directive goes further in requiring the provision of additional
information such as the purposes of the processing.
To some extent transparency under
the 1984 Act was achieved by virtue of the data protection
register, a publicly available register of data users and computer
bureaux. However, much of the information contained in the register
was of a generalised nature and not particularly helpful as far as
data subjects were concerned. Furthermore, many organisations had
several register entries and other cumbersome rules existed such as
the requirement for every partner in a partnership to register
separately. Perhaps the worst feature was that, apart from data
controllers such as the individual's employer, bank and central and
local government bodies, general practitioners and the Health
Service, it was impossible to discover the identity of all the
other data controllers who held data relating to a particular
individual. The individual would be alerted that an organisation
held his personal data only when he received his first mailing of
marketing material. The aim of the Directive clearly is to increase
transparency.
2.1 Providing Information to Data Subjects
A fundamental right under the
Directive is for an individual[ 13 ] to be
informed of processing activity involving personal data relating to
him. A data subject must be provided with certain information when
data are collected from him or in other cases, for example, where
the data, having originated from the data subject are transferred
to or disclosed to another data controller or where the data have
been generated by a data controller. The only exceptions in the
Directive were '... in particular for processing for statistical
purposes or for the purposes of historical or scientific research
...' where the provision of such information proves impossible or
would involve a disproportionate effort or if recording or
disclosure is expressly laid down by law. In such cases, Member
States must provide appropriate safeguards (Article 11(2)). Unless
within the specific exceptions in the Act,[ 14 ] this should
enable data subjects to know the identity of data controllers
processing personal data relating to them and the purposes for
which they are processing those data. However, the exceptions in the Act, together with further exceptions from the requirement to notify contained within the Data Protection (Notification and Notification Fees) Regulations 2000,[ 15 ] go well beyond the right to respect for private and family life in Article 8 of the European Convention on Human Rights. Surely it is
reasonable to assume there should be some synergy between the Data
Protection Act 1998 and the European Convention. If it is made more
difficult or impossible for individuals to discover the identity of
data controllers processing personal data relating to them, then
this prejudices their ability to find out whether their right of
privacy has been infringed.
The express requirement to provide
information to data subjects has no direct equivalent under the
1984 Act except to the extent that processing must be carried out
fairly and lawfully under the first data protection principle. As
interpreted by case law such as Innovations (Mail Order) Ltd v Data Protection Registrar (29 September 1993, Data Protection Tribunal) and British Gas Trading Ltd v Data Protection Registrar (24 March 1998, Data Protection Tribunal), this required that data subjects be informed of non-obvious uses of personal data relating to them at the time of collection and that data subjects should not be required to expressly object to non-obvious processing at some time later than when the data were collected from the data subject. For example, where the data controller intended to sell his customer database to another organisation for marketing purposes, each data subject should be informed of this at the time he volunteered his personal data and given an opportunity to object there and then, for example, by ticking a box on an order form or application form.
The manner in which the Directive
has been enacted in the United Kingdom is somewhat unsatisfactory.
By paragraph 2(1), Part II, Schedule 1 of the 1998 Act,[ 16 ] where the data are obtained from the data subject, the data controller must ensure so far as is practicable that the data subject has or is provided with the 'relevant information' or has made it readily available to him. In any other case, the data controller must ensure so far as practicable that, before the 'relevant time' or as soon as practicable thereafter, the data subject has or is provided with the relevant information or has made it readily available to him. Under paragraph 3, this latter requirement does
not apply where the provision would involve a disproportionate
effort or where the recording or disclosure is necessary to comply
with a legal obligation to which the data controller is subject
(other than a contractual obligation) together with such further
conditions as may be prescribed by regulations. This seems to go
further than the Directive which restricts the 'disproportionate
effort' exception primarily
to statistics or research[ 17 ] and, although
the Directive excuses the provision of information where the data
subject already has it, (Articles 10 and 11) there is no further
allowance for failing to provide the information or delaying its
provision, apart from the limited disproportionate effort
exception. By using a 'practicability' test, in both cases as
regards the provision of information and, in the latter case, also
in the timing of that provision, the Act fails to fully implement
these aspects of the Directive.
The 'relevant time' is when the
controller first processes the data[ 18 ] or, where
disclosure to a third party within a reasonable period is
envisaged, by paragraph 2(2)(b):
(i) if the data are in fact
disclosed to such a person within that period, the time when the
data are first disclosed,
(ii) if within that period the data
controller becomes, or ought to become, aware that the data are
unlikely to be disclosed, to such a person within that period, the
time when the data controller does become, or ought to become, so
aware, or
(iii) in any other case, the end of
that period.
There are a number of problems with
this provision. The Act does not say by whom the disclosure is
envisaged, whether it is the data controller, the data subject or
both. If it is the data controller only, this could result, under
cases (ii) and (iii), in the data subject, who may have had no
inkling that his data were intended to be disclosed to a third
party, being informed that his data are not after all going to be
disclosed to the third party. This is completely unnecessary. It
makes more sense if the disclosure is envisaged by the data subject
or both the data subject and the data controller, for example, if
the data subject has filled out an order form and failed to tick
the box preventing disclosure of his data to other organisations,
for example, in the case of list trading for marketing purposes.
This is a more reasonable interpretation though, as at the time of
completing the form, the data subject is unlikely to know the
specific identity of the third parties to whom his data are to be
disclosed, there seems little point in telling him his data are not
going to be disclosed after all. A further problem is knowing what
a reasonable time is. It is submitted that this may vary according
to the circumstances. For example, it might be different in a
commercial context than in the case of data disclosed by a public
body. However, in either case, it must also be a question of how
long it is likely to be, in an average case, before the data are
unreliable because of changes in the data subject's circumstances,
unless such changes are incorporated in the collection of data in
question.
