The Gazette 1989
GAZETTE
MARCH 1989
The Data Protection Act 1988 - Must you Register?
The Act aims to give effect to the Council of Europe Data Protection Convention and so to protect the privacy of individuals about whom automated personal data are kept. It applies whether or not the personal data are kept on mainframes, minicomputers, microcomputers or word processors. The Convention contains basic principles of data protection and rules for the transborder flow of personal data. The Act obliges all persons who control the contents and use of personal data ("data controllers") or who process personal data on their behalf ("data processors") to comply with these basic principles and it confers new rights on individuals ("data subjects"). All data controllers must ensure which is optional but cannot
made before the right of access becomes exercisable (19 April 1989). The third major right given to an individual enables him to have per- sonal data rectified or erased if such data are kept in contravention of any of the data protection provisions. The data controller must comply with such a request within forty days. However, a data controller can refuse to accede to such a request and will still be regarded as having complied with the Act if he supplements the data with a statement agreed between the data subject and the data controller involved. An innovative right contained in the Act is that which allows an individual to have his or her name removed from a direct marketing or direct mailing list. Only certain categories of data controllers are required to register in the register established and maintained by the Commissioner, who is responsible for supervising the application of the Act. The data controllers required to register include virtually all those in the public sector; financial institutions, insurance companies and persons or firms whose business consists
that data are collected fairly; are accurate and up-to-date; are kept only for specified and lawful purposes; are adequate and not excessive, and are not kept longer than is necessary in relation to those purposes. The test to be applied when determining whether a person is a data controller is "Does the. person control the contents and use of personal data?" A data controller can be an individual, a firm or a corporate or an unincorporated body. Both data controllers and data processors must take appropriate security measures against unauth- orised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction. In accordance with the Conven- tion, every individual, regardless of nationality or residence, must enjoy the rights it confers. The first major one is the right to establish the existence of personal data. An individual may exercise it free of charge by writing to any person he believes keeps personal data and he must be told within twenty-one days whether any such data are kept and, if so, the nature of the data and the purposes for which they are kept. The second major right entitles an individual to have access to any personal data kept in relation to him. He must be given a copy of the data within forty days of requesting it on payment of an access fee,
exceed £5. In certain cases the fee is refundable, for example, if the access request gives rise to a need to materially modify the data. The right of access is not absolute. It is subject to a number of restrictions in the interest of the rights and freedoms of others, for
By Donal C. Linehan, Data Protection Commissioner
example, where exercise of the right would prejudice the matters in respect of which the personal data are kept. However, in these cases a data subject may appeal to the Data Protection Commissioner if he feels that the exemption claimed is not justified. The Commissioner must investigate every complaint unless it is frivolous or vexatious. Section 4 of the Act, which gives the right to access, contains an important provision for those involved in the areas of health and social work. It enables the Minister for Justice, if he considers it desirable in the interests of data subjects (after consultation with the Minister for Health and other Ministers concerned) to make regulations modifying the right of access to personal data relating to physical or mental health or to social work. These regulations are in course of preparation and will be
Donal C. Linehan.
89
Made with FlippingBook