Purpose
1. The aims of the Directive are:
Options
2.1 There is no option not to legislate to implement the Directive, as its requirements go beyond those of the Data Protection Act 1984. However, member states have some discretion as to the level of implementation.
2.2 The Government considers that the risks posed to individuals are not appreciably different from those addressed in the 1984 Act which was itself based on an international standard, Council of Europe Convention 108. The use of new technology means that more data can be processed more quickly, but the Directive is intended to set a general framework which will apply whatever technology is used.
2.3 We therefore propose to give full effect to those Directive requirements which afford enhanced protection to data subjects without putting unjustified additional burdens on data controllers.
Benefits
3.1 Implementation of the Directive contributes to the Government's commitment to "bring rights home".
3.2 Data controllers will be able to trade with other EU countries, within a regime which applies to all controllers of personal data. We hope that they will welcome the clarity which the new law is intended to bring, and that all data controllers who notify the Supervisory Authority of the processing operations which they carry out will benefit from a simpler procedure for notification.
3.3 Data subjects will benefit from increased rights, notably in respect of subject access to structured manual records. They will also have increased scope to seek compensation and other redress in the courts.
Consultation
4.1 Public consultation on the implementation of the Directive in the UK was carried out between March and July 1996.
4.2 The Government's proposals were published on 31 July 1997. They were intended primarily for information, but 74 sets of comments were received.
4.3 For the compliance cost assessment 13 organisations were surveyed in August 1996 and again in June 1997. A larger survey of 84 private and voluntary sector organisations, of which 46 responded, was undertaken in July 1997 on the basis of the Government's published proposals.
Costs
5.1 The legislation will affect all sectors of the economy. Total costs for the economy have been calculated at £1,150m in start-up costs and £742m in recurring annual costs. Costs will fall on businesses of all sizes throughout the private sector. The compliance cost assessment shows that the measure is unlikely to have a significant impact on small businesses. There may be cost implications for some organisations within the voluntary sector. Both central and local government will be affected. The compliance cost exercise of August 1997 included a sample of government departments and other bodies.
5.2 Implementation will be phased in over three years from 24 October 1998, with a further six years for some provisions in respect of manual data. Start-up costs will not therefore all fall within one year.
5.3 There will be no direct cost implications for consumers ie data subjects.
Enforcement, sanctions, monitoring and review
6.1 The application of the new law will be monitored and enforced in the UK by the Data Protection Commissioner (formerly the Data Protection Registrar). The enforcement regime will broadly be based on the one which currently applies (ie a mixture of criminal offences and enforcement notices). There will be some stronger powers for the Commissioner.
6.2 Under current law only registered data users can be subject to enforcement for breach of the principles. In the future the principles will apply equally to all data controllers whether they notify their processing operations or not.
6.3 Under the Directive, law and practice in Member States will be monitored by a Working Party of Supervisory Authorities of the Member States. A Committee of Government representatives and the European Commission will have a limited role in enforcement in respect of data exports to third countries.
Home Office
December 1997
A REGULATORY APPRAISAL FOR THE IMPLEMENTATION OF DIRECTIVE 95/46/EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA (THE DATA PROTECTION DIRECTIVE).
Section 1: Purpose and intended effect of the proposal
1. With the establishment of a single market imminent and in the context of encouraging the free flow of personal data, a draft Directive was introduced in 1990. The Directive itself was adopted on 24 October 1995 with the following aims:
Section 2: Options
2.1 The Government's aim in implementation is to ensure the required level of protection for individuals without putting additional burdens onto data controllers.
2.2 The Directive has to be implemented by 24 October 1998. It provides a framework for national data protection laws and requires member states to determine more precisely how the provisions should be implemented in national law. At some points the Directive allows discretion as to the level at which protection is set, subject to a requirement that implementation should not result in a lessening of existing protection. There is no option to leave current legislation unchanged, because at some points the Directive goes further than the Data Protection Act 1984.
2.3 Council of Europe Convention 108 of 1981 on data protection established a common standard with which the 1984 Act was designed to comply. Technological innovations such as the internet and the increasingly wide-spread use of personal computers and laptops have made the means of processing personal data more widely available. It is therefore arguable that risks to data subjects have increased since 1984 when the Data Protection Act came into force. However, the Directive does not specifically address new technology. It sets a general framework which will apply irrespective of the technology used.
