According to the Standard: BS-ISO 2382 on information processing systems, data protection is defined as: ‘The implementation of appropriate administrative, technical or physical means to guard against the unauthorized interrogation and use of procedures and data.’
In the context in which the term is customarily used, however, there needs to be a greater emphasis on protecting personal information.
The definition of privacy protection in the same Standard appears more appropriate:
The implementation of appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of data records and to protect both security and confidentiality against any threat or hazard that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom such information is maintained.
Data protection extends far beyond the mechanics of data security and preserving personal privacy. In addition to ensuring the security and confidentiality of information, it also incorporates the need for reliability, completeness and accuracy of any information, together with its fair use, in terms of the motives and behaviour of data users. This takes on particular meaning with public domain information that is clearly not private but still needs to be safeguarded against misuse. A recent investigation into UK public register information is relevant here.
Until relatively recently considerations of data protection were, to a large extent, centred on electronic data processing with its considerable potential for performing a range of operations with personal information. Early international initiatives, government policies and legislation tended to reflect this attitude. The current approach recognizes the need to safeguard personal information regardless of the medium on which it is kept or the mode of its processing. It encompasses paper-based or ‘manual’ records as well as a range of other manifestations of personal data including electronic images and sound. Thus data protection applies equally to the contents of a piece of paper, the use of a mobile telephone or information gathered on a CCTV surveillance system.
In 1981 the Council of Europe established a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, which became the catalyst for, and formed the model for, many nations to enact legislation. The OECD issued, also in 1981, its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which also acted as a landmark for the development of policy and legislation. Though there had long been European Union interest in the issue, serious attempts to codify and regulate activity did not gather momentum until the appearance of a draft Directive on data protection in 1990.
This encountered strong opposition from a range of interests, and a much revised version was presented in 1992 and achieved formal translation into European legislation in 1995. The objectives of the Directive, as encapsulated in Article 1, are two-fold. It seeks to protect fundamental rights to privacy as well as facilitate the legitimate flow of information within member states.
Article 1 Object of the Directive:
1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.
The first body to enact data protection legislation was the German Land of Hesse, which achieved this in 1970. Sweden can claim the distinction of passing the first national data protection law in 1973. A number of countries now have legislation designed to achieve data protection in some measure. The UK Information Commissioner’s website includes a page (http://www.dataprotection.gov.uk/dpr/dpdoc.nsf) that provides details of data protection and privacy authorities for the following countries (see Davies et al. 2000):
UK Territories:
Guernsey, Isle of Man, Jersey.
European Union and EEA Authorities:
Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, United Kingdom.
Other Data Protection/Privacy Authorities:
Australia, Canada, Czech Republic, Hawaii, Hong Kong, Hungary, Israel, Japan, Monaco, New Zealand, Poland, Slovak Republic, Switzerland, Thailand, Uruguay.
In the UK, the proper foundations of data protection legislation may be regarded as having been laid by the Younger Committee on Privacy, established in 1970. The Committee’s Report appeared in 1972. Later, the Lindop Committee on Data Protection, established in 1976, undertook the most extensive review of the issue and its Report, published in 1978, is of considerable value as a detailed commentary on the subject.
The international initiatives from the Council of Europe and the OECD, noted earlier, provided added impetus and the first Data Protection Act in the UK was passed in 1984. The legislation currently in force is the Data Protection Act 1998, which derives from the European Union Directive and covers personal data in whatever form, including paper records. The full text is available on the Web at: www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm.
Its purpose is described in its preamble as: ‘An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.’
The Act has, as its basis, eight guiding principles. They require that personal data be:
• Processed fairly and lawfully [detailed conditions are specified].
• Obtained and processed only for specified and lawful purposes.
• Adequate, relevant and not excessive.
• Accurate and, where necessary, kept up to date.
• Not kept for longer than is necessary.
• Processed in accordance with the rights of individuals about whom data are held [defined as data subjects].
• Processed under appropriate technical and organizational security measures.
• Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection.
The role of implementing the legislation is placed upon the Office of the Information Commissioner. The Commissioner maintains a Register of personal data-processing activity compiled from notifications submitted by data users [defined as: data controllers]. Operating without notifying the Commissioner is prohibited and a punishable offence unless the circumstances are covered by an exemption. The Commissioner also has powers to investigate, monitor, approve, regulate and direct the activities of data users and has responsibility for promoting good practice and disseminating information about data protection. A Data Protection Tribunal acts as an appeal mechanism for data controllers regarding decisions taken by the Commissioner.
