Department for Constitutional Affairs

DATA PROTECTION ACT 1998: CONSULTATION PAPER ON SUBORDINATE LEGISLATION


1. The Data Protection Act 1998 obtained Royal Assent on 16 July. When it is fully in force the 1998 Act will give effect in the UK to the EC Data Protection Directive (95/46/EC). The Directive is due to be implemented by EU Member States by 24 October 1998.

2. The 1998 Act provides for much of the essential detail for the new regime to be set out in subordinate legislation. Most of it will need to be in place for the UK to properly comply with the Directive. Given the large amount of work involved, the Government has announced that 24 October is no longer a realistic deadline for giving effect to the Directive. It now expects to do so in the New Year. Most other Member States are working to a similar timetable.

3. The Government wishes to be in a position to discharge its Community obligation as soon as possible consistently with ensuring it is sound and effective. It therefore hopes to make early progress in preparing the subordinate legislation. But it needs to have regard to the views of those it is likely to affect.

4. Some relevant information is available from the comments received in response to the July 1997 White Paper "Data Protection: The Government's Proposals", and from further comments received during the passage of the 1998 Act. But the main focus of attention then was the content of the primary legislation, and before the detailed work is done it is important to give an explicit opportunity to comment on the approach the subordinate instruments should take.

5. This paper accordingly seeks comments to help inform the preparation of the subordinate legislation to be made under the 1998 Act. It covers all the instruments which are required for the new regime to work or are being considered for its initial implementation, except for the notification regulations which will be the subject of a supplementary consultation paper. The other instruments the legislation provides for will not be needed at the initial commencement of the new scheme.

6. Please send any comments on this paper to:

Mr Colin McGrath, Home Office, Data Protection Section, Room 1173, 50 Queen Anne's Gate, London SW1H 9AT

(telephone: 020 7273 3386 fax: 020 7273 3205)

by the end of September 1998.

Please note that the Government will assume that it may make respondents' comments public except where they have expressly requested it not to do so.

7. The timetable for comment is fairly tight in order to make good progress with implementation. The Government hopes that respondents will appreciate and make use of the opportunity to comment, while understanding the need to avoid a long delay.

8. This paper (which may be freely copied) is available on the Home Office internet website at http://www.homeoffice.gov.uk/index.htm.

LIST OF PROPOSED ORDERS

Subject Access Fees and Time Limits: Section 7

9. Section 7(2)(b) allows cases in which no subject access fee may be charged to be prescribed by regulations. Section 7(10) allows the maximum subject access fee to be prescribed by regulations. It also allows the period of forty days for responding to a subject access request to be varied by regulations. Section 7(11) allows different amounts or periods to be prescribed in relation to different cases.

10. The July 1997 White Paper said that the Government did not intend to change either the current £10 maximum subject access fee or the 40 day response period. That remains the Government's intention subject to the following points.

11. Where a data user has more than one register entry, section 21(3) of the Data Protection Act 1984 requires any subject access fees to be charged separately. Under the 1998 Act data controllers will have only one register entry. The Government would welcome views on whether they should be allowed to charge separate fees for access to different parts of their data holding, and if so how this might be achieved. If, as the Government proposes, there are exemptions from the requirement to notify, it will probably not be possible to express any such arrangements by reference to register entries. One approach might be to charge a separate fee for each purpose for which data are processed.

12. The subject access rights under the Consumer Credit Act 1974, the Access to Personal Files Act 1987, the Access to Health Records Act 1990 and the Education (School Records) Regulations 1989, and corresponding enactments in Scotland and Northern Ireland, are brought within the scope of the 1998 Act. The Government intends to use the section 7 powers to maintain their present fees and response periods.

Information Provided in Response to Subject Access Request: Sections 7(7) and 8(1)

13. In response to a subject access request a data controller must provide all the personal data to which the request relates. Similarly, under the primary legislation data subjects may not request only part of the data held about them. Section 7(7) allows the Secretary of State by order to prescribe cases in which a data subject may specify that his request is limited to certain personal data. The Government would welcome views on whether an order should be made at this stage, and if so what categories of case and descriptions of personal data should be prescribed.

