The Chartered Institute of Housing
in Scotland
The Data Protection Act 1998:
A Guide for Housing Professionals
The Data Protection Act 1998: A Guide for Housing Professionals: final Draft
The Chartered Institute of Housing is the only professional organisation
representing all those working in housing. Our purpose is to take a leading and
strategic role in encouraging and promoting the provision and management of good
quality, affordable housing for all.
The Institute has almost 1,600 members in Scotland working in local authorities,
Scottish Homes, housing associations, housing co-operatives, voluntary organisations,
the private sector and educational institutions.
The Data Protection Act 1998: A Guide for Housing Professionals
Written by Derek O’Carroll, Advocate
Published by the Chartered Institute of Housing in Scotland
6 Palmerston Place
EDINBURGH
EH12 5AA
Tel: 0131 225 4544
Fax: 0131 225 4566
email: [email protected]
© Derek O’Carroll
Advocate
Advocates Library
High Street
Edinburgh EH1 1RF [email protected]
Registered Charity: No 244067/R
Whilst all reasonable care and attention has been taken in compiling
this publication, the author and publisher regret that they cannot
assume any responsibility for any error or omission that it contains.
Readers should take legal, financial and other advice before taking any
action in relation to this subject. This document is the version that was
published by CIH in February 2000. It has not been updated since that
time. Caution should therefore be exercised for that reason also.
Acknowledgements
The Chartered Institute of Housing in Scotland would like to thank everyone who has
contributed towards the writing of this Guide.
The author gratefully acknowledges the assistance provided by Andrea Moore and
Alan Ferguson of the Chartered Institute of Housing in Scotland and the comments
made on this draft by the following:
Andrea Moore, Chartered Institute of Housing in Scotland
David Mallon, solicitor
Cy Neil, West Dumbartonshire Council
Alister Cant, Lister Housing Co-Operative Ltd
Linda Reid, Glasgow West Housing Association
Graeme Hamilton and David Comley, Glasgow City Council
Emma Gwynn
Ian Walker, Falkirk Council
Douglas Hendry, Argyll and Bute Council
Clive Murray, Tayside Police
Valerie Murray, Bield Housing Association Ltd
Ron Ashton, Angus Council
Andrew Mackay, Port of Leith Housing Association Ltd
C Cook, Aberdeen City Council
Jim Pollock, Larkfield Housing Association Ltd
Any errors are those of the author however. The law is stated as at February 2000.
This publication is copyright the author. It may only be used for the personal use of
the reader and may not be otherwise copied, excerpted, bowdlerised, amended, altered
or redistributed except as permitted by law or with the written permission of the author
whose contact details are given above.
The CIH in Scotland gratefully acknowledges the project
funding received from The Scottish Executive for this
Guide.
Contents
Section
About this Guide
Glossary
Executive summary
1 Introduction to the Act
2 Data Protection Principles
3 Rights of Access to Data by Individuals
4 Timescales for introduction of the Act
5 Enforcement of the Act
6 Some housing management practice issues
7 Further sources and references
About this Guide
This Guide to the Data Protection Act 1998 is published by the Chartered Institute of
Housing in Scotland and is funded by the Scottish Executive. It is the first in a series
of three Guides, which consider the legislation affecting information management
issues. The remaining two cover the Freedom of Information legislation (available
2004) and the Human Rights Act 1998 (published in 2001) respectively. The Guides
are intended to be readable, concise introductions to the main provisions of the
legislation and the consequent housing management issues that may arise.
They are intended for the use of housing professionals, particularly those working in
the public sector and for Registered Social Landlords. Information management within
housing impacts on many housing functions including: the collation and storage of
data on applicants for housing and tenants; the sharing of data or information with
other agencies, for example in relation to community safety issues and debt recovery.
They are not, and cannot be, a comprehensive statement of the law. In particular, only
those aspects of the legislation that are likely to impact directly on housing
professionals in the delivery of housing services are addressed[1]. Neither can these
Guides, given the constraints of space, provide very much in the way of detailed
analysis of the issues contained within them. Further information can be obtained from
the references noted at section 7 of this Guide.
Glossary
The Act employs a large amount of specialist terminology. In order to understand how
the Act works, it is necessary to master at least some of the core terms used. Many of
these terms (e.g. ‘processing’) have very different meanings in ordinary English usage.
Noted below is a much-simplified explanation of some of the essential terms used in
the Act. All of the definitions are found in section 1(1) of the 1998 Act unless
otherwise indicated.
What constitutes data?
Data includes the following:
• Information on a computer
• Information which has been recorded with the intention of being input to a computer
• “Accessible records”[2] e.g. local authority housing, educational and social work records on individuals
• Some information in paper/manual records. This is a major change in the law. See box below.
What paper and manual records are covered by the Act?
The paper records that are covered are those which are contained in “a relevant
filing system”. This means any set of information relating to individuals where
the set is structured in such a way that specific information relating to a
particular individual is readily accessible.
It is not entirely clear exactly what records will be covered. The Data Protection
Registrar has published detailed guidance on this issue.[3] From this, it is clear that
it is the information, and the way in which it is structured, which should be
assessed rather than whether the information is actually in a file or filing system.
In other words, information does not necessarily have to be in a filing cabinet to
be caught by the definition of “data”.[4]
It will not be necessary to examine all paper files for accuracy. This is not
required for computer files either.[5] It should be noted that most existing paper
record systems are exempt from parts of the Act at least until 24 October 2001
and some until 23 October 2007. See Section 4 for more detail.
Who is a data subject?
A data subject is an individual (not an organisation) who is the subject of personal
data. The data subject is the beneficiary of rights under the 1998 Act in respect of
that data.
What is personal data?
Personal Data means all data (as defined above) relating to a living individual who
can be identified either from that data or from other information in the possession
of the data controller. It includes expressions of opinion about that individual as
well as any intentions that any person has regarding that individual. It also includes
information likely to come into the data controller’s possession as well as data in
his possession.
What is sensitive personal data?
Sensitive personal data[6] is information about a person’s:
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade union membership
• Mental or physical health
• Sex life
• Criminal record or allegations of criminal conduct.
Special conditions apply to the processing of sensitive personal data. See Section 2
(First Principle).
What does processing mean?
Processing of data or information (not just personal data) includes obtaining,
recording, holding, organising, adapting, retrieving, consulting or
otherwise performing some operation on it. Processing also includes disclosure of
the data (in any way) and destroying the data or information. In other words, almost
all conceivable uses of data or information are included.
What is a data controller?
A data controller is a person or organisation who decides how personal data is to
be processed and for what purposes. In the context of housing, the data controller
will be Scottish Homes, a local authority or a housing association: not the
employees. It is mostly the data controller who is subject to obligations under the
1998 Act.
Executive summary
Introduction to the Act
The Data Protection Act 1998 replaces the 1984 Act of the same name. Its main
effects are to:
• Increase the duties of those who process personal data
• Increase the rights of “data subjects”
• Extend the type of data covered by the legislation.
The addition of some paper records to the definition of data is new.
The Data Protection Principles
First Principle: Personal data shall be processed fairly and lawfully.
There are conditions to be met to ensure the data is processed fairly and lawfully,
including adherence to the Fair Processing Code. There are exemptions to the first
principle:
• Personal data collected for the purposes of the prevention or detection of crime
• When the data controller is discharging a statutory function
• Certain data contained in health, education and social work records
• Regulatory activity
• Personal data processed solely for the purposes of research, history or statistics
• Information which is already available to the public under statute
• Management forecasts and planning
• Negotiations in relation to the data subject
• Necessary disclosure of information or data
• Disclosure of personal data which is required by law or a court order
• Information which the data controller is obliged to make publicly available
• Data collected solely for an individual’s personal, family or household affairs.
