Background

In the UK, and indeed other nations, people value their privacy. The ability of information systems to amass personal data on every living person became a source of concern during the seventies and eighties.

A particular source of concern was credit rating agencies. They compiled records of individuals, court orders against them, loan companies' refusals to make loans, details of unpaid debts, disputes with suppliers, and so on.

If their information had been accurate and open to inspection by the individuals, people might have been happy to leave things alone. However, these agencies often mixed people's records, allowed records to go out of date, recorded one side of a dispute as simple truth, and refused to allow individuals to know anything about what was being said about them, much less demand that it be corrected.

Some European governments had individual rules and laws to deal with this, but in the interest of harmonisation, a more co-ordinated approach was taken. The Council of Europe Convention on Data Protection in 1981 proposed generic controls. These were enacted in Britain in 1984.


The Data Protection Act 1984

This Act has now been repealed and replaced by the 1998 Act. However, it provided the basis for current legislation. Data "users" had to register what sort of data they held, what they used it for, and who they sent it to. Only computerised data was covered by the 1984 Act, so delineating the requirements of the old Act was fairly easy.

The 1984 Act had eight Data Protection Principles (slightly different from the current ones), and a new organisation to police them was set up: The Office of the Data Protection Registrar.

See the notes on differences between the two Acts.


The nineties

Although the old data protection arrangements were largely satisfactory, some organisations were exploiting loopholes. For example, one reference agency maintained its personal data purely on paper and employed an army of clerks to access and maintain the "database".

Frankly, the main impact of the 1984 Act on most companies was that they had to complete a registration form and send it to the Data Protection Registrar (now called the Information Commissioner). New legislation with more bite was needed.

The EC Data Protection Directive 95/46/EC was adopted in 1995. All EU member states had to implement national data protection legislation by October 1998. Even though the old 1984 Act satisfied many of the requirements, there were a number of new requirements placed on the British Government:

To satisfy the EC Directive, the British Government replaced the old Act with a new one in 1998. The new Act is the subject of the rest of these notes.


Cultural differences between Europe and the US

Privacy is valued highly in Europe, but in the US - "The Land of the Conspiracy Theory" - openness is demanded. Legislation to enforce privacy is always opposed vociferously. The US approach prefers voluntary codes and mutuality of interest (Laudon & Laudon, 1998). In 1973 a US federal advisory committee produced a list of five Fair Information Principles:

  1. There should be no personal record systems whose existence is secret.
  2. Individuals have rights of access, inspection, review, and amendment to systems that contain information about them.
  3. There must be no use of personal information for purposes other than those for which it was gathered without prior consent.
  4. Managers of systems are responsible and can be held accountable and liable for damage done by systems for their reliability and security.
  5. Governments have the right to intervene in the information relationships among private parties.

Although these formed the basis of legislation in the UK and Europe, the US has never introduced such broad-ranging data protection or privacy legislation. Apart from the US privacy acts of 1974 and 1980, most US privacy legislation is comparatively piecemeal, for example (ibid):

(For a light-hearted insight into the dangers of this approach, check out:
http://www.adcritic.com/interactive/view.php?id=5927
Turn up your speaker volume.)

In at least one way, though, data protection requirements in many states exceed those in the UK: data subjects have to be told if there's been a security breach over personal data. In the UK there's no requirement for data controllers to come clean if they lose unencrypted personal data. In the US, some states insist that data subjects have to be notified. There's a list of such legislation here:
http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm


Because few countries have general protection for personal data, the European Commission has decided that personal data can be transferred only within the European Economic Area and to specified nations that have adequate legislation.

At the time of writing, the US is not considered to have adequate safeguards. However, on 1 November 2000 new "Safe Harbor" rules were introduced. European data controllers can now transfer personal data to those US companies that have signed up to the safe harbor rules and are complying with them. In such a situation, it is not necessary to obtain the consent of each data subject to the transfer. However, data controllers must have positive confirmation that the recipient is conforming to the safe harbor rules.

If a data controller wishes to transfer data to other countries that do not have adequate data protection legislation, they must obtain consent from the data subjects and/or sign a contract with the recipient that requires them to abide by European data protection laws.

See Principle #8 under the "Principles" heading for more details.


Recent developments

As identity theft becomes a greater problem, it is becoming increasingly obvious that personal data is being sold for profit - often across international borders. In May 2006 Richard Thomas, The Information Commissioner, proposed custodial sentences for deliberate breaches of the Act. He reports, "Investigations by the ICO and the police have uncovered evidence of a widespread and organised undercover market in confidential personal information."

"Among the ‘buyers’ are many journalists looking for a story. In one major case investigated by the ICO, the evidence included records of information supplied to 305 named journalists working for a range of newspapers. Other cases have involved finance companies and local authorities wishing to trace debtors; estranged couples seeking details of their partner's whereabouts or finances; and criminals intent on fraud or witness or juror intimidation."

Prosecutions under the 1998 Act often result in low penalties. The report cites 22 court cases between November 2002 and January 2006; only two of them resulted in fines above £5000.

"In the report’s central recommendation, the Information Commissioner calls on the Lord Chancellor to bring forward proposals to raise the penalty for persons convicted on indictment of section 55 offences to a maximum two years’ imprisonment, or a fine, or both; and for summary convictions, to a maximum six months’ imprisonment, or a fine, or both."

http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/what_price_privacy.pdf


Important notice

What you read here is only a summary to introduce the concepts. You should not rely on it to build a legal case or safeguard your legal position. The University of Glamorgan and its employees cannot be held responsible for any legal or other redress due to errors in the notes. Seek professional legal advice before acting on what you read here.


Comments please to: dwfarthi@glam.ac.uk © 1999, 2004, 2006, 2007, University of Glamorgan