14. Section 7(1) sets out a number of different categories of information which individuals are entitled to request from data controllers. Section 8(1) allows the Secretary of State to prescribe by regulations that a request for one such category shall be treated as extending to the others. This reflects the broad approach in section 21(2) of the 1984 Act. This says that a request for information under both section 21(1)(a) and section 21(1)(b) shall be treated as a single request; and that, unless the contrary indication appears, a request for information under section 21(1)(a) shall be treated as including a request for information under section 21(1)(b).

15. With more categories of information disclosable under the 1998 Act, the scope for linking requests is considerably greater than under the 1984 Act. The Government would welcome views on what linkages would be desirable.

Consumer Credit: Statement of Individuals' Rights: Section 9(3)

16. Section 9(3) requires credit reference agencies' responses to subject access requests to include a statement of individuals' rights under section 159 of the Consumer Credit Act 1974 and the 1998 Act. The Secretary of State may prescribe in regulations the form of the statement and, in the case of 1998 Act information, the extent of the rights to be explained.

17. This provision consolidates and extends a similar provision in the Consumer Credit Act 1974. The opportunity will be taken to review the form of the statement which has been prescribed under that Act. The Government is consulting separately within the relevant sector on its proposals for revising the form.

Copy of Register Entry: Section 19(7)

18. Section 19(7) allows the Data Protection Commissioner to charge such fee as may be prescribed by regulations for providing a certified copy of an entry in the register of notifications. This replicates the provision made by section 9(2) of the 1984 Act. The fee prescribed by the Data Protection (Fees) Regulations 1986 is £2. The Government intends to prescribe the same amount under the 1998 Act.

Preliminary Assessment: Section 22(1)

19. Section 22 provides for certain processing to be assessed by the Data Protection Commissioner for compliance with the provisions of the Act before the processing may begin. The processing is that which is specified by order under section 22(1) and which appears to the Secretary of State to be particularly likely:

20. This follows a Directive requirement for certain processing to be subject to what it describes as "prior checking". The July 1997 White Paper identified three possible categories:

21. The Government proposes to apply the preliminary assessment arrangements to these categories, either generally or in certain areas. It will develop the detail in the light of the comments which were made in response to the White Paper, and any further ones made in response to this paper. Respondents might wish to consider in particular whether the preliminary assessment arrangements should be restricted to certain processing operations within the three main categories, and if so which ones.

22. What preliminary assessment involves: the Government is aware of some misunderstanding and concern about the implications of preliminary assessment. Some clarification of what it will involve might be helpful.

23. The arrangements will be part of the notification arrangements. Controllers wishing to process material in the preliminary assessment categories will be required to notify the Commissioner as with any other processing. The difference is that the controller will then have to wait for a certain period before starting processing. (As under the 1984 Act, the normal rule for notification in non-preliminary assessment cases will be that controllers will be able to start processing as soon as they have notified the Commissioner.) The waiting period will be 28 days (extendable once by the Commissioner for a further period of 14 days) or, if sooner, the time until the Commissioner has given an opinion on likely compliance with the Act.

24. Two important points are worth stressing. First, preliminary assessment will not require data controllers to approach the Commissioner about individual processing acts. Provided that the data controller has notified the Commissioner about that form of processing no further approach to the Commissioner will be necessary.

25. Secondly, preliminary assessment involves no power for the Commissioner to prohibit processing. She will be able only to give an opinion about likely compliance with the Act and, if she wishes, to use her general enforcement powers (for example, to issue an enforcement notice). It will then be for the data controller to decide whether to go ahead or not.

Subject Information Exemptions: Sections 30 and 38 and Schedule 10

26. Section 30(1) and (3) allows the Secretary of State by order to provide exemptions from or modify the subject information provisions (defined in section 27(1)) in relation to data about, very broadly, data subjects' health (subsection (1)), and social work involving data subjects or others (subsection (3)). Comparable power exists in section 29(1) and (2) of the 1984 Act. The Government proposes to make orders broadly preserving the effect of the Data Protection (Subject Access Modification)(Health) Order 1987 and the Data Protection (Subject Access Modification)(Social Work) Order 1987 which have been made under section 29 of the 1984 Act.

