In his fifth article on Net law, Andrew Charlesworth examines whether the Data Protection Act can be applied effectively to the World Wide Web. The collection of data about individuals has accelerated as our ability to sort it into meaningful patterns with the aid of computers has developed. The profiling of individuals from electoral rolls, credit and store card records, magazine subscriptions and other sources has become a lucrative industry.
Often we do not know who holds information on us, to whom they may have passed it, or the purposes for which it is being used. The data protection laws go some way towards redressing the balance by creating a set of rules by which data processors should operate, and which give individuals some limited powers to ensure that at the very least the information that others hold on them in electronic form is accurate.
In the enthusiasm to publish information or run business operations on the World Wide Web, there is a danger that data protection law is either pushed to the back of people's priorities, or entirely overlooked.
Academic and commercial Internet sites are holding more personal data. Academic institutions see an official Web server, presenting information about their courses, staff and other attractions, as an important part of their PR package. Commercial sites are developing sophisticated methods of collecting data from individuals browsing their output. At the simplest level this data collection may simply involve asking people to "sign the visitors' book". More complex operations may offer goods for sale and accept names, addresses and credit card numbers.
The United Kingdom's existing Data Protection Act 1984 is acknowledged to be a less than perfect solution to the problems that exist. It will be interesting to see if the recent adoption of a somewhat more rigorous regime by the European Community, in its directive on data protection, has any greater effect when it is finally implemented into United Kingdom law around 1998. The DPA 1984 first defines data as "information recorded in a form in which it can be processed by equipment which operates automatically, in response to instructions given for that purpose." Data therefore includes information processed by a computer or other mechanical means. The Act does not apply to manually processed information in files or other paper records.
The Act proceeds to define personal data as data relating to a living individual (the data subject), who can be identified from that information by itself, or when it is coupled with other information held by the data user. Such data would include any expression of opinion about the individual. This definition clearly excludes both individuals who are deceased, and legal entities such as companies, universities and charities.
Some kinds of data which would appear to fall within the above definition are specifically exempted from the regime prescribed by the Act. Such data need not be registered, and the individual concerned will not have any right of access to the information (see panel, top right).
Individuals who hold personal data, defined as "data users" in the Act, are obliged to register with the Data Protection Registrar, and to use the data that they hold in accordance with the Data Protection Principles (see centre panel). Failure to register as a data user when holding personal data is an offence. Once a person has an entry on the register, it is an offence for them to: * hold personal data of any description other than that specified in their entry.
* hold any data, or use any data held, for a purpose other than the purposes described in their entry.
* obtain data, or information to be contained in the data to be held, from any source which is not described in their entry * disclose the data held to any person who is not described in their entry.
* directly or indirectly transfer data held to any country or territory outside the UK other than those named or described in their entry.
The take-up rate for registration is estimated to be less than 50 per cent of those required to do so. Given the current under-resourcing of the Data Protection Registrar's office, the likelihood of an action for minor non-compliance with the Act remains limited.
Individuals have the right to find out whether a data user holds personal data about them on computer, and to obtain a copy of that information in an intelligible form. The request must be in writing. The data user may charge a limited fee for the service, and must be provided with evidence of the identity of the person making the request.
If the request would result in the disclosure of information about another identifiable individual, the data user must be satisfied that the other individual consents. However, the data user may not withhold all the information if such a third party disclosure can be avoided simply by removing names or other identifying particulars.
The data subject has the right to challenge the accuracy of the information and, if necessary, obtain a court order for: the rectification or erasure of inaccurate data, and any other data or expressions of opinion which appear to the court to be based on the inaccurate data; the right to enter on to the record a supplemental statement of the true facts relating to the matters dealt with by the data.
In limited circumstances, a data subject may claim compensation for damage suffered as a result of inaccuracies in the data, loss or destruction of the data, or its unauthorised disclosure.
How does this affect information held on a Web server? The law could affect an institution whose Web pages contain personal data about specific and identifiable individuals. It might also apply to pages which do not identify individuals, but which permit such identification when allied with other information held by the institution. In either case it might be necessary to be registered with the Data Protection Registrar, and it would be wise to check the provisions of the DPA 1984. It is unclear whether the additional information which links individuals to otherwise anonymous computer data must itself be held in a machine-processable form.