Second Principle: Personal data shall be obtained only for one or more specified and
lawful purposes and shall only be used for that specified and lawful purpose.
Exemptions to the Second Principle are:
• Personal data collected for the purposes of the prevention or detection of crime
• Information which is already available to the public under statute
• Disclosure of personal data which is required by law or a court order
• Information which the data controller is obliged to make publicly available.
Third Principle: Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
Exemptions from the Third Principle are the same as for the Second Principle.
Fourth Principle: Personal data shall be accurate and, where necessary, kept up to
date.
Exemptions from the Fourth Principle are the same as for the Second Principle.
Fifth Principle: Personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those purposes.
Exemptions from the Fifth Principle are the same as for the Second Principle.
Sixth Principle: Personal data shall be processed in accordance with the rights of
data subjects under this Act.
Rights of data subjects
The rights of the data subject are:
• Right of access to personal data held on them
• Right to stop or prevent processing likely to cause unwarranted substantial damage or distress
• Right to compensation
• Right to obtain rectification, blocking, erasure or destruction of inaccurate data
• Right to request the Data Protection Commissioner to assess whether personal data is being processed lawfully.
The relevant exemptions to these rights are:
• Crime and taxation data
• Health and social work data
• Regulatory activity
• Information which is already available to the public under statute
• Data collected solely for an individual’s personal, family or household affairs
• Management forecasts and planning
• Negotiations in relation to the data subject
• Privileged communications between the data controller and its legal advisers
• Processing done in relation to a contract or with a view to entering a contract.
The data subject is not entitled to a copy of the information held on him/her in a
permanent form if the supply of such a copy is not possible or would involve
“disproportionate effort”.
Seventh Principle: Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.
Guidance from the Commissioner states that organisations must take reasonable steps
to ensure:
• The reliability of employees who have access to personal data
• Compliance by anyone who processes data on the organisation’s behalf
• There are appropriate measures to protect personal data
• A risk approach is adopted to determine what is appropriate
• A description of the security measures is made to the Commissioner
• There is a written contract with any third party processor.
There are no exemptions to the Seventh Principle.
Eighth Principle - this is of limited relevance to housing professionals.
Timescales and transitional exemptions from the 1998 Act
The 1998 Act gained royal assent in July 1998 but its provisions will come into force
on 1 March 2000.
Computer records are exempt until 23 October 2001, from:
• The fair processing code
• The First Principle
• Providing additional information to a data subject seeking access
• An individual invoking their right to prevent processing
• The right to compensation from some breaches of the 1998 Act
• An individual invoking their right to ask the Data Protection Commissioner to assess lawful processing.
Paper/manual records are exempt until 23 October 2001, from:
• All the Data Protection Principles
• All rights of access by data subjects
• All requirements to notify the Data Protection Commissioner.
A further, limited transitional exemption period exists for paper/manual data only,
from 23 October 2001 until 24 October 2007.
Enforcement of the Act
This is done in three ways:
• The exercise by the data subject of his/her rights of access
• The Data Protection Commissioner and the Data Protection Tribunal
• The criminal courts.
The 1998 Act creates a number of criminal offences for breaches, including processing
without notification and unlawful selling of data.
Some Housing Management Issues
Data sharing
Section 115 of the Crime and Disorder Act 1998 gives the power (but not the duty) to
any person to disclose information to assist the purposes of the Act, provided Data
Protection Act principles are adhered to.
The use of Codes of Guidance and local protocols for information sharing purposes
is recommended.
Evictions for Anti-social behaviour
In these instances, the housing provider will wish to obtain information from other
agencies to build a successful court case. Whether this is permissible depends on what
data is sought, what that data was originally obtained for and the purposes for which it is
needed.
Before the data can be released, the police will have to be satisfied that all the data
protection principles are fulfilled.
Rent recording and arrears
The housing provider must ensure that records are accurately maintained through:
• Having systems that ensure this data is not revealed to any unauthorised person
• Taking reasonable steps to ensure the accuracy of the data
• Not mixing other debits in with rent arrears
• Clear and written protocols designed to ensure the integrity of the information.
Applicants with special needs
To obtain or give information about a housing applicant who has special needs, a
signed consent form from the applicant authorising the release of the information and
data should be sought. If the applicant is not capable of giving consent (because of
their age or learning difficulties) consent may be given by the applicant’s guardian (for
example, a parent if under 16 or a person holding a power of attorney).
Access requests from data subjects
When a tenant or applicant requests access to their data records, there should be:
• Clear and established procedures for dealing with access requests
• A designated staff member who has responsibility for compliance with the 1998 Act
• Systems in place for effectively dealing with requests for data correction.
Access requests from commercial organisations
Information may be requested from commercial organisations, to assist them in their
business. If the data subject does not give permission for data release, the fair
processing code would not permit data release. There may be instances however where
the information is sought to assist in the apprehension of an offender. In these cases,
the ‘crime exemption’ might apply. A commercial organisation could obtain a court
order to access the information, if the housing provider refused and this was
prejudicing the apprehension of an offender.
Inter-relationship between the 1998 Act and other Acts
The Health and Safety at Work Act 1974 seeks to protect employees. It will be
appropriate for staff to be advised of a dangerous tenant or applicant when conducting
home visits or one-to-one interviews, provided the provisions of the 1998 Act and
relevant exemptions are met.
1.0 Introduction to the Act
1.1 The Data Protection Act 1998 (the “1998 Act”) comes into force on 1st March
2000. It replaces the Data Protection Act 1984[7]. Its main effects are:
• To significantly increase the duties of those who process personal data[8]
• To increase the rights of “data subjects”: those who are the subject of the data.
• To significantly extend the data covered by the legislation.
The Act applies to all UK individuals and organisations that process personal
data, subject to certain exceptions.[9] Data protection is not devolved to the
Scottish Parliament.
1.2 This Guide to the 1998 Act does not cover all aspects of the 1998 Act, nor can
it be definitive, because the legislation is extremely complex and this Guide
concentrates on those aspects of particular relevance to housing. Further provision,
containing substantial detail in some parts, is contained in statutory instruments; a list
of the main ones is in Section 7.
The reader is therefore strongly recommended to consult one of the further sources
listed in Section 7, or to take professional advice before making any decisions relating
to the implementation of the 1998 Act.
1.3 The principal aim of the 1998 Act is to protect the right of privacy of the
individual citizen against the misuse of personal data by organisations. It seeks
to restrict the flow of certain information. By contrast, the proposed Freedom
of Information Acts (in both Parliaments) seek to increase the flow of
information between the citizen, others, and government. There is potential for
conflict between the two Acts where someone seeks information about another
person. The Human Rights Act 1998 also impacts on the 1998 Act. That Act
may also provide for rights to information from official authorities although it
is thought that the effect of the 1998 Act will be to provide superior rights to
data subjects in most, if not all cases.
1.4 In practice, all local authorities, housing associations, other registered social
landlords and all their tenants are affected by the 1998 Act: as data controllers
and data subjects respectively. All other individuals on whom local authorities
and housing associations collect personal data, such as applicants for housing
and their families are also affected. All those organisations and bodies with
whom housing providers exchange information, such as the police and
voluntary organisations are also subject to the 1998 Act.
1.5 The 1998 Act builds on the 1984 Act. Some of the terminology and principles
are the same. Some are different.[10]
The following are some of the key changes.