The objective of transparency is
seriously compromised by the amount of information that must be
provided. It is the identity of the data controller (and
representative, if any), the purpose or purposes of the processing
and any further information, having regard to the circumstances in
which the data are or are to be processed to enable such processing
in respect of the data subject to be fair (para 2(3), Part II
Schedule 1). In respect of 'further information' the White Paper
which preceded the 1998 Act suggested that it would be, in the
first instance, the controller who would decide whether any further
information was required to be given.[ 19 ] The Act is
silent on this point. It is unlikely that data controllers will
volunteer any further information other than his identity for, if
the data controller has notified his processing (as he must do for
automated processing and may do for manual processing), the
notification itself may satisfy the requirement to give information
as to the purposes of processing. Under paragraph 5 of Part II of
Schedule 1, the purpose or purposes for which personal data are
obtained may in particular be specified in a notice informing the
data subject as required by paragraph 2 or in a notification
given to the Commissioner under Part III of the Act. This seems to
defeat the spirit of the Directive as data subjects would have to
obtain a copy of the register entry to discover the purposes unless
the data controller is prepared to volunteer that information. Even
though the register is now available on the Internet,[ 20 ] the vast
majority of data subjects will not consult it.
In many cases, and bearing in mind
the manner in which the requirement for fair processing has been
interpreted under the 1984 Act, requiring data subjects to be
informed of non-obvious processing at the time of obtaining their
personal data, the 1998 Act may do little in practice to increase
transparency of processing, especially when many data controllers
are likely to plead 'disproportionate effort'.
2.2 Subject Access
As regards knowing the identity of
data controllers processing personal data relating to them, apart
from the obvious ones, data subjects may not be much better placed
than is the case under the 1984 Act. However, individuals' right of
access to their personal data has been significantly improved.
Under the 1984 Act, data subjects had a right to be informed by the
data controller whether he held personal data relating to them and,
if so, to be given access to such data. Sections 7 to 9 of the 1998
Act deal with data subjects' right of access. Under section 7(1),
subject to sections 8 and 9, a data subject is entitled
(a) to be informed whether personal data relating to him are being processed by or on behalf of the data controller,
(b) if that is the case, to be given
a description of the personal data of which that individual is the
data subject, the purposes for which they are being or are to be
processed and the recipients or classes of recipients to whom they
are or may be disclosed;
(c) to have communicated to him in
an intelligible form, accompanied with an explanation if necessary,
the information constituting any personal data of which that
individual is the data subject (a copy in permanent form unless
this is not possible or would require a disproportionate effort or
if the data subject agrees otherwise), and any information
available as to the source of those data, and
(d) to a description of the logic
involved in any automated decision-taking, likely to constitute the
sole basis for any decision significantly affecting him.
More information must be provided
than under the 1984 Act.[ 21 ] Although a
data subject could previously obtain information as to the
description of the data, the purposes of processing and the
recipients by consulting the register entry, under the 1998 Act,
this information must be provided in response to a subject access
request, together with a description of the source of the data and
of any logic employed in certain types of automated
decision-taking. This is a welcome step. Whilst in respect of
information within (b) above data controllers are likely only to
provide the relevant extracts from their register entries, it must
be remembered that this information must also be given in respect
of manual files caught by the Act.
As under the 1984 Act, the data
controller can refuse to comply with a subsequent identical or
similar request by a particular individual unless a reasonable
interval has elapsed. In determining what a reasonable interval is,
regard shall be had to the nature of the data, the purposes of the
processing and the frequency with which the data are altered. The
information to be given must be as it was when the request was received, apart from deletions or amendments that would have been made notwithstanding the request. The maximum fee that can be charged by a data controller in respect of a subject access request is GBP 10 in most cases.[ 22 ]
Data controllers who are susceptible
to fraud will be concerned that they are required to provide
information concerning the logic of their automated decision-taking
processes. For example, details relating to an individual applying
for credit, such as postcode, employment and housing status, may be
submitted to computer software which accepts or rejects the
application for credit based upon a weighted assessment of a number
of parameters. On the one hand, providing details of the logic
could facilitate the activities of fraudsters who would simply be
able to discover what the 'right' answers are likely to be. On the
other hand, it is possible for unfair or prejudicial factors or
weightings to be used. The use of factors such as postcodes or the
credit rating of a previous occupant of the dwelling now occupied
by the data subject in question are inherently unfair even if they
are reliable predictors. The dangers were highlighted in Equifax Europe Ltd v Data Protection Registrar (unreported, 28 February 1992, Data Protection Tribunal) where a number of credit reference agencies were extracting personal data relating to the financial status of individuals by reference to the current or previous address of the data subject together with financial information relating to any other individual who had been recorded as residing at any time at the same or a similar address as the data subject. The Data Protection Registrar issued an enforcement notice prohibiting the use of such third party data.[ 23 ]
The requirement to be informed of
the underlying logic does not apply to all forms of automated
decision-taking. It applies where the purpose is to evaluate
matters relating to the data subject such as performance at work,
creditworthiness, reliability of conduct and has or is likely to
constitute the sole basis for any decision significantly affecting
him. The 1998 Act closely follows the language in the Directive[ 24 ] but as the list of circumstances is non-exhaustive, it is not possible, apart from an application of the ejusdem generis rule, to predict other forms of purposes that will be caught. Again, in the
first instance, the data controller is likely to take his own view
on this matter.
In addressing the concerns of data
controllers about providing information as to the logic in
automated decision-taking, the 1998 Act has unduly compromised this
right to information. Section 8(5) excuses the data controller from providing such information if, and to the extent that, the information constitutes a trade secret. This would appear to allow the data controller to refuse to provide any information as to the logic if he claims it is, in its entirety, a trade secret. This goes further than the Directive which states in recital 41 that the right to information as to the logic in any automated decision-taking concerning the data subject must '...not adversely affect trade secrets or intellectual property and in particular the copyright protecting the software; whereas these considerations must not, however, result in the data subject being refused all information' (emphasis added). It is likely that one of two things may happen.
Data controllers may simply claim all of the logic, and information
relating to it, is a trade secret[ 25 ] or they will
prepare some bland sanitised description of the logic that is
little better than meaningless. If this happens, the only remedy
for an aggrieved data subject will be to ask the Commissioner for
an assessment since automated decision-taking, in common with other
forms of processing, must comply with the principles and, in
particular, the first principle requiring processing to be fair and
lawful.
