Department for Constitutional Affairs

Data Protection Act 1998: Post-Implementation Appraisal

Summary of Responses to September 2000 Consultation

December 2001



Introduction

In September 2000, some 6 months after the Data Protection Act 1998 came into force, the Home Office carried out a public consultation exercise to help it make an early appraisal of the Act's impact. Work on the appraisal had not been completed when responsibility for data protection was transferred from the Home Office to the Lord Chancellor's Department under the post-election machinery of Government changes. As the appraisal questionnaire explained, part of the purpose of the appraisal was to inform the United Kingdom's approach to the European Commission's first report on the implementation of the EC Data Protection Directive (Directive 95/46/EC), which was due in October 2001. The Commission's report has been delayed. Until the timing of the Commission's report is clearer, the Government is deferring completion of the appraisal of the 1998 Act. This will allow any additional lessons learned from the continuing experience with the 1998 Act, as well as any other relevant developments, to be taken into account.

The Government thinks it would be helpful, however, to make available now a summary of the responses to the consultation exercise. There were about 100 responses including a detailed paper from the Data Protection Commissioner (who has since become the Information Commissioner and is subsequently referred to by that name in this paper). Part A of this paper contains a brief summary of the main points raised in the responses other than that of the Commissioner. Part B summarises the comments made by the Commissioner. Her comments are summarised separately because of her unique position as the supervisory authority for the 1998 Act. A list of all the respondents who offered comments is attached at the Annex.

If you require further information about the responses to the consultation exercise, please contact:

Paul Henery
Freedom of Information and Data Protection Division
Lord Chancellor's Department
Selborne House
54 Victoria Street
London SW1E 6QW

Tel: 020-7210 8753



A: Comments of Respondents other than the Information Commissioner

Scope and Definitions

(a) Is it clear what manual records are caught?

Some respondents had problems understanding what constituted a "relevant filing system" and felt that further guidance was needed.

(b) Is the definition of "personal data" clear?

Some respondents had difficulty with the definition. For example, how could controllers tell whether identifying particulars were "likely to come into" their possession?

There was a suggestion that personal data protected during a person's life should not lose that protection immediately upon the person's death.

It was also suggested that, like the Data Protection Act 1984, the Act should apply only to data processed "by reference to the data subject".

(c) Is the relationship between the "data controller" and the "data processor" clear?

Some respondents felt that the relationship was unclear, particularly where an organisation was large and complex, such as the National Health Service, or where complex financial and legal relationships exist, such as in the insurance sector. Other areas of difficulty included the relationship between the Crown Prosecution Service and counsel, and that between a pupil master and his pupil.



Data Protection Principles

(a) Are the conditions for processing clear and useful?

There were concerns about the interpretation of a number of the terms used, in particular "consent". Definitions of 'consent' and 'explicit consent' would be welcome.

A number of respondents were uncertain when a condition other than consent can be relied upon. Some also saw a problem when consent has to be given on behalf of another person, for example a minor.

Some respondents thought that the conditions were unnecessarily wide. A specific example related to health records where it was suggested that confidentiality and the interests of patients were not best served by the width of the conditions.

(b) Is it clear that satisfying the conditions does not discharge the requirement to comply with the Principles?

The majority of respondents realised that this was the case. However, it was suggested that clarity would be improved if the First Principle requirements to process fairly and to process lawfully were separated.

(c) Is it clear what information has to be provided to data subjects and when?

(d) Are there any practical difficulties with the provision of information?

Definitional problems were raised by a number of respondents: clarification was sought on the meaning of "relevant time", "disproportionate effort", "at that time" (Schedule 1, Part II, para. 2(2)(b)) and "any further information" (Schedule 1, Part II, para. 2(3)(d)).

A number of the responses were concerned with procedural matters such as the correct course of action in particular situations. One respondent suggested that there should be a Code of Practice covering this area.

A number of respondents felt that there were real practical problems in meeting some of the obligations imposed by the Act. It was felt that compliance was impracticable when there was a large volume of data and the relationship with the data subject was remote. Even relatively hands-on relationships caused problems. Examples were out-patients and emergency cases in the NHS.

There was concern over the economic impact of the provision of information. As well as the cost of providing the information, the provision of the information on the telephone when selling a service or product measurably resulted in abandoned calls and lost sales; and it was difficult to incorporate the information into written material (e.g. for charitable appeals) in a way which was not off-putting.



Sensitive data

(a) Are the categories of sensitive data appropriate?

Some respondents suggested additions to the "sensitive data" category (e.g. sensitive occupations, digital signatures and financial information). There was a suggestion that trade union membership should be removed.

Problems of interpretation included:

(b) Are the conditions for processing sensitive data appropriate?

There was some concern among respondents that the conditions restricted necessary processing. For example, there is an impediment to processing for insurance purposes involving several people (e.g. group travel insurance), since the explicit consent of all the data subjects is needed. It was also unclear whether the processing of data on ethnic origin for the purposes of equal opportunity monitoring is permitted. A case was seen for resolving some of the difficulties through subordinate legislation.

