Enforcement & Prosecutions Under the Data Protection Act 1998
Last month I described the new system of data protection introduced by the 1998 Act. This month I am covering how the new regime will be enforced and how those who abuse personal data risk prosecution.
A Summary of Last Month's Issues - Key Points for Data Controllers
If you are preparing for the new Act make sure that:-
Enforcement of the Principles - Business As Usual
Last month I outlined the 8 new Data Protection Principles. If you've mislaid your copy of last month's PCPro then the article now appears on my web site (http://www.btinternet.com/~hamiltons) in the Data Protection Legislation section.
The concept of enforcement by way of the Data Protection Commissioner issuing Enforcement Notices is retained under the 98 Act and, indeed, the whole Enforcement Notice procedure is virtually identical to that under the 84 Act.
As before, the Commissioner may serve an Enforcement Notice on any data controller suspected of breaching one or more of the Data Protection Principles. The Notice will set out steps to be taken to rectify the breach and a timescale for rectification. The Commissioner must take into account, when deciding whether to serve an Enforcement Notice, whether any person has or is likely to be caused damage or distress by the suspected breach.
When dealing with a breach of Principle 4 (the requirement for accurate and up to date data) the Commissioner may require the data controller to rectify or erase inaccurate data or any expression of opinion based on inaccurate data or to incorporate an amending comment from the data subject.
A data controller has identical rights of notice and appeal as under the 1984 Act and the Commissioner may as before require urgent compliance with an Enforcement Notice in exceptional cases. Appeals are heard, again as before, by the Data Protection Tribunal.
Assessment & Information - A New Procedure - Take Notice!
What is new in the 98 Act is the assessment procedure by which a data subject (or, significantly, a person who believes themselves to be a data subject) may ask for an assessment of whether it is likely or unlikely that data processing has been carried out by a data controller in compliance with the provisions of the 98 Act.
The Commissioner may then serve an Information Notice on the data controller requiring the provision of information to enable the Commissioner to carry out the assessment. The Commissioner may also serve a Special Information Notice in order to investigate suspected breaches of claimed exemptions under the 98 Act. The relevant exemptions are those set out in the 98 Act relating to journalistic, literary and artistic material (referred to in the legislation as the special purposes). If the Commissioner determines that the exemption has been wrongly claimed then he may issue a Determination Notice to this effect.
The Commissioner may not issue an Enforcement Notice against a Controller processing personal data for the special purposes without first issuing a Determination Notice to the effect that that exemption has been wrongly claimed.
As with Enforcement Notices the Commissioner must notify the Controller of their rights of appeal against Information and Determination Notices. Again as with Enforcement Notices the Commissioner may seek an urgent response (not less than 7 days) to Information Notices in exceptional cases.
A person who fails to comply with a Notice under the legislation or who knowingly or recklessly provides incorrect information in response to any Information Notice commits an offence punishable by a fine (maximum £5000 in the Magistrates' Court, unlimited in the Crown Court). It is a defence to show that all due diligence was exercised to comply with the Notice. The concept of due diligence is one that appeared in the 84 Act.
Entry & Inspection
The new Act preserves powers for the Commissioner to obtain a warrant for his or her officers to enter and search premises and to seize evidence where a breach of the legislation (including the Principles) is suspected. These powers existed under the 84 Act although, until fairly recently, there seemed to be some reluctance on the part of the Registrar to use them.
It is an offence under the 98 Act to obstruct the execution of a warrant or, without reasonable excuse, to fail to give assistance for the execution (an example might be the refusal to give a password to access a computer system). Unlike other offences under the 98 Act this offence may only be dealt with in the Magistrates' Court and is punishable with a maximum fine of £5000.
Notification Offences
Under the new legislation the system of Registration by data users is replaced by one of Notification by data controllers. Whoever it was who drafted the supporting criminal offences which buttress the requirement of Notification deserves to be taken out and shot. No longer are the offences neatly contained in one comprehensible section of the legislation (as with s.5 of the 84 Act). Rather they are now scattered throughout the Act in a confusing fashion which requires continual cross-referencing to comprehend. One particular section (s.22 dealing with preliminary assessments by the Commissioner) is guaranteed not to win any awards from the clear English campaign.
