In 1969 the Data Surveillance Bill was introduced in the House of Commons by Kenneth Baker MP. This proposal, in common with a number of other Private Members' Bills introduced during the 1970's and early 1980's never appeared likely to reach the statute book. Had its fate been different, the United Kingdom would have been the first country in the world to enact data protection legislation. In the event, that honour went to Germany where the state of Hesse enacted legislation in 1970. Sweden followed with the first national statute in 1973 whilst United Kingdom legislation, in the form of the Data Protection Act, did not reach the statute book until 1984.
The fact that legislation appeared first in Germany and Sweden might be explained by differing historical factors. In Germany, awareness from the time of the Nazi era of the dangers arising from personal records was a major factor behind the decision to legislate in the early stages of the computer revolution. Indeed, legislative initiatives have continued in Germany. In 1986 the Hessian legislature enacted its third data protection statute, a number of other states have also legislated in the field whilst two national statutes have been enacted in 1974 and 1990. If the German legislation can be seen as based upon a recognition of the need to control the activities of data users, the Swedish legislation fell naturally into a tradition of openness in record keeping and the operation of principles of subject access. The lengthy struggle for the enactment of data protection legislation in the United Kingdom, coupled with problems encountered in the operation of the statute might suggest that the concept fits uneasily into the political and legal landscape.
Within the United Kingdom the data protection tide ebbed and flowed during the 1970's. In 1972 the Committee on Privacy - which had been appointed by the government in 1970 in return for the dropping of a well supported but unwelcome (to the government) private members' bill seeking to establish a statutory right to privacy, devoted a chapter of its report to the privacy implications arising from computer use. The committee, whose remit was confined to the private sector[1], identified the potential dangers discussed in the previous chapter but rejected the call for legislative intervention, concluding that these could be averted by compliance with a voluntary code containing ten principles. The view that legislation was unnecessary lasted only until 1975 when a White Paper was published entitled Computers and Privacy. This announced that "In the Government's view the time has come when those who use computers to handle personal information can no longer remain the sole judges of whether their own systems adequately safeguard privacy"[2]. An intention to legislate was announced and a further committee, the Committee on Data Protection, appointed to advise the Government on the precise form that such a statute should take.
The Committee's report was published in 1978. It joined the Committee on Privacy in recommending that users should comply with a number of data protection principles although the merging of a number of the earlier formulations reduced the total number to seven. Recognising that general statements of principle would require to be interpreted in the context of specific applications and users it was recommended that the principles should be supplemented by some 50 statutory codes of practice. Compliance would be secured through the appointment of a two tiered supervisory agency. A full time Data Protection Executive would oversee the day to day functioning of the legislation whilst a Data Protection Authority - with a membership selected as representative of the various interests involved in data processing - would assume executive responsibility for the new regime.
The report of the Committee on Data Protection is a voluminous document extending to 460 pages. As such, it is perhaps the most extensive study of the issues involved ever conducted. Its impact, however, on subsequent legislative developments has been minimal. In a White Paper published on the topic in 1982, the Committee's report was considered to constitute only "very helpful background information". More respect was afforded to the report of the Committee on Privacy which devoted only 15 pages to the implications of computerisation; the Home Secretary stating in answer to a Parliamentary question that "(t)he Government accepts as a starting point the recommendations of the (Committee on Privacy) ... Our intention is that the legislation should incorporate and so far as possible give effect to these principles" (Official Report (House of Commons) 19 March 1981, Col 161).
Although deference was shown to the work of the Committee on Privacy, the fact that a Data Protection Bill was introduced in 1982 undoubtedly owes more to international developments and concern for the economic interests of United Kingdom based data users than for the interests of individual data subjects.
Following the German and Swedish initiatives, data protection statutes mushroomed throughout western Europe. As states introduced controls over data processing operations located within their own territories, so concern mounted at the possible establishment of data havens. In the same way that funds might be transferred out of one state into another with a more lenient tax regime, so data users might be tempted to transfer data abroad in order to engage in processing which would be unlawful under their national regime. Apart from the possible circumvention of national laws, there was also a concern that the absence of data protection statutes in countries such as the United Kingdom might constitute a factor persuading multi-national undertakings to locate investment in a jurisdiction which would impose no controls over their data processing operations.
The negotiation and introduction of the Council of Europe Convention on the Automated Processing of Personal Data can be identified as a response to these concerns. The Convention lays down standards to be observed in national laws and binds signatories to refrain from erecting any barriers to the transfer of personal data to another signatory state on the ground of protecting individual privacy. The unwritten threat was that sanctions might be imposed against transfers to non-signatory states and, indeed, in the lead up to the enactment of the Data Protection Act, incidents were recounted of United Kingdom based firms losing contracts because of a refusal by national data protection authorities in France and Sweden to sanction the transfer of personal data.