There was a suggestion that a problem arises when information is spontaneously provided by the data subject. It was felt that the fact that the data subject had provided them should be a sufficient ground for processing the data (i.e. there should be no need to seek "explicit" consent).



Data Subjects' Rights

(a) Are the rights of data subjects sufficiently clear?

The majority of respondents felt that the rights of data subjects were sufficiently clear. Some controllers were concerned about being swamped by subject access requests. However, other respondents thought that the rights were not sufficiently publicised.

Clarification was sought of certain terms and concepts: "reasonable" (s.7(4)-(6)); "unwarranted substantial damage or substantial distress" (s.10(1)); and the scope of the right to prevent direct marketing.

Some extension of existing rights was suggested. For example, data subjects should be entitled to be informed of their right to object to fully automated decisions being made about them. There should be a right to compensation where breaches of the Act result in distress.

(b) Are the revised arrangements for subject access satisfactory?

There was concern about the level of the subject access fee. Some respondents felt that the present fee was too low compared to what was often a large amount of work involved in providing access. There was particular concern about the arrangements in the health sector. Some felt the £50 maximum for access to manual health records disadvantaged data subjects. Others were concerned about the possible reduction to £10 from October 2001. [NOTE: An order has been made retaining the fee at £50 for the time being. The Government will work with the Information Commissioner, in consultation with other key interests, with the aim of finding a long-term solution.]

(c) Is the scope of the exemptions from subject access satisfactory?

Suggestions were made for clarification and/or extension of the present arrangements for:



Notification

(a) Are there any problems with the categories of information to be notified to the Commissioner?

Most respondents felt that there were no significant problems.

(b) Do the procedural arrangements as provided for in the legislation work?

Again, respondents were generally content, but one suggestion was that the notification period (one year) should be the same as the previous registration period (three years).

One respondent suggested that notification did not contribute to the protection of personal data.

(c) Is it useful to have the exemptions?

The majority of respondents approved of the exemptions. Concern was expressed about whether small sports clubs were exempt; and that barristers were not.

(d) Is it easy to decide whether you benefit from an exemption?

While both the information about exemptions on the Information Commissioner's website and in the notification handbook issued by the Commissioner were thought to be helpful, some respondents still felt that there was a lack of clarity.

(e) Do the standard purposes cover all routine processing?

The majority of respondents were content that all routine processing was covered, but it was suggested that 'research' should be added.



International transfers

(a) Has the rule in relation to international transfers restricted your transfer of personal data outside the EEA, including via the Internet?

It was felt by some respondents that the rules in this area were not easily understandable and that problems were likely to increase with the growth of e-business. However, the 'safe harbour' agreement with the USA was welcomed.

It was suggested that a model contract for data exports should be available on a website. [NOTE: Information about the European Commission's work on standard contractual clauses for data exports is available.]

(b) Do you find assessing adequacy difficult?

It was suggested that there was a need for guidance on the assessment of adequacy. Against this, there was a view that controllers should not be circumscribed in making decisions about adequacy.

(c) Are the exemptions clear and useful?

Most respondents found the exemptions to be clear and useful.



Compliance

Are the Commissioner's powers appropriate?

Most respondents who commented on this question felt that the Commissioner should have stronger powers (and more resources). A number of the specific suggestions related to her powers to conduct assessments.

One respondent suggested that the Commissioner's powers to issue Codes of Practice diminished controllers' freedom to interpret the legislation.



New Technology

(a) With the exception of international transfers, have you found difficulties in meeting the Act's requirements when using the Internet?

(b) What changes are needed to make compliance easier?

The main concern expressed by respondents in this area related to the speed with which technology may have overtaken the provisions of the Act. This was reflected in a number of practical problems being highlighted with regard to encryption and security, and the way in which sensitive information can be routinely processed on the Internet.



Other comments

Other points made included:



B: Comments of the Information Commissioner

Since the specific questions asked by the Home Office appear to be directed primarily to data controllers, the Commissioner's response follows a different format. It looks first at the Directive, then at the form of the UK law implementing the Directive, and finally at some specific problems with the 1998 Act. The Commissioner makes clear that there is much that she welcomes in the new law.

The Directive

The Directive does not always protect privacy in the most effective or efficient way. The Commissioner favours a simpler, more flexible and less prescriptive instrument.

Article 4: The extra-territorial provision is hard to justify and makes little sense.

Article 8: The concept of "sensitive data" is misguided. Sensitivity depends on context. It is best addressed by appropriate interpretation of the data protection principles. The conditions for processing sensitive data do not achieve their aim.

Article 11: The provision made as to the time at which information must be given to individuals is flawed.

Article 15: The justification for this Article is unclear.

Article 17: The requirement for there always to be a written contract when a controller uses a processor is overly prescriptive.

Article 18: The notification provisions impose burdens which are disproportionate to any benefits. If retained, they should be limited to the provision of details about controllers and the nature of their business.

Article 25: The requirement for "adequate" protection in third countries is sound, but the provisions relating to trans-border data flows are over-prescriptive and place undue emphasis on centralised decision-making.



Implementation in the UK

The 1998 Act could have been less complex and less burdensome for business while providing individuals with simpler, more effective rights.

