GAZETTE
MARCH 1989
The Data Protection Act 1988 - Must you Register?
The Act aims to give effect to the Council of Europe Data Protection
Convention and so to protect the privacy of individuals about whom
automated personal data are kept. It applies whether or not the
personal data are kept on mainframes, minicomputers,
microcomputers or word processors.
The Convention contains basic principles of data protection and
rules for the transborder flow of personal data. The Act obliges all
persons who control the contents and use of personal data ("data
controllers") or who process personal data on their behalf ("data
processors") to comply with these basic principles and it confers
new rights on individuals ("data subjects").
All data controllers must ensure
that data are collected fairly; are
accurate and up-to-date; are kept
only for specified and lawful
purposes; are adequate and not
excessive, and are not kept longer
than is necessary in relation to
those purposes. The test to be
applied when determining whether
a person is a data controller is
"Does the person control the
contents and use of personal
data?" A data controller can be an
individual, a firm or a corporate or
an unincorporated body.
Both data controllers and data
processors must take appropriate
security measures against
unauthorised access to, or alteration,
disclosure or destruction of the
data and against their accidental
loss or destruction.
In accordance with the
Convention, every individual, regardless of
nationality or residence, must enjoy
the rights it confers. The first major
one is the right to establish the
existence of personal data. An
individual may exercise it free of
charge by writing to any person he
believes keeps personal data and he
must be told within twenty-one
days whether any such data are
kept and, if so, the nature of the
data and the purposes for which
they are kept.
The second major right entitles
an individual to have access to any
personal data kept in relation to
him. He must be given a copy of the
data within forty days of requesting
it on payment of an access fee,
which is optional but cannot
exceed £5. In certain cases the fee
is refundable, for example, if the
access request gives rise to a need
to materially modify the data.
By Donal C. Linehan, Data Protection Commissioner
The right of access is not
absolute. It is subject to a number
of restrictions in the interest of the
rights and freedoms of others, for
example, where exercise of the
right would prejudice the matters in
respect of which the personal data
are kept. However, in these cases
a data subject may appeal to the
Data Protection Commissioner if he
feels that the exemption claimed is
not justified. The Commissioner
must investigate every complaint
unless it is frivolous or vexatious.
Section 4 of the Act, which gives
the right to access, contains an
important provision for those
involved in the areas of health and
social work. It enables the Minister
for Justice, if he considers it
desirable in the interests of data
subjects (after consultation with
the Minister for Health and other
Ministers concerned) to make
regulations modifying the right of
access to personal data relating to
physical or mental health or to
social work. These regulations are
in course of preparation and will be
made before the right of access
becomes exercisable (19 April
1989).
The third major right given to an
individual enables him to have
personal data rectified or erased if
such data are kept in contravention
of any of the data protection
provisions. The data controller
must comply with such a request
within forty days. However, a data
controller can refuse to accede to
such a request and will still be
regarded as having complied with
the Act if he supplements the data
with a statement agreed between
the data subject and the data
controller involved.
An innovative right contained in
the Act is that which allows an
individual to have his or her name
removed from a direct marketing or
direct mailing list.
Only certain categories of data
controllers are required to register
in the register established and
maintained by the Commissioner,
who is responsible for supervising
the application of the Act. The data
controllers required to register
include virtually all those in the
public sector; financial institutions,
insurance companies and persons
or firms whose business consists