The Data Protection Act 1998: A Guide for Housing ... Policy Pdfs/Data Protection/Dat… · The...

The Chartered Institute of Housing

in Scotland

The Data Protection Act 1998:

A Guide for Housing Professionals

The Data Protection Act 1998: A Guide for Housing Professionals: final Draft

2

The Chartered Institute of Housing is the only professional organisation

representing all those working in housing. Our purpose is to take a leading and

strategic role in encouraging and promoting the provision and management of good

quality, affordable housing for all.

The Institute has almost 1,600 members in Scotland working in local authorities,

Scottish Homes, housing associations, housing co-operatives, voluntary organisations,

the private sector and educational institutions.

The Data Protection Act 1998: A Guide for Housing Professionals

Written by Derek O’Carroll, Advocate

Published by the Chartered Institute of Housing in Scotland

6 Palmerston Place

EDINBURGH

EH12 5AA

Tel: 0131 225 4544

Fax: 0131 225 4566

email: [email protected]

© Derek O’Carroll

Advocate

Advocates Library

High Street

Edinburgh EH1 1RF [email protected]

Registered Charity: No 244067/R

Whilst all reasonable care and attention has been taken in compiling

this publication, the author and publisher regret that they cannot

assume any responsibility for any error or omission that it contains.

Readers should take legal, financial and other advice before taking any

action in relation to this subject. This document is the version that was

published by CIH in February 2000. It has not been updated since that

time. Caution should therefore be exercised for that reason also.

mailto:[email protected]


3

Acknowledgements

The Chartered Institute of Housing in Scotland would like to thank everyone who has

contributed towards the writing of this Guide.

The author gratefully acknowledges the assistance provided by Andrea Moore and

Alan Ferguson of the Chartered Institute of Housing in Scotland and the comments

made on this draft by the following:

Andrea Moore, Chartered Institute of Housing in Scotland

David Mallon, solicitor

Cy Neil, West Dumbartonshire Council

Alister Cant, Lister Housing Co-Operative Ltd

Linda Reid, Glasgow West Housing Association

Graeme Hamilton and David Comley, Glasgow City Council

Emma Gwynn

Ian Walker, Falkirk Council

Douglas Hendry, Argyll and Bute Council

Clive Murray, Tayside Police

Valerie Murray, Bield Housing Association Ltd

Ron Ashton, Angus Council

Andrew Mackay, Port of Leith Housing Association Ltd

C Cook, Aberdeen City Council

Jim Pollock, Larkfield Housing Association Ltd

Any errors are those of the author however. The law is stated as at February 2000.

This publication is copyright the author. It may only be used for the personal use of

the reader and may not be otherwise copied, excerpted, bowdlerised, amended, altered

or redistributed except as permitted by law or with the written permission of the author

whose contact details are given above.

The CIH in Scotland gratefully acknowledges the project

funding received from The Scottish Executive for this

Guide.


4

Contents

Section

About this Guide

Glossary

Executive summary

1 Introduction to the Act

2 Data Protection Principles

3 Rights of Access to Data by Individuals

4 Timescales for introduction of the Act

5 Enforcement of the Act

6 Some housing management practice issues

7 Further sources and references


5

About this Guide

This Guide to the Data Protection Act 1998 is published by the Chartered Institute of

Housing in Scotland and is funded by the Scottish Executive. It is the first in a series

of three Guides, which consider the legislation affecting information management

issues. The remaining two cover the Freedom of Information legislation (available

2004) and the Human Rights Act 1998 (published in 2001) respectively. The Guides

are intended to be readable, concise introductions to the main provisions of the

legislation and the consequent housing management issues that may arise.

They are intended for the use of housing professionals, particularly those working in

the public sector and for Registered Social Landlords. Information management within

housing impacts on many housing functions including: the collation and storage of

data on applicants for housing and tenants; the sharing of data or information with

other agencies, for example in relation to community safety issues and debt recovery.

They are not, and cannot be, a comprehensive statement of the law. In particular, only

those aspects of the legislation, which are likely to impact directly on housing

professionals in the delivery of housing services, are addressed1. Neither can these

Guides, given the constraints of space, provide very much in the way of detailed

analysis of the issues contained within them. Further information can be obtained from

the references noted at section 7 of this Guide.


