Data Protection: Essential Web Resources
Date added: 2 March 2005
Dr. Paul Duller, Consultancy Director, Tribal Technology
This Web page has been archived. Its content will not be updated.
This guide aims to highlight quality information resources available on the Internet regarding the Data Protection Act 1998, and other issues relating to the protection of personal information. The Act came into force on 1st March 2000, and gives effect in UK law to the 1995 EC Data Protection Directive. The Act strengthens and extends the data protection regime created by the Data Protection Act 1984, which it replaces. The 1998 Act extends the scope of the previous Act to include personal data held in structured manual files in addition to electronic personal data.
The Act is of particular relevance to records professionals within public organisations at this time due to the introduction and implementation of the Freedom of Information Act 2000. The two laws interact when personal information is being considered for disclosure, and the data protection principles should be applied when processing requests under the Freedom of Information Act. The interaction between the two Acts is symbolised by the role of the Information Commissioner, who is responsible for implementation and enforcement of both Acts.
Legislation and general government guidance
The government provides online access to the Act itself, in addition to related legislation, and information and guidance from government bodies. The two bodies responsible for the Act are the Department for Constitutional Affairs and the Information Commissioner.
The Department for Constitutional Affairs aims to improve people's knowledge and understanding of their rights and responsibilities regarding data protection and Freedom of Information, and is responsible for developing a data protection policy that balances protection of personal information with the need for public and private organisations to process personal information. The data protection section of their Web site contains a wealth of resources about the Act, including a fact-sheet, information regarding subordinate legislation, a regulatory impact assessment, advice on handling subject access requests, and guidance for government departments on the "Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002".
The site also contains the Lord Chancellor's Department Consultation Paper entitled "Data Protection Act 1998: Subject Access". This paper, which was published in October 2002, requested comments from both data subjects and data controllers on the subject access arrangements under the Act. The Government's September 2000 post-implementation appraisal of the Act can also be accessed from this site, as can a summary of responses to this paper.
The Information Commissioner enforces and oversees the Data Protection Act 1998 and the Freedom of Information Act 2000. The Commissioner is a UK independent supervisory authority and reports directly to the UK Parliament. The Commissioner's duties include the promotion of good information handling and the encouragement of codes of practice for data controllers. The Commissioner's Web site contains a wide variety of information and guidance regarding the Act. Useful resources include compliance advice, legal guidance, codes of practice and drafts for consultation.
A particularly useful section of the site is the "Guide to Data Protection Auditing". A Data Protection Audit is:
"A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation's data protection policies and procedures, and whether this processing meets the requirements of the Data Protection Act 1998."
The complete audit manual can be downloaded in PDF format.
The Information Commissioner maintains a public register of data controllers. In addition to the register, this site houses an online notification service and further information about notification (the process by which a data controller's details are added to the register). The site also includes publications related to the notification process and the register, such as "Notification Exemptions - A Self Assessment Guide" and "Notification Handbook - A Complete Guide To Notification".
Non-government guidance and information
A number of non-government Web sites provide free information and advice about data protection issues. Basic information about the Act is available from the Thomson Snell and Passmore Web site. They provide a Data Protection Act information sheet, which is available in PDF format. A number of frequently asked questions (FAQs) are also answered on the site.
JISC provide guidance and advice to further and higher education establishments about information and communications technology. The Data Protection section of their Web site contains a Senior Management Briefing Paper entitled "Data Protection Act 1998", and the JISC Data Protection Code of Practice. The JISC Legal Information Service site also includes general information and guidance concerning the Act, in addition to a discussion of the effect of data protection law on the further and higher education sector.
Adrian Beney is the Deputy Director of Development and Alumni Relations at the University of Durham, and assisted the Information Commissioner in the development of guidelines for operations with regard to data protection. His Data Protection site contains FAQs about working with the Act, in addition to FAQs specifically designed for those working within public relations. The site also contains a summary of a meeting concerning alumni databases and the Act, which was held between CASE (the Council for Advancement and Support of Education) and the Information Commissioner. A presentation to CASE about the Act can also be accessed from the site.
Sector specific guidance and information
A number of organisations provide guidance and information aimed at specific sectors, including the Department of Health, which offers advice on issues regarding the protection and use of patient information, in addition to guidance for social services.
Valuable guidance is also provided for UK online Centre Managers, and organisations that operate CCTV systems. A document entitled "The Data Protection Act 1998 and UK online centres" is available from the Safety for UK online Centre Managers Web site, which offers guidance on acceptable use of the Internet in UK online centres. The advice offered in this data protection guide is relevant to any organisation that processes personal information, but is particularly relevant to organisations that offer computing facilities to users (for example universities and libraries).
The CCTV Information Web site discusses the Act in relation to CCTV, and focuses in particular on the eight data protection principles. Topics discussed include the location of cameras, access by data subjects, and the quality and retention of images.
A technical report has been published on the specifications of database systems to ensure that they satisfy the requirements of the Data Protection Act. This is available from the Centre for Research in Information Management (CRIM), which is based at UMIST. Users need to submit their name and e-mail address in order to access the document. A further article entitled "Using technology as a tool for compliance" is available from Sibilo (an organisation that collaborates with CRIM). The article discusses how information technology can be used to facilitate compliance with the Data Protection and Freedom of Information Acts.
The Journal of Information, Law and Technology (JILT) have published a wealth of papers concerning data protection, with a particular focus on European data protection issues. A number of these documents are available from the data protection section of the JILT Web site. However, at the time of writing this page had not been updated since 1997. An up-to-date list of data protection articles available from JILT can be accessed by selecting data protection from the "about" menu on the search page.
Portals and news sources
Rebecca Wong maintains a comprehensive and up-to-date directory of data protection resources. She is currently a PhD student at the University of Sheffield studying the implications of data protection in the online environment, and has recently been working on a European-funded project entitled PRIVIREAL. Rebecca's site contains details of resources categorised by topics such as core data protection resources, privacy, and international data protection authorities. The site also contains a bibliography, links to data protection journals, and details of news and events.
The Data Protection Forum also provides a data protection portal. The forum aims to facilitate discussion between businesses, the public sector and consumers on matters relating to the protection of personal data. The links section of the site contains a number of links to data protection resources, including links to UK and international legislation, data protection articles, and the Web sites of the members of the forum.
A useful way of keeping up-to-date with data protection issues is by subscribing to the popular Data Protection mailing list provided by JISCmail. Topics recently discussed include the amendments made to the Data Protection Act 1998 by the Freedom of Information Act 2000, and data protection issues relating to topics as wide ranging as CCTV systems, online dating services, social work, and off-site working.