Data protection - A question of privacy
The 1998 Data Protection Act will impose significant new duties on IT managers. Tim Phillips warns of a rude awakening for business.
The machinery of Whitehall has rarely been known to grind quickly, especially when it comes to drafting new legislation. But before long, IT departments will be facing a major headache as harmonisation of European privacy laws imposes far greater constraints on how organisations collate and swap data.
The big issue is the 1998 Data Protection Act, likely to be finalised this September. Not only will it greatly strengthen the powers of the Data Protection Registrar, but it is already acting as a lightning rod for lobby groups. One of these is Privacy International, whose director Simon Davies makes no bones about his hopes that the legislation will end any complacency about the right of individuals to confidentiality. 'The new data protection regime has to be the iron fist in a velvet glove,' he insists. 'We want a data protection Commissioner who will be controversial and resolute, and who is prepared to make enemies.'
He adds dismissively: 'In the past, the situation has been so bad we may as well have been dealing with just another branch of the Home Office.'
Whitehall lawyers were expected to have finalised details of the new act last month. Now the final draft seems likely to come through some time in the autumn. If that is the case, it will be almost a year after IT heads were meant to comply with how new data - defined as that acquired after October 1998 - should be safeguarded.
Perhaps more worryingly, this will give IT departments barely two years to ensure that old data systems are similarly rendered compliant. All this, without having a real chance to inspect the proposed new rulings.
Central to the problem is the Home Office's race to update its 1984 Data Protection Act so that it is in tune with an EU directive, due to come into effect in October 2001.
When the 1998 act does finally come into force, Davies may well get his wish for legislation with real teeth. And for the thousands of UK businesses which are still either unaware of its powers, or are unwilling to comply, there may be a rude awakening.
The 1984 Act gives the Data Protection Registrar, who will be the Commissioner when the 1998 Act comes into force, strictly limited powers. 'For most people, the impact of the 1984 Act was merely that they registered as a data processor,' explains Rupert Battcock, a solicitor in the IT group at the Nabarro Nathanson law firm. 'It was an absurdity. If you were not registered and did awful things with your data, then the only thing the Registrar could do was to make you register.'
In short, says Nathanson, the previous Act was little short of a 'bureaucratic nightmare.'
The 1998 Act moves much closer to being a proper privacy law. When the statute is effected, your company's data will be open for scrutiny both by the Data Protection Commissioner and by any member of the public, whether you are registered or not. Moreover, any employee who wants to know what data you hold and what is being done with it has a legal right to find out.
If you are convicted under the act, the penalty can be a fine and a criminal conviction. The damage to your company's reputation can be worse. And not only the company will be prosecuted - individuals can be held responsible, too.
But there are still 20 pieces of secondary legislation to be enacted before the new act sees the light of day, and the original June deadline is certain to be stretched for at least several more weeks, if not months.
'They are making a book at the Registrar's Office about when it's going to be. Most have their money on September,' Battcock reveals.
The much stricter conditions of the act (see box), which follows European Union Data Protection Directive 95/46/EC, will apply to any processing begun after 24 October 1998. Data created before then must be compliant by 24 October 2001. And paper-based records are affected for the first time: the deadline for them is 24 October 2007.
Yet many companies are still not aware, or choose to remain ignorant, of the forthcoming act. In a November 1998 survey of 100 medium and large organisations, encryption specialist Security Dynamics found that 85% were unaware that the law was about to change and 22% were still allowing external agencies sight of their personal data.
Mia Thomas, legal advisor for the Confederation of British Industry, says the public's lack of awareness of the act may, ironically, prove beneficial to companies by giving them a much-needed breathing space.
'If people don't know what their rights are, they are hardly likely to exercise them. So we don't anticipate that our members will get a deluge of requests from the public. But we are telling members they must train their staff to deal with any requests,' she says.
The problem is that many board level executives don't see the change as important. 'Information security managers are often a part of the finance division,' says Graham Welch, regional director for the UK, France and Benelux operations of Security Dynamics.
'They don't carry weight with the board or the budget. It doesn't help that the legislation is weighty and a little dull. It's a toothless wolf unless examples are made. It has been too easy for people to pay lip service to data protection.'