6

Glossary

The Act employs a large amount of specialist terminology. In order to understand how

the Act works, it is necessary to master at least some of the core terms used. Many of

these terms (e.g. ‘processing’) have very different meanings in ordinary English usage.

Noted below is a much-simplified explanation of some of the essential terms used in

the Act. All of the definitions are found in section 1(1) of the 1998 Act unless

otherwise indicated.

What constitutes data?

Data includes the following:

Information on a computer

Information which has been recorded with the intention of being input to a

computer

“Accessible records”2 e.g. Local authority housing, educational and social work

records on individuals

Some information in paper/manual records. This is a major change in the law.

See box below.

What paper and manual records are covered by the Act?

The paper records that are covered are those which are contained in “a relevant

filing system”. This means any set of information relating to individuals where

the set is structured in such a way that specific information relating to a

particular individual is readily accessible.

It is not entirely clear exactly what records will be covered. The Data Protection

Registrar has published detailed guidance on this issue.3 From this, it is clear that

it is the information, and the way, in which it is structured, which should be

assessed rather than whether the information is actually in a file or filing system.

In other words, information does not necessarily have to be in a filing cabinet to

be caught by the definition of “data”4.

It will not be necessary to examine all paper files for accuracy. This is not

required for computer files either.5 It should be noted that most existing paper

record systems are exempt from parts of the Act at least until 24 October 2001

and some until 23 October 2007. See Section 4 for more detail.


7

Who is a data subject?

A Data subject is an individual (not an organisation) who is the subject of personal

data. The data subject is the beneficiary of rights under the 1998 Act in respect of

that data.

What is personal data?

Personal Data means all data (as defined above) relating to a living individual who

can be identified either from that data or from other information in the possession

of the data controller. It includes expressions of opinion about that individual as

well as any intentions that any person has regarding that individual. It also includes

information likely to come into the data controller’s possession as well as data in

his possession.[deletion]

What is sensitive personal data?

Sensitive personal data6 is information about a person’s:

Racial or ethnic origin

Political opinions

Religious or similar beliefs

Trade union membership

Mental or physical health

Sex life

Criminal record or allegations of criminal conduct.

Special conditions apply to the processing of sensitive personal data. See Section 2

(First Principle).

What does processing mean?

Processing of data or information (not just personal data) includes obtaining,

recording, holding, organising, adapting, consulting, retrieving, consulting or

otherwise performing some operation on it. Processing also includes: disclosure of

the data (in any way) and destroying the data or information. In other words, almost

all conceivable uses of data or information is included.


8

What is a data controller?

A data controller is a person or organisation who decides how personal data is to

be processed and for what purposes. In the context of housing, the data controller

will be Scottish Homes, a local authority or a housing association: not the

employees. It is mostly the data controller who is subject to obligations under the

1998 Act.


9

Executive summary

Introduction to the Act

The Data Protection Act 1998 replaces the 1984 Act of the same name. Its main

effects are to:

Increase the duties of those who process personal data

Increase the rights of “data subjects”

Extend the type of data covered by the legislation.

The addition of some paper records to the definition of data is new.

The Data Protection Principles

First Principle: Personal data shall be processed fairly and lawfully.

There are conditions to be met to ensure the data is processed fairly and lawfully,

including adherence to the Fair Processing Code. There are exemptions to the first

principle:

Personal data collected for the purposes of the prevention or detection of

crime

When the data controller is discharging a statutory function

Certain data contained in health, education and social work records

Regulatory activity.

Personal data processed solely for the purposes of research, history or

statistics

Information which is already available to the public under statute

Management forecasts and planning

Negotiations in relation to the data subject

Necessary disclosure of information or data

Disclosure of personal data which is required by law or a court order

Information which the data controller is obliged to make publicly available

Data collected solely for an individual’s personal, family or household

affairs.

Second Principle: Personal data shall be obtained only for one or more specified and

lawful purposes and shall only be used for that specified and lawful purpose.

