1. This paper supplements the Home Office's 12 August Consultation Paper "Data Protection Act 1998: Subordinate Legislation". It deals with the remaining statutory instrument - notification regulations - which will be needed under the Data Protection Act 1998 to bring into force the new regime required by the EC Data Protection Directive (95/46/EC).
2. The paper reflects initial discussions with the Data Protection Registrar, who is to become the Data Protection Commissioner, about the general form the notification scheme should take. Under the 1998 Act the Data Protection Commissioner will need to submit formal proposals on the content of the statutory instrument to the Secretary of State, and the Secretary of State in turn will need to consult the Commissioner about his final proposals. The present paper gives interested parties the opportunity to make known to both the Government and the Registrar their views on the key issues, to inform the more detailed work.
3. Please send any comments on this paper, as on the previous one, to:
Mr Colin McGrath
Home Office
Data Protection Section
Room 1173
50 Queen Anne's Gate
London SW1H 9AT
(Tel: 020 7273-3386 Fax: 020 7273-3205)
by 30 September 1998.
Please note that the Government will assume that it may make respondents' comments public except where they expressly request it not to do so.
This timetable for comment is fairly tight in order to make good progress with implementation. The Government hopes that respondents will appreciate and make use of the opportunity to comment while understanding the need to avoid a long delay.
4. This paper, which may be freely copied, is available on the Home Office internet website at:
http://www.homeoffice.gov.uk/index.htm
The 1998 Act's provisions
5. Under the 1998 Act, data controllers will be under a direct obligation to comply with the requirements of the data protection regime. By virtue of Part III, except where specifically exempted they will also be obliged before they can process personal data to notify key details of their processing to the Data Protection Commissioner, who in turn will compile a register open to public scrutiny. Those exempted from obligatory notification may choose to make a voluntary notification to the Commissioner leading to a voluntary register entry. (Most of those exempted from obligatory notification choosing not to notify voluntarily will have to make available certain information on request.) Notifications will continue in force provided the details are kept up to date and the appropriate periodic fees are paid.
6. Separately from notification, but linked to it procedurally, controllers who notify their intention to carry out certain processing will be required to wait before they begin processing, normally for up to 28 days, while the Commissioner makes a preliminary assessment of the likely compliance of the relevant processing with the regime requirements. This preliminary assessment system implements the Directive's Article 20 requirement for a `prior checking' scheme.
Objectives
7. The Government considers that the primary purpose of notification under the new data protection scheme should be to promote transparency, that is providing to the public and the Commissioner a clear description in general terms of the processing of personal data. Consistently with proper implementation of the Directive, the Government and the Registrar want the new notification system to be simple, straightforward and readily understandable. It should be useful to members of the public, data controllers and the Commissioner.
8. Where appropriate, use will be made of the valuable experience gained in operating the registration scheme established under the Data Protection Act 1984. However the new proposals reflect the fact that notification will be an element of the main regime rather than triggering application of that regime. They also reflect the principles of better regulation - in particular simplifying procedures and making the result more accessible to all.
Content (Sections 16(1) and 18(2) of the Act)
9. The information to be notified reflects the minimum requirements in Article 19 of the Directive. It is broadly similar to what data users register under the 1984 Act. In summary, it will comprise:
The regulations may require this information to be presented in such a way as to provide a brief description of the controller's business and to identify whether the processing falls into a preliminary assessment category.
10. All this material except the security measures has to be recorded on the Commissioner's register. The regulations may also require inclusion of certain additional information in the register.
Format
11. We propose that notifications and the resultant register entries should be purpose-based, as with the present registration system. Specifying the purposes of processing is a cornerstone of data protection policy and practice. The other information provided would be grouped by purpose.
12. To assist both data controllers and those consulting the register the purposes would be broadly defined (at the level of for example education; credit reference; health administration; and property administration) and related to the type of business. There could be some 30 pre-defined purposes in total. Exceptionally, a short free-text purpose statement could be made for those very rare processing operations which did not fit into one of the pre-defined purposes.
13. The categories of personal data, data subjects and recipients would also be pre-defined at a relatively broad level. For example employment details; customers and clients; and local authorities respectively.