• The “data controller” (formerly the “data user”), the person or organisation responsible for the processing of the data (such as a housing association or local authority), has increased responsibilities
• “Data” includes data held in manual records (e.g. a housing officer’s report of a house visit) as well as on computer
• “Processing” of data is defined much more widely than under the 1984 Act
• “Personal data” (i.e. data from which an individual can be identified) includes information about decisions of the data controller about the data subject (e.g. whether a house will be allocated to that person)
• The Data Protection Principles (i.e. the general principles governing the use of all personal data) are altered and strengthened, especially in relation to “lawful and fair” processing[11]
• The data subject has improved rights of access to personal data held on him/her, including the source of that data (that is, a tenant may be entitled to know that the police have supplied information about alleged wrongdoings).
• The data subject has new rights to prevent processing likely to cause damage and distress and a wider right to seek a court order for change to the data[12] (so if a tenant believed that something on his housing file was incorrect, s/he could attempt to force a change or addition)
• There are new exemptions from the right of the data subject to access personal data in areas including management forecasts and plans and negotiation information[13].
• There is a limited ban on forcing data subjects to access their personal data in some cases[14]
• The Data Protection Commissioner replaces the Data Protection Registrar and has increased powers[15]
• Notification to the Data Protection Commissioner[16] replaces registration with the Data Protection Registrar. Those who are presently registered with the Data Protection Registrar are exempt from notification until 24 October 2001 or the expiry of the current registration: whichever is the earlier.
1.6 The Act also repeals the Access to Personal Files Act 1987. This Act gave the
right to individuals to access some personal files held by some organisations,
including local authorities. Housing files held by Scottish Homes and local
authorities were included. In effect however, this right is preserved in a similar
form by the 1998 Act[17]. Individuals will continue to be entitled to access to the
personal information covered by that Act without interruption[18].
1.7 The principal issues for housing professionals include the following:
• The rights of individuals to access data processed by the housing organisation and how to respond to such requests
• The need to audit internal procedures and forms used for the purpose of collecting personal data and information to ensure compliance with the 1998 Act
• The way in which the 1998 Act affects co-operation agreements with outside organisations, such as the police, particularly in the context of the Crime and Disorder Act 1998
• Security of data and confidentiality of information.
These matters and others are explored further in Section 6.
2.0 The Data Protection Principles
2.1 At the core of the 1998 Act are the Data Protection Principles,[19] referred to in
this Introduction as the “Principles”. There are eight (there were also eight
under the 1984 Act but they are not all the same). They are all concerned with
the processing of ‘personal data’: not just data. Accordingly, if the information
or data held by housing organisations does not fall within the definition of
‘personal data’, the Principles do not apply. A brief outline of the Principles
and the exemptions is detailed below.
2.2 First Principle
“Personal data shall be processed fairly and lawfully and, in particular, shall
not be processed unless at least one of the conditions in Schedule 2 is met, and
in the case of ‘sensitive personal data’, at least one of the conditions in
Schedule 3 is met”
2.2.1 The requirement to process the data fairly and lawfully is the over-riding
general condition. It will always be unlawful to process data if none of the
conditions are met unless there is a specific exemption.
2.2.2 Processing data is lawful when one of the Schedule 2 conditions is met:
• The data subject has given active ‘specific and informed’ consent to the way in which it is proposed their personal data is to be processed.[20] Silence cannot be taken as consent.
• The processing is necessary for the purposes of a contract involving the data subject
• The processing is necessary to comply with the data controller’s legal obligations
• The processing is necessary to protect the vital interests of the data subject. Guidance issued by the Data Protection Registrar is that this condition may only be employed in life and death situations[21].
• The processing is necessary for the administration of justice; for the exercise of statutory functions; for the exercise of the functions of government or other functions of a public nature exercised in the public interest (for example, those of a local authority).
• The processing is necessary for the purposes of the legitimate interests of the data controller or third parties to whom the data is disclosed. This condition will not be available where the rights and freedoms or legitimate interests of the data subject make such processing unwarranted. The Secretary of State may make Regulations clarifying when this condition may be used.[22]
2.2.3 However, even if at least one of the conditions is met, it may still be unlawful
if, having regard to the wider circumstances, and any other relevant
legislation,[23] the processing is unfair or unlawful.
2.2.4 In addition, in considering the question of fairness, the courts and the Data
Protection Registrar will have regard to the ‘fair processing code’[24]. The code
says that the method of obtaining personal data, and whether there was any
deception or misleading about the use or purposes to which the data would be
put, is relevant to fairness. The Code also specifies that where data or
information is obtained from the data subject, the data controller must, so far as
practicable, tell the data subject:
• Who the data controller is
• What the data is to be used for
• Any other information appropriate in the circumstances.
2.2.5 If the data is obtained from someone other than the data subject, these
requirements are the same unless it would involve “disproportionate effort”.[25]
2.2.6 Finally, if the data consists of information obtained from an organisation or
person who is authorised or obliged by statute to provide the information, that
data will always be treated as having been fairly obtained.[26]
2.2.7 If the information which the data controller wants to process is ‘sensitive
personal data’[27], at least one of the following conditions in Schedule 3 must be
satisfied in addition to Schedule 2 conditions[28]:
• The data subject has given their “explicit” consent to the particular processing of the sensitive personal data. A ‘blanket consent’ will not suffice. The most obvious way of doing this would be by obtaining the person’s signature on a form with the relevant details printed there.
• The processing is necessary in connection with employment rights and obligations.
• The processing is necessary to protect the vital interests (‘life or death’) of the data subject where s/he cannot give consent or the consent cannot be reasonably obtained.
• The processing is necessary to protect the vital interests of another person and the data subject unreasonably refuses to consent.
• The processing is carried out by certain voluntary organisations on their members’ data
• The data subject has already deliberately made the information public.
• The processing is necessary for the purposes of legal proceedings, taking legal advice, or establishing, exercising or defending legal rights or for the administration of justice. Accordingly, disclosure of sensitive personal data in the context of an anti-social behaviour court case is permitted, as long as it is necessary.
• The processing is necessary for the exercise of statutory functions or governmental functions.
• The processing is necessary for medical purposes.
• The processing relates to racial or ethnic data, is necessary for equal opportunity purposes, and there are safeguards for the rights and freedoms of the data subject.
Necessary – a definition
The word ‘necessary’ is used frequently in the Principles. The word is taken
from the European Directive. Its meaning, (in terms of the jurisprudence of the
European Court of Justice) is much closer to ‘essential’ than, say, ‘desirable’.[29]
2.2.8 Exceptions to the First Principle
There are a number of exceptions to some or all of the requirements of the First
Principle. Key exemptions are as follows:
• Personal data collected for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax, where doing so would be likely to prejudice those purposes.[30] This exception does not apply to the requirements for processing of sensitive personal data.
• If the data controller got the data from another organisation who acquired the data for one of the purposes in the previous paragraphs and the data controller is discharging a statutory function, that data is exempt from the ‘fair processing code’ if adhering to it would be likely to prejudice the crime or taxation purpose. It is not, however, exempted from the remainder of the First Principle.[31] Data Protection Registrar guidance states that for this exemption to apply, there would have to be a “substantial chance” rather than a mere risk that the purposes would be damaged in a particular case.[32]
• Certain data contained in health, education and social work records is exempt from the ‘fair processing code’, but not the remainder of the First Principle, subject to Regulations published by the Secretary of State.[33]
• Regulatory activity. A wide range of data collected by bodies which have a regulatory function is exempt if compliance with the ‘fair processing code’ would prejudice the proper discharge of those regulatory functions.[34] Not all regulatory functions are necessarily covered.[35]
• Personal data to be processed solely for the purposes of research, history or statistics, and not processed to support decisions in relation to specific individuals and no substantial distress is caused to any data subject, is exempt from the First Principle. It should be noted that the requirements of the Second Principle must still be fulfilled.
