Government call for evidence on UK Data Protection regime
The coalition government has issued a call for evidence seeking views on the data protection law in the UK. The call for evidence presents an opportunity for businesses from all sectors to review their internal information management practices and to consider where legal reform would be of benefit to them.
UK Data Protection regime
In the UK, the collection and use of personal data is regulated by the Data Protection Act 1998 (the "DPA"), which implements a European Data Protection Directive (95/46/EC).
The Directive, which is intended to harmonise data protection law across the European Union, bestows extensive rights upon individuals whose personal data is collected as well as imposing fairly stringent obligations on those who process such personal data.
"Personal data" and "processing" are defined at length in the legislation and related case law. However, in practical terms, any organisation operating in the UK which holds information about individuals (whether employees, members, customers etc.) is covered by the legislation.
Broadly speaking, the DPA requires that all personal data:
- is processed fairly and lawfully;
- may be obtained for specified lawful purposes only and not further processed in a manner which is incompatible with those purposes;
- is adequate, relevant and not excessive in relation to the purposes for which it is processed;
- is accurate and, where necessary, kept up to date;
- must not be kept for longer than is necessary;
- is processed in accordance with the rights of individuals under the DPA; and
- must not be transferred outside the European Economic Area unless adequate data protection provisions are in force in the destination country.
With certain exceptions, all data processing activity (which includes collecting, using and holding information about an individual) must be notified to the Information Commissioner's Office, the body responsible for overseeing and enforcing the DPA. Notification is a simple and relatively inexpensive process; however, failure to notify where notification is required by the DPA is a criminal offence.
Data Protection in Sport
Data protection is an important issue for all sports organisations, from governing bodies to local clubs, as they could not exist without processing information about their members.
The DPA requires that membership and customer databases are kept up to date and do not contain information which is no longer required (e.g. unnecessary information about former members).
The DPA also obliges data controllers to take appropriate technical and organisational security measures to prevent unauthorised data processing and accidental loss or destruction of, or damage to, personal data. This can be a burdensome duty, especially where personal data is held on mobile devices such as laptops, mobile phones or USB sticks.
Other matters regulated under the DPA include the disclosure of personal data to third parties (such as sponsors) and any use of data that was not made clear to the individual at the time that the data was collected, e.g. marketing of equipment or related services.
As well as the negative publicity caused by data security breaches, individuals can claim compensation in respect of breaches of the DPA by organisations holding their data. In certain circumstances, breaches can also constitute criminal offences.
Government Call For Evidence
The government call for evidence has been instigated to assist the government to form its position on the European Commission's plans to produce a legislative proposal reforming the Directive during 2010 and to aid negotiations of the new European instrument. The call for evidence invites opinions on inter alia:
- whether current data protection legislation provides adequate protection to individuals whose personal information is processed;
- whether data controllers should be required to notify all data breaches to affected individuals;
- whether the Information Commissioner's powers are sufficient and appropriate; and
- the effectiveness of current provisions for international transfers of personal data.
Responses to the call for evidence are sought by 6 October 2010.
22 July 2010