There are specific provisions
dealing with the situation when compliance with a subject access
request would disclose information relating to another identifiable
individual. These are significantly modified in comparison to the
equivalent provisions under the 1984 Act. Where data relating to
another individual would be disclosed, in order to comply with the
request, the data controller must be satisfied that the other
person has consented to the disclosure of his personal data to the
person making the request or where it is reasonable in all the
circumstances to comply without the consent of the other (section 7(4)). References to another individual include a reference to that individual as the source of the information sought by the request,
for example, where a social worker or person in charge of a home
for children in care had written a report on the person now making
the subject access request. In determining whether it is reasonable
in all the circumstances to comply without the consent of the
other, factors that may be taken into account include any duty of
confidentiality owed to the other, any steps taken by the data
controller to gain the consent of the other, whether the other is
capable of giving consent and any express refusal of consent by the
other individual. (Section 7(6))
These provisions are intended to
comply with the judgment of the European Court of Human Rights
in Gaskin v United Kingdom[ 26 ] in which the
applicant, who claimed he had been ill-treated, sought access to
confidential records concerning him whilst he was in care.
Liverpool City Council were required to keep such records. The City
Council resolved to give Gaskin access provided the contributors to
the file consented. Only 19 out of 46 of the contributors gave
their consent and the relevant documents were released to him but
the remainder, where the contributors refused consent or could not
be traced, were not disclosed to him. It was held by the European
Court of Human Rights that this was a breach of his right to
respect for his private and family life under Article 8 of the
European Convention on Human Rights. Although the United Kingdom
could not be said to have interfered with his private life, there
may be certain circumstances where a positive obligation arose
inherent in respect for private life. Whether such an obligation
arose in a particular case was a matter of balance and, on the
basis of proportionality, required that an independent authority
decided whether access should be granted or denied if a contributor
to such records withheld consent or did not answer. That had not
happened in Gaskin, hence the breach of Article 8.
By virtue of the Data Protection Act
1998, it is the data controller who decides in the first instance
whether to grant access in such a case. However, under section 7(5)
the data controller is not excused granting access in respect of so
much of the information sought as can be communicated without
disclosing the identity of the other individual. This may require
omission of the name or other identifying particulars. In terms of
computer files, it may be a relatively easy matter to suppress
names of the other persons such as those who compiled the
information when printing out the data subject's details for him to
see. However, where access to a manual file is requested,
suppressing the names of other individuals could prove very
onerous, requiring masking out the particulars relating to those
other persons before copies are made for inspection by the data
subject making the subject access request, unless, of course, those
persons consent or where it is reasonable in all the circumstances
to comply without the consent of the other.
Under the 1984 Act, one difficulty
was that many large organisations had a number of separate
registrations, reflecting their different information systems or
different purposes of processing and, in such cases, a separate
request and separate fee was required in respect of each register
entry. (Section 21(3) of the Data Protection Act 1984.) Unless the
data controller was prepared to be helpful, this could result in a
data subject having to request access in respect of most or all of
the register entries to be confident that he had access to all the
personal data relating to him that were held by the data
controller.[ 27 ] At least, under the 1998 Act, there will be only one
register entry in respect of each data controller and only one
entry will be necessary for partnerships. The maximum length of
time to comply under the 1998 Act will be, initially at least, the
same as before, that is 40 days.[ 28 ] This is an
unnecessarily long period of time. The data controller is not
obliged to comply unless the request has been made in writing and
the fee paid, unless exempt, and he has been supplied with
information as he reasonably requires to satisfy himself as to the
identity of the person making the request.[ 29 ]
It is essential that data
controllers exercise great care in verifying the identity of the
individual making the request but experience shows that this is not
always so. In one case, a private investigator obtained personal
information relating to famous people from British Telecom by
deception, some of which she sold to tabloid newspapers. She was
prosecuted for 6 offences under section 5(6) of the 1984 Act for
procuring the information and 6 offences under section 5(7) of the
1984 Act for selling the information to her clients.[ 30 ] She was fined a total of GBP 1,200, a relatively small fine compared to the gravity of the offences, which reflects the failure of magistrates to take data protection offences seriously.[ 31 ] In the last five years the maximum fine for a single offence was GBP 3,000[ 32 ] but many fines are much smaller and absolute and conditional discharges account for a significant proportion of outcomes.[ 33 ]
It is also important that data controllers ensure that their employees and agents who process personal data on their behalf are reliable and trustworthy.[ 34 ] The dangers of employees disclosing personal data in an unauthorised manner were highlighted in a prosecution concluded in July 1998 where a father and son were found guilty of a number of offences under the 1984 Act.[ 35 ] The son worked for the National Westminster Bank and was passing on information concerning some of the bank's customers to his father who was a private investigator. Total fines of GBP 6,000 in respect of nine offences were imposed, the son being fined GBP 1,000 only.
Under the 1998 Act, all offences are
triable either way with the exception of search warrant offences
which are triable summarily only. None of the offences carry
custodial sentences and it is unlikely that punishments meted out
by magistrates' courts will increase by any significant amount if at
all. That being so and bearing in mind the number of prosecutions
each year is only a few dozen, the teeth of the new data protection
law in terms of criminal liability are not particularly sharp and
do little to encourage full compliance with data protection law
with the result that, in many cases, individuals' rights under
data protection law may be seriously compromised. As the vast
majority of prosecutions in the past have been for failing to
register, the danger is that a culture of 'register and ignore' the
data protection principles will be tacitly encouraged. The
Registrar's civil powers of enforcement are exercised only
infrequently. In the year to 31 March 1998, only three enforcement
notices were served and there were only 22 preliminary notices
served. These are tiny numbers given that there were at that time
no fewer than 211,992 registered data users.[ 36 ]
2.2.1 Credit Reference
Under section 9 an application to a
credit reference agency is taken to be limited to financial
information relating to the data subject unless a contrary
intention is expressed. The data controller must include a
statement of the data subject's rights under section 159 of the
Consumer Credit Act 1974, to the extent required as prescribed.
Section 62 of the Data Protection Act 1998 modifies section 158 of
the Consumer Credit Act 1974 and the right under that section to
obtain a copy of a file applies only in relation to partnerships.
For other individuals the right to a copy of the file is under
section 9 of the 1998 Act although the right of correction of wrong
information remains under section 159 of the Consumer Credit Act.
Basically, the regime seems much as before but credit reference
agencies present particular problems in terms of personal
data.[ 37 ]
Particular concerns relate to the use and disclosure by credit
reference agencies of 'white data' and 'grey data', the former
being data indicating that a data subject has a good credit record
and the latter being where the data indicate that the data subject
has been in default but not for a period sufficient for the data to
be regarded as 'black data'.