Section 13: Compensation should be available for contraventions of the Act which cause distress even if there is no damage.

Section 22: No "assessable processing" should be designated.

Section 23: The Government should keep open the possibility of an order providing for the appointment of data protection supervisors.

Section 32: The exemption for freedom of expression is particularly difficult to understand.

Section 34: The exemption for information required to be published is very wide and has no obvious basis in the Directive.

Section 42: The Commissioner should have discretion whether or not to carry out an assessment.

Section 51: The Commissioner should be empowered to carry out data protection "audits" without the consent of the data controller.

Section 59: The restrictions (backed by a criminal penalty) on the disclosure of information imposed on the Commissioner are disproportionate.

Section 60: It should be an offence for data controllers knowingly or recklessly to breach the data protection principles to a significant degree.

Schedule 1: The first data protection principle should be restructured to make its different elements clearer.

Schedule 3: Additional "gateways" for the processing of sensitive data without explicit consent are needed. This is a priority for the Commissioner.



Data Protection Act 1998

Section 1: Inconsistencies between some definitions in the Act and those in the Directive cause lack of clarity. The definition of "relevant filing system" is a particular problem.

Section 7: There should be a consistent approach to subject access fees. [NOTE: See NOTE in Section 4 of Part A of this paper.]

Section 12: The terminology used is, unhelpfully, different from that in the Directive.

Section 16: Allowing controllers to choose whether or not to include details of their processing which is exempt from notification is unhelpful. There should be a simple statement pre-entered in every register entry to cover this.

Section 36: The exemption for domestic purposes should be limited to processing which does not prejudice the rights and freedoms or legitimate interests of others.

Section 53: The Commissioner's power to assist individuals in proceedings under the Act should not be limited to "special purposes" cases.

Section 56: The Commissioner may, when she has further evidence, wish to seek an extension of the scope of the prohibition of enforced subject access to cover health records.

Section 57: This provision seems redundant.

Schedule 1, Part II, Paragraph 3: The conditions set out in the Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 are cumbersome and onerous.



ANNEX

RESPONDENTS TO CONSULTATION EXERCISE

Organisations

Association of British Insurers
Association of Chief Police Officers in Scotland
Association of Community Health Councils
Association of Litigation and Risk Management
Association of Personal Injury Lawyers
Association of Security Consultants
Avon & Western Wiltshire Mental Health Care Trust
Avon Health Authority
Ayrshire & Arran Acute Hospitals NHS Trust
Barclays Plc
BBC
Blackburn, Hyndburn & Ribble Valley NHS Trust
Brighton Health Care NHS Trust
British Airways
British Bankers' Association
British Computer Society
British Medical Association
British Security Industry Association
Budget Group of Companies
Central Council of Physical Recreation
Church of England
Clackmannanshire Council
CBI
Council of Mortgage Lenders
Council on Tribunals
County Hospital, Hereford
Coventry Community Health Council
CIFAS
Department for Education & Employment
Department of Trade & Industry
Devon & Cornwall Constabulary
Direct Marketing Association
Doncaster Royal and Montagu Hospital
Doncaster Royal Infirmary
Eastbourne Hospitals NHS Trust
Electricity Association
IHS Energy
Experian
Factors and Discounters Association
Fife Primary Care NHS Trust
Forth Valley Primary Care NHS Trust
General Council of the Bar
Grampian Primary Care NHS Trust
Health & Safety Executive
Hereford Hospitals NHS Trust
Independent Healthcare Association
Information Commissioner
Information Management in Voluntary Organisations
Institute of Health Record Information & Management
Ipswich NHS Trust
Joint Security Industry Council
JUSTICE
Kings Mill Centre for Health Care Services
Kneesworth House Hospital
Lanarkshire Acute Hospitals NHS Trust
Lanarkshire Primary Care NHS Trust
Leeds City Council
Mail Order Traders' Association
Ministry of Defence
NHS Executive
NHS in Scotland
National Pharmaceutical Association
Nationwide
New Cross Hospital, Wolverhampton
Newspaper Society
North Bristol NHS Trust
Northern Devon Healthcare NHS Trust
North Manchester Healthcare NHS Trust
Northampton General Hospital NHS Trust
Nottingham City Hospital NHS Trust
Office for National Statistics
Papworth Hospital
Prudential
Renfrewshire & Inverclyde Primary Care NHS Trust
Royal Bournemouth Hospital
Royal Society for the Prevention of Cruelty to Animals
Scottish Borders Council
Security Design International Ltd
Security International Ltd
Society of Editors
South Buckinghamshire NHS Trust
South Devon Healthcare NHS Trust
South Durham Health Care NHS Trust
Southern Derbyshire Community Health Services NHS Trust
SPC
St Andrews Hospital, Northampton
Standard Life
Surrey Hampshire Borders NHS Trust
Swindon and Marlborough NHS Trust
Vodafone
Westwood Hospital
Wirral Hospital
Wycombe General Hospital

Individuals

Keith Batchelor
Deryck Beyleveld
Martin Hoskins

© Crown Copyright