Data law is late

October 23, 1998

Researchers need to find out now whether they will breach data privacy laws, says Andrew Charlesworth.

By tomorrow European Union member states should have implemented the 1995 EU Data Protection Directive, controlling use of personal data held on computers and in some manual filing systems. The United Kingdom has missed the deadline.

The Data Protection Act 1998 received royal assent on July 16, but will not come into force this weekend. The government has not completed the necessary secondary legislation - the detailed regulations to be drawn up under the act's enabling powers. This is likely to happen early in the new year - the public consultation on the secondary legislation having already quietly taken place.

Even then, several key elements of the act, including those relating to manual data, will not come into force immediately, but be phased in between now and October 2007. Despite this, institutions should be acquainting themselves with the law and what it has to say about such things as examination scripts and medical and social research files. There are new controls on personal data transfer to nations outside the European Economic Area, designed in part to stop companies avoiding European Union laws by using non-EEA "data havens". These could conceivably affect universities which franchise their courses to overseas institutions, or outsource their data processing to multinational companies. The most widely-publicised change to the existing legislation is that manual records held in "relevant filing systems" fall within the act's definition of "data". However, there is still disagreement as to what a relevant filing system would be.

A further change concerns the processing of "sensitive personal data", that is, data relating to race, ethnic origin, political or religious views and health. Processing this data is subject to much stricter controls than other personal data.

Personal data processed only for research purposes (including historical and statistical purposes) continues to receive certain exemptions. To benefit from the exemptions researchers must not use the data to support measures or decisions with respect to particular individuals or in a manner that causes them substantial harm or distress. Nor can they identify individuals in the resulting publications or statistics. If researchers breach these conditions, their work loses exempted status, and will be subject to the full provisions and penalties of the act.

However, a crucial change arises out of the differentiation between "personal data" and "sensitive personal data". Researchers, particularly in the social sciences and medical fields, may find that this affects their work. One higher education institution has already discovered that an on-going research project may be affected, having been informed by the office of Data Protection Registrar Elizabeth France that it is unlikely to meet the criteria for the processing of sensitive personal data. Representations may need to be made to the Secretary of State for a specific exemption.

The EU directive sought a balance between personal data privacy and freedom of information. The act provides wide exemptions for journalistic, artistic and literary purposes, where processing takes place with a view to publication, and where the data controller reasonably believes that publication would be in the public interest. The courts will be left to determine who is a journalist, artist or litterateur, and the definition of "the public interest". Examination marks will be treated much as before, but the act extends the exemption from denying students access to examination scripts. Confidential references, such as those provided by tutors to employers, are also exempted, as far as the original referee is concerned. However, if the recipient of the confidential reference retains it in a form covered by the act, they might be compelled to reveal it.

Andrew Charlesworth is senior lecturer in IT law and director, Information Law and Technology Unit, University of Hull Law School.

Text of the new Act is on the HMSO website: http://www.hmso.gov.uk/. The Data Protection Registrar's legislation webpage: http://www.open.gov.uk/dpr/eurotalk.htm. Consultation Paper on Subordinate Legislation: http://www.homeoffice.gov.uk/ccpd/condpa.htm. Comments of the Data Protection Registrar: http://www.open.gov.uk/dpr/subord.html. Consultation Paper on Notification Regulations: http://www.homeoffice.gov.uk/ccpd/condpa2.htm. Comments of the Data Protection Registrar: http://www.open.gov.uk/dpr/notific.html