The law of breach of confidence has
long regulated the disclosure of personal data by financial
institutions. In Tournier
v National Provincial
and Union Bank of England [1924] 1 KB
461, it was held that a bank could disclose information about its
customers where the disclosure was required by law, where there is
a public duty to disclose, where the interests of the bank require
disclosure, or where the customer has consented, expressly or
impliedly. Apart from the duty of confidence and the data
protection principles, particularly that processing must be fair
and lawful, there are further restrictions on disclosures of white
data and grey data. The Tournier principles are
limited in that disclosure may be permitted if it is in the
institution's interests, which it may be if it intends to disclose
white data, for example to a credit reference agency, in return for
subsequent disclosures from the credit reference agency in respect of
other data subjects. Of course, white data are valuable in relation
to activities other than the decision to grant credit, such as in
targeted marketing. Except where the data subject concerned has
submitted an application for credit, any other disclosure of white
data could be perceived as an infringement of the basic right to
privacy under Article 8 of the Human Rights Convention.[ 38 ]
2.2.2 Enforced Subject
Access
Enforced subject access occurs,
typically, where a prospective employee is required to carry out a
subject access request with the police in order to confirm that the
individual has no previous criminal convictions or police
cautions. This practice has been deprecated by the Data Protection
Registrar for some time.[ 39 ] Indeed, it
can result in serious injustice. For example, in R v Chief Constable of 'B' ex parte R (unreported) 24 November 1997, Queen's Bench Division,
R, who was 29 years old, wanted to travel to a foreign country to
teach English to adults and had to apply for a visa. He was
required by the Consulate General of that country to provide a
certificate of prosecution and conviction history. Unfortunately, R
had a spent conviction for a minor offence of theft committed when
he was 19 years old for which he received a conditional discharge
and was ordered to pay compensation. Although the Chief Constable
supplied a statement to the effect that R had 'no citeable
convictions', it was not on the standard form issued under the Data
Protection Act 1984 as required by the Consulate General. This form
would show R's spent conviction.[ 40 ] However, the
Data Protection Act 1984 contained no discretion to exclude some
information from being provided under a subject access request and,
according to Laws LJ, section 21 of that Act clearly
required all the information constituting the personal data to be
supplied. Any conflict with the Rehabilitation of Offenders Act
1974 was removed by section 26(4) of the 1984 Act which stated that
the subject access provisions apply notwithstanding any enactment
or rule of law prohibiting or restricting disclosure or withholding
information.[ 41 ]
In the above case, Laws LJ said it
was no comfort to the applicant for the enforced subject access
that legislation is in place which is intended to obviate the
problems he had encountered. This was not strictly true as the Bill
was yet to be introduced into Parliament and, in its original form
it had no restrictions on enforced subject access.[ 42 ] Nor did the
Data Protection Directive mention enforced subject access except,
perhaps, obliquely by requiring subject access to be 'without
constraint'. (Article 12(a)) Provisions dealing with enforced
subject access were included in the Bill in an amendment in the
House of Lords.
The Data Protection Act 1998 makes
enforced subject access a criminal offence. It applies, under
section 56, in relation to the recruitment of another as an
employee, the continued employment of another person, any contract
for the provision of services by
another person , or the provision of
goods, facilities or services to any
person (this extends also to the supply
of a relevant record by a third party). It covers 'relevant
records', being those showing convictions and cautions where the
data controller is a chief officer of police or the Secretary of
State. Also included are details of the detention of young persons
for long periods of time for grave crimes under section 53 of the
Children and Young Persons Act 1933, the Secretary of State's
functions under the Prison Act 1952, under the Social Security
Contributions and Benefits Act 1992, the Social Security
Administration Act 1992, the Jobseekers Act 1995 or in relation to
certificates of criminal records under Part V of the Police Act
1997 (with necessary amendments for Scotland and Northern
Ireland).
The offence is one of strict
liability. However, the provisions do not apply where the
requirement is authorised or required by law or court order or
justified as being in the public interest but this does not include
the ground that it would assist in the prevention or detection of
crime. Specific provision will be made to allow enforced subject
access in specific cases such as where a person is to be appointed
to work in a children's home.[ 43 ]
Unfortunately, section 56 will not be brought into force until
certain provisions of the Police Act 1997 dealing with certificates
of criminal records and the like are themselves in force.[ 44 ] Bearing in
mind the unhappy outcome of the above case, it is regrettable that
there will be any further delay to bringing section 56 into
force.
Under section 57, any term or
condition in a contract is void in as much as it purports to
require the supply of, or producing to another person, a record,
copy or part of a record consisting of information contained in any
health record as defined in section 68(2).[ 45 ] There is no
criminal offence for enforced subject access to health
records.
The inclusion of restrictions on
enforced subject access is a welcome step in terms of privacy and
the introduction of criminal penalties indicates the seriousness
with which it is viewed. Without such restrictions, there was a
danger that, eventually, the provision of a certificate of criminal
prosecution and conviction history would become a prerequisite for
most jobs and appointments. However, where the subject access is
required by an organisation outside the European Economic Area, as
in the above case, the Act is of no assistance.[ 46 ] It does not,
for example, allow a data controller receiving a subject access
request to refuse to comply if he has good reason for believing
that it is enforced.
3.
Individuals' Control over Processing
Before the Data Protection Act 1998,
individuals had very little control over processing of personal
data relating to them. Areas of law other than data protection law
may have been useful in some cases, such as the law of breach of
confidence, copyright and defamation but, generally, the 1984 Act
had very little impact in this respect, other than by an individual
signifying his disapproval of disclosure of data to third parties
by ticking the ubiquitous box on a pro forma. Providing that a data
user kept his processing within the principles and his registered
particulars, the data subject had little effective control. The
Data Protection Act 1998, in line with the Directive, has changed
this and has, at first sight, empowered the data subject. Now, he
can object to processing likely to cause substantial damage or
substantial distress, he can prevent processing for the purposes of
direct marketing and can prevent certain forms of automatic
decision-taking. For some forms of processing, the data subject's
consent may be required and, in some cases, the traditional
'tick-box' approach may not be sufficient. A further factor
increasing the data subject's muscle-power is that the meaning of
'personal data' and 'processing' are very much wider than was the
case under the 1984 Act.