The entry into force of the Council of Europe convention brought pressure from representatives of industry for legislation to be introduced enabling the United Kingdom to sign and ratify the instrument. These commercial pressures succeeded where civil libertarian concerns had failed. A Data Protection Bill was introduced into the House of Lords in 1982 only to be lost with the dissolution of Parliament prior to a general election in 1983. The Bill was reintroduced in the autumn of 1983 and ultimately received the Royal Assent in 1984.
One of the leading actors in the data protection field, Professor Spiro Simitis, formerly Data Protection Commissioner in Hesse, has commented that data protection statutes have an effective life span of seven years. After this, it is argued, changes in technology and practices renders them obsolete. By this standard, the Data Protection Act's retirement is somewhat overdue. Paradoxically, given that it was enacted because of external influences, international factors are now hindering its amendment. In 1989 the Data Protection Registrar conducted a consultation exercise and published proposals for reform of the legislation. In 1990 proposals for a European Directive were published. It was originally envisaged that the proposals would be enacted and implemented in Member States by January 1993. Enactment of the Directive in anything like the form proposed would require significant amendment to the Data Protection Act and there has been an understandable reluctance to make what could be short lived amendments whilst the shape and future of the European proposals remained uncertain. It would now appear that the dates for enactment and implementation have slipped to 1995 to 1997 and the Registrar has indicated that any further slippage in the timetable would make independent domestic reform a matter of some urgency.
The criterion for the Act's application is that a data user[3] should process personal data relating to one or more data subjects. In common with almost all European data protection regimes, the Act establishes an independent supervisory authority in the form of the Data Protection Registrar. It is further provided that the Registrar is to be assisted by a Deputy Registrar and an unspecified number of other staff to be appointed by the Registrar with the consent of the Treasury. At present some 90 permanent staff are so employed. Any decisions made by the Registrar which affect a data user adversely may be appealed to a Data Protection Tribunal consisting of a legally qualified chairman and deputy chairmen and representatives of data users and data subjects. All data users are obliged to register details of their activities, the information being entered onto the Data Protection Register. Subsequent to registration, users are required to ensure that their processing activities conform with eight data protection principles and face a variety of administrative, civil or even criminal sanctions in the event of any failure.
There is no doubt that the Data Protection Act is intended to regulate electronic or computerised data processing. Perhaps wisely, the Act, in common with virtually all statutory interventions in the computer related field, eschews any definition of "computer" and indeed the word itself appears only in a peripheral context. Instead the legislation talks in terms of the processing of personal data by "equipment operating automatically in response to instructions given for that purpose" (Section 1(2)). This definition certainly encompasses all computer applications. In the 1970's and even in the early 1980's this would have made up a comparatively small constituency. Reference has previously been made to the 9,000,000 personal computers in use in the United Kingdom. All of these, plus the vast number of electronic personal organisers possessed by every would be entrepreneur or manager are eminently capable of processing personal data. The Data Protection Act's definition is even sufficiently broad to include a number of non-computer related functions. Many homes possess a form of telephone directory where names and numbers are written on cards stored in alphabetical order and the act of depressing a key on the outer surface causes the directory to open at the appropriate place. Such a method of operation will constitute processing under the statutory definition.
The legislation does provide for a number of operations and users to enjoy total or partial exemption. Most significantly in numerical terms, those processing only for social or domestic purposes will incur no obligations under the Act. A number of other exemptions are provided for in the legislation although these are hedged with so many conditions and proviso's that the Registrar has expressed the view that they are unlikely to benefit any but the smallest users. In principle, the fact that millions of persons and organisations are subject to legislation poses no difficulties. What makes the effect on the data protection regime problematic is the requirement imposed upon all data users to register details of their activities with the Data Protection Registrar and pay a fee of [[sterling]]75 for a registration valid for three years[4]. Although it was argued by the Government that the introduction of a system of near universal registration was necessary in order to conform with the requirement of the Convention, it is now generally recognised that this is not the case and it would suffice to impose on at least smaller-scale data users a requirement that they comply with the substantive provisions of the legislation.
Faced with a situation where the cost of registration may exceed that of the equipment involved, it is not surprising that evasion has been widespread. As last reported, the Data Protection Register contains 188,766 entries. An unregistered user who processes personal data will commit a criminal offence. Although it is impossible to ascertain the exact number of those who are liable to register under the Act there can be no doubt that a very significant number of data users have failed to register. To date, (Insert number) of data users have been prosecuted for failure to register. Organisations involved include Levi Strauss Jeans, the Spectator magazine and the International Society for Krishna Consciousness. A cynic might query whether the activities of organisations such as these are likely to pose significant threats to individual rights. Although the widespread evasion of the registration requirements may not pose significant threats to individuals, knowledge of its occurrence must serve to bring the legislation into a measure of disrepute. The Registrar's review of the legislation advocated considerable pruning of the registration requirements so as to remove 90% of those currently on the Register although this would have the effect of increasing very significantly the fees charged to his remaining clients.