At most education institutions a data protection officer should be appointed, with responsibility for ensuring that the institution as a whole is properly registered for the data that it holds. If personal data appears on Web pages it is important to ascertain that the registration permits this usage of the data concerned. Further questions are raised for Web site operators by the obligations on registered data users not to "disclose the data held to any person who is not described in their entry" or "directly or indirectly transfer data held to any country or territory outside the UK other than those named or described in their entry."
The DPA 1984 does not define "transfer", but it would seem possible to argue that the process by which data is passed on demand from a Web server to a machine being used to browse the Web, goes further than mere "disclosure". If it is accepted that this is "transfer", it would follow that if personal data is held on an open access Web server, there would be no way for the owner of that Web server to avoid the transfer of that personal data to any individual with full Internet access in any number of countries outside the UK.
It is difficult to see how an open access Web page containing personal data could successfully stay within the letter of the law, unless it were possible to have entries in the register of "all other Web users", and "the world" respectively. Such a solution would seem to be so wide-ranging as to render this part of the DPA 1984 meaningless. It is interesting to speculate whether education institutions that have placed their members' details (such as name, work address, telephone number, email address, academic interests and publications) online, either on the X.500 directory or the Web, are adhering strictly to the letter of their registration.
Those UK sites which actively collect personal data would seem to fall into a grey area of the law, the significant factor being what they do with the data collected. For example, the Act exempts data held for recreational use. If a student's personal Web page includes a "visitors' book", the intention being simply to collect visitors' names, email addresses, occupations and comments for the student's personal edification, this exemption might apply.
On the other hand a higher education institution wishing to collect the same personal data would probably need to be registered; it would then be obliged both to inform people that it was collecting data about them, and to tell them of any purpose to which the data might be put. This would be particularly relevant if the institution intended to use the personal data in a study (subject to certain exemptions in Schedule 1, Art. 7, DPA 1984) or to sell it on to an interested third party.
A final thought concerns the use of search engines, webcrawlers and data retrieval mechanisms on the Web and other online resources. Given the ability to carry out searches on the names of individuals - for example "John Major" - it might be possible for a person to collect and then process information from online sources which would qualify as personal data under the DPA 1984. A person doing this would become a data user, and should register as such. It remains to be seen just how feasible it is to require people to register in such circumstances, given the difficulty of getting larger data users to register correctly, or indeed at all.
Legal resources hotlist, page ix * The Data Protection Registrar may be contacted at Office of the Data Protection Registrar, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AX Tel: 01625 535777.
Andrew Charlesworth (a.j.charlesworth@law.hull.ac.uk) is director of the information law and technology unit at the University of Hull Law School.
The Data Protection Principles:
1 The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.
2 Personal data shall be held only for one or more specified and lawful purposes
3 Personal data held for any purpose shall not be used or disclosed in a manner which is incompatible with that purpose or those purposes.
4 Personal data held for any purpose or purposes must be adequate, relevant and not excessive in relation to that purpose or purposes.
5 Personal data shall be accurate and, where necessary, kept up to date.
6 Personal data held for any purpose must not be kept for longer than is necessary for that purpose or those purposes.
7 An individual shall be entitled, at reasonable intervals, and without undue delay or expense, to be informed by any data user whether he holds personal data of which that individual is the subject, and; the individual is also entitled to have access to any such data held by a data user and; where appropriate, to have such data corrected or erased.
8 Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of personal data and against accidental loss or destruction of personal data.
Data exemptions
Data which is exempt from the provisions of the Data Protection Act 1984 includes: *information required for the purpose of safeguarding national security (Art. )
*information held for payroll, pensions, and accounts purposes, under certain circumstances. (Art.32)
*personal data held only for domestic or recreational purposes (Art.33)
*information relating to unincorporated members clubs, which relates only to members of the club who have been asked whether they object to the personal data being held for such a purpose and have not objected (Art. 33)
*mailing lists consisting only of names, addresses, and other details required for distribution, where the data subjects have been asked whether they object to the personal data being held for such a purpose and have not objected. (Art. 33)
*information that the law requires to be made public. (Art. 34)