• Information which is already available to the public under statute, including public registers such as the electoral roll,[36] is exempt from the whole of the First Principle, except for the provisions relating to the processing of sensitive personal data.
• Management forecasts and planning are exempt from the fair processing code.[37]
• Negotiations in relation to the data subject are exempt from the fair processing code.[38]
• Communications between the data controller and its legal advisers are exempt from the fair processing code.[39]
• Necessary disclosure of information or data in connection with legal proceedings, legal advice or for the purposes of the administration of justice etc. is exempt from the whole of the First Principle.
• Disclosure of personal data which is required by law or an order of a court is wholly exempt.
• Information which the data controller is obliged to make available to the public is exempt from the fair processing code.[40]
• Data collected solely for an individual’s personal, family or household affairs (such as household accounts held on a computer) is fully exempt from all the Principles.[41]
2.3 Second Principle
“Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with
that purpose or those purposes”
2.3.1 There are two means by which the data controller may specify these purposes.
The first is timely notice to the data subject. The second is by notification to
the Data Protection Commissioner.42 The data controller is not therefore
entitled to collect information for one purpose and then use it for another.
For example, a local authority would not be entitled to tell a social work client
that personal data was being taken from him/her only for its social work files
and then to pass it on to the housing benefit department.43
Exemptions from the Second Principle
Personal data collected for the purposes of the prevention or
detection of crime, the apprehension or prosecution of offenders or the
assessment or collection of any tax, if doing so would be likely to
prejudice those purposes.44
Information already available to the public under statute, including
public registers such as the electoral roll.45
Disclosure of personal data which is required by law or an order of a
court.46
Information which the data controller is obliged to make available to
the public.47
2.4 Third Principle
“Personal data shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which they are processed”
2.4.1 The idea here is that the data controller is not entitled to obtain and process
whatever data it wishes. A limit is placed on the quality and quantity of the
data by reference to the purposes to which the data will be put. There has been
extensive litigation on the equivalent Principle in the 1984 Act in relation to
the poll tax and the practice of some local authorities at that time which was to
obtain and use more information than was strictly necessary for poll tax
purposes.48
2.4.2 Exemptions from the Third Principle are the same as for the Second
Principle.
2.5 Fourth Principle
“Personal data shall be accurate and, where necessary, kept up to date”
2.5.1 The data controller has a duty to take reasonable steps to ensure the accuracy of
the data. Providing that it can show that such steps were taken, it will not be
liable for any inaccuracies in the data which it has accurately recorded which
was provided by the data subject or another person or organisation.
2.5.2 Exemptions from the Fourth Principle are the same as for the Second
Principle.
It is important to note that exemption from the Fourth Principle is only in
relation to the accuracy of the information.
2.6 Fifth Principle
“Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes”
2.6.2 Once the data has served its purpose, it must be disposed of. The length of
time that the data should be kept will vary according to the type of data. Some
data must be kept for minimum periods by statute.49 Note that destruction of
personal data is itself ‘processing’ and must be done in terms of the 1998 Act.
2.6.3 Exemptions from the Fifth Principle are the same as for the Second
Principle.
2.7 Sixth Principle
“Personal data shall be processed in accordance with the rights of data
subjects under this Act”
2.7.1 Section 3 describes the rights of the data subject and the exemptions to those
rights.
2.8 Seventh Principle
“Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data”
2.8.1 In other words, good care must be taken of the data.
2.8.2 The 1998 Act provides that account must be taken of the current state of
technology and its cost at any given time. Given the remarkable and sustained
changes in these matters, data controllers have a duty to continually review
their adherence to this Principle. The level of the protective measures put in
place must balance:
The harm that is to be avoided
The kind of information that requires protection.
2.8.3 British Standard 7799 is available to meet the needs of information security
management within organisations,50 but is not a requirement by the
Commissioner. The Registrar’s office has issued a draft set of questions that
organisations should consider in relation to information security.
Examples of unauthorised processing might be an employee accessing personal
data on a computer about someone else for a friend; a housing officer telling one
tenant about another tenant’s rent arrears or a credit union official passing on
details of a member’s debts to a finance company without that member’s
permission.
Additional guidance on security from the Commissioner states:
You must take reasonable steps to ensure:
The reliability of employees who have access to personal data
Compliance by anyone who processes data on your behalf.
2.8.4 There are no exemptions from the Seventh Principle.
You must:
Take appropriate measures to protect personal data
Adopt a risk approach to determining what is appropriate
Give a description of the security measures to the Commissioner (as per the
above questionnaire)
Have a written contract with any third party processor.
Information security checklist
Have you taken any measures to guard against unauthorised or unlawful
processing of personal data and against accidental loss, destruction or damage?
If yes, do they include:
Adopting an information security policy?
Taking steps to control physical security?
Putting in place controls on access of information?
Establishing a business continuity plan?
Training your staff on security systems and procedures?
Detecting and investigating breaches of security when they occur?
Have you adopted BS7799?
2.9 Eighth Principle
“Personal data shall not be transferred to a country or territory outside the
European Economic Area unless that country or territory ensures an adequate
level of protection for the rights and freedoms of data subjects in relation to
the processing of personal data”
2.9.1 The EEA comprises the 15 EU countries plus Norway, Liechtenstein and
Iceland. The Data Protection Directive, which led to the 1998 Act, applies to
all EU countries. This Principle and its exemptions are probably of limited
importance to housing professionals in the social housing sector.
3.0 Rights of the data subject
3.1 The 1998 Act creates a range of rights available to individuals (not
organisations) in relation to personal data processed by data controllers. There
are seven principal rights but only five of them are likely to be relevant to
housing professionals. They are explained below.51 As with all parts of the 1998
Act, they are subject to various exemptions, which are also explained below. The
date from which the rights are effective will vary too. See Section 4.
3.2 Right of access by individuals to personal data held on them
3.2.1 The principal right of access is now extended in two main ways. First, since
certain paper records are now relevant data, the data subject may be entitled to
access to that data subject to certain exceptions. Second, the range of
information that must be supplied to a data subject by a data controller is
expanded. Such information includes: opinions, facts or intentions of the data
controller to the data subject.
3.2.2 The access rights are summarised as follows. If an individual makes a request
in writing, together with the appropriate fee (no more than £10),52 that
individual is entitled to:
Be told whether personal data is being processed, and if so:
Be told what data is being processed, why and to whom that data may be
disclosed
Be given a copy of the information or data in an intelligible form
Be told the source of the data.
3.2.3 They should be provided with this information within 40 days of the request.
The information must not be tampered with in order to make it acceptable to
the data subject. If the information would reveal information relating to another
person, the data controller does not have to comply unless either that other
person agrees or it is reasonable in all the circumstances.53
3.2.4 Whilst not directly relevant to housing professionals, the Social Work Services
Inspectorate for Scotland have produced some useful guidance for social work
agencies on the Data Protection Act 1998.54
3.3 Right to stop or prevent processing likely to cause unwarranted
substantial damage or distress55
3.3.1 This is a new right. It is not available where the data controller has applied one
of the first four conditions for processing of personal data (see Section 2). To
claim the right, the subject of the data must write to the data controller giving
the grounds on which it is asserted that the processing of the data has, or will,
cause unwarranted and substantial distress to him/her or another. The data
controller has 21 days to reply. The data subject may seek a court order if
dissatisfied with the response.