A more controversial exemption excludes any data processing which is conducted in connection with national security. A certificate by a Minister to this effect is conclusive evidence on the point (Section 27). In line with traditional practice, this term is not defined and there may be difficulty in determining where national security ends and policing - which is covered by the legislation albeit subject to some exceptions - begins. The recent dispute between the Special Branch and MI5 over which organisation should enjoy primacy in the campaign against the activities of the IRA in mainland Britain indicates how blurred may be the boundary between the two activities. For the purposes of the Data Protection Act, of course, it is the activity rather than the organisation which is important but a further complicating factor is that the ministerial certificates referred to above are not issued in advance but will only be provided in the event that the Registrar indicates an intention to take any action against a particular user
The approach adopted in the United Kingdom legislation may not conform with the requirements of the European Convention. Although this recognises the special requirements of national security it sanctions only such "derogation" as "constitutes a necessary measure in a democratic society" (Article 9(2)). The same formulation is found in the European Convention of Human Rights and case law under this instrument indicates that total exclusion will seldom be an acceptable option. In a number of other signatory states, procedures have been adopted whereby national security data is exempted from aspects of the legislation, especially those concerned with conferring access rights upon data subjects, but remain subject to the scrutiny of the supervisory agency. By eschewing such an option the United Kingdom authorities may have failed to comply with their Treaty obligations although the data processing Convention, unlike its human rights predecessor, makes no provision for national actions to be challenged before the Commission and Court of Human Rights.
Personal data is defined as any data relating to a living, identifiable individual. It is provided further that this includes any statements of opinion which may be recorded concerning the data subject but excludes any statement of the intentions which the user may hold relating to the subject (Section 1(3)).
The question whether a subject is alive or dead may be expected to pose few problems but the remaining aspects of the definition are fraught with problems. The opinion/intention distinction in the data protection field has proved almost as impenetrable as the idea/expression dichotomy in the copyright arena. The explanation put forward by the government at the time of the Act's passage was that statements of intention belonged to the responsible user rather than to the subject. This view is not without merit but it is difficult to see how any different conclusion can be drawn concerning opinions. Even the Data Protection Registrar commented in his review of the Act in 1989that "it is not at all clear what the distinction is between an opinion and an intention" and has recommended its repeal. Enactment and implementation of the proposed European Union Directive would have this effect in bringing all information relating to an individual within the scope of the legislation.
Another problematic issue concerns the question when individuals may be considered identifiable. Clearly this must be the case if they are referred to by name. Names, however, are an inefficient form of identifier. A glance at any telephone directory will reveal the number of people who share the same or a similar name. Even a single person may be referred to in a variety of ways using various combinations of names and initials. It is also possible that individuals may, quite lawfully, determine to change their name. Numbers provide a more accurate form of identifier. In some countries individuals are allocated a personal identification number at birth, this number being used throughout the individuals life. In terms of administrative efficiency, such a system offers many advantages. It also offers the prospect of very efficient correlation of information held by a number of parties and in a number of countries proposals for the introduction of such a system have been dropped following public criticism of the adverse implications for individual privacy. No single system of personal identifiers operates in the United Kingdom, but there is no doubt that where information is held by reference to bank account numbers, national insurance numbers or any other form of identifier, the Act will apply. The question whether an individual is to be considered identifiable is also linked to the definition of processing. Here the Act refers to activities involving "amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject" (Section 1(7)).
The operations defined above are basic computing functions and it is doubted whether any act involving a computer will not constitute processing. The limiting factor is that the processing must be conducted "by reference to the data subject". A user can hold an unlimited amount of personal data without the legislation coming into play. An example might concern the storage of copies of newspapers on electronic format. Any issue of a newspaper will contain a significant amount of personal data. The act of loading a copy onto a data base will not be conducted by reference to any particular data subject and so will not fall within the scope of the Act. Assuming, however, that the data base permits a user to search by reference to names so that it is possible to retrieve all stories relating to a particular individual, processing as defined in the Data Protection Act will occur. Use of a computerised legal retrieval service which permits a user to search by reference to the names of parties involved in cases will involve processing.
Beyond the situation where information is sought about one individual, where data is processed by reference to some form of identifier, e.g. all people born in the year 1955, processing will be assumed to have taken place with reference to each individual whose data falls within the search parameters. In the first cases dealt with by the Data Protection Tribunal, the processing operations of credit reference agencies were challenged by the Registrar. Credit reference agencies have traditionally retrieved data by reference to address rather than by name. This form of processing might well retrieve information on a number of past and present residents. Although almost every other aspect of the Registrar's actions were challeneged before the Tribunal, the fact that processing of personal data had taken place was not in dispute.