27. Section 30(2) contains an order-making power for exemptions from or modification of the subject information provisions for personal data consisting of certain records about school pupils. The 1998 Act brings within its scope the subject access right currently provided by the Education (School Records) Regulations 1989 and education Regulations in Scotland and Northern Ireland. The Regulations contain certain savings from that access right. The Government intends to make an order broadly preserving their effect. The Government will consult separately within the relevant sector on its proposals.

28. Section 38(1) empowers the Secretary of State in certain circumstances to exempt by order from the subject information provisions personal data whose disclosure is statutorily prohibited or restricted. Comparable provision is made in section 34(2) of the 1984 Act. The Government proposes to make an order broadly preserving the effect of the existing Data Protection (Miscellaneous Subject Access Exemptions) Order 1987.

29. Section 35A of the 1984 Act provides a subject access exemption in relation to personal data showing that an identifiable individual was or may have been born in consequence of treatment services except where the disclosure is made in accordance with section 31(2) of the Human Fertilisation and Embryology Act 1990. The 1998 Act does not preserve this exemption. The Government intends instead to make equivalent provision in an order under section 38(1). At the same time other information covered by section 31(2) of the 1990 Act will also be included - that is about the provision of treatment services for identifiable individuals and about the keeping or use of the gametes of any identifiable individual or an embryo taken from any identifiable woman. Provision will also be made in respect of certain personal data in connection with parental orders under section 30 of the 1990 Act.

30. Paragraph 4 of Schedule 7 empowers the Secretary of State to exempt by order from the subject information provisions personal data processed for the purpose of assessing any person's suitability for certain Crown or Ministerial employment or office. The Government is considering what exemptions need to be made under this provision.

31. Paragraph 6 of Schedule 7 exempts from the subject information provisions personal data processed for the purposes of or in connection with the provision of corporate finance services in certain circumstances. Paragraph 6(2) empowers the Secretary of State to make certain complementary provision by order. The Government proposes to make such an order. It is consulting separately within the relevant sector on its proposals.

Special Purposes Codes of Practice: Section 32(3)

32. Section 32 makes special arrangements in respect of the processing of personal data for the special purposes (ie journalistic, artistic or literary purposes). One is that the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication of special purposes material would be in the public interest.

33. Section 32(3) provides that, to determine whether this belief was reasonable, regard may be had to any relevant code of practice which has been designated by the Secretary of State by order. The Government would welcome views on which codes of practice might be designated under this provision.

International Cooperation: Section 54

34. Section 54(2) allows the Secretary of State by order to provide for the Commissioner's functions as the United Kingdom designated authority for the purposes of Article 13 of the 1981 Council of Europe Convention on Data Protection. Section 37 of the 1984 Act makes comparable provision in respect of the Data Protection Registrar. The Government proposes to make an order broadly preserving the effect of the Data Protection (Functions of Designated Authority) Order 1987 made under section 37 of the 1984 Act.

35. Section 54(3) allows the Secretary of State by order to make provision as to the co-operation by the Commissioner with the European Commission and the data protection supervisory authorities in the other EEA States. Section 54(4) allows the Secretary of State by order to direct the Commissioner to carry out data protection functions for the purpose of giving effect to any of the UK's international obligations. The Government is considering what provision will be needed under these powers.

Informing the data subject: Paragraph 3 of Part II of Schedule 1

36. Paragraph 2 of Part II of Schedule 1 requires a data controller to ensure that the data subjects whose personal data he obtains have or are provided with certain information about the controller and the processing of the data. Paragraph 3 of Part II of Schedule 1 exempts from this requirement in the case of data not obtained from the data subject, specifically where:

37. The latter allows the UK to meet Article 11.2 of the Directive, which requires that Member States provide "appropriate safeguards" for exemptions from the requirement to provide information to data subjects.

38. The July 1997 White Paper identified as a possible safeguard a requirement on the controller to provide the information when he first makes contact with the data subject. The Government would welcome any further comments on this possible safeguard, and suggestions for alternatives.

General Identifiers: Paragraph 4 of Part II of Schedule 1

39. Paragraph 4 of Part II of Schedule 1 allows the Secretary of State by order to prescribe descriptions of general identifiers which may be processed only in accordance with specified conditions. The Government is considering whether there are any general identifiers which might be prescribed, and if so what conditions might be prescribed.

