The UK Data Protection Act 1998 — Data Subjects' Rights


DATA PROTECTION

THE UK DATA PROTECTION ACT 1998 - DATA SUBJECTS' RIGHTS

David Bainbridge and Graham Pearce

The Data Protection Act 1998 received the Royal Assent on 16 July 1998. Although it should come into force by 24 October 1998, it now looks as if it will not be until 1 January 1999 that its main provisions will take effect, because of the time needed to prepare regulations under the Act, including the notification regulations.[1] In Part III of their analysis of the UK Data Protection Act 1998 the authors examine the new and enhanced rights of data subjects.

INTRODUCTION

An important feature of the new law is that rights of data subjects are significantly enhanced and extended. The duty of data controllers to provide information to data subjects when the data are obtained from them and in other cases has already been noted in a recent article on the new law.[2] This is a new departure since, previously, any duty to provide information when collecting data from data subjects arose in limited circumstances, for example where the data were to be used subsequently for a purpose which would not have been obvious to the data subject at the time the data were obtained from him.[3]

Other new rights given to data subjects are a right to object to processing likely to cause substantial damage or substantial distress, a right to prevent processing for the purpose of direct marketing and rights in relation to certain forms of automated decision-taking. Previously, the only control data subjects had in such cases was based on the first data protection principle in that personal data must be obtained and processed fairly and lawfully. For example, in British Gas Trading Ltd v Data Protection Registrar,[4] it was held that it was not fair processing simply to inform existing customers inherited from predecessors of British Gas Trading Ltd of the proposed marketing of non-gas-related products or services, giving them an opportunity to opt out by completing and returning a coupon. Making specific provision for these new rights is more satisfactory than having to rely on the question of what does or does not constitute fair processing. Furthermore, these new rights are almost certainly more extensive than what would otherwise be available on the basis of fair processing under the first data protection principle.

The data subject's right of access is improved and a prohibition of enforced subject access in relation to certain types of records is introduced and backed by criminal sanctions. In terms of subject access, far more information must be provided by the data controller than previously was the case. Rights in relation to inaccurate data are improved and, finally, the data subject's rights to compensation are extended so as to be available, potentially, in respect of any contravention of the Act. Previously, compensation was available only for loss, unauthorized destruction or unauthorized disclosure of personal data.

In the following discussion, the new and enhanced rights of data subjects are examined and appraised.

DATA SUBJECTS' RIGHT OF ACCESS

Sections 7 to 9 of the Data Protection Act 1998 deal with data subjects' right of access. The information to be given to the data subject is specified in Section 7 and is:
• whether any data relating to the data subject are being processed by or on behalf of the data controller and, if so, the data controller must:
  • give a description of the personal data,
  • the purposes for which they are being or are to be processed, and
  • the recipients or classes of recipients to whom they are or may be disclosed;
• communication to the data subject in an intelligible form, accompanied with an explanation if necessary, of:
  • the information constituting the personal data (a copy in permanent form unless this is not possible or would require a disproportionate effort or where the data subject agrees otherwise),
  • any available information as to the source of the data, and
  • a description of the logic of any automated decision-taking (see below).

More information must be provided than under the 1984 Act which simply required the data subject to be informed as to whether the data user[5] held data concerning him and, if so, to give the data subject access to those data. Section 7 states that the data subject is entitled to the information concerned but does not go so far as to require the data controller to give all the information if not specifically asked for by the data subject. A data subject may, for example, make a subject access request, asking only for a copy of the data relating to him. Presumably because of this, regulations may be made by the Secretary of State in prescribed cases to treat a request for any information required to be given as extending to other information to be given under Section 7. The information to be given must be as it was when the request was received apart from deletions or amendments that would have been made, notwithstanding the request.

Computer Law & Security Report Vol. 14 no. 6 1998 401 ISSN 0267 3649/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved

The data controller can refuse to comply with a subsequent identical or similar request by a particular individual unless a reasonable interval has elapsed. In determining what a reasonable interval is, regard shall be had to the nature of the data, the purposes of the processing and the frequency with which the data are altered.

