
Data Protection Act 1998: Post-Implementation Appraisal - Questionnaire


Introduction



This paper seeks views on the UK's new data protection regime in the light of early experience of its operation. It is too soon to carry out a comprehensive evaluation of the new legislation, especially since the Act's transitional provisions are still in force. However, the Government wishes to make an early appraisal of the new regime. This will help inform the UK's position on the European Commission's report on implementation of the 1995 EC Data Protection Directive which is due by October 2001.

The paper identifies those issues on which the Home Office would particularly welcome comments. The focus is on the practical effect of those provisions of the 1998 Act, or the subordinate legislation made under it, which are either new to UK data protection legislation or substantially different from the provisions of the Data Protection Act 1984. Please feel free to comment on any other issue.

 

1. SCOPE AND DEFINITIONS

The Act brings certain manual records within the scope of data protection legislation for the first time. It also changes some definitions familiar from the 1984 Act and introduces some new concepts.

  1. Is it clear which manual records are caught? If not, what causes the difficulty?
  2. Is the definition of "personal data" clear? If not, what changes might be made?
  3. Is the relationship between the "data controller" and the "data processor" clear?

 

2. DATA PROTECTION PRINCIPLES

A new principle on data exports has been added. Otherwise the data protection principles themselves are similar to those in the 1984 Act. But some express new requirements have been added. These relate to the conditions for processing (Schedules 2 and 3) (see also Question 3); and the provision of information to data subjects (Part II of Schedule 1).

  1. Are the conditions for processing clear and useful?
  2. Is it clear that satisfying the conditions does not discharge the requirement to comply with the principles themselves?
  3. Is it clear what information has to be provided to data subjects, and when?
  4. Are there any practical difficulties with the provision of the information?

 

3. SENSITIVE DATA

The Act regards information about race, political opinions, religion, trade union membership, health, sex life and offences as "sensitive data" and subjects it to special rules.

  1. Are the categories of sensitive data appropriate? If not, what changes might be needed?
  2. Are the conditions for processing sensitive data too narrow/too broad? If so, what changes might be needed?

 

4. DATA SUBJECTS' RIGHTS

The 1998 Act enhances individuals' rights. It creates some new ones and strengthens existing ones. It also incorporates access rights previously provided under other non-data protection legislation. It also introduces some new exemptions from the right of subject access (or, in some cases, subject information).

  1. Are the new rights clear? If not, what improvements might be made?
  2. Are the revised arrangements for subject access (in particular the fee structure and response times) satisfactory? If not, what improvements might be made?
  3. Is the scope of the exemptions from subject access/information (including those in subordinate legislation) satisfactory? If not, what changes might be made?

 

5. NOTIFICATION

The 1998 Act requires data controllers to notify the Data Protection Commissioner of the processing which they do. Notification is different from registration under the 1984 Act. The Act also provides for exemptions from notification. The exemptions do not provide exemptions from the data protection principles. Again, this differs from the position under the 1984 Act.

  1. Are there any problems with the categories of information to be notified to the Commissioner?
  2. Do the procedural arrangements as provided for in the legislation work? If not, what improvements might be made?
  3. Is it useful to have exemptions?
  4. Is it easy to decide whether you benefit from an exemption?
  5. Are the "standard business purposes" exemptions sufficiently broad to cover all routine processing? If not, what else should be covered?

6. INTERNATIONAL TRANSFERS

Subject to some exemptions, the Act prohibits the transfer of personal data to countries outside the European Economic Area which do not provide an adequate level of data protection. In the first instance it is up to data controllers to decide whether they can make transfers.

  1. Has this rule restricted your transfers of personal data outside the EEA, including via the Internet?
  2. Do you find assessing "adequacy" difficult? If so, what improvements could be made?
  3. Are the exemptions clear and useful?

 

7. COMPLIANCE

The Data Protection Commissioner has stronger powers to promote compliance with and enforce the 1998 Act.

  1. Are the Commissioner's powers appropriate? If not, what changes might be needed?

8. NEW TECHNOLOGY

The data protection regime applies to Internet transactions.

  1. Aside from international transfers (see Question 6), have you found any difficulties in meeting the Act's requirements when using the Internet?
  2. What changes might be made to make compliance easier?

 

9. OTHER COMMENTS?

If you have any other comments to offer on the new data protection regime we should be pleased to have them. We should also welcome any available information about the financial implications of the new regime.

 

Please send your comments by post, fax or e-mail to:

Paul Henery
LGDP Unit
Room 1173
Home Office
50 Queen Anne's Gate,
London SW1H 9AT

Fax: 020 7273 3205

E-mail: Paul.Henery@homeoffice.gsi.gov.uk

The closing date for responses is 27 October 2000.

The 1998 Act and its subordinate legislation are also available

If you have any queries about this review, please ring Paul Henery on 020 7273 3723.

We may wish to make your response publicly available. Please make clear in your response if you do not wish us to do so.

 

 


© Crown Copyright