The Data Protection Decade 1995-2005

Richard Howley, Simon Rogerson, Ben Fairweather and Lawrence Pratchett


The ETHICOMP decade may also be seen as the ‘data protection decade’. It was on the 24th October 1995 that the Draft General Directive on ‘the protection of individuals with regard to the processing of personal data and on the free movement of such data’ was adopted by the European Commission (Directive 95/45/EC). This Directive created the foundation for all current European Data Protection legislation and, it can be argued, the foundations for the global trend to the enactment of privacy and data protection legislation. In 1995 a UK Government White Paper concluded that ‘the time had come when those who use computers to handle personal information, however responsible they are, can no longer remain the sole judges of whether their own systems adequately safeguard privacy’ (Barber 1998). The UK 1998 Data Protection Act came into force on 1 March 2000, thereby allowing for the incorporation of the 1995 EC Data Protection Directive and for strengthening and extending the data protection regime created by the UK 1984 Data Protection Act, which it replaced.

The ETHICOMP decade has witnessed many changes in the use of data in business, administration and marketing. In the last ten years the volume of data and the uses to which it can be put have grown rapidly to accompany and to exploit the business opportunities that are present in the Internet age. Data is global, it is highly ‘greased’, it is shared, it is abused and it has become a key element of national defence in a war on terror. Each of these developments presents huge challenges to those that seek to use and protect data and those that seek to establish and maintain national and trans-national schemes for the protection of data. In the light of these challenges, and given that it is now a decade since the EU directive on data protection was adopted, it is an appropriate time to examine how organisations, and their computing staff in particular, have responded to legislation that increasingly regulates their use and management of data.

The last decade has also seen an increasing recognition that information systems and information systems staff are key players in the provision of data protection. A major focus of UK research in this area has been on the importance of the systems design stage of the development process. This research resulted in the production of a set of ‘Best Practice Guidelines in Systems Design’. Other research has sought insights into levels of awareness regarding data protection and how information systems staff can and do contribute to it. This research discovered that information systems staff actively support data protection provision within organisations generally and within the systems development process specifically. The same research found that awareness of data protection amongst information systems staff was relatively low, leading to the conclusion that their contribution to the ‘data protection decade’ may be less than it otherwise could be.

Building on these quantitative research findings, case study research has been designed and implemented by the authors during 2004/5 into how three UK organisations have responded and are responding to data protection legislation and the challenges outlined above. These organisations are all UK local authorities (Local Councils) and as such they are all large data users. They are significantly accountable to their data subjects and they are the custodians of a wide variety of data ranging from non-personal to the highly personal and sensitive. Using interviews, observations and discussions with Data Protection Officers, IT Directors, IT Managers within Service Departments and Information Systems Development staff, detailed insights at all levels of these organisations were gained in the following areas:

  • How data protection is provided for and managed within these organisations and an evaluation of the effectiveness of these processes.
  • The relationship between organisational structures and processes and information systems staff in the provision for data protection.
  • The contribution that information systems staff can and do make to the provision of data protection and an evaluation of their contribution.
  • The views of information systems staff to their increasing responsibilities in the area of data protection.
  • Specific insights were sought into how information systems development practices can and do support the creation of systems that are supportive of data protection.

This paper provides more detail regarding the methods used and the research design, including the case study protocol, and reports the findings of the research. It concludes by relating those findings to a consideration of the progress made in this ‘data protection decade’ and in the context of the wider social changes and events that have defined and continue to define the ETHICOMP decade.