A major concern for data controllers
during the lead up to the new law was the inclusion of provisions
allowing data subjects to object to or prevent processing of their
personal data or to withhold consent to the processing of their
personal data. The spectre of individuals interfering with
processing of personal data relating to them was raised whereas,
under the 1984 Act, provided personal data were processed in
accordance with the registered details and the data protection
principles, there was nothing data subjects could do to obstruct or
restrict the processing of their data. Under the new law, apart
from data subjects having new rights to object to processing, in
some cases the consent of the data subject must be obtained which
must be express or unambiguous. However, the substance of the new
law is less fearsome for data controllers than the embryonic model
set out in proposals for the Directive.
3.1 Right to Prevent Processing Likely to
Cause Substantial Damage or Substantial
Distress
A data subject can require the data
controller to cease or not to begin processing for a specified
purpose or in a specified manner on the ground that, for specified
reasons, it is unwarranted as causing or being likely to cause
substantial damage or substantial distress to him or another.
(Section 10(1) of the Data Protection Act 1998.) This right does
not apply to processing under conditions 1 to 4 in Schedule 2,
being processing where the data subject has given consent, where
necessary in relation to a contract, where necessary for compliance
with a legal obligation or where necessary to protect the vital
interests of the data subject. The Secretary of State may order
other exceptions to this right. It is difficult to think of an
example where this might apply bearing in mind that the first data
protection principle requires processing to be fair and lawful. It
is self-evident that processing that is fair is unlikely to cause
damage or distress. The government Consultation Paper gave an
example, being where personal data might be disclosed in such a way
that in practice it might come into the hands of a person known to
the data subject.[ 47 ] It did not elucidate further. Presumably an example
could be where the data subject in question has an embarrassing
illness, is terminally ill or has a criminal record. (Subject, of
course, to the provisions on enforced subject access.)
The right would have been most likely
to prove important where processing is for journalistic
purposes, but it is severely curtailed in this respect. There are
numerous exemptions from the new law for processing for the
'special purposes' being, under section 3, the purposes of
journalism and artistic and literary expression.[ 48 ] By virtue of
section 32(2), exemption is from all the principles, except the
seventh on security measures, subject access, the right to prevent
processing likely to cause substantial damage or substantial
distress, rights in relation to automated decision-taking and some
of the rights of rectification, blocking, erasure or destruction of
personal data. The exemptions apply only if compliance is
incompatible with the special purposes and the processing is
undertaken with a view to publication and the data controller
reasonably believes that publication is in the public
interest.[ 49 ] Otherwise, the exemptions do not apply and,
importantly, individuals may still have a right to compensation for
damage and/or distress as discussed in the following section.
Although an individual may not be able to prevent processing for
the special purposes, he may be entitled to compensation if he can
show that the exemption from the right to prevent processing was
wrongly relied on by the data controller.
To effect the right to prevent
processing likely to cause substantial damage or substantial
distress, the data subject has to give notice in writing to the
data controller, specifying the purpose or manner of processing
objected to and the reasons why he or another is likely to be
caused substantial damage or substantial distress. Within 21 days,
the data controller must give written notice stating that he has
complied with the data subject's notice or intends to do so or
stating why he considers the notice unjustified to any extent and
the extent, if any, to which he has complied or intends to comply.
As with the other provisions involving data subjects' rights, the
right is backed by the power of the court to order
compliance.
3.1.1 Laws of Defamation and Passing off
Supplemented?
The law of defamation gives a person
a cause of action in respect of published information or words
concerning him, directly or by innuendo, which 'tend to lower the
plaintiff in the estimation of right thinking members of society
generally'.[ 50 ] Although there is no satisfactory single definition of
defamation, it is tested through the eyes of the ordinary,
reasonable person and there will be no remedy where some people see
or read the information carelessly or incompletely. In Charleston v
News Group Newspapers [1995] 2 AC 65, a Sunday newspaper carried a photograph
of a man and a woman who appeared to be engaged in sexual
intercourse. Superimposed on the photographs were images of the
faces of the plaintiffs, actors who played Harold and Madge Bishop
in the television 'soap' 'Neighbours'. The captions ran 'Strewth!
What's Harold up to with our Madge?' and 'Porn Shocker for
Neighbours Stars'. The text underneath made it clear that the image
had been produced as part of a pornographic computer game which had
used the images of the claimants without their
permission.
The House of Lords held that the
article as a whole was not defamatory, rejecting the argument that
the headlines and photographs could found a claim in libel in
isolation from the related text even though Lord Bridge accepted
that some readers would not read the text. These readers, who might
not take the trouble to read the text to discover what the article
was about, according to Lord Bridge, could hardly be described as
'ordinary, reasonable, fair minded readers'. This case shows a
serious failing in the law of defamation as, although held not to
be defamatory, the publication would almost certainly have caused
the plaintiffs substantial distress.[ 51 ]
The law of passing off is unlikely
to be much help in such situations either because of the
requirement for a common field of activity[ 52 ] or because no
account is taken of whether 'a moron in a hurry' might be fooled by
the defendant's misrepresentation.[ 53 ] However,
in Alan Kenneth McKenzie
Clark v Associated Newspapers Ltd [1998] RPC 261, the late Alan Clark MP was successful in
a passing off action (and also in respect of false attribution of
authorship under copyright law) after complaining about a spoof
diary which appeared in the London Evening Standard based on what a
journalist imagined Alan Clark might record in his Diary. The
newspaper column was headed 'Alan Clark's Secret Political Diaries'
and included a photograph of Alan Clark. Below was a statement
identifying the journalist as the author and the basis for the
articles. Nevertheless, the court held that, to be actionable as
passing off, the deception had to be more than momentary and
inconsequential and the article had to be looked at as a whole to
decide whether a substantial number of readers would think that the
articles were written by Alan Clark. Nor was it a defence to claim
that readers of the column would not be misled had they been more
careful. In the event, the defendant was permitted to continue to
publish the 'diaries' providing the identity of the true author was
made sufficiently clear. Of course, as Alan Clark had written his
own diaries, there was a common field of activity.[ 54 ]
With the advent of information
technology it is very easy to manipulate text and images.