3.4 Right to compensation56
3.4.1 If an individual suffers damage, or damage and distress, as a result of a
contravention of the 1998 Act by the data controller, s/he may seek
compensation in the courts. Even if a contravention is proved, the data
controller has the defence that it took such care as was reasonable in all the
circumstances to comply with the requirement (even if it was unfulfilled).
Distress alone is not enough. The pursuer must prove actual loss (for example,
loss of wages or damage to reputation) to succeed.
Who can exercise their right to access information about them?
Children under 16 years of age who understand what it means to exercise that
right
Any adult aged 16 or over, either in person, or through another person (who
must be able to prove that they have the explicit authority of the data
subject)
3.5 Right to obtain rectification, blocking, erasure or destruction of
inaccurate data and expressions of opinion based on that
inaccurate data57
3.5.1 While this is particularly relevant in the context of credit reference agencies, it
may also be relevant in other circumstances.
3.6 Right to request the Data Protection Commissioner to assess
whether any specified type of personal data is being processed
lawfully
3.6.1 The principal, relevant exceptions to these rights are as follows.
Crime and taxation.58 The data controller is entitled to refuse access to
personal data if release of the information would prejudice:
The purposes of the prevention or detection of crime
The apprehension or prosecution of offenders
The assessment or collection of any tax.
In addition, where the data controller is an authority administering housing
benefit or council tax benefit, or is a government department, there is no
subject access to data which has been collected by the authority which
attaches a classification to the data subject in order to collect a tax or
prevent fraud if granting that request is not in the interests of the operation
of the system. In other words, such a body does not have to reveal what it
believes about someone who it suspects of wrongly claiming benefit or
who it is trying to collect a tax from, such as Council tax if that would
interfere with its efforts to deal with fraud or to collect tax.
Health and social work data. Certain data on these subjects, collected by
local authorities, is exempt under certain circumstances, subject to
Regulations.59
Regulatory activity. A wide range of data collected by bodies, which
have a regulatory function, is exempt to the extent that access to that data
would prejudice the proper discharge of those regulatory functions.60 Not
all regulatory functions are necessarily covered.61
Information which is already available to the public under statute.
This would include public registers such as the electoral roll.62
The data subject is not entitled to a copy of the information held on
him/her in a permanent form if the supply of such a copy is not
possible or would involve “disproportionate effort”.63 The meaning of
this phrase is not defined.64 Even if it would involve “disproportionate
effort”, the data subject is still entitled to access to the information. One
way would be for the data subject to view the data in its original form at
the organisation’s offices.
Data collected solely for an individual’s personal, family or household
affairs.65
Management forecasts and planning.66
Negotiations in relation to the data subject.67
Privileged communications between the data controller and its legal
advisers.68
Processing done in relation to a contract or with a view to entering a
contract.
4.0 Timescales
4.1 The 1998 Act received the Royal Assent in July 1998. In terms of the Data
Protection Directive, the Act ought to have been brought into force by 24
October 1998. The Government has announced that the target date for bringing
it into effect is 1 March 2000, 16 months late.69
4.2 Some parts of the Act will however not apply immediately to all processing of
data. For some types of data and some types of processing, the 1998 Act will
not apply until one of two further dates: 23 October 2001 and 23 October
2007.70 (These dates are referred to in the 1998 Act as “transitional periods”).
In other words, data controllers will have a further period in which to adjust to
the new regime. There is nothing to prevent a data controller voluntarily
treating all data processing as if the Act were fully in force even though that
data or processing is, for the time being, not subject to the Act. Indeed, it
would be good practice for all data controllers to make any necessary
adjustments to their systems as soon as possible without waiting for any of the
‘trigger dates’.
4.3 Processing of data will only be eligible for transitional exemption (i.e., non-
compliance with some or all of the 1998 Act) if the data was subject to (what
the Data Protection Directive calls) “processing under way” before 24th
October 1998. This means that if the data controller has a system or practice
for dealing with personal data that was in force before that date and which is
still in force after 1 March 2000, there is “processing under way” and
transitional exemption may be possible. The phrase refers to the effect or result
or purpose of the processing, not the individual inputs so that even if new data
is introduced into the data controller’s data processing system after 24 October
1998, if the operation performed on it is the same as before that date, there is
“processing under way”. Even if the processing changes but the effect or result
is the same, there is likely to be “processing under way”. If a new system or
new process is introduced after 24 October 1998, that data becomes subject to
the 1998 Act from 1 March 2000.71
4.4 The transitional exemption varies according to whether the data is held on
computer or in paper files. The principal transitional exemptions for computer
files up to 23 October 2001 (where there is “processing under way”) are as
follows:
6 The fair processing code
7 The First Principle as regards conditions for processing of personal
data and sensitive personal data
8 The provision of additional information to a data subject seeking
access to his/her personal data
9 The right of an individual to prevent processing that may cause
unwarranted damage and distress
10 The right to compensation for some breaches, only, of the 1998 Act
11 The right of an individual to request that the Data Protection
Commissioner assess whether data is being lawfully processed.
4.5 The principal transitional exemptions up to 23 October 2001 for paper or
manual data (as defined above at paragraph 2.1) where there is “processing
under way” are as follows:
All the Data Protection Principles
All rights of access by data subjects
All requirements relating to notification of processing to the Data
Protection Commissioner.
There is an exception in relation to records such as housing records and some
educational and social work records to which rights of access were previously
given by the Access to Personal Files Act 1987. Such records will still be
accessible.72
4.6 The further transitional exemption period from 24 October 2001 to 24 October
2007 applies to paper/manual data only. There is no further transitional
exemption for computer data. This exemption is very much more limited than
for the first period. It only applies to data recorded manually, which had been
held before 24 October 1998 and was subject to ‘processing already under
way’ before then. All manual data added after 23 October 1998 will not qualify
for the exemption. Data qualifying for the second exemption period is exempt
from: the First Principle (except for the requirement to give additional
information on request to a data subject), the Second to the Fifth Principles and
the data subject’s right to have data corrected, blocked, erased or destroyed.
There is no continued exemption from the data subject’s right to access the
data.
5.0 Enforcement of the Act
5.1 There are three principal methods by which the Act is enforced. They are:
The exercise by the data subject of his/her rights of access (see Section 3)
The Data Protection Commissioner and the Data Protection Tribunal
The criminal courts.
5.2 The Data Protection Commissioner has stated that she will attempt to “achieve
compliance by dialogue…formal enforcement action is the exception rather
than the norm…”73 This is borne out by the statistics.74 The main powers
available to the DPC are as follows:
6 Service of Enforcement Notices on a data controller where she is
satisfied that there is a breach of the Data Protection Principles. The
notice specifies steps that must be taken to comply. Failure to comply is a
criminal offence. There is a right of appeal to the Data Protection
Tribunal
7 Service of an Information Notice on a data controller requiring it to
provide specified information in order that the DPR can decide whether
the Act is being complied with
8 The right to apply to a sheriff for a warrant to enter and search
premises where the DPR has reasonable suspicion that the 1998 Act is
being breached.
5.3 The 1998 Act creates a number of criminal offences punishable by fines of up
to £5,000 on summary complaint (i.e., trial before a sheriff alone) and
unlimited fines on indictment (i.e. trial before sheriff and jury). The offences
include:
Processing without notification
Failure to comply with written request for particulars
Failing to comply with an enforcement notice
Unlawful selling of personal data.