14. A recent innovation by the Registrar under the 1984 Act has been the development of `templates' or draft notifications. Applicants identify the nature of their business and may be issued with partially completed application forms which reflect the relevant standard forms of processing. The data user retains ultimate responsibility for the content of his registration; and must either confirm that the forms as issued accurately reflect his processing or make any necessary amendments. This approach has proved helpful to data users and we propose it should be used in notification.
15. Large organisations The Act provides for data controllers to have only one register entry (section 19(1)). The Registrar is considering how those for large organisations should be subdivided in the interests of clarity. The system needs to be robust and generally applicable. Possible options under consideration are, for the private sector, division by reference to organisational structure or business subdivision and, for central Government separate identification of Agencies within Departments, for example. We would welcome views on this approach and on how it could be applied to the local government, other public and voluntary sectors.
16. Security (Section 18(2)(b)) The Act requires data controllers to include in their notification `a general description of measures to be taken for the purpose of complying with the seventh data protection principle'. This information, whose notification reflects a Directive requirement, will not feature in their register entries.
17. We would welcome views on how this requirement should best be met. Possible approaches are to enable data controllers to indicate their adherence to the BS7799 Information Security Standard and Certification Scheme; or to use a short series of questions to elicit a general description of the security measures being taken.
18. Additional information (Section 19(2)(b)) The notification regulations may authorise or require the Data Protection Commissioner to include additional material in the register. Ministers have undertaken in Parliament to confine this to material which should be helpful to those consulting the register. We consider that it would assist data subjects to have recorded on the register convictions and current prosecutions under data protection legislation and enforcement notice information.
19. We would welcome views on these suggestions, and on any others which would add value to register entries without over-complicating them.
Process
20. We envisage that notification procedures should be similar to those for registration. Initially most enquiries are likely to be made by telephone. The controller would be sent a set of personalised forms (including templates or blank spaces depending on what initial information had been given). He would endorse or complete these, as appropriate, and return them to the Commissioner, who would confirm their validity (completeness, consistency, receipt of fee). The notification will form the basis of the controller's register entry. The controller may only begin processing once he has an entry on the register. We are considering at which point in the process after return of the forms by the controller a register entry should be deemed to have been made.
21. Increasingly, business is being done by electronic means. The Commissioner hopes to provide in due course a template-based website allowing interactive notification wholly by electronic means.
22. All data controllers must notify before processing unless their processing is covered by a relevant exemption. The Act itself exempts from notification:
23. The notification regulations may make further exemptions where it appears to the Secretary of State that the specified processing is unlikely to prejudice the rights and freedoms of data subjects. To comply with the Directive, such exemptions must specify:
24. The Government will develop its proposals with several broad objectives in mind. First, it must meet the Directive's test of the processing being unlikely to prejudice data subjects' rights and freedoms. Secondly, even with a simpler notification process, exemption for certain standard business processes could help to reduce smaller organisations' costs and administrative effort without any significant harm to data subjects' interests. Thirdly, the cost of the Commissioner's operations should be borne by data controllers, and the necessary charges should be spread reasonably equitably between them.
25. In principle this points to making a limited number of general exemptions, provided they can be defined clearly enough to give data controllers confidence in relying on the exemptions.
26. We are therefore considering exemption of four standard business operations together with more specific processing by particular organisations.
27. Together these would be :
28. Without prejudice to the definitional issue referred to in paragraph 25, on which further work needs to be done, we invite comments on these proposals both in general and on the specific content of individual categories such as payroll, personnel and work planning.
29. Section 22 provides for an order to be made designating certain processing for preliminary assessment. The choice of this `assessable processing' is discussed in the 12 August consultation paper. This one considers the procedure.
30. The Act requires the Data Protection Commissioner to assess the relevant processing for compliance with the provisions of the Act before it begins. It applies only to new processing starting after 24 October 1998.
31. When a notification is received it will be necessary to identify whether it falls into the assessable processing category. Clearly it would be helpful if the data controller himself was able to identify this. The most straightforward way of achieving this would be to ask appropriate questions on the notification forms. We propose that these should appear on all forms, or possibly be included solely on relevant templates.
32. Section 22 of the Act makes clear that the Commissioner will have 28 days, extendable once in certain circumstances, to make the preliminary assessment. The notification will take effect, and processing can start if the controller so chooses, only when this 28 day period is complete or when the Commissioner gives notice of his opinion to the controller, whichever comes first.
