The Data Protection Act
Written by Ruth Winchester
So what is the Data Protection Act 1998?
The DPA 1998 replaces the DPA 1984 and implements an European Community Data Protection Directive (directive 95/46/EC) “on the protection of individuals with regard to the processing of personal data and the free movement of such data” which was adopted on 24 October 1995.
This directive was a response to the greater ease within which data can be processed and exchanged as a result of advances in information technology. The DPA came into force on March 1 2000.
Key principles are that data must be:
1. fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive,
5. Not kept for longer than is necessary
6. Processed in line with your rights
7. Secure, and
8. Not transferred to countries without adequate protection.
The act is the responsibility of the Department for Constitutional Affairs, although the Information Commissioner’s Office (ICO) has a duty to promote good practice and is responsible for enforcing the DPA.
Home secretary David Blunkett has ordered a review of what went wrong around the data protection aspects of the Huntley case.
The ICO is working on a toolkit for data sharing for service providers such as local auhtorities and other public sector employees who have to grapple with data sharing issues. This is not yet complete. The ICO has also issued legal guidance in November 2003 which explains existing powers and will help lawyers and practitioners decide whether they have the power to share personal information. However, this guidance is (at first glance) extremely complex and hence of limited value to front line practitioners.
In November 2003 the Department for Constitutional Affairs published “Public Sector Data Sharing. Guidance on the law”. The need for this guidance has arisen because – according to the report – there are concerns that “the existing data sharing powers of public bodies are insufficient to meet policy objectives and to improve service delivery.” It adds that “legal uncertainty over what is, and what is not, permissible may be inhibiting data sharing by local authorities. Similarly, some government departments have been inhibited from setting up new data sharing initiatives because of doubts as to what their legal powers allow them to do.” Eg. IRT (identification, referral and tracking).
Tell the ICO what you think: “The information commissioner recognises the importance of learning from those who have practical experience of complying with the law. We want to know which aspects of the law you find to be most problematic, for example where it seems to require you to do things that don’t make sense or which are impracticable. In particular, the commissioner wants to receive your suggestions for improving the UK’s data protection law to make it easier to comply with in practice. You are invited to send your suggestions to firstname.lastname@example.org.
The ICO runs a data protection helpline: 01625 545745
What the experts say about data protection
• Lord Falconer of Thoroton, Secretary of State for Constitutional Affairs: “It is generally recognised that the framework is complex… when dealing with the application of many facets of the law, some complexity is inevitable.”
• Richard Thomas, Information Commissioner: “Data protection law stands in the way of a surveillance society where government and commercial bodies know everything about everybody. The data protection principles are largely matters of common sense and fairness, but data protection can never be a set of detailed ‘dos and don’ts’. Organisations must use their own judgement to balance what they want or need to do against the need to safeguard the privacy of individuals and to ensure their personal information is handled properly.”
What practitioners think about data protection
• “Data protection is part of person centred care, and of professional judgement. Do we own it as well as we might? Or is it more often perceived as something imposed – “we have to ask this, get you to sign that, it’s Data Protection y’know”. The system takes over, practitioners cast an anxious backward glance at reams of legislation and guidance, service silos are maintained, and users disempowered.”
• “I get really worked up about this – I think people get confidentiality and secrecy mixed up. I worry that dangerous people move around hostels and vital information is not shared because people aren’t sure about what can be shared. I also see just the opposite, where people are passing on imaginary stories about clients which either aren’t true or are exaggerations.”
• “Very simply the act is a super cruise liner when what you need is a super manoeuvreable speed boat. It is heavy and huge, written in impenetrable jargon and full on ‘legal-ese’, for example, a “data subject” equals “a person”. I suspect its greatest value, for the general public, has been everyone’s [in business or civil service] concern not to contravene it whilst knowing absolutely nothing about its strictures. Result is that it has stopped a lot of people from taking too much of a hold on us as consumers, for a while at least.”
• “There will always be instances where judgement is to be made, and challenges where communication is difficult. But we can get this right for most people by a pro-active approach to consent and empowerment. When people know what happens next, know who else will be involved in their assessment or care, and how much they will know, they’re more confident. And confident service users means better outcomes.”
• “The act is now being largely bypassed or superceded by developments, so it is only really in the area of the civil service, national and local administration and law that the DPA holds sway. It is no more understood in those areas, maybe even less understood, but everyone is scared of what they don’t know and don’t understand.”
• “The act ought to be rewritten in common sense and simple language. But a first step would be a simple guide to the main demands and the limitations”.
• “I personally haven’t attended any formal training on data protection. The knowledge I do have has been through asking others, and even then there is uncertainty about what we share and fear of breaching confidentiality.”
What service users think about data protection:
Moraene Roberts works for anti-poverty organisation ATD Fourth World. She says: “The idea of multi-agency information sharing has raised a lot of fears among parents who were in care as children. They have experienced the stigma of their care history in every aspect of their lives. One person told us that, “People think I was in care because I had a bad mother or I was a bad kid. They always assume I was abused and I might become an abuser.”
It is not surprising then that these parents want their own care history to be known to as few people as possible and have very deep concerns that the sharing of this information widely will have a negative effect on how they are regarded and treated.
One mother explained how the teachers at her child’s school changed dramatically in their attitude towards her once it was revealed at a case conference that she had been in care for 10 years of her childhood. “It was like they had discovered that I had been in prison for murder or something, they avoided talking to me. At the same time they started to ask my son every day how things are at home and if he is OK, I felt like I was being investigated.”
All of the parents understood that information has to be shared in order to protect children, but felt that it should be current and relevant to the child. If a parent had previously been proven to be a danger to children, that is essential information to share. That a parent had been in care themselves was not considered essential information to share.
As children in care, these parents felt that every detail of their lives was an open book and they had no privacy. As adults, they are still fighting for their right to privacy and control over access to information about their lives – information that they themselves have been denied access to in some cases.”