The Data Protection Act – what you need to know
In January a number of firms contacted the Society concerned about a letter they had received from a firm called ‘Data Protection Agency Services’.
The letter, headed ‘final notice’, used assertive language, requesting that the firm send a cheque for £95 ‘to commence registration’ with the Information Commissioner, as ‘the Data Protection Act 1998 requires every business processing personal data to register or face a maximum fine of £5,000’.
The Society checked the position with the Information Commissioner and immediately contacted all firms by fax informing them about the actual fee which should be paid to the Commissioner and urging caution should they receive a letter from organisations other than the Commissioner’s office.
The Commissioner makes it clear on his website that there is no connection with Data Protection Agency Services. The OFT are aware of this organisation having received “hundreds of complaints”, whilst the BBC Watchdog programme carried out an investigation last September.
The Society recommends that all firms notify the Commissioner as a matter of best practice (regardless of whether an exemption may exist). The annual fee is £35 and should be paid directly to the Commissioner’s office. Firms should automatically receive an annual reminder letter.
The Society’s letter resulted in a large response from members, welcoming the Society’s actions but raising questions about the Data Protection Act and its requirements. In particular, members wanted to know about:
- Definitions within the Act
- The requirement and process of notification
- The Principles of the Act
- Subject Access Requests and guidance on how to handle and prepare for them
This article considers the first two points; a follow-up article will address the remaining two.
While the articles address the issues most frequently raised, they are introductory. A fuller understanding of the Act is always to be encouraged. The Act is a complex piece of legislation with complex rules and it may be necessary to seek expert advice from time to time.
Definitions
To understand the 1998 Act it is essential to understand the definitions it sets out; with them in mind, the Act makes far more sense.
- “Data controller”: the person (or firm or organisation) that decides what personal data is held and how it is used (e.g. the Society is a data controller)
- “Data subject”: a living individual who is the subject of the personal data held. Note the inclusion of the word ‘living’ (e.g. a client or a member of staff)
- “Personal data”: information from which a living individual can be identified, including expressions of opinion and records of intentions towards that person (e.g. a client file or a staff file)
- “Sensitive personal data”: personal data about intimate personal details, including ethnic origin, political opinion, physical or mental illness, and any criminal record (e.g. health information on a client)
- “Processing”: a very comprehensive term covering any activity which can be carried out using personal data, from collecting and obtaining, through holding and organising, to modifying and destroying that data (e.g. shredding paperwork)
Notification
Members expressed uncertainty as to the need to notify. Notification is the process by which a data controller’s details are added to the public register of data controllers, maintained by the Information Commissioner.
Basic information on the data controller is included, such as the name and address, together with a general description of the personal data processing carried out. Anyone can inspect the register online at www.dataprotection.gov.uk and find out about the processing of personal data by a given data controller.
The Society carried out research to find out how many firms (data controllers) have notified. It randomly selected 154 firms. They were selected on the basis of number of partners: 1-5 (108 firms), 6-14 (27 firms) and 15+ (19 firms), and on geographical spread: 50 from the Central Belt and 104 from around Scotland. The results are shown in figures 1 and 2:
Figure 1. Breakdown of firm size in sample showing notification status against firm size
Figure 2. Geographical spread of firms in sample showing notification status against geographical area
The research showed that only 54% of firms have notified, whilst 46% have not. This bears out the feedback to the Society from firms unsure about whether they should notify or not.
The Society strongly recommends that all firms notify. Forms and full guidance on notification can be found at www.dataprotection.gov.uk or by telephoning the Information Commissioner’s help line on 01625 545 740; a very simple step-by-step guide is set out below:
- s17 (1) [of the Act] requires that a data controller notify prior to processing data
- s17 (2) permits an exception if the data processed is neither “processed by means of equipment operating automatically in response to instructions given for that purpose” nor “recorded with the intention that it should be processed by means of such equipment”
- Virtually any kind of computer equipment, from a simple word processor through to a complex client relations management system, falls within the s17 (2) definition
- The processing mentioned in s17 (1) is far reaching and will include normal day-to-day usage of a computer in a solicitor’s office: writing letters, drafting deeds, etc.
- Unless a solicitor uses no computer equipment whatsoever, notification is mandatory. (Further information on exemptions can be found at www.dpr.gov.uk/downloads/selfassess.doc)
- Even where there is doubt, the Society considers it best practice to notify. The cost is minimal, whereas the consequences for failing to notify are potentially damaging
Note that the Society does not have a collective notification policy covering all firms, as some members have suggested might be in place. Under the definitions of the Act, firms are data controllers in their own right and it is therefore their own responsibility to notify.
Some firms will have been registered (as it was previously called) under the Data Protection Act 1984, paying £75 every three years. Given that the 1998 Act came into force on 1st March 2000, some firms may still have their 1984 Act registration in place (one firm the Society spoke to, for example, has a registration in place until May 2003). Firms in this position should ensure they notify at the appropriate time (reference should be made to www.dataprotection.gov.uk for the exact process of moving from 1984 Act registration to 1998 Act notification).
In any event, while a notification exemption may apply, there is no escape from compliance with the eight Data Protection Principles and the provisions of the Act. The Information Commissioner can enforce these against a data controller who is in contravention of them. Confusion is possible here because this differs from the position under the 1984 Act, which allowed non-compliance if there was no need to register. It is essential that all firms comply with the Principles and provisions of the Act.
The second article will consider the Principles of the Act, in particular the first and seventh Principles. It will also provide guidance on handling and preparing for subject access requests.
Gordon Brewster is Director of IT at The Law Society of Scotland