The Data Protection Act – what you need to know

by Gordon Brewster

Best practice for legal firms when dealing with issues under the 1998 Act

The Journal, March 2003, page 40

In January a number of firms contacted the Society concerned about a letter they had received from a firm called ‘Data Protection Agency Services’.

The letter, headed ‘final notice’ used assertive language, requesting the firm send a cheque for £95 ‘to commence registration’ with the Information Commissioner, as ‘the Data Protection Act 1998 requires every business processing personal data to register or face a maximum fine of £5,000’.

The Society checked the position with the Information Commissioner and immediately contacted all firms by fax informing them about the actual fee which should be paid to the Commissioner and urging caution should they receive a letter from organisations other than the Commissioner’s office.

The Commissioner makes it clear on his website that there is no connection with Data Protection Agency Services. The OFT are aware of this organisation having received “hundreds of complaints”, whilst the BBC Watchdog programme carried out an investigation last September.

The Society recommends that all firms notify the Commissioner as a matter of best practice (regardless of whether an exemption may exist). The annual fee is £35 and should be paid directly to the Commissioner’s office. Firms should automatically receive an annual reminder letter.

The letter resulted in a large response from members, welcoming the Society’s actions but raising questions about the Data Protection Act and its requirements. In particular, members wanted to know:

  • Definitions within the Act
  • The requirement and process of notification
  • The Principles of the Act
  • Subject Access Requests and guidance on how to handle and prepare for them

This article considers the first two points and a follow-up article will address the second two points.

While the articles address the issues most frequently raised, they are introductory. A fuller understanding of the Act is always to be encouraged. The Act is a complex piece of legislation with complex rules and it may be necessary to seek expert advice from time to time.

Definitions

In understanding the 1998 Act it is essential to understand the definitions it sets out. By doing so the Act will make more sense.

“Data controller” the person (or firm or organisation) that decides what personal data is held and how it is used (e.g. the Society is a data controller)

“Data subject” a living individual who is the subject of the personal data held. Note the inclusion of the word ‘living’ (e.g. a client or a member of staff)

“Personal data” means information from which a living individual can be identified, including expressions of opinion and records of intentions towards that person (e.g. a client file or a staff file)

“Sensitive personal data” means personal data about intimate personal details, including ethnic origin, political opinion, physical or mental illness, and any criminal record (e.g. health information on a client)

“Processing” has a very comprehensive meaning, and covers any activity which can be carried out using personal data, from collecting and obtaining through holding and organising to modifying and destroying that data (e.g. shredding paperwork)

Notification

Members expressed uncertainty as to the need to notify. Notification is the process by which a data controller’s details are added to the public register of data controllers, maintained by the Information Commissioner.

Basic information on the data controller is included, such as the name and address together with a general description of what personal data processing is carried out. Anyone can inspect the register on line at www.dataprotection.gov.uk and will find out about the processing of personal data by a given data controller.  

The Society carried out research to find out how many firms (data controllers) have notified. It randomly selected 154 firms. They were selected on the basis of number of partners: 1-5 (108 firms), 6 - 14 (27 firms) and 15+(19 firms) and geographical spread of 50 from the Central Belt and 104 from around Scotland. The results are shown in figures 1 and 2:

Figure 1. Breakdown of firm size in sample showing notification status against firm size

Figure 2. Geographical spread of firms in sample showing notification status against geographical area

The research showed that only 54% of firms have notified, whilst 46% have not.  This bears out the feedback to the Society from firms unsure about whether they should notify or not.

The Society strongly recommends all firms to notify. While forms and full guidance on notification can be found at www.dataprotection.gov.uk or by telephoning the Information Commissioner’s help line 01625 545 740, set out below is a very simple step-by-step guide:

  • s17 (1) [of the Act] requires that a data controller notify prior to processing data
  • s17 (2) permits an exception if data processed is neither “processed by means of equipment operating automatically in response to instructions given for that purpose” or “is recorded with the intention that it should be processed by means of such equipment”
  • Virtually any kind of computer equipment, from a simple word processor through to a complex client relations management system, falls within the s17 (2) definition
  • The processing mentioned in s17 (1) is far reaching and will include normal day-to-day usage of a computer in a solicitor’s office – writing letters, drafting deeds etc
  • Unless a solicitor uses no computer equipment whatsoever notification is mandatory. (Further information on exemptions can be found at www.dpr.gov.uk/downloads/selfassess.doc )
  • Even where there is doubt, the Society considers it best practice to notify. The cost is minimal, whereas the consequences for failing to notify are potentially damaging

Note that the Society does not have a collective notification policy to cover all firms as some members have suggested might be in place. Under the definitions of the Act, firms are data controllers in their own right and it is therefore their responsibility to notify.