2.4 The risks currently posed to individuals by the processing of their data are not identifiably different in nature from those addressed in Council of Europe Convention 108 and the 1984 Act.
2.5 The main area in which the Directive differs from our current law is its inclusion of some manual records. As organisations increasingly computerise their records any risk posed by this means of processing is likely to diminish. The implementing measure will provide the additional protection required for manual records without creating unnecessary burdens.
Section 3: Benefits
Benefits for the Government
3.1 Through implementing the Directive the Government will benefit by contributing to its commitment to "bring rights home".
Benefits for the data controller
3.2 Implementation of the Directive will allow freedom to trade with other EU member states within a regime which applies to all controllers of personal data.
3.3 The Data Protection Commissioner's ability to enforce the data protection principles in respect of all controllers, not just those which are registered, should mean a more equitable system within the UK.
3.4 Compliance with good data protection practice should help organisations to improve their information management.
3.5 The current planning for a new system of notification is intended to produce a simpler procedure for those controllers who will be obliged, or who choose, to notify. There is some evidence from our survey that this could improve the viability of smaller organisations.
Benefits for the public i.e. data subjects
3.6 A stricter data protection regime should give data subjects increased confidence that their data are being appropriately handled within the UK, the EU and third countries.
3.7 Data subjects will have enhanced rights in some areas. These include:
3.8 The legislation will also bring within data protection law manual filing systems which are structured according to specific criteria relating to individuals and which allow easy access to the personal data. This definition will cover microfiche collections and sound and image data which are structured in this way.
3.9 Data subjects will also benefit from enhanced rights of compensation and redress in the courts when breaches of the law occur.
3.10 The new regime will also encourage good data protection practice. It will be a duty on the Supervisory Authority to promote this.
Section 4: Results of consultation
4.1 Initial consultation on the implementation of the Directive in the UK was by means of a Consultation Paper published in March 1996. The responses were used to inform the preparation of policy proposals.
4.2 The Government's proposals for legislation were published on 31 July 1997 by the Stationery Office.
4.3 To assess the costs to the private and voluntary sectors, and local government of compliance with the Directive, a sampling exercise was carried out in three separate stages.
The 13 organisations sampled in the first two stages ranged from sole traders with between two and seven staff to large organisations with several thousand employees. Also one trade body replied on behalf of its members. Sectors represented were manufacturing, services, retail businesses and charities.
4.4 The first stage in August 1996 was conducted through face-to-face interviews and over the telephone; the basis of the questions was the 1996 Consultation Paper. The second stage in June 1997 was conducted by telephone and took account of the Government's developing proposals.
4.5 The final stage used a questionnaire based on the proposals published on 31 July 1997. This time a wider range of organisations was sampled. The questionnaire was sent to 84 organisations chosen to give a representative sample of the private and voluntary sectors and of local government. 46 of them responded. The results of the Compliance Cost Assessment are summarised in paragraph 5.2 below, and set out more fully in the Annex to this appraisal.
4.6 In parallel with the main CCA exercise cost information was obtained from other Government Departments. These costs are also in the Annex.
Section 5: Compliance Cost Assessment
Sectors affected
5.1 The legislation will affect all organisations in the public, private and voluntary sectors which process personal data held either on a computer or in a structured manual filing system.
Compliance costs
5.2 Total compliance costs for the economy are estimated at £1,150m in start-up costs and £742m in recurring costs. A breakdown by different sectors is given in the Annex.
5.3 It should be noted that a 3 year transitional period is allowed after 24 October 1998 for compliance with the Directive in respect of existing processing, with a further 6 years for some provisions relating to manual data. The start-up costs are therefore unlikely to all arise in one financial year.
Section 6: Impact on small businesses
6.1 A sample of small businesses were consulted at every stage of the Compliance Cost Assessment. These included retailing, services and manufacturing organisations.
6.2 The consultation showed that the impact on small businesses was not likely to be significant. In particular many small businesses would not be required to notify their processing operations to the Data Protection Commissioner.
Section 7: Other costs
7.1 The legislation will not impose direct costs on consumers in their capacity as data subjects. However, businesses whose costs are significantly increased may pass them on in the form of higher prices to consumers. It is too soon to give any estimates of this. There may be increased costs for some voluntary organisations.