Battcock agrees. 'Companies should have someone whose job is data protection and a team to carry out some type of compliance project,' he says. 'Don't leave it until 2001.'
One company that has already implemented the terms of the act is Air Miles. You might not like the terms of the act, says head of group marketing and strategy Judith Thorne, but you can't afford to ignore it. 'There's a difference between lobbying against legislation and recognising the need to comply when it becomes law,' she says.
The Air Miles team is three people in the legal department who brief others in the company about their responsibilities. Thorne says compliance is simply good business practice. 'We could make millions from renting our list,' she says. 'But we always complied with the old act and we will comply with the new one even before it is law.'
Companies ignoring the act may find that it is a toothless wolf no longer.
Elizabeth France, the Data Protection Registrar, has promised advertising to make people aware of their rights and will encourage complainants to exercise them.
At Privacy International, Davies is planning more direct action. 'The onus is on us, rather than the government, to protect our rights. But now we actively have rights. We're ready to go - the only thing holding us back is that the 1998 Act has yet to be enacted,' he warns.
That threat is aimed at 25 organisations that Privacy International says flout the conditions of the new act. They range from 'the FBI to the Hyatt Group, Monsanto to Microsoft', according to Davies. Depending on the exact terms of the legislation - the Home Office is still deciding on who may be exempt - he is ready to take some or all of them to court starting on the day after the act becomes UK law.
Davies is focusing on the final principle of the 1998 Act (see box), which is causing the most controversy. This prohibits companies from exporting personal data to countries without 'adequate levels of protection'. The most obvious target is the US, where there are no data protection laws and a culture of self-regulation.
The US response has been to promote the concept of 'Safe Harbour' - in effect, a voluntary code of conduct for businesses. Davies promises to challenge this in the courts if necessary and has met the US government to say so.
'The Safe Harbour concept has been held together by the chewing gum of goodwill,' he says. 'The US government has hoodwinked the business sector for so long by saying they can cut a deal. They can no more cut a deal about the act than we can cut a deal about their Constitution. If we challenge Safe Harbour, the US has no alternative but to invoke Federal regulations.'
Privacy International may gain headlines and kill off Safe Harbour formally, but the signs are that the Data Protection Registrar will not be following Davies into the courts.
David Smith, assistant registrar, prefers a more pragmatic approach.
'Data protection issues are increasingly going to be international issues,' he says. 'The way you enforce them has to be by self-regulation. There's certainly no prospect of a general data protection law in the US. The difficulty isn't with having voluntary standards, it's how you check and enforce them. But it is certainly possible to deliver data protection in that way.'
In consultation with the Data Protection Registrar's office, Battcock is also advocating that businesses take a practical approach in the expectation that they will be treated sympathetically by the Commissioner. 'If you are using a third party to process your data, then you must have a written agreement with that company specifying what it must do with your data, and that is the only thing it can do with your data,' he says. 'In some cases, it may not even be necessary to sign up to the full code of conduct.
There may be other ways to get around the legislation. If you ask people providing the data to let you do the processing at a specific location, or if you have a contractual mechanism with the company, that might be sufficient.'
Battcock says one of his multinational clients has already made contracts with local subsidiaries to enable its personnel records to be moved. This offers some comfort to Bill Pepper, head of information security and risk management at outsourcer CSC's UK division, which processes personal data for Du Pont, JP Morgan and S&P.
'At the moment we would have great difficulty exporting our data to the US. For a global business like ours it raises some serious problems,' he admits. 'It would have been helpful if the government had given us a clearer indication of its plans. We have other things going on, such as year 2000 for example, so it is hard for companies to make senior management pay attention.'
The US isn't the only problem; in Asia, only Hong Kong has data protection legislation. CSC has a steering group made up of the IT director, the company secretary, the HR manager and representatives from its clients.
As with year 2000 compliance, once the company began to look at the task, it turned out to be much bigger than expected.
'We are 50% down the line in identifying what we have to do. There's a lot of personal data out there in small amounts,' Pepper says. CSC must secure any personal data that has been created in Lotus Notes databases, for example, and must ensure that records concerning each client are kept in separate databases.