Where the processing is by automatic means and has constituted or is likely to constitute the sole basis for any decision significantly affecting him, the data subject has the right to be informed of the logic involved in that decision-taking but not if, or to the extent that, the information constitutes a trade secret. 'Trade secret' is not defined but it would be sensible to apply the meaning used in the law of breach of confidence, albeit not clearly defined. One approach would be to consider a 'trade secret' in this context as information the disclosure of which could harm the data controller's legitimate interests or be of benefit to a competitor. Inevitably, data controllers will be worried about disclosing much about the logic underlying their automated decision-taking and are likely to interpret 'trade secret' fairly widely. They may decide that all the logic is a trade secret and refuse to disclose anything. This appears to be possible under the Act although this is a clear contradiction of the Directive.[6]

There are specific provisions dealing with the situation when compliance with a subject access request would disclose information relating to another identifiable individual. To comply with the request, the data controller must be satisfied that the other person has consented to the disclosure of his personal data to the person making the request or where it is reasonable in all the circumstances to comply without the consent of the other. In determining whether it is reasonable in all the circumstances to comply without the consent of the other, factors that may be taken into account are any duty of confidentiality owed to the other, any steps taken by the data controller to gain the consent of the other, whether the other is capable of giving consent and any express refusal of consent by the other individual. In other cases, lack of consent does not excuse a data controller complying with the subject access request where he can provide the information without disclosing the identity of the other individual, for example, by omitting the name or other identifying particulars.

Further provisions deal with the period within which the data controller has to comply with a subject access request and the need for the data subject to make a written request providing sufficient information and paying the required fee. The basic time period will be 40 days (this may be altered by regulations) though there is no mention of the maximum fee that can be charged (it will be prescribed by regulations made under the Act). Different time periods and fees may be prescribed in different cases. Any failure to comply with a subject access request may result in a court order ordering compliance.

CREDIT REFERENCE AGENCIES

Under Section 9 an application for subject access to a credit reference agency is taken to be limited to financial information relating to the data subject unless a contrary intention is expressed. The data controller must include with his response a statement of the data subject's rights under Section 159 of the Consumer Credit Act 1974, to the extent required as prescribed. Section 62 of the Data Protection Act 1998 modifies Section 158 of the Consumer Credit Act 1974 and the right under that Section to obtain a copy of a file applies only in relation to partnerships. For other individuals the right to a copy of the file is under Section 9 of the 1998 Act although the right of correction remains under Section 159 of the 1974 Act.

ENFORCED SUBJECT ACCESS

In a late amendment to the Bill, provisions were included to prevent, in specified cases, enforced subject access. An example is where a potential employer requires a job applicant to provide a copy of his police file showing whether the data subject has been convicted or cautioned in relation to any offences. Control over enforced subject access is something the Data Protection Registrar has long campaigned for, recognizing that it is an abuse of the data subject's right of access. Section 56 of the Act sets out the situations where enforced subject access is prohibited, being in relation to:
• the recruitment of another as an employee
• the continued employment of another person
• any contract for the provision of services by another person
• the provision of goods, facilities or services to any person (this extends also to the supply of a 'relevant record' by a third-party)

Section 56 applies to 'relevant records', being those showing convictions and cautions where the data controller is a chief officer of police or the Secretary of State. Also included are details of the detention of young persons for long periods of time for grave crimes under Section 53 of the Children and Young Persons Act 1933, the Secretary of State's functions under the Prison Act 1952, under the Social Security Contributions and Benefits Act 1992, the Social Security Administration Act 1992, the Jobseekers Act 1995 or in relation to certificates of criminal records under Part V of the Police Act 1997. The provisions also apply, mutatis mutandis, to Scotland and Northern Ireland.

Contravention of the prohibitions on enforced subject access mentioned above is a criminal offence of strict liability. However, the provisions do not apply where the requirement is authorized or required by law or by court order or is justified as being in the public interest (this does not include the ground that it would assist in the prevention or detection of crime).

A further restriction on enforced subject access is contained in Section 57 under which any term or condition in a contract is void in as much as it purports to require the supply of, or the production to another person, of a record, copy or part of a record consisting of information contained in any health record as defined in Section 68(2). These are records consisting of information relating to the physical or mental health or condition of an individual which have been made by or on behalf of a health professional[7] in connection with the care of that individual. There are no criminal penalties associated with the use of such contractual terms or conditions.