The major continuing duty imposed on the Registrar is to ensure that users comply with eight data protection principles. These require that:
The data protection principles serve as a technical equivalent to the Ten Commandments in providing provide general statements of acceptable computer practice. A number of these might be regarded as self-evident. It would be a masochistic data user who deliberately held inaccurate or out of date data. In common with all generalities, the data protection principles will require to be interpreted in the context of particular forms of data processing. In a number of cases codes of practice have been promulgated by trade or professional associations providing interpretative guidance in the context of particular applications. Such codes are purely voluntary documents although the fact of compliance or non-compliance with a relevant code may have evidentiary value in any dispute concerning the acceptability of a user's behaviour.
In terms of altering the behaviour of data users, three aspects may be identified as worthy of more detailed consideration. The logical starting point concerns the manner in which data is acquired, this is followed by issues concerning the permitted use and disclosure of data and, finally, attention must be paid to the operation of and exceptions to the subject access provisions.
The first data protection principle requires that data be obtained and processed fairly and lawfully. A significant exception to the application of this principle occurs when data is obtained in connection with the prevention or detection of crime, the apprehension or prosecution of offenders or the collection or assessment of any tax or duty; it being provided that the Registrar may take no action against the user on the basis of a breach of the first principle where this would be likely to prejudice the attainment of the purpose in question (Section 28(4)). The justification put forward for the exemption is that the nature of policing activities entails that data may be received which has been acquired in what may be regarded as dubious circumstances. Whilst this view has considerable merit, it may be that the matter would be dealt with better by providing a detailed definition of the principle than by excluding its operation, especially for the situations where data was obtained unlawfully. The breadth of the exception is rendered more objectionable by the fact that registration in connection with policing purposes is not restricted to police forces. Although anyone obtaining information unlawfully may face sanctions in respect of this, denying the Registrar the discretion to act in such cases diminishes the role and status of the Data Protection Act.
Another aspect of fair obtaining relates to the fourth data protection principle which requires that the data held should not be excessive in relation to the purpose for which it is held. As has been stated previously, the enhanced storage potential created by the computer may tempt users to collect as much information as possible against the eventuality that they may find use for it. The fourth principle should cause them to guard against this temptation. An illustration of its operation can be taken from the decisions of the Data Protection Tribunal in a number of cases concerned with the operation of the Community Charge[5]. A key feature of the system involved the compilation of registers of those liable to pay the tax. As a single charge was levied upon all taxpayers, the information required by statute to be held on the registers was limited to a record of the taxpayer's name and address. A number of authorities sought to include additional items of information on their computerised registers. This resulted in the service by the Data Protection Registrar of a number of enforcement notices. These notices were upheld by the Tribunal. Examples of categories of information whose acquisition and storage was held to be unlawful included dates of birth and the kind of property where the taxpayer was resident. Significantly, the fact that taxpayers - who supplied the information making up the registers - were informed in a number of cases that they were not required to supply additional items of information was not regarded as providing any form of defence.
Beyond controlling the manner in which information is obtained, the data protection principles require that processing be conducted fairly and lawfully. Again, it is the criterion of fairness which gives rise to most problems. Action taken by the Registrar against the major credit reference agencies alleging breaches of this principle resulted in the first cases to be heard by the Data Protection Tribunal.
The function of a credit reference agency is to acquire information relevant to a determination of an individual's credit worthiness and to make this available to those who are considering extending credit facilities to that person. The nature of the agencies' operations was that information was recorded by reference to address rather than to an individual's name. Extracting information on this basis in the context of a credit application made by one individual would also retrieve information about any other persons who were or had been resident at the address. The Registrar alleged that this form of processing contravened the first data protection principle and served an enforcement notice upon each of the four major credit reference agencies involved requiring cessation of the practice.
Although all the agencies operated in a similar fashion, their appeals were heard separately before the Tribunal with different issues being raised (and in large part rejected) in each case[6]. An initial claim was that the practice of retrieving information by reference to address was justifiable as there was a statistical correlation between past defaults and the likelihood that another person resident at the same address would act in like fashion. This claim did not find favour with the Tribunal. Although it accepted that such a correlation might exist at the general level, it had no predictive value in respect of the particular individual whose credit application was being considered. A further argument sought to impose limits on the definition of processing as contained in the Act. This referred to the "amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data". The first data protection principle would be infringed if processing was unfair. The principle, it was argued made no reference to the use to which the data was put but stopped at the stage of its extraction. The extraction of data was a neutral process and could not, it was submitted, be stigmatised as unfair. Such an interpretation would serve to rob the first principle of much of its effect. The Tribunal were of a different opinion. Although the operation of computers might be value free, the machines could function only in accordance with their programs. These reflected the intentions of the operators[7], and it was these which required to be the subject of the Tribunal's determination of fairness.
One final point deserves mention concerning the decisions in these cases. The argument was advanced that prohibiting the practice of extracting third party information would result in an increase in the level of bad debt or, perhaps, in the denial of credit to persons who might otherwise have been accepted. This it was argued would itself result in unfairness. Whilst recognising that credit reference agencies did provide a valuable service to the credit industry, the purpose of the Data Protection Act was to safeguard the interests of individual data subjects. Considerations of the greater good could not prevail over those of the individual. Clearly such an approach must have its limits otherwise individuals with a poor credit history might claim that it was against their interests that the information should be recorded and processed. What the Tribunal's decision does signify is that processing which is considered to have the potential of unfairness as regards the legitimate interests of a data subject will not be permitted on the basis that it offers benefits to the user.