So far, few have guessed at the cost of compliance. Pepper admits only that 'there is a lot to be done'. The Home Office makes what it concedes is an estimate of £837 million for UK businesses. Battcock calls this a 'high figure', but still pegs costs as 'significant'.
At the Data Protection Registrar's Office, Smith pooh-poohs high estimates, saying that 80% of the work should have been done to comply with the 1984 Act, and the rest is merely good practice. 'We don't pretend there are no costs whatsoever,' he says. 'But we are sceptical about some of the costs bandied about. Many people are including the cost of complying with the present act.'
The Data Protection Commissioner will not expect companies to revise every paper file, for example. 'They won't have to go back into their archives and go through every record,' says Smith. 'If the record is accessed, they should make their accuracy checks. But 99 out of 100 records, you'll never access.'
If the Data Protection Commissioner is willing to play nice cop, then Privacy International is determined to play nasty cop, and for some organisations the message is 'see you in court'.
'I have no sympathy for companies,' says Davies. 'They will sign up to anything as long as it doesn't cost a dollar. As soon as it begins to bite, they back away.' You have been warned.
THE DATA PROTECTION ACT SHARPENS ITS CLAUSES
There are eight parts, or 'Principles', to the 1998 Data Protection Act. The main departure from the 1984 Act is that you are bound by these principles whether or not you have been notified of them by the Data Protection Registrar, and whether or not you are registered.
1. Personal data must be processed fairly and lawfully
The individual either has to be told what you will do with the data, or the processing has to be necessary - perhaps for legal, medical or 'contractual' reasons. There are also 'sensitive' categories of data, such as a subject's political beliefs or sexuality, that require explicit agreement from the subject before the data can be processed.
Consent cannot be assumed from a lack of response to a question, for example if the subject has not replied to a letter. The Home Office has not yet decided on exemptions - or 'black holes', as Privacy International calls them. When you collect information, you must tell the subject on whose behalf the information is being obtained and how it will be used.
2. Personal data is obtained only for specified purposes
Currently, you just have to register the purpose with the Registrar. Under the new legislation, even if you are not registered you are still bound by this principle.
3. Personal data shall be adequate, relevant and not excessive
This is in the 1984 Act, although the clause will now cover manual records too.
4. Personal data shall be accurate and up to date
If the subject informs you that data is inaccurate, you must record this.
You also have a legal duty to take 'reasonable steps' to ensure that data is accurate beyond simply asking the subject when the data is collected - another grey area.
5. Data shall not be kept for longer than is necessary
This is part of the 1984 act.
6. Data shall be processed in accordance with the rights of the subjects
This covers protection from damage or distress from processing the data, direct marketing and automatic decision taking. Subjects cannot be denied access to their data.
7. Appropriate technological measures shall be taken
It's your legal responsibility to stop personal data being hacked, lost, damaged or stolen. In future, you are responsible for the data from the time it is created until the time it is destroyed.
8. Personal data shall not be transferred outside the European Economic Area unless that country provides an adequate level of protection
This is the most controversial restriction - the US does not have 'an adequate level' of protection, having no federal data protection laws. It looks as if you will have to have either a clear contractual arrangement with whoever does the data processing in the US, or the explicit permission of the subject.
WILL YOU BE HURT BY THE 1998 ACT?
- International companies
It matters where your data is held. You cannot transfer it to countries which have no data protection legislation, even to your head office. A possible workaround will be a formal contract between offices, stating what will be done with the data, specifying security measures and rights of access.
- Personnel departments
Human resource data cannot be transferred outside the European Union to countries that do not have data protection legislation. You cannot pass on CV details to other countries. If you use an automated application to pre-select job applicants, you have to tell applicants how this is done. You must have explicit consent to hold 'sensitive' information.
- Ecommerce businesses
If you gather information from customers, you must ensure it is secure - unlike one building society, which was gathering mortgage applications over an unencrypted link. If you use information for marketing purposes, you must tell your customers what you intend to use it for. Where you hold your internet data has to be similarly secure.
- Managers
Data held in informal databases, for example Lotus Notes applications, is covered by the act and needs to be secured. If you pass personal data on to another manager for another purpose, the email should be secure and the subject needs to give permission.
- Public sector organisations
Already bound by European legislation. The main challenge will be allowing access to paper-based records.