The requirement to notify the Commissioner is set out in sections 16 - 20 of the 98 Act. These provisions require controllers to notify the Commissioner of:-
The requirement to notify is buttressed by section 21 which makes it an offence to fail to notify the Commissioner of the processing of personal data and also to fail to keep the Commissioner notified of relevant changes (for example, in the address of the controller, or in the intentions of the controller with respect to the processing of personal data, or in the security measures to comply with Principle 7).
As with the 84 Act, the failure to notify can be prosecuted in the Magistrates' Court or the Crown Court and is punishable with a maximum £5000 fine in the Magistrates' Court or an unlimited fine in the Crown Court.
The s.21 offence is the clear equivalent of the old offence of non-registration under s5(1) of the 84 Act with an additional offence based on a failure to keep notification up to date. This latter point is an effective distillation of the offences in s5(2) of the 84 Act (operating outside the terms of your register entry) and of the offence under s6(5) of failing to notify the Registrar of a change in the data user's address. Interestingly the s6(5) offence is a matter that may only be tried in the Magistrates' Court and in respect of which a prosecution must be commenced within 6 months of the date of the offence (i.e. the date on which the data user moved). As a result very few s6(5) prosecutions were brought because the offence was not discovered in time. The small change in the law introduced by the 98 Act should overcome this problem.
Unlawful Obtaining and Disclosing of Personal Data
Section 55 of the 98 Act radically reworks aspects of the s5(2) offences in the 84 Act and the much criticised amendments introduced by the 1994 Criminal Justice and Public Order Act (s5(6) - 5(8)).
It will now be an offence:-
without the consent of the data controller.
The offences may be committed knowingly or recklessly. These established legal concepts are carried over from the 84 Act - s5(2) offences had to be committed either knowingly or recklessly.
The obtaining/disclosing/procuring without the consent of the data controller will not be an offence if:-
I have criticised aspects of ss5(6) to 5(8) of the 84 Act and it is pleasing to see that the new section 55 provisions go a long way to removing those concerns - gone is the odd concept of 'having reason to believe' that appeared in those provisions and the lacuna whereby it did not appear to be an offence if a person duped a data user into disclosing personal data to a third party.
This is not to say that section 55 will be without problems - 'without the consent of the data controller' is going to require some careful interpretation. In a recent successful prosecution an enquiry agent was convicted of s5(6) offences after duping BT into parting with ex-directory phone numbers. On some analyses it could be said that BT consented to the disclosure - certainly it was offered willingly - but only because BT was duped. Presumably the Commissioner is going to be arguing that consent must be interpreted as fully informed consent.
It is an offence to sell or to offer to sell personal data that has been unlawfully obtained/procured/disclosed. This is an effective (and sensible) extension of the similar provisions in s.5(7) (8) of the 84 Act.
These offences attract the same procedure and penalties as the non-notification offences.
Damaging and Distressing Data
Data which is particularly likely to cause significant damage or distress to data subjects or significantly to prejudice their rights and freedoms is subject to a special monitoring procedure by the Commissioner which is set out in s. 22. It is an offence for a controller to process such data without first complying with the monitoring procedure. Exactly what data this will protect will be the subject of an order made by the Home Secretary.
Data Subject Rights
As under the 84 Act a data subject's rights (which under the 98 Act are: to see their data; to prevent processing likely to cause damage or distress; to prevent direct marketing junk mail; or to object to automated decision-making) are enforced not by way of prosecution by the Commissioner but by the data subject applying for a court order. Again, as before, the data subject is given a right to compensation. In practice the Commissioner is likely to play a semi-formal role in such disputes by raising any pertinent complaints with the relevant data controller.
Angus Hamilton runs his own practice in North London. Since 1986 he has conducted prosecutions under the Data Protection Act for the Office of the Data Protection Registrar and has advised corporations on data protection compliance and other matters relating to computing and the law.
Copyright © 2000 Hamiltons Solicitors. All rights reserved.