Some firms will have been registered (as it was previously called) under the Data Protection Act 1984, paying £75 every three years.  Given that the 1998 Act came into force on 1st March 2000 some firms may still just, have their 1984 Act registration in place (one firm for example that the Society spoke to, have a registration in place until May 2003).  Firms in this position should ensure they notify at the appropriate time (reference should be made to www.dataprotection.gov.uk on the exact process in moving from 1984 Act registration to 1998 Act notification).

In any event, while there may be a notification exemption there is no escape from compliance with the eight Data Protection Principles and the provisions of the Act. The Information Commissioner can enforce these against a data controller who is in contravention of them.  Confusion is possible as this is a different position from that which existed under the 1984 Act, which allowed non-compliance if there was no need to register. It is essential that all firms comply with the Principles and provisions of the Act.

In the second article the Principles of the Act will be considered and in particular one and seven. That article will also provide guidance on handling and preparing for subject access requests.

Gordon Brewster is Director of IT at The Law Society of Scotland

LAW SOCIETY - HOME REPORTS LAW SOCIETY - EMPLOYMENT LAW

Current Issue Features

Braving the storm

How different types of legal firm are coping with the current economic downturn, and how they see their future

Civil justice: where next?

An abridged version of the keynote address delivered to the conference on civil justice held in Edinburgh on 20 June

Title Conditions Act: new registration procedures

New procedures are in place for deeds intended to create new real burdens, to assist solicitors in complying with the requirement for dual registration

Young lawyers reborn

Interview with Scottish Young Lawyers Association President Maryam Labaki on SYLA's ambitions as it relaunches

Shining some more light...

Second part of overview of this year's Finance Act looks at the provisions on savings, pensions, residence/domicile and business taxes, among others

Power to the tribunal?

An advocate's and a solicitor's views of how the Scottish Government's proposed reforms to arbitration law might work in practice

Piece by piece

A progress report from England & Wales on the setting up of the complex regulatory machinery under the Legal Services Act 2007

The poor in our midst

Interview with Scottish Solicitors' Benevolent Fund convener Craig Bennet, who aims to raise awareness of the Fund so it can provide more help to those in need


Current Issue Articles

Shifting sands

President's message: with economic issues dominating the profession's thoughts, the Society is taking steps to provide advice and support to those in need

A rank bad rule

Opinion by two advocates that the Faculty's response to the OFT does its members a disservice by defending the cab rank rule and by resisting the use of ABS

The Society's future role in complaints handling

A reminder, in the light of reactions to the first levy issued on behalf of the new Complaints Commission, of when and how the Society's responsibilities are changing

Appreciation: Lord Johnston

Report of the tribute paid in court by the Lord President

Professional Practice Committee

New guidelines on acting as a company director; and document control and file tracking

Facing the lean years

Some advice on how to pull through a recession and be ready for the next upturn, as word goes round of legal firms looking at staff cuts and other measures (part 1 of 2)

It's a web 2.0 world

The interactive nature of web 2.0 technology presents business opportunities, while posing new risks for those with inadequate precautions as to employee internet use

Questions, questions

In reviewing their risk profiles and risk controls, all firms might benefit from conducting a self-assessment by addressing questions put by some insurers elsewhere

Bare necessities

Latest criminal cases, including offensive weapons; Moorov rule; withdrawal of representation; evidence of a deceased; contempt of court by solicitor

Coming on the blind side

A technical-sounding consultation, currently open for comments, covers some significant aspects of dispute resolution in employment

Relocation, relocation

A recent decision explores the matters to consider when one parent wants to relocate abroad along with their child

Worse than the disease?

Has the UK quietly outlawed "alternative" medicine through the Consumer Protection from Unfair Trading Regulations?

Sleeping bounty

The Scottish Community Foundation has a scheme to breathe new life into dormant charitable trusts

Scottish Solicitors' Discipline Tribunal

Reports relating to Eileen Agnes Coogans; Zosia Marion Elizabeth Fraser; Annaline Webster; Ian Samuel Gerard Donnelly; Mark David Sheppard

Website reviews

Reviews of sites of organisations concerned with domain name disputes

Book reviews

Review of Child and Family Law (Sutherland)

Industry standard

A survey south of the border suggests that in-house work in commerce and industry doesn't always match expectations - but most in-house lawyers expect to stay

Meet the committee

Profile of In-house Lawyers Group committee member Sara Scott

What's in a motto?

A sample of In-house Lawyers Group members' notarial mottoes, collected by ILG secretary Tricia Sim

Leasing by example

"Green leases" appear to be some way off yet for the UK, but a Canadian model now published shows how they might work

Good call?

Reply to article questioning the Donald Trump planning application call-in argues that the decision is both competent and consistent with proper operation of the system

Home reports - the practice questions

Open letter over reservations as to the Society's proposed guidelines on the operation of home reports, in so far as they deal with conflict of interest