Forcing a data subject to access his/her own personal data will be a criminal
offence in limited circumstances, for example, involved in the recruitment of a
person, continued employment or the contract for the provision of services.
This will come into force when Part V of the Police Act 1997 is enacted.
6.0 Some housing management issues
6.1 Data protection issues are very important to the functions of many housing
providers in the public sector and RSL movement. Such organisations have
millions of pieces of personal data on file and are constantly processing them.
All such organisations are already subject to data registration under the 1984
Act, so some of the issues will be relatively clear.
6.2 However the increased scope of the 1998 Act (as compared with the 1984 Act)
means that such organisations have to reconsider their data protection strategy
in the light of the new features of the 1998 Act. All such organisations should
have carried out, or be carrying out a detailed audit of their systems for
processing personal data, checking for compliance with the 1998 Act and in
particular the provisions of the 1998 Act.75 In doing so, they may wish to have
regard to Codes of Practice that have already been agreed in some industries
and which have been approved by the Data Protection Registrar.76 They may
wish to seek to obtain BS 7799.77 The British Standards Institution has
published a very useful guide to the practical implementation of the Act.78
6.3 In particular areas of work, Codes of Practice have already been drawn up, for
example, in relation to police information. A critical issue is the inclusion of
paper/manual records under the definition of data. Although there is a generous
transitional exemption period, any new processing of such data is not exempted
and will be subject to the new regime from 1 March 2000 (see Section 4).
Managers will wish to ensure that their systems not only comply with the 1998
Act as regards such holding and obtaining such data but also that the
consequences of data subject access to such data is fully considered and the
implications for management practice are properly digested.
6.3 Data sharing and joint working
6.3.1 A key housing issue concerns data sharing, given the emphasis on the need for
co-operation between various agencies in:
Tackling crime and anti-social behaviour
Ensuring community safety
Delivering community care needs.
6.5 Tackling crime and anti-social behaviour
6.5.1 It will still remain possible for housing providers to both give and receive
personal data to use the provisions of the Crime and Disorder Act 1998 (for
example in order to obtain an anti-social behaviour order). However, the data
controllers processing that information must still ensure that the Principles of
the 1998 Act are maintained.
6.5.2 Section 115 of the Crime and Disorder Act 1998 gives a power (but not a duty)
to any person to disclose information if it assists the purposes of the Act. This
section does not override the 1998 Act. Any such information disclosure is
‘processing’ within the meaning of the 1998 Act. The First Data Protection
Principle is particularly relevant. A number of local authorities and police
forces in England and Wales have drawn up Codes of Practice and local
protocols. In Scotland, all Police forces have also developed local information
sharing protocols to regulate the way in which data is shared ensuring that
proper protection is given to that data and that the requirements of the 1998 Act
are observed.79 The use of local protocols is strongly recommended.
6.5.3 The Scottish Executive has not yet published its guidance on the data
protection implications of the Crime and Disorder Act. The Data Protection
Registrar has done so80 and has also published a checklist for setting up
information sharing arrangements, which is helpful.81
Data Protection implications for the Crime and Disorder Act
1998
In summary, the Commissioner recommends that when setting up protocols or
considering the use or disclosure of personal information, all of the following
questions should be considered:
What is the purpose of the information sharing agreement?
Will it be necessary to share personal information in order to fulfil that
purpose?
Do the parties to the arrangement have the power to disclose personal
information for that purpose?
How much personal information will need to be shared in order to
achieve the objectives of the arrangement?
Should the consent of the individual be sought before disclosure is
made?
What if the consent of the individual is not sought, or is sought but
withheld?
How does the non-disclosure exemption apply?
How do you ensure compliance with the other data protection
principles?
6.6 Seeking evictions for anti-social behaviour
6.6.1 Another issue is that of seeking eviction for anti-social behaviour reasons. In
such cases, the housing provider will often wish to obtain information from
other agencies, such as the police, to build a successful court case. Is this
permissible? The answer depends on what data is sought, what that data was
originally obtained for and the purposes for which it is needed. Before the data
can be released (for example, details of all previous convictions of the tenant
and the circumstances in which the crimes occurred) the police will have to be
satisfied that all the data protection principles are fulfilled.
6.6.2 The best way of course of dealing with this type of issue is for protocols to be
put into place between the various partners so that there are clear
understandings between the partners as to what data may be disclosed and
when especially in the most common types of cases.
Seeking eviction for anti-social behaviour
Questions to consider are:
First Principle: is the processing fair? Is there a good reason for the
release of the information to the housing provider? Is it necessary to
provide the information for the administration of justice or the public
interest? Can the information be provided on an anonymous basis?
Second Principle: Was the data collected for the purpose of disclosing it to
the housing provider? Was the information provided by a third party (such
as a witness) in confidence? If so, has that person been asked for
permission to release the information? If that person refuses, is there an
over-riding reason for nevertheless releasing it?
Third Principle: does the data sought all relate to the eviction action? Is it
all necessary for that matter? Is there unnecessary information being
sought?
Sixth Principle: What would be the effect on the data subject of
information being released without consent?
6.7 Community safety issues
6.7.1 Community safety is a shared responsibility between agencies and can involve
obtaining information about people who may pose a risk. This necessarily
involves co-ordination and co-operation between housing services, social work
departments and the police. When someone may pose a risk to the community,
for example a high risk sex offender, consideration should be given to when,
how and why housing departments will receive information about sex
offenders in the community. The 1998 Act must also form part of this
consideration. It is recommended that local information protocols should be
developed for addressing community safety issues.
Local information sharing protocols for community safety
Guidance produced in England by the Association of Chief Police Officers,
Association of Directors of Social Services and the Association of Chief
Officers of Probation is relevant to Scotland. They recommend that any local
information sharing protocol should include:
Definitions of the groups on which the protocol focuses (e.g. sex
offenders)
The forum for agreeing the protocol
Potential partners (including a core group who assess risk and those with
whom information is shared)
Process of sharing information
Seniority of representation
Possible action following sharing of information (such as interdict,
management transfer)
The rights of the offender or suspected offender.
6.8 Delivering community care needs
6.8.1 Applicants for housing with special or particular needs raise different issues.
The housing provider is likely to need information from the applicant relating
to his/her special needs. Some of this information will be held by other
agencies such as Social Work Services and doctors. The easiest way to comply
with the 1998 Act in such a situation is to obtain a signed consent form from
the applicant authorising the release of the information and data sought. The
applicant must give explicit consent: that is, s/he must be told what information
is being sought, from where and why. If the applicant is not capable of giving
consent (because of their age or learning difficulties) consent may be given by
the applicant’s guardian (for example, a parent if under 16 or a person holding
a power of attorney). Where housing is allocated to such a person, it is likely
that the housing provider will want to exchange data and information on a
regular basis with various authorities and persons. Again, the best solution is to
obtain the written consent of the person for the release of specified information
for specified purposes to specified organisations and/or individuals.
6.9 Rent recording and arrears
6.9.1 Several issues will arise in relation to rent recording and arrears. The first is the
maintenance of financial records relating to the arrears. The information
collected in these records may only be used for the purposes specified to the
tenant and the Data Protection Commissioner. Therefore, there must be
systems in place to ensure that this data is not revealed to any person other than
for the purposes for which it was obtained.