33. We propose to set the fee level(s) for notification in the notification regulations.
34. The Government Proposals of July 1997 made clear that fees would be determined by reference to the likely costs of the supervisory authority, and that the average fee would be kept as low as possible. That remains the Government's approach.
35. Unlike the 1984 Act the 1998 Act allows differential fees. We would like a structure which took some account of the relative size of the organisation, but it must also be simple to administer. We would welcome views on possible options. Those we are considering are:
Frequency (Sections 19(4) and (5))
36. Notifications will be converted into entries on the register of notifications and retained there for the `relevant time'. This is currently set in the Act at twelve months. When it expires the entry will remain in force provided a continuation fee is paid for the next 12 months.
37. We have no current proposals to use the power in the regulations to alter the twelve month period. However we are considering whether the regulations should provide some flexibility to cover slightly late payments of the fee for retaining the entry on the register.
Refunds (Section 18(6))
38. The notification regulations may provide for the refund of any initial notification fee or continuation fee. We would welcome views on the circumstances in which and the basis on which this should be done. An example is where it is subsequently discovered that a data controller not obliged to notify has done so by mistake.
39. Controllers not obliged to notify may nevertheless choose to do so. They would then be exempt from the duty, where it would otherwise apply, to make certain information available directly to enquirers (Section 24).
40. The Act provides one notification scheme which will apply to all. So those notifying voluntarily will do so on the same terms as those notifying compulsorily, ie:
41. Fees will be charged and we are considering the appropriate level.
42. The regulations will set out the data controller's duty to notify changes. Given the proposed broader categories of information, changes should need to be notified less frequently than in the past; but it is still necessary to strike a reasonable balance between ensuring that key information is fully up to date and keeping administration simple for data controllers and the Commissioner.
43. We think the main options are:
Taking account of the principles in paragraph 42, we would welcome views on the choice of approach and the detail of the second approach.
44. Section 18(4) enables the regulations to make special provision for:
We would be grateful for details of any situations which ought to be specified under the latter provision.
45. The Government made clear in the July 1997 proposals and again when the Bill was in Parliament its intention to end the existing requirement for headteachers and governors of schools to register separately. We are considering how to achieve this.
From registration to notification
46. Those who immediately before the notification provisions come into force are:
47. The registration period for those with a single register entry will expire when their entries would have expired under the 1984 Act.
48. The registration period for those with multiple register entries will expire at the time their last register entry under the 1984 Act would have expired. We are considering the precise mechanism. One approach would be to retain existing separate 1984 Act register entries (without requiring a renewal fee) until the final entry expires. Another would be to consolidate registrations as they expire into the register entry due to expire last. Subject to any overriding system requirements which emerge from more detailed work, we welcome comments on the best approach.
Notifying changes: 1984 Act registrations
(Schedule 14, paragraph 2(7))
49. 1984 Act registrations which continue during the transitional period may be regarded as a staging post on the route to notification. We propose to take the same basic approach, but with some modifications, to the requirement to notify changes as with notifications.
50. Where a data controller starts new processing not covered by a 1984 Act register entry, he will need to notify that new processing to the Commissioner. We propose that any existing registrations he has should continue to run their course. So information about the new processing would be added to the existing registered details as if it were a change.
Early notification
(Schedule 14, paragraph 2(5))
51. We propose that if they wish data controllers should be able to move from registration to notification earlier than required to by the transitional provisions. However if they do so they would have to comply fully with the notification requirements. They would not be able to rely on the transitional arrangements relating to 1984 Act register entries in respect of any processing.
52. Section 23 enables the Secretary of State by order to introduce a system of appointed data protection supervisors within data controllers' organisations. He could also exempt those organisations from notification.
53. However, few respondents to the March 1996 Consultation Paper expressed interest in making use of such a scheme. We have concluded that for the initial implementation of the Directive it would be best to concentrate work on establishing the main notification regime. So we propose no early order under Section 23.
54. The notification regulations will form part of the general data protection regime introduced under the Data Protection Act 1998. Their impact is covered by the general Compliance Cost Analysis and Regulatory Appraisal carried out when the Bill was introduced. The details are given in the main consultation paper on the statutory instruments, "Data Protection Act 1998: Subordinate Legislation", published on 12 August.
Data Protection Act 1998 is available on The Stationery Office Website