Processing of sensitive data: Paragraph 10 of Schedule 3

40. The 1998 Act places restrictions on the processing of sensitive data, defined in section 2 as personal data on:

41. Paragraphs 1 to 9 of Schedule 3 set out a number of conditions, at least one of which must be met (in addition to at least one of the basic pre-conditions of processing in Schedule 2) if sensitive data are to be processed. Paragraph 10 of Schedule 3 allows the Secretary of State by order to specify further circumstances in which sensitive data may be processed. The Directive requires any such processing to be accompanied by suitable safeguards. Except for offences and convictions data, it also permits the processing of sensitive data only for reasons of substantial public interest.

42. The Government proposes to make an order under paragraph 10 of Schedule 3 permitting the following types of processing, subject to suitable safeguards:

43. The Government invites respondents to identify any other circumstances where paragraph 10 needs to be used. If you do so, please:

Tribunal Rules: Schedule 6

44. Schedule 6 sets out the arrangements for hearing appeals to the Data Protection Tribunal. Paragraph 7 allows the Secretary of State to make rules for regulating the exercise of appeals and the procedure of the Tribunal. Similar provision is made in Schedule 3 to the 1984 Act. The Government intends to make fresh rules based on the Data Protection Tribunal Rules 1985 but reflecting the changes to the appeal arrangements made by the 1998 Act.

REGULATORY IMPACT ASSESSMENT 

(Formerly known as Regulatory Appraisal and Compliance Cost Assessment) 
 

The statutory instruments proposed in this consultation paper will set out detailed aspects of the new data protection regime provided for in the Data Protection Act 1998. Their costs will form part of its overall costs. They were estimated in the Explanatory and Financial Memorandum of the Bill as introduced in Parliament: an extract of the relevant section is set out below. 

As was made clear in the Memorandum, the Home Office also drew up a more detailed Regulatory Appraisal and Compliance Cost Assessment. Copies were placed in the Libraries of both Houses of Parliament, and additional ones are available on request from Colin McGrath, Room 1173, Home Office, 50 Queen Anne's Gate, London, SW1H 9AT; telephone number 020 7273 3386. Alternatively, they are also available on the Home Office internet website at http://www.homeoffice.gov.uk/index.htm. 

EXTRACT FROM THE EXPLANATORY AND FINANCIAL MEMORANDUM FOR THE DATA PROTECTION BILL 

Financial effects of the Bill 

The costs in a full year of the Data Protection Commissioner and his office, together with the Tribunal, are estimated to be £3.7m at current prices. The transitional costs could be up to £0.8m. These expenses will be met from the Home Office budget and recovered through notification fees under Part III and other charges. 

The Bill will impose costs on central and local government. The start-up element is estimated to be £194m, including £104m for schools and other local authority expenditure. Their recurring annual costs are estimated at £75m, including £29m for schools and other local authority spending. 

The estimates depend on assumptions about how the provisions will apply in a large number of particular cases. 

The most significant public sector costs are expected to arise from Clause 1(1) extending the law to some manual data, the requirement to give information to data subjects when data are collected imposed by paragraph 3 of Part II of Schedule 1 and the criteria for processing sensitive data established by Schedule 3.

The additional costs will be absorbed within existing resources and therefore will not lead to an overall increase in public expenditure. 

Effects on public service staffing 

Implementing the Bill will require diversion of up to three Home Office staff years from other duties. No continuing increase in the Department's staff is expected to be necessary. 

The additional transitional work of the Office of the Commissioner is likely to require up to six staff years. Existing staff would be deployed from other functions, and replaced meanwhile by temporary staff. No continuing manpower implications are expected. 

Increased use of the Data Protection Tribunal is not expected to have significant staffing implications. The Chairman, deputy chairmen and members are called upon only as necessary and paid a daily rate plus expenses. 

Business Compliance Cost Assessment 

The Bill has cost implications for the private and voluntary sectors. The start-up costs for business are estimated at £836m and the recurring costs at £630m. For the voluntary sector the estimated costs are £120m start-up and £37m recurring. A Regulatory Appraisal including a Compliance Cost Assessment has been drawn up by the Home Office and will be placed in the Libraries of both Houses. Copies are available to the public from Colin McGrath, Room 1173, Home Office, Queen Anne's Gate, London SW1H 9AT.


Data Protection Act 1998 is available on The Stationery Office Website

 

 


© Crown Copyright