The interests of the individual are safeguarded in the Act by several means. In many cases a person’s informed consent has to be sought for data gathering and use, and a person may object to data processing in certain circumstances. A person’s rights of scrutiny of data and provision for redress in the event of its inaccuracy or if it is being misused are also included. The Act also identifies a category of sensitive personal data for which additional safeguards are specified. Such data comprises information on a person’s race, or political, religious or trade union activity as well as a person’s health, sexual life or any alleged or actual criminal offences.
There is a lengthy list of exemptions to the Act’s provisions, and these are generally specified in relation to the purposes to which information is put. Many are rather specialized and the degree and nature of exemption varies. Among the exemptions are information applied to:
• Protecting national security.
• The prevention of crime and offences relating to taxation.
• Health, education and social work where there are conditions on data subject access.
• Regulatory activity such as that undertaken by agencies concerned with the protection of members of the public [for example, Ombudsmen and similar ‘watchdogs’].
• Journalism, literature and art as they represent ‘special purposes’ that warrant a degree of protection of expression.
• Research, history and statistics [an important provision for academic activity].
• Information available to the public by, or under, any enactment [it will be in the public domain already].
• Disclosures required by law or made in connection with legal proceedings.
• Domestic household purposes [lists of home personal contacts and addresses].
The global relevance of data protection is clearly apparent especially with the potential for transborder data flow offered by information technology. The need to assure adequate data protection across national boundaries becomes imperative. Legislation originating in European Union countries makes adequate protection beyond the European Economic Area a requirement. This has caused particular difficulty for the USA with its fundamentally different approach based on voluntary self-regulation.
The situation has been resolved through the creation of a ‘Safe Harbour’ arrangement.
Through this means organizations may affirm their compliance with prescribed controls that then enable them to operate globally. This ‘self-certification’ is overseen by the US Department of Commerce, which publishes a list on its website of organizations participating (www.exports.gov/safeharbor/).
There is particular relevance in data protection for knowledge managers and those directing information and library services because they have customarily played a role in ensuring the efficient handling of data. Examples where personal data feature in information and library services are numerous. They include user registration records, loan transaction files, records of information services provided, logs of database searches, Internet transactions, library catalogues containing personal authors’ details, indexes of expertise and databases, sales, accounts and financial records, staff files, payroll and pension records, and survey and research data. The management of operations necessitates appropriate systems, procedures, training and supervision to ensure adequate data protection and that it is an ongoing commitment.
Reference to specific legislation has been made above. It needs to be emphasized that, in the discussion, detail has of necessity been abbreviated. There is no substitute for consulting the full text of the legislation before undertaking any related action.
References
BS-ISO 2382/8:1986 Information processing systems – Vocabulary – Part 08. Control, integrity and security. Section 08.06.03.
BS-ISO 2382/8:1986 Information processing systems – Vocabulary – Part 08. Control, integrity and security. Section 08.06.04.
Committee on Data Protection (1978) Report of the Committee on Data Protection (Chairman: Sir Norman Lindop), London: HMSO (Command Paper no. Cmnd 7341).
Committee on Privacy (1972) Report of the Committee on Privacy (Chairman: Rt Hon. Kenneth Younger), London: HMSO (Command Paper no. Cmnd 5012).
Council of Europe (1981) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Strasbourg: Council of Europe (European Treaty Series no. 108).
Data Protection Act (1984) London: HMSO (Public General Acts 1984 – Chapter 35).
—— (1998) London: SO (Public General Acts 1998 – Chapter 29).
Davies, J.E., Oppenheim, C. and Boguscz, B. (2000) Study of the Availability and Use of Personal Information in Public Registers: Final Report to the Office of the Data Protection Registrar, Wilmslow: Office of the Data Protection Commissioner [published on the Information Commissioner’s website at: http://www.dataprotection.gov.uk/dpr/dpdoc.nsf].
European Communities Commission (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Brussels: EC Commission (Official Journal of the European Communities, 23 November 1995, no. L 281, p. 31).
Organization for Economic Co-operation and Development (1981) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Paris: OECD.
Further reading
Carey, P. (2000) Data Protection in the UK, London: Blackstone.
Jay, R. and Hamilton, A. (1999) Data Protection: Law and Practice, London: Sweet & Maxwell.
Lloyd, I. (1998) A Guide to the Data Protection Act 1998, London: Butterworths.
Oppenheim, C. and Davies, J.E. (1999) Guide to the Practical Implementation of the Data Protection Act 1998, London: British Standards Institution (BSI-DISC PD0012).
Ticher, P. (2001) Data Protection for Library and Information Services, London: ASLIB [ASLIB know-how guides].
SEE ALSO: information management; information policy
J.E. DAVIES