data protection legislation

data protection legislation Legislation that has been or is being introduced all over the world to protect personal data handled in computers. The aim of the legislation is to control the immense potential for misuse of information that arises when personal data is stored in computers. Once the data has been transcribed from paper files into a form that is easily readable and accessible by computers, it is an inexpensive and easy task for the data to be extracted from one record and correlated with personal data concerning the same person from another file. This results in a synergistic combination of information that is considered to be an infringement of privacy.

To combat the fear of misuse of data, governments have introduced legislation that, among other things, makes the following requirements of organizations that maintain personal records on computers:

to declare and/or register the use for which the data is stored;

to provide the data subject with a right of access to data concerning himself or herself on their computers;

to maintain a prescribed minimum level of electronic and physical security in their computer installation;

not to transmit personal data to any organization that does not have similar controls over misuse of data.

This last requirement has led to fears that countries without data protection legislation on their statute books are losing contracts for the processing of data, since countries with such legislation can refuse to permit the export of data to countries where data is not adequately protected. For this reason companies that consider that the data protection fears are not borne out by real instances of misuse of data are nonetheless pressing for legislation.

In Europe a convention concerning misuse of data was signed by all member countries of the Council of Europe. The OECD (Organization for Economic Cooperation and Development) has also drafted a convention of similar effect. The USA has a Privacy Act that deals with data stored by government agencies, but it is thought by some in the legal profession that for constitutional reasons the USA could not legislate to prohibit misuse of data along the lines required by the OECD and Council of Europe conventions. The debate is rapidly getting more complicated: third world countries are now finding that data protection legislation may enable them to create a nontariff barrier around indigenous data processing companies, and hence the issues are moving out of civil rights and into economics.

In 1984 the UK enacted the Data Protection Act to comply with the Council of Europe Convention. (The Act is described at the end of the dictionary.)

In February 1995 the Council of Ministers of the European Union formally approved a common position on the “Framework” Data Protection Directive, in response to the political agreement reached on 6 February 1995. The final version of the Directive includes a 12-year transition period for noncomputerized data. Member States will also have a three-year transition period in which to implement the Directive following its adoption.