RIGHT TO PREVENT PROCESSING LIKELY TO CAUSE DAMAGE OR DISTRESS

A data subject can require the data controller to cease or not to begin processing for a specified purpose or in a specified manner on the ground that, for specified reasons, it is unwarranted as causing or being likely to cause substantial damage or substantial distress to him or another; Section 10(1). This right does not apply to processing under conditions 1 to 4 in Schedule 2, being processing where the data subject has given consent, where necessary in relation to a contract or for compliance with a legal obligation or to protect the vital interests of the data subject. The Secretary of State may order further exceptions to this right.

The data subject has to give notice in writing to the data controller, specifying the purpose or manner of the processing objected to and the reasons why he or another is likely to be caused substantial damage or substantial distress. Within 21 days, the data controller must give written notice stating that he has complied with the notice or that he intends to do so or stating why he considers the notice unjustified to any extent and the extent, if any, to which he has complied or intends to comply with the notice.

A court can order the data controller to comply with the data subject's notice if the court considers the notice justified and the data controller has failed to comply with it. It is not an easy matter to think of an example where such a notice would be justified if the processing is otherwise, as it should be of course, in compliance with the data protection principles. In the Home Office Consultation Paper on the Data Protection Directive, it was suggested that it could apply where data, which, although processed in accordance with the new law, would in practice be likely to come into the hands of persons known to the data subject.[8]

RIGHT TO PREVENT PROCESSING FOR PURPOSES OF DIRECT MARKETING

A data subject has a right, by giving written notice, to require a data controller to cease within a reasonable time in the circumstances or not to begin processing his personal data for the purposes of direct marketing; Section 11. 'Direct marketing' means the communication by any means of any advertising or marketing material which is directed at particular individuals. This right is absolute. Again the court has the power to order the data controller to comply with the notice.

The data controller must respond by giving the data subject a written notice within 21 days of receipt of the data subject's notice stating what steps he has or will take to comply with it.

If a data subject does not exercise this right or the above right to prevent processing which is likely to cause substantial damage or substantial distress, this does not affect his other rights under Part II of the Act (rights of data subjects and others).

AUTOMATED DECISION-TAKING

Section 12 deals with automated decision-taking and results from concerns at the European Commission about the dangers associated with such decision-taking, particularly in relation to certain types of decisions. The Directive permitted such decision-taking only in the context of contracts or, subject to safeguards, where national legislation specifically allowed it.[9]

The provisions are directed at decision-taking significantly affecting an individual which is based solely on processing by automatic means of personal data relating to that individual for the purposes of evaluating certain matters relating to him. Examples are given, being his performance of work, his creditworthiness, his reliability or his conduct; Section 12(1). It is notable that the definition is not exhaustive and the extent of the provisions is, accordingly, difficult to predict.

In the original form of the Bill such automated decision-taking was allowed in very limited circumstances, being where:
• the decision is taken in the course of steps taken to consider whether to enter into a contract with the data subject or with a view to entering such a contract or for performing such a contract or if it is authorized or required by or under any enactment
• the effect of the decision is to grant a request of the data subject or, if not, steps have been taken to safeguard his legitimate interests (for example, by allowing him to make representations)

In the Act, these are known as 'exempt decisions' and may be added to by the Secretary of State by order.

There was a substantial and significant amendment to the Bill in the House of Lords and the Act contains no particular restrictions on automated decision-taking except that data subjects are given a right to prevent such decisions by serving a notice on the data controller, except in the context of exempt decisions as defined above: Section 12.

Apart from exempt decisions and otherwise where no notice has been given by the data subject, the safeguards are provided by means of the data controller being required to notify the data subject that the decision was taken on the basis of automated decision-taking as soon as reasonably practicable. The data subject then has the opportunity to ask the data controller to reconsider the decision or take a new decision by other means within 21 days of a written request to do so by the data subject.