In other situations the major area of concern relates to the issue whether an individual has been informed of the use to which information will be put. This issue is related closely to that of the manner in which information is obtained. In many instances, the information will be supplied by the data subject concerned on a voluntary basis. A typical example might see the individual giving details of name and address when ordering goods or services by post. Such details are necessary if the purpose of the transaction is to be attained. If the information is used only for this purpose, no difficulties will arise. In many cases, however, the user will wish to maintain a record of the subject's details on a mailing list. It may also be envisaged that access to the mailing list will be granted to other users. Here information which has been supplied freely for one use is being put to another use. In the case of Innovations Ltd. v. Data Protection Registrar (1993), the Data Protection Tribunal upheld the Registrar's contention that a failure to inform mail order customers of the fact that their details might be supplied to other companies at the time the data was first collected constituted a breach of the first data protection principle.
The starting point for consideration of the controls over the disclosure of data to third parties is the third data protection which provides that:
Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes.
This principle receives considerable expansion in the body of the statute. In every case, this takes the form of providing exemptions from its application, an approach which incurred the displeasure of Sir Norman Lindop, the Chairman of the Committee on Data Protection who was moved to write a letter to The Times complaining that the legislation "perpetrated a fraud on the public". The basis for this accusation was that whilst the third principle proclaimed the notion that data could only be disclosed in accordance with the terms of the user's entry on the Register, the exemption provided for contrary and secretive disclosures.
In every case where the Act makes provision for disclosures outwith the scope of the user's entry on the Register, there can be little dispute that some provision may be necessary. Thus it is provided that the principle is not to apply where disclosure is made for the purpose of the prevention or detection of crime, the apprehension or prosecution of offenders or the collection or assessment of any tax or duty and in circumstances where a failure to disclose it likely to prejudice the attainment of the purpose specified (Section 28(1)). Instances may be identified readily where the operation of an exemption would be eminently justified. Few users might be expected identify the police authorities as likely recipients of their data when drawing up their Register entry. In the event, however, that a fraud was perpetrated on the user, the police might require to obtain access to the user's computer system and to the personal data held therein in the course of their investigations. In the absence of any the statutory exemption, such an act would infringe the terms of the user's registration. Where the provisions can fairly be criticised is in respect of their breadth - there is no requirement that the criminal offence be of any order of magnitude so that an investigation into non-payment of a parking fine would be treated in the same vein as a murder inquiry. Particular concern might be expressed in respect of the crime prevention exception. Crime prevention is a nebulous concept and it is difficult to identify any item of data which could not be regarded as possessing some relevance to this topic. Although it is the case that the test whether a disclosure is justified has a second element - that a failure to disclose would prejudice the attainment of the specified purpose - there is again no requirement that there be any significant degree of impairment.
Beyond the substantive concerns regarding the scope of the exemptions, the legislation contains no procedural safeguards whatsoever. A request for a disclosure may be made by the most junior police officer and responded to by the most junior member of the data user's staff[8]. Although either or both of the actors may face internal disciplinary sanctions the data users will have nothing to fear from the Data Protection Act. Further, there is no requirement that any record be kept of the fact that disclosure has been sought and granted and no requirement that the Registrar, or anyone else, be informed of what has occurred.
A variety of other exemptions are provided for in the legislation. In terms of their area of application, these are less controversial that those discussed above although in a number of cases the scope of the provision is obscure. The non-disclosure principle will not apply where the disclosure is made for the purpose of obtaining legal advice or where the disclosure is required by order of a court. Disclosure may also be made when it is urgently required to safeguard the health of the data subject or of any other person.
From the individual's perspective, the subject access provisions constitute the most significant innovation in the legislation. Although a number of criticisms may be made of the manner in which the terms of the seventh data protection principle have been implemented in the body of the statute, the fact remains that the passage of the Act marked a very significant extension to the right of individuals to secure access to personal data.
A data user is obliged to respond only to requests which are received in writing and which provide such information as may reasonably be required to confirm the identity of the applicant and to permit the user to locate any relevant data (Section 21). It is, of course only the data subject or a person authorised to act on their behalf who lawfully may exercise the right of access. A user who discloses data to anyone other than the subject will breach the non-disclosure principle. Given this possibility, it may not be unreasonable for a user to seek additional items of information. If the subject has been allocated some form of identification number by the user, provision of this information may avoid any confusion with data relating to other subjects sharing the same name as the applicant. It may be difficult to distinguish, however, between a request by the user for further information designed to elicit information in order to ensure that the enquiring subject receives all relevant data (and none pertaining to a third party) and one which is intended to cause delay and perhaps to dissuade the applicant from pursuing a request.