7.2 Implementation of the Directive will impose costs on both central and local Government. The earlier consultation referred to in paragraph 4.6 above suggested that the most significant cost impact would come from the inclusion of manual files within the scope of the legislation. However, this was on the assumption that all manual records containing personal data would be covered. In practice the definition of manual data in the Government's proposals follows the Directive more closely by covering only files structured by reference to the individual and capable of easy access. This will limit the cost implications of covering manual data.
Section 8: Enforcement, sanctions, monitoring and review
8.1 The Directive requires a judicial remedy for individuals for any breaches of the rights guaranteed in the legislation, and compensation for any damage suffered because of unlawful processing.
8.2 The Government intends to make limited changes to the current enforcement regime; responses to consultation suggest general support for the present approach.
8.3 The most significant change will be separating enforcement from notification. Under current legislation, only registered data users can be subject to enforcement action for breach of the data protection principles. In the future the principles will be enforceable against all data controllers, whether or not they notify their processing operations to the Data Protection Commissioner.
8.4 In accordance with the Directive's requirement for a supervisory authority, the law will be monitored in the UK by the Data Protection Registrar who will be renamed the Data Protection Commissioner. The Commissioner will have powers to investigate and to collect all the information necessary to perform his supervisory duties, and to issue enforcement notices, as now, where the principles are breached. He will also be able to engage in legal proceedings. There will also be a new power to issue information notices. Under this the Commissioner will be able to request information about a controller's processing operations, either where he has reasonable grounds for believing that the principles are or are likely to be breached or where he has received a request from a data subject to do so.
8.5 Enforcement notices will be more widely available for breaches of the principles. Enforcement notices against a data controller will, as now, be appealable to the Data Protection Tribunal and after that to the courts.
8.6 At a European level two bodies will be established. One, the Working Party referred to in Article 29 of the Directive will have members designated by the Supervisory Authorities of the member states. It is to have monitoring and advisory status and act independently. It will examine questions covering the application of national measures adopted to implement the Directive and give opinions on the level of protection in the Community and elsewhere. The other, the Committee referred to in Article 31 of the Directive, will have Government representatives from Member States and be chaired by a representative from the Commission. Its function will be to assist the Commission. It will have a limited enforcement role in respect of data exports to third countries.
Section 9: Summary and recommendations
9.1 The UK is obliged to implement Directive 95/46/EC by 24 October 1998. It already has working data protection legislation in the form of the 1984 Data Protection Act. This appraisal has addressed only the additional costs of implementing the Directive as set out in the Government's proposals published on 31 July 1997.
9.2 Implementation costs will fall on all sectors of the economy. The corresponding benefits for data subjects of subject access to some manual records, new rights to object to processing and new avenues for seeking redress will all be provided for in the new law.
9.3 The Government intends to keep the burdens on businesses and other organisations as light as possible, giving organisations clarity and certainty where possible but beyond that allowing them the freedom to operate efficiently.
9.4 The recommendation of this appraisal is that implementation should proceed following the proposals published on 31 July 1997.
Home Office
December 1997
ANNEX TO REGULATORY APPRAISAL FOR THE IMPLEMENTATION OF DIRECTIVE 95/46/EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA (THE DATA PROTECTION DIRECTIVE)
This annex contains estimates of the recurring and non-recurring costs to businesses, voluntary organisations, local government and central government of implementing the Directive. These costs are additional to those incurred in applying the existing law on data protection. They are based on a sample of 46 organisations from various sectors and of different sizes within the private and voluntary sectors and local government. Our survey of central government costs was carried out separately; details are given in paragraph 13.
Sampling base
2. The organisations surveyed were: six local authorities:
Costs to Business
3. These have been estimated at £ 630m p.a. recurring and £836m non-recurring. This compares with costs identified to business from the questionnaires of £ 45.1m p.a. recurring and £ 58.6m non-recurring. Five business sectors have been identified separately as likely to experience significant cost pressures. These are (a) manufacturing by large firms, (b) manufacturing by small firms, (c) financial service organisations dealing with individuals, (d) large organisations such as utilities, transport companies and large retailers which go in for "active marketing" as well as direct marketing firms and (e) retail newsagents.
4. The largest component of costs to business appears likely to fall on (d) with an estimated recurring cost of £ 302m p.a. and a non-recurring cost of £ 451m, both arising from contacts with customers ie through the Directive's requirements to give information to data subjects and to grant subject access. This estimate needs to be regarded with particular caution because of the low response rate from utilities, to offset which the total reported for them was inflated by a factor of ten.