A court can order that a person making a decision on the basis of automated decision-taking reconsiders it or takes a new decision which is not based solely on automated decision-taking if he has failed to comply with a data subject notice. The order must not affect the rights of any person other than the data subject and the person taking the decision in respect of him.

COMPENSATION

Data subjects are entitled to compensation from the data controller for damage resulting from a contravention of any of the requirements in the new Act. Although similar in operation, this is much wider than under the 1984 Act as it extends to any contravention of the Act. Compensation for distress is also available. This applies where damage also is present or the contravention concerns processing for the 'special purposes': being the purposes of journalism, artistic or literary purposes. Thus, where processing is for the special purposes, compensation for distress is available in the absence of specific damage.

The right to compensation is tempered by the existence of a defence similar to that under the 1984 Act, being where the data controller can prove that he took such care as was in all the circumstances reasonably required to comply with the requirement which has been contravened.

RIGHTS IN RELATION TO INACCURATE DATA

Data are inaccurate if they are incorrect or misleading as to any matter of fact: Section 70(2). This is the same definition as under the 1984 Act.

Inaccurate data may be ordered by a court, on application by the data subject, to be rectified, blocked, erased or destroyed if the court is satisfied that they are inaccurate. This extends to other data which contain an expression of opinion about the data subject which is based upon such inaccurate data: Section 14. It would seem that a statement of intention based on inaccurate data is not within the section. 'Blocking' is not defined but, presumably, means that the data are not erased as such but are suppressed from further processing, for example by setting a software flag in the record in a database containing the personal data in question. The inclusion of destruction is intended to apply where the personal data are stored in paper form.

Paragraph 7 of Part II of Schedule 1 (interpretation of the principles) states that it is not a contravention of the fourth principle (data shall be accurate and, where necessary, up to date) if the data accurately record information given by the data subject or a third-party where, having regard to the purposes for which the data were obtained and further processed, the data controller has taken reasonable steps in the circumstances to ensure the accuracy of the data and, if notified by the data subject of his view that the data are inaccurate, the data indicate that fact.

Where this is the case, the court may instead of ordering rectification, etc., require a supplementary statement of the true facts. If data accurately record information received or obtained from the data subject or a third-party but Paragraph 7 of Part II of Schedule 1 does not apply (for example, where the data controller has failed to take reasonable steps to ensure accuracy), the court may instead of ordering rectification etc., make an order to secure compliance with the fourth principle with or without a further order for a supplementary statement of the true facts.

The court has a general power to order erasure, destruction or blocking of data where the data subject has suffered damage and where there is a substantial risk of a further failure to comply with the provisions of the Act. This could apply, for example, where data are accurate but excessive in breach of the third data protection principle.[10]

It is important to stress that the new Act covers any contravention of the Act whilst the 1984 Act was limited to contraventions relating to loss, unauthorized destruction, disclosure or unauthorized access. Furthermore, the 1984 Act was limited to erasure and did not cover destruction or blocking.

In addition to the order above a court may, where it considers it to be reasonably practicable, order the data controller to notify third-parties to whom the data have been disclosed of the rectification, blocking, erasure or disclosure. Regard is to be had, in particular, to the number of persons involved. In the Directive third-parties are required to be notified unless it proves impossible or involves a disproportionate effort. To some extent, this may be a question of how well the data controller's software records or logs disclosures. Recipients of personal data should consider requiring notification of inaccuracies by the data controller from whom the data are obtained, otherwise the recipients may themselves be in breach of the fourth data protection principle.

JURISDICTION AND PROCEDURE

Under Section 15 jurisdiction is conferred, in England and Wales, on the High Court or a county court. Where there is an issue as to whether a data subject is entitled to subject access under Section 7 (including information as to the logic in any automated decision-taking), the data subject or his representative will not have access to the information to be provided in response to a subject access request unless and until the court determines the question of right of access in favour of the data subject. This could be important, for example, where a data controller has refused to comply with a data subject access request, alleging that the processing concerned is exempt from the subject access provisions. The court will grant the data subject or his representative access only if it rules that the data controller cannot rely on the exemption.

