I have just received a note from one or two people informing me that the
encoded facts sheet was incomprehensible - so here it is in its full
format.
Thanks
Gillian
NEW DATA PROTECTION ACT
BACKGROUND
This factsheet has been prepared by BSI/DISC in conjunction with the
Office of the Data Protection Registrar (ODPR) in response to a demand
from UK businesses and organisations for advice on the new Data
Protection Act.
The new Act will implement the EU Data Protection Directive, which has
effect in the UK from 24 October 1998, and will lay down detailed
conditions for the processing of personal data and sensitive personal
data, strengthen the rights of the individual, extend data protection to
certain manual records and set new rules for the transfer of data
outside the EU. Due to the need for supporting secondary legislation
there will be a delay between the date for implementation of the
Directive and the new Act being brought into force, which is now likely
to be early 1999.
WILL THE NEW ACT APPLY TO YOU?
The new Act applies to anyone holding data about living individuals on
computer or on some manual records. Those holding such personal data
(i.e. data controllers) must comply with the eight data protection
principles, and, with some exceptions, register with the Data Protection
Commissioner (formerly the Registrar).
WHEN WILL THE NEW ACT APPLY?
The new Act is likely to come into force early in 1999. If processing
begins after 23rd October 1998, then it must comply with the new Act as
soon as it comes into force. For data controllers whose processing is
‘already under way’ immediately prior to 24th October 1998 there is a
transitional period in which to bring their processing into line with
its requirements as follows:
· Data controllers who hold computerised information will have
transitional relief until 24 October 2001.
· Data controllers holding manual data will enjoy an extensive exemption
until 24 October 2001. There will be more limited additional exemptions
for a further six years although data controllers will have to provide
subject access and ensure that their data are accurate on a case-by-case
basis. Special provisions exist in relation to manual data consisting
of health, social work, education and housing records, and credit files.
· Data controllers who are registered under the 1984 legislation will
not have to notify under the new Act until their existing register entry
expires. Some manual records will be exempt from notification, unless
they fall under one of the preliminary assessment categories which will
be specified in an order made by the Secretary of State.
KEY FEATURES
The Data Protection Principles
The new Act contains eight enforceable data protection principles.
However, there are a number of significant differences from those in the
1984 Act:
· As now, personal data must be processed fairly and lawfully. There
are important new conditions that must be satisfied for the processing
of personal data. Data can only be processed, for example, with consent
or where it is “necessary” in certain specified circumstances.
· There are stricter conditions for the processing of “sensitive” data.
· As now, data must be relevant, adequate and not excessive, accurate and
up to date and kept for no longer than is necessary. These principles
will, however, also apply to manual records.
· The security principle is strengthened with a specific requirement
that data controllers have a formal contract with third party
processors.
· A new principle restricts exports of data outside the EEA unless an
“adequate level of protection” can be guaranteed.
Notification
The 1984 Act system of registration will be replaced by notification.
The details of the notification scheme do not appear in the new Act but
will be specified in regulations:
· For most data controllers notification should be simpler than
registration
· The fee will be paid annually
Manual records
Two categories of manual records will be covered by data protection
legislation for the first time:
· Filing systems structured by reference to individuals allowing ready
access to particular information about those individuals, for instance
some paper files, card index systems and microfiche records
· Health, education, social work and housing files, even though less
highly structured, which are currently subject to legislation such as
the Access to Personal Files Act will be caught by the new law including
the requirement to comply with the data protection principles
Enhanced data subject rights
· The right of subject access to your own personal data has been
retained and expanded
· Explicit rights to object to processing, for example, for the purpose
of direct marketing
· The right not to be subject to purely automated decisions
· Increased rights to seek compensation for breaches of the Act
HOW BUSINESSES CAN PREPARE FOR THE NEW ACT
The new Act presents a number of significant challenges to data
controllers. For automated processing the transitional period is less
than three years. Changes may be required not only to I.T. systems but
also to business processes. These may include:
· Development of privacy enhancing technologies
· Development of new standards for manual filing systems
· Development of model contracts for data exports and third party
processing
· Insurance against risk of legal challenge by data subjects
NEW BSI/DISC GUIDES TO DATA PROTECTION REQUIREMENTS
BSI/DISC, in association with the ODPR, are currently evaluating the
requirements for a Guide to Data Protection Transitional Requirements.
This guide is intended to provide practical advice to businesses and
organisations on managing transition requirements. It is expected that
this Guide would be published early in 1999 and would build on the core
advice which will be issued by the ODPR.
Further information on the Data Protection Act 1998 can be found on the
Registrar’s web site (http://www.open.gov.uk/dpr/dprhome.htm) or by
telephoning 01625 545745
For information on the prospective DISC Guide, please contact the
Project Manager by email at [log in to unmask], Tel No.
0181 996
--
Gillian Moore
tel: +44 (0)1923 201367
fax: +44 (0)1923 201300