6.9.2 Finance departments in particular must have systems for ensuring that in
relation to queries about the rent arrears, only those authorised to obtain that
information may receive it. A range of people and organisations may seek such
information such as: the tenant, a member of the tenant’s family, a friend of the
tenant, the tenant’s advisor or lawyer, another local authority in connection
with an application for housing, the Benefits Agency, the courts, a credit
reference agency etc. The housing provider must therefore ensure
(particularly in relation to Principles 1, 2, 4, 6 and 7) that the rent arrears
information is kept secure and is only released for one of the authorised
purposes for a legitimate reason to an authorised person and that there are
verifiable methods of checking the identity of persons seeking the rent arrears
data. Again, detailed protocols will require to be put in place especially
between the main partners.
6.9.3 The second issue is concerned with the accuracy of the rent arrears
information. The housing provider has a duty to take reasonable steps to ensure
the accuracy of the data and keep it up to date. Rent arrears records that mix
other debits in with the rent arrears (such as housing benefit overpayments and
recharges) may not be accurate. Where sums are paid to the landlord by the
tenant, are those sums clearly set off against a specified debt due? There is a
need for clear, written protocols designed to ensure the integrity of the
information contained in the financial records.
6.9.4 Thirdly, where the records are to be used in a legal action (for example
eviction) such use is specifically permitted by the Act. The remaining
Principles of the 1998 Act still apply however, even though such a use is
permitted.
6.10 Dealing with access requests from data subjects
6.10.1 Housing providers will, like any other processor of personal data, be faced with
requests for access from the data subjects, most of whom will be tenants. It is
important that there are clear and established procedures for dealing with such
requests. The housing provider will have to decide whether to charge a fee and
if so, how much.82 The procedures will have to ensure that only data relating to
the data subject is released (unless one of the exemptions applies) and that the
person seeking access to the information is properly entitled.
6.10.2 All requests should be routed to the data protection co-ordinator or staff
member who has responsibility for compliance with the 1998 Act. The
procedures will have to ensure that, if any exemptions apply (for
example with regard to combating fraud), proper consideration is given as
to whether the exemption should be claimed. Where an individual obtains a
copy of data held on him and wants correction or blocking, there must be
systems in place for effectively dealing with such a request.
6.11 Dealing with access requests from commercial organisations
6.11.1 Information may be requested by commercial organisations, to assist them in
their business. For example, an electricity company, suspecting that an
electricity meter has been tampered with (and thus, electricity has been stolen),
might ask the housing provider who was living in the house during specified
periods so that it could obtain payment. Such information is personal data. If
the data subject does not give his/her permission for the data to be released,
and the data subject had never been informed that that data might be released to
the electricity supplier, would the housing provider be able to give the
information anyway? It is unlikely. The data was not gathered for the purpose
of the requested disclosure. Consent has not been given. The fair processing
code would not permit it.
6.11.2 If however the electricity company’s primary purpose in seeking the
information was to assist in the apprehension of an alleged offender (a
suspected thief of electricity) the housing organisation may have to consider
whether the ‘crime exemption’ might apply. This exemption may allow
disclosure of personal data (not sensitive personal data) for the purpose of
apprehending offenders: but only if there would be “likely prejudice” to the
possibility of apprehending an offender. The Data Protection Commissioner
takes the view that this requires a “substantial chance” that the crime detection
purpose would be noticeably damaged. The housing organisation would
therefore have to make a decision as to what was the purpose of the electricity
company seeking the information, and if it was seeking to invoke the crime
exemption, whether there would be likely prejudice to the apprehension of an
offender.
6.11.3 The housing provider may well take the view that the information sought
would be only marginally relevant to the question as to whether a criminal
offence had occurred and, if so, who did it. If that were the view that it took, it
would have to refuse to supply the information. One recourse of the electricity
company would be to raise a court action against the alleged thief and then
obtain a court order requiring the production of the information. In this case,
the housing provider would have to comply.
6.12 The interrelationship between the 1998 Act and other Acts
6.12.1 Another issue that will be relevant to housing providers is the interrelationship
between the 1998 Act and other Acts, for example the Health and Safety at
Work Act 1974, and the numerous Regulations associated with them.
6.12.2 For example, would a housing provider be able to release personal data about
the violent criminal record of one of its tenants to one of its employees about to go
on a house visit? The following are some of the issues that would arise. If the
reason for doing so was in fulfilment of the housing provider’s legal duties
regarding health and safety, then the conditions for processing data in the First
Principle are met (including those for sensitive personal data). The Second
Principle will be complied with as long as the data controller’s notification to
the Data Protection Commissioner allows such processing. The Third Principle
will be complied with as long as the information passed to the employee is no
more than is reasonably required for his/her safety. The Fourth Principle is
satisfied as long as the information or data is accurate and up to date. The Fifth
Principle would mean that once the information or data had been used for the
purpose of safety of the employee, it would be disposed of. The Sixth Principle
means that the tenant could, if s/he wished, try to obtain a copy of that
information and data held on him or her and seek its correction or deletion if
that information was incorrect. This would however depend on the tenant
taking the initiative. The Seventh Principle means that the employee given the
personal information about the allegedly dangerous tenant would have to use
that information only for his own safety and would not be entitled to pass it on:
to a neighbour of the tenant for example.
6.13 There are undoubtedly many other management issues for housing professionals
arising from the 1998 Act. Space does not permit further analysis of the issues.
It is recommended that use be made of the references given in section 7 and
that further advice is taken from the DPC and other sources so as to seek full
compliance with the 1998 Act and its underlying principles.
7.0 Further sources and references
Bibliography
P. Carey (1998), Blackstones Guide to the Data Protection Act 1998, Blackstones
Press Ltd
Guide to the Practical Implementation of the Data Protection Act 1998, (1999 plus
updates) DISC; British Standards Institution
Ian Lloyd (1998), A Guide to the Data Protection Act 1998, Butterworths
Andrea Moore (1999) Housing and Sex Offenders in Scotland: A Practice Note,
Chartered Institute of Housing in Scotland
J. Mullock and P. Leigh-Pollitt (1998) The Data Protection Act Explained, The
Stationery Office
M. Poustie (1999) Freedom of Information in the IT Age (in Miller(ed.)(2000), Citizen
or Data Subject-Surveillance, Data and Privacy Law in the IT World, T&T Clark)
S. Singleton (1998), Data Protection: the New Law, Jordans
The Data Protection Act 1998: An Introduction (1998), Data Protection Registrar
The Guidelines to the Data Protection Act 1984 (4th ed. 1997), Data Protection
Registrar
R. Widdison (1998) Data Protection Law: The Key Changes;
http://webjcli.ncl.ac.uk/1998/issue4/widdis4.html
Useful websites:
Data Protection Act 1998 (full text)
www.hmso.gov.uk/acts/acts1998/19980029.htm
European Data Protection legislation and associated reports
www.europa.eu.int/comm/dg15/en/media/dataprot/index.htm
Office of the Data Protection Registrar/Commissioner (includes text of all annual
reports)
www.dataprotection.gov.uk
Other legislation including statutory instruments
www.hmso.gov.uk
Information on BS 7799: information security management
www.c-cure.org
British Standards site on principles of good practice for information management
www.bsi.org.uk/disc/products/pd0009.html
The Home Office is responsible for legislation in this area, not the Scottish Parliament.
This site contains some useful material on the Data Protection Act 1998 including the
text of the draft statutory instruments on the 1998 Act
www.homeoffice.gov.uk
Home Office guidance on the Crime and Disorder Act
www.homeoffice.gov.uk/cdat/actgch5.htm
The British Computer Society is a source of information on all aspects of
computerised data processing
www.bcs.org.uk
The National Computing Centre is a source of further information
www.ncc.co.uk
The Records management section of the Public Records Office contains some useful
information and some documents that can be downloaded
www.pro.gov.uk/recordsmanagement/default.htm
Privacy Laws and Business organises conferences and produces publications.