Exemptions to the Second Principle are:

Personal data collected for the purposes of the prevention or detection of

crime


Disclosure of personal data which is required by law or a court order

Information which the data controller is obliged to make publicly available.

Third Principle: Personal data shall be adequate, relevant and not excessive in

relation to the purpose or purposes for which they are processed.

Exemptions from the Third Principle are the same as for the Second Principle.


10

Fourth Principle: Personal data shall be accurate and, where necessary, kept up to

date.

Exemptions from the Fourth Principle are the same as for the Second Principle

Fifth Principle: Personal data processed for any purpose or purposes shall not be

kept for longer than is necessary for that purpose or those purposes.

Exemptions from the Fifth Principle are the same as for the Second Principle.

Sixth Principle: Personal data shall be processed in accordance with the rights of

data subjects under this Act.

Rights of data subjects

The rights of the data subject are:

Right of access to personal data held on them

Right to stop or prevent processing likely to cause unwarranted substantial

damage or distress

Right to compensation

Right to obtain rectification, blocking, erasure or destruction of inaccurate

data

Right to request the Data Protection Commissioner to assess whether personal

data is being processed lawfully.

The relevant exemptions to these rights are:

Crime and taxation data

Health and social work data

Regulatory activity


Data collected solely for an individual’s personal, family or household affairs

Management forecasts and planning

Negotiations in relation to the data subject

Privileged communications between the data controller and its legal advisers

Processing done in relation to a contract or with a view to entering a contract.

The data subject is not entitled to a copy of the information held on him/her in a

permanent form if the supply of such a copy is not possible or would involve

“disproportionate effort”.

Seventh Principle: Appropriate technical and organisational measures shall be taken

against unauthorised or unlawful processing of personal data and against accidental

loss or destruction of, or damage to, personal data.

Guidance from the Commissioner states that organisations must take reasonable steps

to ensure:

The reliability of employees who have access to personal data

Compliance by anyone who processes data on the organisation’s behalf.

There are appropriate measures to protect personal data

A risk approach is adopted to determine what is appropriate

A description of the security measures is made to the Commissioner


11

There is a written contract with any third party processor.

There are no exemptions to the Seventh Principle.

Eighth Principle - this is of limited relevance to housing professionals.

Timescales and transitional exemptions from the 1998 Act

The 1998 Act gained royal assent in July 1998 but its provisions will come into force

on 1 March 2000.

Computer records are exempt until 23 October 2001, from:

The fair processing code

The First Principle

Providing additional information to a data subject seeking access

An individual invoking their right to prevent processing

The right to compensation from some breaches of the 1998 Act

An individual invoking their right to ask the Data Protection Commissioner to

assess lawful processing.

Paper/manual records are exempt until 23 October 2001, from:

All the Data Protection Principles

All rights of access by data subjects

All requirements to notify the Data Protection Commissioner.

A further, limited transitional exemption period exists for paper/manual data only,

from 23 October 2001 until 24 October 2007.

Enforcement of the Act

This is done in three ways:

The exercise by the data subject of his/rights of access

The Data Protection Commissioner and the Data Protection Tribunal

The criminal courts.

The 1998 Act creates a number of criminal offences for breaches, including processing

without notification and unlawful selling of data.

Some Housing Management Issues

Data sharing

Section 115 of the Crime and Disorder Act 1998 gives the power (but not the duty) to

any person to disclose information to assist the purposes of the Act, provided Data

Protection Act principles are adhered to.

The use of Codes of Guidance and local protocols for information sharing purposes

are recommended.


12

Evictions for Anti-social behaviour

In these instances, the housing provider will wish to obtain information from other

agencies to build a successful court case. Whether this is permissible depends on what

data is sought, what that data was originally obtained for and the purposes for which is

needed.

Before the data can be released, the police will have to be satisfied that all the data

protection principles are fulfilled.

Rent recording and arrears

The housing provider must ensure that records are accurately maintained through:

Having systems that ensure this data is not revealed to any unauthorised

person

Taking reasonable steps to ensure the accuracy of the data

Not mixing other debits in with rent arrears

Clear and written protocols designed to ensure the integrity of the

information.