A further aspect of subject access is the question of cost. The seventh principle states that a subject is to be entitled to access at a reasonable cost. When the Act's access provisions became operative in 1986, it was provided that a user would be entitled to require payment of a fee of up to [[sterling]]10. This fee was significantly higher than that suggested by the Registrar and also significantly greater than the fee of [[sterling]]1 pertaining to a request for access to data held by a credit reference agency under the similar provisions of the Consumer Credit Act 1974. The ten-fold difference in fee levels was justified at the time on the basis that credit reference agencies structured their data in such a way as to facilitate retrieval by reference to the individual whilst many users operating under the auspices of the Data Protection Act might not routinely extract information in this way. An example might concern the controller of a mailing list. As the cases brought before the Data Protection Tribunal indicate, this view of the nature of credit reference agencies' operations may have been misguided. Although the fee has not been increased in line with subsequent inflation it continues to represent a major barrier to access. The problem may be compounded by the fact that many users have divided their data holdings into separate entries on the Register. It may be that a number of the entries might contain information relating to a particular subject and in such an event the user will be able to require a separate fee in respect of each file searched. The fee will be payable even if a particular file contains no information on the subject.
Having received a valid request for access, a user is normally obliged to supply the subject with a copy of their personal data within 40 days. An extension may be sought from the Registrar if the circumstances of a particular case justify delay. Research conducted into the operation of the Act would suggest that a significant number of users fail to respond to access requests within the permitted period.
In responding to a request for access, the data which must be supplied to the subject is that which was held at the date the access request was received by the user. This is subject to a partial exception where the data is subjected to routine processing between the date of receipt and the date when the requisite copy is taken. An example might concern transactions relating to a subject's bank account where sums may routinely be credited and debited on a daily basis. The data is to be supplied to the subject in writing together with an explanation of any terms or codes used in the record whose meaning might not readily be apparent.
The operation of the subject access principle is subject to one general and to a number of sectoral exceptions. As with the exceptions to the non-disclosure principle, whilst the need for some exceptional provisions will be accepted by most people, there is scope for concern at the manner in which they have been implemented.
The general exception to the access right occurs where the data concerned relates to a third party. In principle, this approach must be regarded as correct. The third party is as entitled to have his or her data protected as is the enquiring data subject to access. Unless the third party has consented to the disclosure, the user will breach the third data protection principle should the information be disclosed to anyone else[9]. In many instances, of course, the data concerning two or more parties may be tightly linked. A typical situation will arise where the third party has served as the source of information about the data subject.
The Act contains a number of provisions which are designed to allow a satisfactory compromise to be reached between the competing claims of access and non-disclosure. Users are instructed that all practical steps are to be taken to suppress the third party's identity thereby allowing the remainder of the data to be supplied to the subject. One instance has been reported where a data subject sought access to records relating to a bank account held jointly with a partner. The transcript supplied had all references to the partner's name and transactions blanked out. Whilst showing commendable devotion to the principles of data protection, the subject would have been in no doubt who the concealed entries related to. In many situations, whether an attempt at concealing the third party's identity will be successful will depend upon a variety of circumstances including the knowledge of the data subject. The example may be postulated of a situation where a neighbour has reported suspicions that a data subject is mistreating a child. If the subject request access, the issue has to be confronted whether deleting the informant's name will suffice to conceal his or her identity. If the subject lives in an isolated area with only one close neighbour any such attempt may be futile. A different conclusion may be reached should the subject live in the centre of a city. A further complicating factor will concern any previous incidents involving the subject and the informant, even whether the subject harbours an unwarranted suspicion that a particular person is responsible for any problems that may befall them.
Beyond the general exception, special provision is made in a number of areas. Once again, records held in connection with the prevention or detection of crime[10], the apprehension or prosecution of offenders or the collection or assessment of any tax or duty are exempt from access to the extent that this would prejudice the purpose for which they are held (Section 28). The phrase "to the extent that this would prejudice" is significant in every case to which the exception applies. If only elements of the data are covered by an exception, this must be separated and the remainder of the information supplied to the enquiring subject. One major problem may be that no indication need be given to the subject of the fact that an exception has been relied upon. In the extreme case where all of the data was regarded as being covered by the terms of an exception, the reply could lawfully be given to the subject that "We do not hold any relevant personal data of which you are the subject". Such a response may well be misinterpreted by the subject although it is difficult to imagine how the request might be dealt with in any other way. Informing the subject that data is held but that the access request is being denied subject to the terms of an exception might be as damaging to the purpose of, for example, crime prevention, as would disclosure of the data. Again, it is the absence of procedural safeguards which constitutes the major cause for concern in that no intimation need be made to the Registrar of the fact that an exception has been relied upon. In the event, however, that a subject suspects that data has been withheld, a complaint may be made to the Registrar who may require the user to justify their conduct in the circumstances of the particular case and may, through the service of an enforcement notice, require that data be supplied to the data subject. Such control over the record keeping activities of law enforcement agencies constitutes a significant innovation for the Data Protection Act.
