Data Privacy and the European Union

AUTHOR:

Elizabeth France

ABSTRACT:

The purpose of language is communication. Its imprecision can stimulate debate, lead to misunderstandings or create barriers. In a post like mine it is important that the public should understand what I and my Office can do. I am the Information Commissioner.

  • What does data mean?
  • Why does it need protecting?
  • Is the keeping of a register (and a register of what?) my primary task?

Data

It is useful to begin with the Oxford English Dictionary definition which shows it as the plural of datum meaning: “A thing given or granted; something known or assumed as fact, and made the basis of reasoning or calculation.

Then section 1(2) of the Data Protection Act elaborates this stating that “data” means information recorded in a form the can be processed by equipment operating automatically in response to instructions given for that purpose.

Note that there is no mention here of computers.

The key is that the information must be in a form that allows it to be automatically processed. It is a defintion which is not technology specific. That has been helpful in allowing legislation that is ten years old to remain relevant as information processing has changed. My Office has always seen the defintion as applying to sound and image – to tape recordings and video records. Scanned pictures and information on smart chips must also be embraced.

But, although my title gives no hint of this, the Act only bites on ‘Personal Data’. That means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user) including any expression of opinion about the individual but not any indication of the intention of the data user in respect of that individual (section 1(3) of the Act).

The EC Directive on Data Protection, now before the European Parliament, defines ‘personal data’ at Atricle 2 as: “any information relating to an indentified or identifiable natural person (“data subject”); an identifiable person is one who ca be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

Protection?
In the terms of the Data Protection Act, data only needs protecting to protect the individual it describes. It is important to ensure that this emphasis is understood. It is an Act born of the European Convention – Treaty 108. Respect for private life makes privacy (and so protection) of information important.

Registrar?

Yes, I am a Registrar, I am obliged by statute to keep a register of all ‘legal persons’ who process personal data – data users. Article 4 says what that Register should contain. But that should not be the entire – even the primary focus. Registration is the first hurdle, but it is the eight principles which bring my task and your focus together. The eight principles together provide a code which is capable of creating an information handling culture that recognises the power of automatic processing and the risks to individuals if personal information is handled in a cavalier, unthinking or unethical manner. They are carried forward into the EC Directive and are worthy of your consideration as you look more broadly at the ethical questions raised by changing technology.