Situations such as the Neighbours and
Alan Clark cases
will become more and more common. Such material may be placed on a
Web page on the Internet, making it available on an unprecedented
scale. The new data protection law may provide some control over
this, particularly where the material is placed on a computer
situated within the European Economic Area (EEA). The definition of
personal data under the Data Protection Act 1998 extends to data
(information) which relates to a living individual who can be
identified from those data, or from those data and any other
information which is in the possession of, or is likely to come
into the possession of, the data controller. This includes any
expression of opinion about the individual and any indication of
the intentions of the data controller or any other person in
respect of the individual; section 1(1). 'Information' is not a
precise term,[ 55 ] but Article 2(a) of the Directive is more helpful in
that personal data are defined by reference to identifiers such as an
identification number or one or more factors specific to the
individual's physical, physiological, mental, economic, cultural or
social identity and recital 14 confirms that processing sound and
image data are within the scope of the Directive.[ 56 ]
If sound and image data are
processed automatically, that is, by computer, or are intended to
be so processed, or form or are intended to form part of a relevant
filing system (manual files caught by the new law), they will fall
within the scope of the new data protection law and will be subject
to the rights given to individuals. These rights include a right to
prevent processing causing or likely to cause substantial damage or
substantial distress to the individual concerned.[ 57 ] That would
certainly be applicable to the Neighbours case.
Although the right to prevent processing is suppressed where the
processing is for the special purposes which include journalism, it
is still available unless the publication is in the public
interest. That would not appear to be the case here. If the
exemption is lost, then the right to compensation under section 13
is available and, where processing is for the special purposes,
compensation for distress is recoverable in the absence of damage.
In a situation analogous to passing off as in Sim v H J Heinz Co Ltd ,
damages for distress may be awarded if damage can be proved, for
example, if the plaintiff can show that he has lost work or orders
because of the defendant's misrepresentation. There is no need to
show a common field of activity. If a 'disclaimer' is included in
the publication or misrepresentation, it would have to be very
prominent. In any case, there is no provision for disclaimers in
the new law and it would simply be a question of the individual
proving that he has suffered or is likely to suffer distress and,
where appropriate, damage.
Another concern is the use of images
and, perhaps, voices of famous deceased persons. The technology
already exists to create new films, photographs and advertisements
using images and voice patterns belonging to actors such as Marilyn
Monroe and Sidney James. Relatives and friends may find these
activities particularly distressing. The Data Protection Act 1998
is unhelpful in that 'personal data' are defined as data which
relate to a living individual (Section 1(1)) and, therefore, the
Act does not apply to deceased persons. The Directive is
ambivalent on this point, although it does define personal data in relation
to 'natural persons'.[ 58 ] There is a precedent for giving 'rights' to deceased
persons as, under copyright law, there is a right not to have a
work falsely attributed to a person as author or film
director.[ 59 ] This right endures for 20 years after the death of the
person falsely attributed and is exercisable by his personal
representatives.[ 60 ] It is clear that trade mark law is unhelpful in this
respect and attempts to register images of Diana, Princess of Wales
as trade marks have been unsuccessful thus far. Providing limited
data protection rights for a number of years in respect of recently
deceased persons should have been included in the new Data Protection
Act, especially as such rights would not be onerous to respect,
excepting persons with an unsavoury wish to capitalise on the
reputation of recently deceased persons.
3.2 Right to Prevent Processing for Direct
Marketing
Direct marketing is perceived as a
scourge by some people whilst others may think it a minor
annoyance. Yet others may positively welcome it. Regardless of
one's own individual view, it is, nevertheless, an effective manner
of marketing and direct marketing in the United Kingdom is a major
industry and likely to grow in importance as it becomes more
targeted, focusing on individuals' lifestyles, spending profiles
and other characteristics and idiosyncrasies. The Directive
contained two ways of controlling direct marketing from the data
subject's point of view. One possibility was the right to object,
on request and free of charge. The other was to be informed before
personal data are disclosed for the first time to third parties or
used on their behalf for the purposes of direct marketing, and to
be expressly offered the right to object free of charge to such
disclosures or uses.[ 61 ]
The Data Protection Act 1998 elects
the former approach, giving the data subject a right, by giving
written notice, to require a data controller to cease within a
reasonable time in the circumstances or not to begin processing his
personal data for the purposes of direct marketing; section 11.
'Direct marketing' is defined as the communication by any means of
any advertising or marketing material which is directed at
particular individuals. The right to object is an absolute one,
notwithstanding the existence of the Mailing Preference Service in
the United Kingdom.[ 62 ] The data controller must give the data subject a
written notice within 21 days of receipt of the data subject's
notice stating what steps he has or will take to comply.
3.3 Rights in Relation to Automated
Decision-taking
Automated decision-taking has the
potential for being very prejudicial to individuals. For example, a
person may be denied credit or some other advantage simply because
of his post code or because the previous occupant of his dwelling
had a bad record.[ 63 ] Statistically predictive measures which may find their
way into automated decision systems may operate unfairly in
individual cases. In its initial form the Data Protection Bill,
following the Directive, gave a right not to be subject to a decision
taken solely by automated means which significantly affects the data
subject and which is intended to evaluate certain personal aspects
relating to him, such as his performance at work, creditworthiness,
reliability or conduct, except where the decision is taken in the
context of a contract with the data subject or is authorised by law.
(Article 15.)
Under section 12(1) of the Act an
individual is entitled at any time, by notice in writing to any
data controller, to require the data controller to ensure that no
decision taken, by or on behalf of the data controller which
significantly affects that individual is based solely on the
processing by automatic means of personal data in respect of which
that individual is the data subject for the purpose of evaluating
matters relating to him as above-mentioned. This does not apply to
all automated decision-taking and there are some decisions exempt
from this right. They are where the decision is taken in the course
of steps taken for the purpose of considering whether to enter into
a contract with the data subject, with a view to entering into such
a contract, or in the course of performing such a contract, or
where the decision is authorised or required by or under any
enactment. In terms of these exempt decisions, if the decision is
not to grant a request of the data subject, steps must be taken to
safeguard the legitimate interests of the data subject, for
example, by allowing him to make representations. Where the
decision is not an exempt one and the data subject has not
exercised his right to prevent such decisions being taken, the data
controller must as soon as reasonably practicable notify the
individual that the decision was taken on that basis, and give the
individual, within 21 days of receiving that notification from the
data controller, the right by notice in writing to require the data
controller to reconsider the decision or to take a new decision
otherwise than on that basis. In other words, the data subject can
insist that the data controller reconsider the decision by other
means, for example, by involving some direct human input in the
decision process.
