DATA PROTECTION – Meet the new guard

A perennial complaint from small enterprises is the weight of bureaucracy imposed on directors and companies by government. Time-consuming, labour-intensive processes add to costs and divert attention away from the main activities of business. A typical example is data protection legislation.

But if companies find current data protection demands a headache, new proposals to extend and strengthen requirements will add substantially to the burden.

In January, the government unveiled the new data protection bill. So far, media coverage has concentrated on the likely costs to businesses. Given the estimates contained in the bill, this is not surprising. The government’s forecasts suggest that the start-up costs to business will be £836m with recurring costs of £630m. However, these figures are not so alarming when they are divided by the number of businesses in the UK. DTI figures indicate that there are 3.7 million businesses.

So, if government estimates are correct, the bill will cost each business around £225 start-up and £170 per year.

But Lord Williams of Mostyn, the junior Home Office minister who introduced this bill in the Lords, admitted that the figures were only a “guesstimate”.

Complex problem

One commentator has already dismissed these numbers as ‘ludicrous’, so we can anticipate a period of argument over what the real costs will be.

Even if the government figures are correct, the costs will probably be the least of the problems for small and growing businesses. The legislation is complex and detailed and it will impose an unwelcome new level of bureaucracy.

Making it understandable to the hard-pressed owner-manager of a small business will be a near impossible task.

The Act will extend data protection to all technologies (such as video and digital images) and, crucially, to records held in a ‘filing system’ (in other words traditional non-computerised files). It is not clear what the term ‘filing system’ covers.

Eager to embrace the fullest implications of new technology, the drafters have apparently forgotten their skills as communicators.

In its present form, the bill pays tribute to the makers of Yes, Prime Minister. Some of the language will confuse rather than enlighten. It talks about ‘any set of information relating to individuals to the extent that the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that particular information relating to a particular individual is readily accessible’.

There is already disagreement between the government and the data protection registrar (soon to be renamed the data protection commissioner) as to which sorts of records the definition covers. The registrar believes that it will cover a wide range of manual records. The government wants it to include such things as card-index systems but not collections of papers which only incidentally contain information about individuals. Lord Mostyn admits that the draftsmen have been unable to find a way of spelling out clearly exactly which records the definition covers.

This confusion must be cleared up before the bill becomes law. During consultation, businesses made clear to the government that what they valued above all was certainty. The burden of compliance will not be so severe if businesses know for sure which records the regulations cover. In the absence of certainty, the only safe assumption would be that the new law will cover all organised files on individuals (whether they are employees, customers or business contacts). It is likely that it will include the type of personnel file held by most employers.

In many respects, the new bill is similar to the existing law. Computer and filing system ‘controllers’ will still have to register with (now termed ‘notify’) the office of the data protection commissioner. It will be a criminal offence not to notify when required to do so. The bill includes data protection principles similar to those under the current Act. Controllers must ensure that data is fair, lawful, accurate, up-to-date, not kept for longer than necessary and kept securely.

The rights of access to computer data contained in the previous Act will now extend to filing systems. Businesses will need to put procedures in place to be sure that they comply properly with requests for access. If they do not have very many records, these procedures might involve no more than giving a particular employee the responsibility to make the records available on request. Larger organisations with many records may have to put more complex administrative procedures in place.

Marketing dilemma

The bill contains special provisions relating to data held for direct marketing purposes. Individuals now have the right to instruct a controller that they do not want to receive (or continue receiving) marketing material.

This will be a welcome move for those individuals who object to receiving junk mail. It will be less welcome to businesses involved in direct marketing whose operations will be restricted by this new layer of red tape.

They will have to introduce procedures to allow people to object to marketing.

They will have to keep records of those individuals who have objected, and cross-check against these records before distributing marketing material.

Another concern for the marketing industry (and other businesses) is the requirement for controllers to provide specified information to individuals.

To ensure that data is processed fairly, a controller must inform all the individuals whose data he processes who he is and why he is processing the data. This will be the case even where the controller has not obtained the data directly from those individuals. The rule could apply, for example, where a business purchases a mailing list.

The business may have to contact everybody on that list to provide the specified information. Such an onerous requirement would rule out many marketing initiatives and might put some companies out of business.

There is an exception to this requirement if providing the information would involve ‘disproportionate effort’. The bill does not explain what this means. This is another area where businesses need certainty. They need to know when they have to provide the information and what is meant by ‘disproportionate effort’. Without proper guidance, any mistakes could prove costly. A breach of the new regulations could mean not only enforcement action from the data protection commissioner but also claims for compensation from individuals.

The bill introduces restrictions on transfers of personal data to countries outside the EU. It forbids the transfers unless the country has adequate data protection. Before transferring data, controllers must consider, among other things, the law in force in the country in question and any international obligations to which the country is subject. This is not the type of information business people usually have at their fingertips.

It will surely be an obstacle for businesses hoping to engage in international trade and exchange of information; at worst, it may even prevent those activities altogether.

Internet considerations

The bill will cover personal information made available on the Internet or through e-mail communications. This could cause problems for individuals who send and receive information as well as for businesses who use the Internet to market and sell products.

One of the most unpopular aspects of the current data protection regime is the registration system. The registration forms and accompanying guidance are convoluted, unclear and can take many hours to complete. The fee for registration is currently £75 for a three-year period. Many small businesses resent the fact that they have to pay the same fee as large companies whose register entries cover many more data processing activities.

The bill does not give details of the notification system that is to replace the existing registration system. The data protection Registrar is currently developing proposals which will be subject to the government’s approval.

The government intends that the notification system will be simpler and less burdensome. It remains to be seen whether it meets this objective.

Anita Hunt is technical projects officer at ACCA. She worked at the data protection Registrar’s office and the Home Office data protection unit before joining ACCA.
