Protection of personal data: the United Kingdom perspective: the U.K.'s new Data Protection Act sets up a comprehensive and detailed regime to which multinationals must conform for the transfer of personal data.

Author: Harbour, Laurel J.

THE EXPLOSION of information power has become a fundamental feature of business worldwide. The operational and commercial success of many organisations depends on their ability to obtain, process and store vast quantities of information about employees, customers and the general public. The same technological progress that has made this possible has, however, brought with it a growing concern on the part of European law makers that its use might weaken or undermine individual human rights, particularly the right to privacy.

The Data Protection Act 1998 (DPA), which came into effect on March 1, 2000, is the latest piece of United Kingdom legislation to regulate the use of personal data. (1) The DPA implements Directive 95/46/EC of 24 October 1995 of the European Parliament and the Council of the European Union on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data. (2) The European data protection regime is an attempt to balance the interests of the freedom of the individual, the free movement of information and the freedom to trade.

The U.K. approach to data protection is one of the more liberal in Europe, yet the DPA nonetheless imposes wide-ranging obligations on organisations in relation to their use of personal data. These obligations are far-reaching and, with a few exceptions, apply to all organisations, both public and private, no matter how big or small and regardless of the nature of their operations.

The provisions of the DPA are implemented and enforced by the Information Commission, an independent supervisory body appointed by the Crown. Richard Thomas has been appointed Information Commissioner effective 1 October 2002, to succeed Elizabeth France, the first commissioner. The DPA gives the commissioner investigative powers, including the power to obtain search warrants and to take action against organisations in breach of the statutory regulations. The commissioner's office has traditionally viewed itself as more of an educator than a regulator and pursued enforcement procedures only in cases of flagrant breach. In 2002, however, it launched a high-profile advertising campaign informing individuals of their rights under the DPA, and it is currently reviewing its enforcement procedures.

This article summarizes the key provisions of the U.K. data protection regime, including the central statutory definitions, the main duties imposed on organisations that process personal data ("data controllers"), the rights of individuals about whom personal information is being processed ("data subjects"), and the regulation of transborder data flows.

SCOPE OF THE DPA

The DPA regulates the "processing" of "personal data." "Data" is defined as computerized information as well as personal data in manual files, provided the data are "recorded as part of a relevant filing system." A "relevant filing system" is defined as "any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible." This would include, for example, paper files or card indexes that permit ready access to specific information relating to particular individuals.

Personal data are any "data which relate to a living individual who can be identified--(a) from those data, or (b) from those data and any other information which is in the possession of, or is likely to come into the possession of, the data controller." This concept is interpreted broadly. It covers information concerning an individual in both a personal and business capacity (as in the case of a sole trader) and also includes any expression of opinion or intention about the data subject, which is clearly relevant in the personnel context.

Contact names and addresses, e-mail addresses and clinical data, for example, are all considered personal data. An additional category of "sensitive" personal data under the DPA includes, among other things, data relating to the racial or ethnic origin, political opinions, religious beliefs and physical or mental health of an individual. More stringent regulations apply to the processing of personal data categorized as "sensitive."

The DPA applies to personal data that are "processed." This is an extremely broad provision, so broad, in fact, that the commissioner in a legal guidance has stated that "it is difficult to envisage any action involving data which does not amount to processing within this definition." The statute defines "processing" as

obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making it available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.

Under this definition, processing includes virtually any activity performed on data, from holding personal data, to pulling up information on a computer screen, to storing personal data on a computer hard drive.

DPA DATA PROTECTION PRINCIPLES

  1. The Principles

    The DPA imposes an obligation on data controllers to comply with statutory principles of good information handling, known as the Data Protection...