SUMMARY

It can be seen that data subjects' rights are greatly enhanced under the 1998 Act. Many data subjects will welcome the absolute right to prevent processing for direct marketing and the right to information about the processing of their data in addition to access to data relating to them held by the data controller. Bearing in mind that the rights of access will also apply to manual processing where the data are contained in a 'relevant filing system' and to 'accessible records',[11] this is a logical and useful extension to data protection law. There is now no benefit to be gained by eschewing computer technology to avoid regulatory control of the processing of personal data. However, under the transitional provisions, access to data in relevant filing systems, where processing is already underway before 24 October 1998, will not be available until 24 October 2001.

It appears that a data controller does not have to provide all the information under Section 7 to an individual making a subject access request unless that individual specifically asks for it. This could be seen as a serious flaw and it is highly arguable that all the information mentioned in Section 7 should be given as a matter of course whether or not asked for. Many individuals will not realize that they have a right to information about the processing in addition to access to their personal data. There is provision for the Secretary of State, in prescribed cases, to order that any request extends to all the information but this seems a very half-hearted approach and is not in the spirit of the Directive. An important part of the Commissioner's role may be to raise public awareness that the right of access applies to more information than was the case under the 1984 Act.

404 Computer Law & Security Report Vol. 14 no. 6 1998 ISSN 0267 3649/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved


It is by no means clear how well the rights of data subjects in relation to certain forms of automated decision-taking will work in practice and to what extent these rights will be exercised in practice. Data controllers are unlikely to greet with warmth the prospect of reconsidering such decisions or, worse still, receiving notices from data subjects requiring the data controller not to take decisions affecting him by automatic means.

It also remains to be seen whether the new and enhanced rights will result in significant improvements in the quality and accuracy of personal data and the fairness of processing. Such improvements are all the more desirable in view of the growing use of data-matching and data warehousing. It could be argued that there are too many escape routes for the data controller and data subjects may find, as under the 1984 Act, that the most effective form of control over breaches of the data protection principles affecting them as individuals is afforded by referring the matter to the Data Protection Commissioner.

David Bainbridge (Report Correspondent) and Graham Pearce, Aston Business School, Aston University

Footnotes

1 Data Protection Registrar (1998), Data Protection Act. Preparing for the New Law, 21 July.

2 Bainbridge, D. and Pearce, G., 'Data Controllers and the New Data Protection Law', [1998] 14 CLSR 259.

3 For example, as in Innovations (Mail Order) Ltd v Data Protection Registrar (unreported) 29 September 1993, Data Protection Tribunal, Case DA/92 31/49/1.

4 (Unreported) 24 March 1998, Data Protection Tribunal.

5 'Data controller' under the 1998 Act.

6 Recital 41 to the Directive excuses the giving of information if to do so would adversely affect trade secrets or intellectual property and, in particular, software copyright. However, it goes on to say that this must not result in the data subject being refused all information.

7 Extensively defined in Section 69.

8 Home Office (1996), Consultation Paper on the EC Data Protection Directive (95/46/EC), p. 30.

9 Article 15 of the Directive.

10 Cf cases under the 1984 Act such as Rhondda BC v Data Protection Registrar (unreported) 11 October 1991, where the Tribunal upheld the Registrar's interpretation of the fourth principle and confirmed his enforcement notice issued against officers collecting information for the Community Charge who had been asking for individuals' dates of birth and CCRO of Runnymede BC v Data Protection Registrar (unreported) 1990, Data Protection Tribunal, where information relating to the type of property in which the person paying Community Charge resided was deemed to be excessive.

11 Infra.

Update: important changes made to the Data Protection Bill as reflected in the Data Protection Act 1998

The Data Protection Act 1998 received the Royal Assent on 16 July 1998. A number of important changes were made to the Data Protection Bill as originally introduced in the House of Lords. Both Houses made some significant amendments to the Bill. In particular, the following changes are notable:

• the definition of 'data' is extended to include 'accessible records' being health records, educational records and accessible public records (housing and social services records) - this effectively brings the rights under the Access to Personal Files Act 1987 within the new Act and the 1987 Act is repealed in full;