Few data subjects are likely to
exercise their right to prevent automated decision-taking. Indeed,
it is difficult to think of examples outside contract where the
right would be valuable. Of course, the vast majority of such
decisions will be in the context of a contract, for example a
credit agreement where the right does not apply and is replaced by
a right to be informed together with, for example, a right to make
representations. The Act does not specifically require the data
controller to do anything further although it could be argued that,
if a data subject's legitimate interests are to be safeguarded, it
implies that the representations he makes are taken seriously and
action is taken if, for example, the processing would otherwise be
unfair. Of course, if the data subject suspects that the processing
is unfair, he could apply to the Data Protection Commissioner for
an assessment under section 42.
3.4 Requirements for Individuals'
Consent
For processing to be within the
first Data Protection Principle, one of the conditions in Schedule
2 to the Act must be met and, in the case of sensitive
data,[ 64 ] one
of the conditions in Schedule 3 must also be met. In both
Schedules, one of the conditions is the data subject's consent.
Therefore, if the data controller has that consent, in either case,
this requirement is satisfied. For non-sensitive data, the wording
is simply that the data subject has given his consent to the
processing, whilst for sensitive data, the expression used is that
the data subject has given his explicit consent to the processing
of the personal data. From this it would seem that consent may be
implied for non-sensitive processing, for example, by the data
subject failing to tick the ubiquitous box on a form, but for
sensitive personal data express and informed consent appears to be
required.
In reality, however, one or more of
the other conditions in the Schedules are likely to be applicable
in the vast majority of cases. For example, for processing
non-sensitive data, many data controllers will be able to rely on
the condition that processing is necessary for the purposes of the
legitimate interests of the data controller or a third party to
whom the data are to be disclosed, although this must not be
unwarranted in any particular case by reason of prejudice to the
rights and freedoms or legitimate interests of the data subject.
This is unlikely to be a particular problem in many cases. Of course,
one may question what the word 'legitimate' means in this context.
Presumably, in the context of a body such as a company or public
authority, this could simply mean that the processing is
intra vires the
powers of the organisation and not otherwise unlawful.
Processing with appropriate
safeguards by a non-profit making body which exists for political,
philosophical, religious or trade-union purposes is one of the
conditions for processing sensitive data, which is defined as
including personal data relating to political opinions, religious
beliefs or other beliefs of a similar nature and trade union
membership. (Section 2.) However, the data may not be disclosed to
a third party without the consent of the data subject. Considering
that explicit consent is one of the conditions for processing
sensitive data, it seems reasonable to assume that consent here
also ought to be explicit, that is, express and informed
consent.
Another situation where the data
subject's consent may be required is in the context of transfers of
personal data to third countries[ 65 ] not having an
adequate level of protection. The basic rule is that personal data
must not be transferred to such countries, but it was possible for
Member States to derogate from this in certain circumstances.
(Article 26(1)) Again, there are a set of conditions and the data
controller has to satisfy only one. These are set out in Schedule 4
to the Act. The data subject's consent is one possibility. However,
again the ability of the data subject to prevent transfers of data
outside the European Economic Area is seriously prejudiced because
one of several other conditions may be relied on by the data
controller instead of seeking consent. An important one is where
the transfer is necessary for the performance of a contract between
the data subject and the data controller, or for taking steps at
the request of the data subject with a view to his entering into a
contract with the data controller or where the transfer is
necessary for the conclusion of a contract between the data
controller and a person other than the data subject entered into at
the request of the data subject, or is in the interests of the data
subject, or for the performance of such a contract. (paragraphs 2
& 3 of Schedule 4.)
Other conditions include where the
transfer is necessary for reasons of substantial public interest or
for the purpose of, or in connection with, any legal proceedings
(including prospective legal proceedings) or obtaining legal advice
or is in order to protect the vital interests of the data subject
or the data are on a public register or the transfer is authorised by the
Commissioner.
A further condition is where the
transfer is made on terms which are of a kind approved by the
Commissioner as ensuring adequate safeguards for the rights and
freedoms of data subjects. (paragraph 8 of Schedule 4.) A working
party and a committee (Articles 29 to 31) are established under the
Directive and where the Commission decides, in accordance with the
committee procedure, (Article 31(2)) that certain standard
contractual clauses offer sufficient safeguards as required by
Article 26(2), Member States shall take the necessary measures to
comply with that decision. The Commission should be in a position
to hand down standard contractual terms which can be incorporated
into the contract between European data controllers and the
recipient of the data in the third country concerned. First
impressions are that the terms will attempt to impose on the
recipient in the third country, by contractual means, a data
protection regime equivalent in important respects to that set out
in the Directive.[ 66 ] The details of such terms will be communicated to data
controllers via the Data Protection Commissioner.
Although various forms of processing
will be subject to the data subject's consent, this will be so only
in a minority of cases as consent is generally only one of a number
of alternative conditions. In most cases, except in the case of
disclosures by non-profit-making bodies where there is no
alternative to consent, an alternative ground for processing can be
relied upon by the data controller. That being so, the data
subject's right to prevent processing by withholding his consent
is, in the vast majority of cases, merely illusory.
3.5 Impact of the Human Rights Act 1998 on Data Protection Law
Alongside implementing the new data
protection law, the United Kingdom government has chosen to embark
upon a major constitutional change by incorporating into United
Kingdom law the rights and freedoms guaranteed under the European
Convention on Human Rights. Section 1 of the Human Rights Act 1998
lists the key rights stemming from the Convention and associated
Protocols, which include the presumption that each individual has
a right to privacy. Article 8 of the Convention is the provision
most relevant to individual privacy and, therefore, of the utmost
importance in the field of data protection. It requires that
everyone has a right to respect for his private and
family life, his home and his correspondence. If personal data are
processed in a manner which conflicts with this basic principle of
privacy then it will be deemed to be unlawful notwithstanding the
provisions of the Data Protection Act 1998 and associated
subordinate legislation.
Indeed, the Human Rights Act 1998,
incorporating in Schedule 1 the main provisions of the European
Convention on Human Rights, is an important platform from which
other United Kingdom legislation can be challenged. This is
particularly so where laws relating to privacy are concerned.
