The Data Protection Act 1998
Current legislation
As computers have become more widespread, so the need for legislation has grown. There now exists legislation that seeks to protect our health and safety while working with computers, to protect our privacy, to ensure that those who seek to carry out criminal acts using computer technology are punished and to ensure that intellectual rights to material are protected. One major problem with any country's legislation, however, is that it is difficult to enforce those laws if the 'crime' is carried out in another country. The Internet is a worldwide phenomenon that crosses the boundary of every country. What is illegal in one country may be perfectly legal in another country, or may simply be impossible to enforce. There are lots of good sources that deal with this issue on the Internet. Search Google using keywords like privacy, legislation, Data Protection Act, European privacy legislation, SPAM, junk mail, cookies and so on.
Data Protection Act 1998
Organisations collect data and store information about individuals. It is important, however, for each organisation to recognise that the information collected about an individual is private and that the individual has a right to expect that it stays private. Each organisation should only collect the information that it actually needs and should be up-front about what it needs it for. The DPA 1998 was an extension of the DPA 1984. It brought the 1984 Act up to date with European legislation and also included extra safeguards, such as covering data sent over the Internet.
When an organisation wants to keep data about individuals, it must register with the Data Protection Commissioner. They have to fill in a form that
- gives details of their organisation
- says what data they want to collect
- says what they want to do with it
- says who will have access to the data.
The organisation must then use the data in the way they said they would. If it doesn't register, or uses the data in a way that it hasn't declared, then it may be subject to legal sanctions.
The DPA 1998 lays down eight principles of good practice, backed by law, which organisations must follow.
1. "Personal data shall be processed fairly and lawfully". This means that a company must be up-front about collecting personal data. It must seek permission from individuals to collect and process their personal details before they actually do it.
2. "Personal data shall be obtained only for one or more specified and lawful purposes". In other words, an organisation has to use the data they collect in the way that they said they would use the data when they registered with the Commissioner.
3. "Personal data shall be adequate, relevant and not excessive". We have already said that an organisation must declare to the Commissioner that it intends to collect data for one or more reasons. It must then collect only the information it actually needs and not collect any data that it doesn't really need.
4. "Personal data shall be accurate and, where necessary, kept up-to-date". An organisation must make attempts to ensure the information is accurate and up-to-date. For example, a school may, once a year, print off the personal details it holds about you, send them home and get someone to check, sign and return it. Any data can then be changed as necessary.
5. "Personal data ... shall not be kept for longer than is necessary". Companies must remove data if they do not need it any more. They should have a procedure in place to ensure that data kept on file is regularly reviewed.
6. "Personal data shall be processed in accordance with the rights of data subjects". An organisation must have in place a procedure to allow anyone who has data kept about them to see that data. This usually means having a form available so that any individual can request to see their data in writing. There is sometimes a small fee payable as well. The organisation must then provide the data within a fixed time.
7. "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss". An organisation must take practical steps to ensure the data is safe and secure. These can include restricting access to files using password protection and encryption, restricting access to the hardware that can access files, and having a procedure to back up files daily and store the backups in a fire safe or securely off-site.
8. "Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection". In other words, data cannot be sent to or accessed from a country outside the EEA unless that country has legislation similar to the DPA. If you have a web site that holds personal details that can be accessed by someone from another country, then this law applies to you!
Some disadvantages of the DPA
While most people would agree that the legislation is useful, there are some drawbacks. Some people would argue that while it sounds good in theory, it is very difficult to enforce in practice. For example, if you are running a small club and store members' details on the computer, you are supposed to be registered - but how many such clubs are? The DPA legislation means extra administration and expense for an organisation. For example, somebody has to be responsible and take the time to ensure that data is kept accurate and up to date. Somebody has to administer the system that allows individuals to see their details. Somebody has to be responsible for making sure the company follows the DPA. Whenever somebody has to do something, it takes that person away from the core activities of the organisation and involves an expense for the company. Some might argue that the last principle of the Act described above is impossible and impractical to enforce. How can you monitor who accesses data from an online database via a web site from another country? How can you enforce regulations? Conviction rates are low.
Other legislation related to the DPA 1998
There are other laws that have an impact on the way data is held on computers and used. These include the Human Rights Act 1998, the European Convention on Human Rights, the Freedom of Information Act 2000 and the Anti-terrorism, Crime and Security Act 2001. Of particular importance are two pieces of EU legislation, Directive 95/46/EC and the Privacy and Electronic Communication Regulations Act.
Directive 95/46/EC (2000) and Directive 97/66/EC
We have already said that there is a problem when one country tries to impose its values and laws on people in other countries. One approach is to have legislation that crosses national boundaries. Directive 95/46/EC is European legislation that lays down rules designed to protect the rights and privacy of individuals with regard to data kept about them across Europe. Directive 97/66/EC is another piece of legislation concerned with provisions for data privacy and protection in the telecom industry.
Privacy and Electronic Communication Regulations (PECR) Act 2011
The EU's "e-Privacy" Directive from 2002 was amended in 2009. All E.U. member states had to bring the Directive into their own law by 2011. The U.K.'s amended Privacy and Electronic Communication Regulations (PECR) Act 2011 became law on May 26, 2011. The law stated, amongst other things, that companies operating in the E.U. and the U.K. must get consent from their website users for cookies. Cookies are small programs that get installed on your computer when you visit a particular website. They allow websites to offer a more personalised experience, such as remembering a user's preferences, and they allow a website owner to track how often their pages are being visited. Cookies can, however, also be used to track a user's online behaviour and other 'interesting' personal information.
Accessing controversial information via the Internet
One country's laws and values are not necessarily another country's laws and values. If one country decides that hard-core pornography is perfectly legal to show and sell and its citizens put web sites on the Internet, how can another country like the UK stop people viewing this kind of material, even though it is against the law in the UK? The answer is that it can't. Nobody owns or runs the Internet, so it is very difficult for anyone to have control over it. We live in a democracy and we expect freedom of expression and, to a large degree, freedom of information. Most citizens, however, accept that there are times when there is a 'national security' argument for having some information restricted. Before the Internet, each country could decide exactly what its nationals could have access to. Post-Internet, however, the situation has completely changed. It is very easy to set up anonymous web sites containing all kinds of controversial material, including pornography, how to make a nuclear bomb and libellous gossip. This information crosses every boundary. It is difficult to convict anyone of anything anymore!