Although concerned with the private sector, some of the information may be of use.
www.privacylaws.co.uk
Useful addresses
Office of the Data Protection Registrar
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 01625 545700

British Standards Institution
389 Chiswick High Road
London W4 4AL
Tel: 0181 996 9600
The main Statutory Instruments under the 1998 Act
The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000
The Data Protection Act 1998 (Commencement) Order 2000
Data Protection (Notification and Notification Fees) Regulations 2000
The Data Protection (Fees under section 19(7)) Regulations 2000
The Data Protection (Functions of Designated Authority) Order 2000
The Data Protection (International Co-operation) Order 2000
The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000
The Data Protection (Corporate Finance Exemption) Order 2000
The Data Protection Tribunal (Enforcement Appeals) Rules 2000
The Data Protection Tribunal (National Security Appeals) Rules 2000
Data Protection (Designated Codes of Practice) Order 2000
Data Protection (Subject Access Modification) (Health) Order 2000
Data Protection (Subject Access Modification) (Education) Order 2000
Data Protection (Subject Access Modification) (Social Work) Order 2000
Data Protection (Miscellaneous Subject Access Exemptions) Order 2000
Data Protection (Processing of Sensitive Data) Order 2000
Data Protection (Crown Appointments) Order 2000
1 So that, for example, the detailed requirements of notification contained in the 1998 Act are omitted as
this will be a function of the housing provider organisation, through the Data Protection Officer, rather
than the housing professional him/herself
2 Section 68
3 The Data Protection Act 1998: An Introduction, (1998), p3
4 See further the useful discussion in Lloyd (1998) at page 16,17; and Carey, p8
5 See Data Principle 5 , discussed below
6 Section 2
7 However, some parts of the Act come into force in stages: see Part 4 of this Guide. The 1984 Act will
continue to apply until those stages are reached.
8 See the Glossary for definition.
9 The exceptions are noted in the text below
10 See Glossary above for more detail on some of the definitions and section 1(1) of the 1998 Act
11 See Glossary above for further details; and schedule 1 of the 1998 Act
12 Sections 10 and 14 of the 1998 Act
13 See Schedule 7 to the 1998 Act
14 See section 56
15 She will also be the Information Commissioner once the (UK) Freedom of Information Bill is
enacted
16 This Guide does not cover the detailed requirements of notification: see Part III of the 1998 Act.
Detailed Regulations have been made on the notification provisions: see section 7 of this Guide.
17 See sections 1(1), 7, 68 and Schedule 12 of the 1998 Act
18 As before, the information that is accessible is all information held for the purpose of the tenancy in
respect of a current or past tenant or applicant for housing. A fee of up to £10 may be charged for the
access and copying of the records.
19 Schedule 1
20 Article 2(h) of The Data Protection Directive 97/66/EC
21 The Data Protection Act 1998 : An Introduction, p8
22 see SI 2000/185
23 See comments above at para 1.5
24 Schedule 1, Part II, paragraphs 1 to 4
25 See Schedule 1, Part II, paragraphs 1 to 4 and the guidance of the Data Protection Registrar in
Introduction to Data Protection Act 1998 , page 13. See also SI 2000/185
26 It is important to realise however that this does not remove the requirements of lawful processing of
data which are applied by the rest of the 1998 Act
27 see the Glossary above for the definition
28 See also the Data Protection (Processing of Sensitive Data) Order 2000
29 see Lloyd (1998), A Guide to the Data Protection Act 1998, page 46
30 section 29
31 section 29
32 The Data Protection Act 1998 , An Introduction, p22
33 See section 7 of this Guide for those regulations
34 Section 31
35 Section 31(2) specifies the range of purposes of regulation. Section 31 (4) and (5) relates to named
bodies. Local authorities and Scottish homes are not specifically mentioned although there is no doubt
that some if not most of their regulatory functions would be exempt from the subject access provisions
36 section 34
37 Schedule 7
38 Schedule 7
39 schedule 7
40 section 34
41 section 36
42 Notification requirements are dealt with in Part III of the 1998 Act and the Regulations: see part 7 of
this Guide.
43 Cases on this point include British Gas v Data Protection Registrar 1998, Innovations (Mail Order)
Ltd v Data Protection Registrar 1992, Case DA/92 31/49/1 and Linguaphone Institute v Data
Protection Registrar 1994, Case DA/94 31/49/1
44 section 29
45 section 34
46 Schedule 7
47 section 34
48 See cases DA/90 24/49/3 and DA/90 25/49/2
49 See further the BSI Guide and the very useful discussion of this topic at para 6.5
50 The British Standards Institution and its offshoot, DISC, have done a lot of work in this area. There
is no legal requirement to fulfil the terms of this British Standard: but compliance with it will probably
mean that the Act is being complied with. See Part 8.0 for references
51 The two not noted are the right to prevent processing for the purposes of direct marketing (section
10) and rights in relation to automated decision making (section 12) which are mainly relevant to the
credit finance industry.
52 See the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000
53 Further explanation of this is given in section 7(6). This provision was introduced as a result of
Gaskin v United Kingdom (1990) 12 EHRR 36, a case in which the plaintiff, who had been in local
authority care as a child, sought various records relating to that time from the local authority whom he
was suing for negligence.
54 Circular 1/2000
55 Section 10
56 Section 13
57 Section 14
58 See section 29 for the full scope of these exemptions
59 See section 30 and the following Regulations Data Protection (Subject Access
Modification)(Education) Order 2000 and the Data Protection (Subject Access Modification)(Social
Work) Order 2000
60 Section 31
61 Section 31(2) specifies the range of purposes of regulation. Section 31 (4) and (5) relates to named
bodies. Local authorities and Scottish homes are not specifically mentioned although there is no doubt
that some if not most of their regulatory functions would be exempt from the subject access provisions
62 Section 34
63 Section 7(2)
64 Very detailed Regulations have been published: SI 2000/186
65 section 36
66 Schedule 7
67 Schedule 7
68 Schedule 7
69 Thus, the UK Government is in continuing breach of its community obligations. Any person or
organisation who can show that s/he has suffered loss as a result of the late implementation of the
Directive may have a right of action for damages against the UK Government.
70 See Schedule 8
71 See the helpful Guidance by the Data Protection Registrar in The Data Protection Act 1998; an
Introduction, p27.
72 Section 68 and Schedule 12 for the records involved, schedule 8 for the transitional relief. The
accessible information is that which is held by the organisation for any purpose of the landlord and
tenant relationship in respect of any tenant or applicant, past or present.
73 Press release 26 October 1998
74 See for example figures given in the latest annual report of the Data Protection Registrar
75 See Chapter 10 of the BSI Guide for a very helpful ‘Action Plan’
76 See the Data Protection (Designated Codes of Practice) Order 1999, a draft statutory instrument
available on the DPR’s website which specifies a number of such Codes.
77 See note 41 above
78 Guide to the Practical Implementation of the Data Protection Act 1998. See Part 8 for address
79 A number of examples are given in the Home Office guidance on the Crime and Disorder Act, Chp5
available on the Home Office website: www.homeoffice.gov.uk
80 Crime and Disorder Act 1998: Data Protection Implications for Information-Sharing (September
1999)
81 Available directly from the DPC
82 £10 is the maximum. There is no requirement to charge any fee