Applicants with special needs

To obtain or give information about a housing applicant who has special needs, a

signed consent form from the applicant authorising the release of the information and

data should be sought. If the applicant is not capable of giving consent (because of

their age or learning difficulties) consent may be given by the applicant’s guardian (for

example, a parent if under 16 or a person holding a power of attorney).

Access requests from data subjects

When a tenant or applicant requests access to their data records, there should be:

Clear and established procedures for dealing with access requests

A designated staff member who has responsibility for compliance with the

1998 Act.

Systems in place for effectively dealing with requests for data correction.

Access requests from commercial organisations

Information may be requested from commercial organisations, to assist them in their

business. If the data subject does not give permission for data release, the fair

processing code would not permit data release. There may be instances however where

the information is sought to assist in the apprehension of an offender. In these cases,

the ‘crime exemption’ might apply. A commercial organisation could obtain a court

order to access the information, if the housing provider refused and this was

prejudicing the apprehension of an offender.

Inter-relationship between the 1998 Act and other Acts

The Health and Safety at Work Act 1974 seeks to protect employees. It will be

appropriate for staff to be advised of a dangerous tenant or applicant when conducting

home visits or one-to one interviews, provided the provisions of the 1998 Act and

relevant exemptions are met.


13

1.0 Introduction to the Act

1.1 The Data Protection Act 1998 (the “1998 Act”) comes into force on 1st March

2000. It replaces the Data Protection Act 19847. Its main effects are:

To significantly increase the duties of those who process personal data8

To increase the rights of “data subjects”: those who are the subject of the

data.

To significantly extend the data covered by the legislation.

The Act applies to all UK individuals and organisations that process personal

data, subject to certain exceptions.9 Data protection is not devolved to the

Scottish Parliament.

1.2 This Guide to the 1998 Act does not cover all aspects of the 1998 Act, nor can

it be definitive, because the legislation is extremely complex and this Guide

concentrates on those aspects of particular relevance to housing. Further provisions

containing substantial detail in some parts, is contained in statutory instruments, a list

of the main ones is in section 7.

The reader is therefore strongly recommended to consult one of the further sources

listed in Section 7, or to take professional advice before making any decisions relating

to the implementation of the 1998 Act.

1.3 The principal aim of the 1998 Act is to protect the right of privacy of the

individual citizen against the misuse of personal data by organisations. It seeks

to restrict the flow of certain information. By contrast, the proposed Freedom

of Information Acts (in both Parliaments) seek to increase the flow of

information between the citizen, others, and government. There is potential for

conflict between the two Acts where someone seeks information about another

person. The Human Rights Act 1998 also impacts on the 1998 Act. That Act

also may provide for rights to information form official authorities although it

is thought that the effect of the 1998 Act will be to provide superior rights to

data subjects in most, if not all cases.


14

1.4 In practice, all local authorities, housing associations, other registered social

landlords and all their tenants are affected by the 1998 Act: as data controllers

and data subjects respectively. All other individuals on whom local authorities

and housing associations collect personal data, such as applicants for housing

and their families are also affected. All those organisations and bodies with

whom housing providers exchange information, such as the police and

voluntary organisations are also subject to the 1998 Act.

1.5 The 1998 Act builds on the 1984 Act. Some of the terminology and principles

are the same. Some are different.10

The following are some of the key changes.

6 The “data controller”(formerly the “data user”), the person or

organisation responsible for the processing of the data (such as a housing

association or local authority), has increased responsibilities

7 “Data” includes data held in manual records (e.g. a housing officers report

of a house visit) as well as on computer

8 “Processing” of data is defined much more widely than under the 1984

Act

9 “Personal data” (i.e. data from which an individual can be identified)

includes information about decisions of the data controller about the data

subject (e.g. whether a house will be allocated to that person)

10 The Data Protection Principles (i.e. the general principles governing the

use of all personal data) are altered and strengthened; especially in relation

to “lawful and fair” processing11

11 The data subject has improved rights of access to personal data held on

him/her, including the source of that data (that is, a tenant may be entitled

to know that the police has supplied information about alleged

wrongdoings).