Section 3 of the Human Rights Act 1998 states that:
So far as is possible to do so,
primary legislation and subordinate legislation must be read and
given effect in a way which is compatible with the Convention
rights.
This is quite a sea change in
English jurisprudence - that one Act of Parliament is deemed
superior to another Act of Parliament. However, this is in terms of
interpretation only and can be seen as an example of Parliamentary
supremacy at work - Parliament has deemed it so. Nevertheless, it
is possible that such a brief and seemingly innocuous legislative
provision may prove to be a can of worms. Worse still, it applies
retrospectively.[ 67 ] Already there are serious problems raised by Article 6
of the Convention in respect of the appointment of sheriffs in
Scotland and potentially similar issues relating to the appointment
of recorders, assistant recorders and stipendiaries in England and
Wales.[ 68 ]
Paragraph 2 of Article 8 of the
European Convention on Human Rights allows derogation from the
basic principle contained in paragraph 1 in accordance with law 'if
necessary in a democratic society in the interests of national
security, public safety or the economic well-being of the country,
for the prevention of crime, for the protection of health or
morals, or for the protection of the rights and freedoms of
others'.
Matching this up with the Data
Protection Act 1998 (which takes near maximum advantage of the
possible exemptions permitted under the Directive) could be a
source of conflict. Some exemptions under the Data Protection Act
1998 could fall foul of Article 8, examples being exemptions under
the heads of education, social work, domestic purposes, management
forecasts and negotiations. This is notwithstanding that the scope
of derogations permitted by the Convention may not precisely match
those under data protection law. The potential for legal challenges
to the United Kingdom's version of data protection law, bearing in
mind the Convention will very soon be justiciable in domestic
courts in England, is immense. Furthermore, the Convention may be
used as a shield or a sword. Data controllers finding themselves in
trouble for apparent breaches of the Data Protection Act 1998 will
be tempted to look at the Convention and case law under it to
deflect any enforcement actions brought by the Data Protection
Commissioner or individuals. On the other hand, individuals seeking
redress may try to use the Convention to drive a coach and horses
through the provisions of the Data Protection Act 1998 - a complex
piece of legislation in its own right.
From the Data Protection
Commissioner's point of view the introduction of the European
Convention on Human Rights could give her a welcome second string
to her bow. One example is in the context of data matching. The
Social Security Administration Fraud Act 1997 facilitates the
exchange of personal data about benefit claimants between relevant
Government Departments and Local Authorities if the data are for
use in the prevention, detection, investigation or prosecution of
offences relating to social security, or are for use in checking
the accuracy of information relating to benefits. These provisions
permit interference by a public authority with the right to
respect for private life and may constitute a violation of that
right unless they fall within the proviso contained in Article 8.
The discretion bestowed by the Data Protection Act 1998 and the
lack of safeguards for the prevention of abuse of its provisions
could result in the violation of rights guaranteed by the
Convention.
4. Summary
The Data Protection Act 1998
attempts to address and reconcile the tensions between rights to
privacy and the goals pursued by persons processing personal data.
Those goals cover an enormous number of purposes. They may be
related to business, economic or social needs and be of a
commercial, governmental or public service nature. Given the
diversity of information processing, trying to achieve a fair
balance which will work well across all sectors is ambitious to say
the least. To some extent the legislators have not been completely
free to draw up a new model of data protection law and the now
withering hand of the European Convention on the protection of
personal data can be seen at work in the Directive. That Convention
is nearly 20 years old and the data protection principles contained
within it are a reflection of what is now incredibly dated
technology. Current computer technology is light years ahead of
what was around in the early 1980s and of particular importance is
the phenomenal growth of global networks such as the
Internet.[ 69 ] Other factors include the massive improvements in
storage capacity and processing speed.
From the perspective of rights of
privacy, some aspects of the new law are to be welcomed. These
include the extension of data protection law to certain types of
manual files and the right to prevent processing for direct
marketing together with the greater emphasis on security. Some
provisions appear cumbersome and unwieldy, an example being the
provisions relating to data subjects and automated decision-taking.
Others will be rarely used, for example, the right to prevent
processing likely to cause substantial damage or substantial
distress and rights to compensation. The greater weight given to
the principle of transparency is a central plank of the new law but
it has been compromised somewhat, first by the numerous exemptions
from the subject information provisions and from the requirement to
notify and, secondly from the paucity of information to be provided
by the data controller to the data subject on collection of
personal data or otherwise.
It could be argued that transparency
could be better achieved by self-regulation[ 70 ] together with
the imposition of duties, enforceable by data subjects, to provide
more information giving a full and frank disclosure of the nature
of the processing activity including disclosures to third parties
and transfers to other countries, including countries within the
European Economic Area.[ 71 ] Of course,
codes of practice may be helpful in some circumstances in
encouraging data controllers to increase transparency. In return
for data controllers making full and frank disclosures to data
subjects, they could be freed from the burden of the formal
notification and annual renewal of the register entry.[ 72 ]
The Human Rights Act 1998 is likely
to have a significant impact on data protection law. Article 8 of
the European Convention on Human Rights and Fundamental Freedoms is
specifically mentioned in the recitals to the Directive (recital
10) in terms showing that it underpins the level of protection for
individuals set out in the Directive. Although, at this stage, it
may be difficult to predict the impact of Article 8 of the
Convention, some flavour of its application may be derived from
case law before the European Court of Human Rights which also has
to grapple with balancing the right to privacy with the exceptions
contained in Article 8(2).[ 73 ]
Unfortunately, the new and enhanced
rights for data subjects are illusory unless individuals are
prepared to be proactive and take appropriate action, by serving
notices on data controllers, by commencing legal proceedings
against data controllers or by making a complaint to the Data
Protection Commissioner. This latter approach appears to be the
most favoured: in 1998/99, a total of 3,653 complaints were received
by the Registrar.[ 74 ] It is important that the process of raising awareness
amongst data subjects continues. In the year 1998/99 only 21 per
cent of data subjects were aware of their rights under data
protection law.[ 75 ] Although much has been done in the past to publicise
the rights of data subjects, much more must be done if the full
benefit of the new and enhanced rights for data subjects is to be
realised.