As with the non-disclosure exemptions, a second condition requires that it be demonstrated that the grant of access would prejudice the purpose for which the data is held. In most cases this may be non-problematic although in the situation where the record indicates knowledge that a subject is planning to commit a criminal offence, it might be argued that the interests of crime prevention would best be served by informing the subject of the fact that his or her plans are known to the authorities.
In the case of medical data the right of access is generally to apply[11] subject to the proviso that access may be denied when in the opinion of a relevant medical professional, the grant of access would cause serious harm to the subject's physical or mental health[12]. It is difficult to conceive of any circumstances where this provision might apply in respect of physical health, not least because in this area the subject is almost certain to be aware that records will be kept. Any form of denial will effectively say to the subject, "we will not tell you what is on your record because it will make you seriously ill". It is doubtful whether this will be any more comforting to the patient than to be confronted with the record. The provision may be more relevant in the case of psychiatric illness although the ground for the denial may in many cases lie as much in the fact that the data relates to third parties as to a concern for the subject's health[13].
Broadly similar restrictions upon the extent of subject access apply where data is held for social work purposes[14]. The provisions here are somewhat looser than those pertaining to health data. In addition to access requests being rejected out of consideration for the subject's physical or mental health, the somewhat nebulous ground of emotional condition is included in the list. Further, whilst decisions to deny access to medical records may only be made by a relevant medical professional - a term which is extensively defined in the enabling regulations - no provision is made as to the qualifications of the person who may determine whether a request for access to social work data is to be accepted or rejected.
Implementation of the proposed European Union Directive would require significant changes to present UK practice in these areas. The proposal recognises the need to make special provision to regulate the manner in which access to medical and social work data is obtained. A practice utilised in a number of other systems is for the data to be revealed to the subject by a medical professional rather than the more common provision of a written transcript. The proposal confers primacy upon the subject's right to seek access and this will override any concerns held by medical professionals as to the potentially adverse effects. A similar provision currently operates in the United Kingdom in respect of access requests which are made by an adoptive child for information relating to his or her natural parents. Here it is a condition of the request being granted that the child first accept counselling as to its potential implications. Following this, the decision whether to proceed is one entirely for the child.
A variety of more specialised exceptions apply to the access provisions. These include the situations where data is held under the protection of legal professional privilege, where it relates to the making of judicial appointments and, analogous to the provisions relating to criminal investigation and prosecution, to data which is held by certain regulatory bodies such as Lloyds and the Stock Exchange. Further provisions regulate student access to examination records. Here, users may respond within the normal 40 day period and be subject to the general rules. In the case of some major examinations, such as the SCE Ordinary and Higher Grade examinations, the marking process may extend beyond this period. An option is provided to the data user allowing compliance with a request for access to be delayed until 40 days after the publication of the results, subject to a maximum period of six months. Exercise of this option carries a not insignificant penalty in that the subject then has to be supplied not only with information relating to the marks finally awarded but also with any other material, perhaps in the form of provisional marks which were recorded at any time subsequent to receipt of the request for access.
In many situations, obtaining access to data will constitute an end in itself. A variety of options are made available to the data subject in the event that objection is taken to all or part of the data which is revealed. The basis upon which any complaint may be pursued will rest in an allegation that a breach of one or more of the data protection principles has occurred. In the event that a complaint to the data user fails to resolve the issue, the most attractive option for the subject may be to raise the matter with the Data Protection Registrar. The Act provides that the Registrar "may consider any complaint that any of the data protection principles or any provision of this Act have been contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected"(Section 36). Where the Registrar undertakes an enquiry, the data subject is to be informed of its findings. Although the formulation confers a great deal of discretion on the Registrar, much of his efforts have been directed at following up complaints from data subjects.
A number of rights and remedies are conferred directly upon data subjects. In the event that the subject disputes the accuracy of any personal data held, it is provided that the Court may order the rectification of any errors of fact and also of any expressions of opinion which appear to be based on that error (Section 24). This appears a rather strange provision. It echoes the issue discussed previously who statements of opinion and intention might be regarded as belonging to. Although there is a distinction between holding a particular opinion and recording that opinion, the provision does appear capable of threatening a user's freedoms. As an alternative to ordering the amendment of the data, the court may order that it be supplemented by such further statement as may be directed. To date, there do not appear to have been any cases brought under these provisions of the Act and it is uncertain how the available options will be exercised. One scenario illustrates some of the difficult issues which may arise. Increasingly, newspapers and journals maintain copies of past issues in an electronic data base. Any issues of a newspaper will contain a great deal of personal data. The operation of a data base is very likely to involve processing as defined in the Data Protection Act. In the not unprecedented event that a story is wrong, the subject concerned would have right to seek rectification. The information as held in the data base is presented as the contents of particular issues of the journal in question. Correcting errors might be justifiable from the perspective of the aggrieved subject but it would render the data base unreliable as a historical record. In such a case it may well be that the addition of a notice of correction would be preferable to the amendment of the text to produce a more accurate version.
