Data Protection - The Background
The development of data protection in the UK can be traced back
to the 1970's. Several attempts by private members to introduce
legislation in the 1960's came to nothing, but the 1970's saw the
publication of the Younger Report on Privacy (1972) and the Lindop
Report on Data Protection (1978).
Both reports examined the risks to privacy
posed by the growth in the use of computers to process personal
information. In particular, it was Sir Kenneth Younger, in his
report, who first formulated the general principles, which are
to be found as a basic standard in all data protection legislation
today.
The Council of Europe and the OECD
However, the impetus for the government to introduce
data protection legislation in the UK came with the publication
of two international legal instruments on data protection in the
early 1980's: the OECD Guidelines in 1980 and the Council of Europe
Convention in 1981.
The Council of Europe Convention was particularly
influential. It provided for the free movement of personal data
between those countries which had ratified the Convention with,
potentially, restrictions being placed on the movement of data
outside that group. Only countries whose domestic law provided
equivalent safeguards to those set out in the Convention could
ratify.
The Council of Europe Convention makes clear
that its objective is to balance the need to provide for the movement
of personal data with the need to protect personal privacy. The
starting point in drafting the Convention was the European Convention
on Human Rights (ECHR) and particularly Articles 8 and 10, but
the Council of Europe identified the need for a specific convention
to deal with the risks posed by computer processing rather than
rely solely on those general principles.
The Data Protection Act 1984
The Conservative administration in the UK, concerned
more with the impact which the Council of Europe Convention would
have on business than with any desire to protect personal privacy,
introduced a data protection bill in 1982. The bill did not complete
its passage through parliament before the general election in
1983, but was reintroduced after the election and reached the
statute book in July of that year as the Data Protection Act 1984.
The 1984 Act adopted the general principles
in the Council of Europe Convention and the OECD Guidelines (and
indeed from the Younger report) and built a regulatory framework
around them. At its heart was a public register of those organisations
in both the public and private sectors which processed personal
data, administered by an official known as the Data Protection
Registrar, who was given powers of enforcement. The Act established
new rights for individuals, most importantly, the right to know
if an organisation was processing personal data about them and
the right to have a copy of the information (the right of subject
access). Individuals also had a right to complain to the Registrar.
The 1984 Act was limited in its effect.
It applied only to data held on computer, the enforcement regime
was cumbersome and linked too closely to the register and there
was no recognition of data protection as a privacy matter. Nevertheless,
the Registrar and the Data Protection Tribunal (another creation
of the Act) gradually established a jurisprudence which significantly
improved standards of processing of personal data, particularly
in interpreting the general principle of fairness to require transparency
by data users and a degree of control by individuals.
The EU Directive
In 1990, the European Commission, pursuing the single
market objective, and concerned that the free movement of data
within the EU boundaries could be inhibited because standards
of data protection were widely different across member states
(some member states having no relevant legislation at all), published
a draft directive as one of six proposed measures.
The process of negotiation on the draft
was long and led to many changes before the directive was adopted
in 1995. All through the negotiations, the Conservative government
in the UK was hostile, arguing that there was no need for a directive
at all. As a result, UK influence is little reflected in the final
text.
The directive does, overall, set relatively
high data protection standards. Indeed, one of the objectives
was that it should lead to no diminution in the level of protection
already provided in any existing national law. It also establishes
explicitly the link between data protection and personal privacy.
Nevertheless, it is an unhappy mixture of broad general principles
and detailed prescriptive measures, many of which reflect the
domestic interests of particular member states.
The directive was formally approved in the
European Council on 24 October 1995 (Directive 95/46/EC). The
UK abstained in the vote. Member states were given 3 years from
that date to implement the directive in their domestic law.
The Data Protection Act 1998
In March 1996, the Conservative Government issued a
consultation paper on implementation of the directive.[6] The paper
made it clear that the government favoured an approach which placed
minimum burdens on business and others and made maximum use of
any flexibility which the directive allowed.
An important issue was whether the directive
should be implemented by primary or secondary legislation. Respondents
to the consultation,[7] including the Data Protection Registrar,
were overwhelmingly in favour of primary legislation, largely
because of their desire to have a single overall data protection
framework and to avoid the complexities of the dual regime which
would be the outcome if the existing Data Protection Act 1984
were not repealed. It is doubtful, though, that the government
was convinced.
The change of government in May 1997 heralded
a new approach. In July 1997, the new Labour government published
a White Paper[8] making it clear that there would be primary legislation
and placing data protection firmly in the government's human rights
agenda. In January 1998, the Data Protection Bill was introduced
in the Lords. Speaking at second reading, Lord Williams of Mostyn
(Parliamentary Under Secretary of State at the Home Office) said:
"It [data protection] shares common
ground to that extent with the Human Rights Bill. That Bill will
improve the position of citizens of this country by enabling them
to rely on the wide range of civil and political rights contained
in the European Convention on Human Rights. Those rights include
the right to respect for private and family life. The Data Protection
Bill also concerns privacy, albeit a specific form of privacy:
personal information privacy. The subject matter of the Bill is,
therefore, inherently important to our general social welfare."
The Bill received Royal Assent as the Data Protection Act 1998
on 16 July 1998. The Act faithfully transposes the provisions
of the EC directive into UK law, but does little to resolve the
practical difficulties arising from some of the directive's more
incongruous provisions. Much of the detail was left to secondary
legislation, which meant that no fewer than 17 Statutory Instruments
were needed before commencement. These ranged from the commencement
order itself to detailed regulations on, for example, notification.
The Act eventually entered into force on
1 March 2000. Transitional arrangements limited its effect on
existing processing until 24 October 2001.
The main features of the Data Protection Act 1998 are:
- the retention of a set of general principles, broadly similar to those in the 1984 Act, as the basis for regulation
- the introduction of specific conditions to legitimise processing, with more stringent conditions for sensitive data
- the broadening of the definition of personal data to include some categories of manual data
- the retention of the right of subject access and the broadening of other rights of individuals
- the consolidation of rights of access under other legislation (to records on health, education, housing and social services)
- the retention of a register of data controllers but with more exemptions from and a simpler process for registration (now called notification)
- the de-coupling of enforcement from registration
- the retention of a supervisory authority, the Data Protection Commissioner (later renamed the Information Commissioner) with increased powers of enforcement
- the retention of the Data Protection Tribunal (later renamed the Information Tribunal)
The Constitution Unit
School of Public Policy, UCL