• the provisions in the Consumer Credit Act 1974 on rights of access in relation to credit reference agencies are modified and, under that Act, the right of access will apply only to partnerships as other individuals' rights of access to credit reference agency files will be under the 1998 Act (however, the right to have wrong information corrected under section 159 of the 1974 Act applies in all cases);

• fulfilling the Registrar's long held views on the matter, there are now restrictions on enforced subject access;

• comprehensive transitional provisions, allowing the United Kingdom to take full benefit of the derogation allowing the exemption of processing already under way from the full rigours of the new law are included in Schedule 8 to the Act, (generally until 24 October 2001 for automated processing and to 24 October 2007 for manual processing but with no time limit in relation to processing for historical research providing certain conditions are met); however, some of the provisions of the new Act will apply immediately to processing already underway;

• a new condition for processing sensitive data is included being where processing is of sensitive personal data consisting of information as to racial or ethnic origin when it is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and the processing is carried out with appropriate safeguards for the rights and freedoms of data subjects;

• a new exemption is granted from the subject information provisions (the subject access provisions and the requirements to inform data subjects in order to satisfy the first data protection principle) in relation to corporate finance (underwriting in respect of issues relating to investment services, advising on capital structure, industrial strategy, mergers and acquisitions);


• the Secretary of State is given power to exempt from the subject information provisions personal data relating to school pupils (before this was possible only in respect of health data and social work data), and may also exempt from the subject access provisions personal data processed for the purpose of discharging functions conferred on a number of persons including the Parliamentary Commissioner for Administration, the Commissioners for Local Administration in England, Wales and Scotland and Health Service Commissioners where the function is designed to protect the public from maladministration.

David Bainbridge, Report Correspondent, Aston Business School, Aston University

Book Review

Internet Security

Internet Besieged: Countering Cyberspace Scofflaws, by Dorothy E. Denning and Peter J. Denning, 1998, soft-cover, Addison Wesley, 547 pp., ISBN 0 201 308 20 7

This text contains a series of essays prepared by leading experts in the field, designed to provide an increased level of insight into the problems of Internet security. Originally, the book was intended to be an update of the anthology Computers Under Attack, prepared in 1989 and published in 1990. However, the editors indicate that so much has changed in the field that most of the previous essays were no longer relevant. Those that did survive have been brought up-to-date by the authors. The text is divided into five parts, covering the worldwide network; Internet security; cryptography; secure electronic commerce; and law, policy and education. To assist readers in navigating round the different sections, the authors have prefaced each of the five sections with a short summary of what they will discuss and what common themes bring them together. The book is aimed at software developers, system managers and engineers, students and concerned citizens. The book provides a broad awareness of the Internet security risk, while exploring the social, legal, political and ethical implications of security breaches and suggested counter-measures. The book is published as part of ACM Press Books, a collaboration between the Association for Computing and Addison Wesley Longman.

Available from ACM Members Services, 108 Cowley Road, Oxford, OX4 1JF, UK, or USA: 1515 Broadway, 17th Floor, New York, NY 10036-5701; Internet: www.acm.org.

Book Review

Global Information

Global Information and World Communication: New Frontiers in International Relations, by Harold Mowlana, 1997, soft-cover, Sage Publications, 270 pp., £15.99, ISBN 0 7619 5257 8

The first edition of this book was published in 1986 and is designed to offer a comprehensive analysis of international communications systems and the global flow of information. The thesis of the book is that international relations transcend political and economic relationships, and that culture and communication are the fundamental aspects of the process. The study takes a broader view of the international flow of information than might be found in traditional analysis of mass media messages and communication technologies. It seeks an integrative approach to international communication by examining both the human and technological dimensions of global information. It also draws considerably on studies conducted in such areas as economics, political science, sociology, cultural anthropology and international relations. The latest edition takes account of how the revolution in communication and transportation technologies has altered how government, citizens, business and industry perform in the international environment. The substance and form of a number of the chapters have been recast for this edition to take account of these developments. The book is aimed at students and scholars of communication, media studies, journalism, international relations, political science, sociology and international development.

Available from Sage Publications, 6 Bonhill Street, London, EC2A 4PU, UK; tel: +44 171 374 0645, fax: +44 171 374 8741.