5. Costs to financial service providers have been estimated at £ 149m p.a. recurring and £ 132m non-recurring. These too would arise from their contacts with customers. A similar but less powerful caution applies to these numbers as to those in the preceding paragraph.
6. Costs to small manufacturers arise from their relationship with employees. They have been estimated at £122m p.a. recurring and £ 153m non-recurring.
7. Recurring costs to retail newsagents appear to be small (£140,000 p.a.). However, non-recurring costs have been estimated at £ 11m.
8. Recurring costs to large manufacturers appear to be small (£320,000 p.a.). However non-recurring costs have been estimated at £ 12m.
9. It has been assumed that costs to other sectors will amount to 10% of the combined total for the five sectors identified separately. This reflects professional judgement necessary because firms in a number of sectors did not respond to repeated requests for information. This may reflect perceptions that the costs of the Directive to them are not significant. This calculation yielded the grand total for costs to business of £630m p.a. recurring and £836m non-recurring referred to in paragraph 2.
Small Business "Litmus Test"
10. 15 of the respondents were small businesses. They fell into three categories; small manufacturers, retail newsagents, and other small businesses (pharmacists, other retailers and providers of IT services). There was no evidence of additional costs in the last category. By contrast, some small manufacturers appeared to expect costs; these appeared to be unrelated to the relative size of the organisations concerned. (The figures in paragraph 5 reflect this, being derived from the mean estimate of costs from small manufacturer respondents multiplied by the 150,000 manufacturing enterprises with fewer than 500 employees recorded in Table 6 on pages 60 and 61 of Size Analysis of United Kingdom Businesses - approximately 150,000; the same approach was applied to large manufacturers to produce the estimates in paragraph 7). Similarly, newsagents' costs were estimated by applying the mean cost reported to all 25,000 members of the Federation of Retail Newsagents. It should be noted that no small business predicted costs in excess of £ 10,000 p.a. recurring or £ 10,000 non-recurring and the majority expected no costs at all.
Charities/Voluntary Organisations
11. 5 charities responded to the questionnaire. 3 did not identify any cost implications. Informal advice from the Charity Commission was that around 1,200 charities (out of a total of 182,000) would experience significant cost pressures. Accordingly, to provide a rough estimate of the costs to the sector as a whole, the figures from the other two have been multiplied by 600. This yielded a recurring cost of £37m p.a. and a non-recurring cost of £120m. These costs appear to be significant though not disproportionate in relation to those incurred by business.
Local Government
12. Costs to local government were estimated through two routes. Six local authorities of varying sizes returned questionnaires and the mean estimate was adjusted to cover all 471 local authorities. This gave recurring costs of £ 26.9m p.a. and non-recurring costs of £ 97.3 m. In addition an estimate was supplied by an organisation representing secondary schools . This was multiplied by three to include primary schools. The combined totals were £ 29.1m p.a. recurring and £ 104m non-recurring. These do not appear to be disproportionate as against the cost to business of £ 630m p.a. recurring and £836m recurring set out above or, indeed, those to central government set out below.
Central Government
13. Total start-up costs for central government were estimated at £89.7m, with recurring annual costs of £45.9m. The sampling base was 29 Government Departments, including those with the largest budgets and staff numbers. The estimates included costs to executive agencies and NDPBs where appropriate. The highest start-up cost was £59m and the lowest £0.010m; 12 departments were below £1m. The highest recurring cost was £23m and the lowest was nil; 13 departments were below £0.2m. Some departments submitted a range of figures reflecting uncertainties about the implications of the legislation. The figures used reflect the lower figures based on the more restrictive definition of manual data included in the Bill. The higher end of the ranges was 3% above this.
Overall Economic Costs
14. These are set out in the table below by broad sector. The annual recurring cost is £742m p.a. and the non-recurring costs are £1,150m.
Overall Economic Costs of Implementation
| Sector | Recurring Costs £M p.a. | Non-recurring Costs £M |
| Business | 630 | 836 |
| (of which attributable to small business) | (122) | (164) |
| Charities/ Voluntary Organisations |
37 | 120 |
| Local Government | 29 | 104 |
| Central Government | 46 | 90 |
| Total | 742 | 1,150 |