Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Privacy news worldwide [1998] PLBIRp 15; (1998) 45 Privacy Laws and Business International Report 2

Privacy News

UK DP law not fully in force until next year Although the UK Data Protection Act received Royal Assent on 16th July, it will not be fully in force on 24th October, the implementation deadline. More than thirty Statutory Instruments are still needed before the law is complete. The UK Government now estimates that this subordinate legislation will not be in place until 1st January 1999 at the earliest. The delay in bringing the new Act into force does not mean, however, that data controllers can relax. Any new processing started after 24th October will fall under the new provisions. Data controllers may wish to start any new processing operations now rather than after the starting date. For processing that is already under way, there is a three year transition period until October 24th, 2001. The Government is now in the process of consulting interested parties on its proposals for secondary

legislation. Issues that are covered in detail include subject access fees and time limits. It is suggested that the current maximum fee of £10 remains (but with the possibility of charging separate fees for access to different parts of an organisation’s data holding) as well as the 40-day response period. Other topics include information provided in response to a subject access request, data subject information exemptions regarding heath, social work and school data, restrictions on the processing of sensitive data, appeals to the Data Protection Tribunal and prior checking. With regard to prior checking, it is suggested that this assessment could apply to three categories: data matching, processing involving genetic data, and processing by private investigators.

Responses to the consultation are sought by the end of September. A separate consultation on the notification

(registration) system was published in late August. The consultation documents are available on the Home Office website at http://www.homeoffice. gov.uk/index.htm. Responses may be sent to Mr Colin McGrath, Home Office, Data Protection Section, Room 1173, 50 Queen Anne’s Gate, London SW1H 9AT. Fax: 0171 273 3205

US Privacy Summit criticises self-regulation A conference, organised in Washington by the US Department of Commerce on 23-24th June, found serious problems with the self-regulatory approach favoured by the Clinton administration. The meeting was arranged to assess the effectiveness of private sector efforts to ensure privacy online. While companies and business associations put forward many different privacy plans, none of the proposals provide sufficient privacy protection. The main problem with the different proposals, mainly based on the use of technological tools, was the lack of enforcement mechanisms and data subject access. A panel of privacy experts thought that technology could not serve the same function as a privacy policy. The Commerce Secretary, William D. Daley, said,“Industry has to move more swiftly to draft an effective plan to enforce privacy rules or face inevitable government regulation of electronic commerce.” However, US companies have still not given up designing self-regulatory schemes. The Online Privacy Alliance, a group of 50 companies, is working on specific recommendations for effective enforcement, expected to be ready by the end of September.

Data Protection Officers need more training Data Protection Officers working in UK companies seem to receive relatively little formal training on the Data Protection Act. A survey, carried out by Keep IT Legal, reveals that, on average, less than one in five of the data protection officers that responded have received formal training. Of those who have received training, the average was 2.3 days. Almost half of the respondents felt that their organisations do not take compliance with the Data Protection Act seriously enough. Nearly 60% thought that their managers are not fully aware of their DPA responsibilities. The survey was conducted at the first annual conference organised by Keep IT Legal in May. The number of respondents, 71, included data protection officers from both the private and public sectors.

Cryptography and Privacy Sourcebook The Electronic Privacy Information Center’s (EPIC) 1998 Sourcebook is a thorough compilation of reports, government documents, and Bills in Congress related to encryption policy from the past year. For further information, contact EPIC at sourcebook@epic.org. The cost of the book is $25 + shipping costs ($3 Canada, US and Mexico, $8 elsewhere). Additional information on the latest cryptography developments, including the EPIC 1998 Cryptography and Privacy Conference held in June, is available on the EPIC website at http:// www.epic.org/events/crypto98.

Reference book on New Zealand’s Privacy Act Privacy Law and Practice, a book on New Zealand’s Privacy Act, covers the provisions of the Act and also gives plenty of information on related privacy issues. The looseleaf book is updated quarterly, and thus provides readers with up to date information on the Act, codes of practice, casenotes by the Privacy Commissioner, relevant decisions of the Complaints Review Tribunal, and further domestic and international developments in the area of privacy law. The book, written by Dr Paul Roth, Senior Lecturer in Law at Otago University, is published by Butterworths of New Zealand Ltd, Tel: + 64 4 385 1479 Fax: + 64 4 385 1598 E-mail: customer.service@butterworths.co.nz. The price, NZ $288 includes two volumes of over 2,000 pages. A subscription to the quarterly updates costs around NZ $1,000 per year.

Switzerland’s 5th Annual Report covers loyalty cards The Swiss Data Protection Authority published its fifth annual report in July. Among the themes in the report are: surveillance in the workplace; use of personal data related

to loyalty cards and credit cards; and data protection on the Internet and in telecommunications. The Commissioner recommends that supermarkets and other retail outlets issuing loyalty cards should not only inform their customers about the discounts that are available with the card, but also about how their personal data will be processed. The office has also made recommendations to the largest credit card organisations on data organisations on data collection and individual consent. With regard to the use of global networks and the Internet, the Commissioner recognises the need for international regulation in order to ensure users’ privacy. He recommends

the use of privacy enhancing technologies, and points out that data protection is an essential element of a democratic society. In the telecommunications sector, new recommendations have been given with regard to disclosure of billing data. The report also covers surveillance at workplaces. The Commissioner regards use of the Internet, sending E-mail and private telephone calls as an area which may not be monitored, unless the employer has specifically informed the staff about restrictions on the use of these facilities. The Swiss Annual Report is available on the Internet at http://edsb.ch in German and French.

Guernsey appoints Commissioner

Ms Diana Thompson, a Guernsey born lawyer, was appointed as the Guernsey Data Protection Commissioner in June, succeeding Dr Peter Harris. Her first task will be to present a draft for a revised data law. Even though Guernsey is not an EU member, it has decided to revise its law to meet the adequacy standard required by the EU Data Protection Directive.

Ms Thompson can be contacted at

her office in Sir Charles Frossard

House, P.O. 43, La Charroterie,

St Peter Port, Guernsey GY 1 1FH,

Tel: 01281 717000, Fax: 01481 712520,

E-mail: dpcommission@gov.gg