One limitation upon the subject's right to require the rectification of errors is that it extends only to data held by a particular user. In many cases, the inaccurate data will have been passed on to third parties so that the invidious effects of the error will survive its expulsion from the original user's records. Under the Consumer Credit Act it is provided that notification of any change made to a record pursuant to the exercise of a subject's right of access is to be given to any third party who had received the information in question within the previous six months (Consumer Cedit (Credit Reference Agency) Regulations 1977). Although attempts were made to include similar provisions in the Data Protection Act, these were rejected on the basis that it would put an unfair burden upon data users. The European Union proposals require, however that third parties be notified of any rectification or erasure (Article 13(4)). Once again, it is clear that the new proposals give primacy to the rights of the subject over the operational convenience of the user.
In the event that data is inaccurate, the Act provides that a subject may claim compensation for any damage and distress which the error has caused (Section 22). This action will be additional to any claims which may be brought under more traditional headings such as breach of contract or defamation. The use of the formulation "damage and distress" entails that a measure of financial loss will be a prerequisite to any action. This will serve to limit significantly the scope of the action. Although inaccurate data may cause opportunities to be lost, for example where a subject is denied credit facilities following receipt of an inaccurate and unfavourable report by a credit reference agency, these will not be considered compensatable.
The current European proposals represent a compromise between the comparatively laissez faire approach adopted in the Data Protection Act and the more stringent principle of informational self-determination which constitutes a feature of the German system.
The proper role of a system of data protection remains a subject for debate. The concept of subject access is one which few would criticise yet it may be queried how far it is of special relevance to automated data processing. The rationale behind the concept is clear. If decisions affecting individuals are to be made on the basis of recorded information, equity requires that they should be able to verify its accuracy. In most of the instances where an individual may wish to see what information is recorded about them the fact of a computers involvement will be purely incidental. Indeed in a number of the most sensitive areas, such as educational records, health records and credit reference agency files, the right of subject access operates regardless of the format in which the information is held. Subject access under the Data Protection Act may be seen as a specific instantiation of a much wider phenomenon. Particular note may be taken of the proposal contained in the recent White Paper on Open Government (1993, Cmd. 2290) that the individual's right of access should, subject to exceptions, extend to all personal information held by government agencies regardless of the format in which it was held.
One perhaps unfortunate consequence of the individual focus of data protection legislation is that too little attention is paid to the societal implications of data processing. Subject access asserts the primacy of the individual. Much data processing subverts individual personality in a sea of anonymous, aggregate data. By concentrating on abusive conduct, too little attention is paid to the desirability of what is becoming the norm. In a number of cases, subject access appears to have proved more of a prison than a refuge for the data subject. A number of instances have been reported of employers requiring prospective employees to exercise their new found right of subject access to obtain a copy of their criminal record - or confirmation that no such record exists. It may also be possible to require the provision of exact examination results rather than a pass/fail indication, to require details of medical records. The European Union proposal suggests that individuals should be entitled to refuse a requirement by a third party that access rights should be exercised on their behalf. It appears unlikely that matters may be resolved so simply. At present, an individual is under no obligation to supply the information described above. Short of rendering it illegal for a third party to receive data obtained pursuant to subject access, the imbalance of power that frequently exists in these situations may entail that even the mildest expression of interest on the part of a potential employer will be regarded as akin to a command.
The Act has had some high profile successes. The effect of the enforcement orders served on the four leading credit reference agencies has brought about major changes in their method of operation. In a sense, however, it may be that the victory is pyrrhic. Certainly, a number of data subjects will benefit from wider access to credit because they are no longer tainted by the activities of others who have lived at the same address. It was suggested on behalf of the agencies that if this form of processing were to be prohibited, the effect might be that whole areas might become credit ghettos. The use of credit scoring as a technique for profiling credit applicants may also prove more attractive. The consequence may be that individuals may be denied credit not because of their own record, not because of information held concerning some other individual but because of the processing of aggregate data relating to a large number of individually unidentifiable decisions. This may be even less tolerant of the non-conformist or eccentric individual than is the present system. The European proposals recognise this danger by providing that decisions should not be made purely as a result of automatic processing but that there should be some level of human decision-making.
The Act has created a bureaucracy. Even the term "Registrar" is redolent of form filling and filing. The Committee on data protection in their report used the term used the term "Data Protection Authority". In other states the word "Commissioner" is used. It may be that the choice of terminology is indicative of the lack of commitment by the Government at the time of the Act's passage. Although there can be no complaint concerning the energetic manner in which the Registrar has exercised his role, in too many respects the office operates on the periphery of the key issues. Given the fact that many significant forms of data processing function in the public sector, it may not be unreasonable to see the muzzling of the Registrar as motivated by a concern to avoid independent scrutiny.