29 September 2005

Computer Contracts and Data Protection

I have just edited and transposed the Data Protection and Freedom of Information page from the old NIPC website. So far, it is just an introduction with links to the legislation enforced by the Information Commissioner. Other articles and case notes from the old site as well as some new materials will follow over the weekend.

For the benefit of Americans and other readers outside the EC, the phrase "data protection" refers to a body of legislation that requires users of computer systems ("data controllers") to hold and process data relating to living human beings ("data subjects") in accordance with a set of principles ("the data protection principles"). They are essentially as follows:
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area (the 25 states of the EC plus Norway, Iceland, Switzerland and Liechtenstein) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Non-compliance with those principles can lead to service of an order by an official known as "the Information Commissioner" (formerly called the "Data Protection Commissioner" and before that the "Data Protection Registrar"), and failure to abide by such an order is an offence. Moreover, anyone who suffers damage as a result of such non-compliance can sue for injunctive and pecuniary relief.

The data protection principle that affects people outside Europe, and sometimes gives rise to some pretty intemperate language, is the 8th data protection principle. Many countries around the world have enacted legislation similar to ours, but one important exception is the USA. A British branch of an American company cannot lawfully transfer data relating to employees or customers in the UK to its US head office unless the US company provides legally enforceable guarantees on the storage and processing of such data that are broadly equivalent to those imposed by statute. Of course, many US and other foreign companies would do that voluntarily out of self-interest, but this legislation obliges them to do so if they want to exchange data freely across the Atlantic.

I will discuss these topics in more detail in a later post. I should also like to mention that I have added some more articles and case notes on computer contracts, including some stuff that I wrote for the old Lancaster Buildings website on Y2K and preparing for the euro.