12 The data subject has new rights to prevent processing likely to cause

damage and distress and a wider right to seek a court order for change to

the data 12

(so if a tenant believed that something on his housing file was

incorrect, s/he could attempt to force a change or addition)

13 There are new exemptions from the right of the data subject to access

personal data in areas including management forecasts and plans and

negotiation information13

.


15

14 There is a limited ban on forcing data subjects to access their personal

data in some cases14

15 The Data Protection Commissioner replaces the Data Protection

Registrar and has increased powers15

16 Notification to the Data Protection Commissioner16

replaces

registration with the Data Protection Registrar. Those who are presently

registered with the Data Protection Registrar are exempt from notification

until 24 October 2001 or the expiry of the current registration: whichever

is the earlier.

1.6 The Act also repeals the Access to Personal Files Act 1987. This Act gave the

right to individuals to access some personal files held by some organisations,

including local authorities. Housing files held by Scottish Homes and local

authorities were included. In effect however, this right is preserved in a similar

form by the 1998 Act17

. Individuals will continue to be entitled to access to the

personal information covered by that Act without interruption18.

1.7 The principal issues for housing professionals include the following:

The rights of individuals to access data processed by the housing

organisation and how to respond to such requests

The need to audit internal procedures and forms used for the purpose of

collecting personal data and information to ensure compliance with the

1998 Act

The way in which the 1998 Act affects co-operation agreements with

outside organisations, such as the police, particularly in the context of the

Crime and Disorder Act 1998

Security of data and confidentiality of information.

These matters and others are explored further in Section 6.


16

2.0 The Data Protection Principles

2.1 At the core of the 1998 Act are the Data Protection Principles19

referred to in

this Introduction as the “Principles”. There are eight (there were also eight

under the 1984 Act but they are not all the same). They are all concerned with

the processing of ‘personal data’: not just data. Accordingly, if the information

or data held by housing organisations does not fall within the definition of

‘personal data’, the Principles do not apply. A brief outline of the Principles

and the exemptions is detailed below.

2.2 First Principle

2.2.1 The requirement to process the data fairly and lawfully is the over-riding

general condition. It will always be unlawful to process data if none of the

conditions are met unless there is a specific exemption.

2.2.2 Processing data is lawful when one of the Schedule 2 conditions are met:

6 The data subject has given active ‘specific and informed’ consent to the

way in which it is proposed their personal data is to be processed.20

Silence

cannot be taken as consent.

7 The processing is necessary for the purposes of a contract involving the

data subject

8 The processing is necessary to comply with the data controller’s legal

obligations

“Personal data shall be processed fairly and lawfully and, in particular, shall

not be processed unless at least one of the conditions in Schedule 2 is met, and

in the case of ‘sensitive personal data’, at least one of the conditions in

Schedule 3 is met”


17

9 The processing is necessary to protect the vital interests of the data subject.

Guidance issued by the Data Protection Registrar is that this condition may

only be employed in life and death situations21

.

10 The processing is necessary for the administration of justice; for the

exercise of statutory functions; for the exercise of the functions of

government or other functions of a public nature exercised in the public

interest (for example, those of a local authority).

11 The processing is necessary for the purposes of the legitimate interests of

the data controller or third parties to whom the data is disclosed. This

condition will not be available where the rights and freedoms or legitimate

interests of the data subject make such processing unwarranted. The

Secretary of State may make Regulations clarifying when this condition

may be used.22

2.2.3 However, even if at least one of the conditions is met, it may still be unlawful

if, having regard to the wider circumstances, and any other relevant

legislation,23

the processing is unfair or unlawful.

2.2.4 In addition, in considering the question of fairness, the courts and the Data

Protection Registrar will have regard to the ‘fair processing code’24

. The code

says that the method of obtaining personal data and whether there was any

deception or misleading about the use or purposes to which the data would be

put, is relevant to fairness. The Code also specifies that where data or

information is obtained from the data subject, the data controller must, so far as

practicable, tell the data subject:

Who the data controller is

What the data is to be used for

Any other information appropriate in the circumstances.

2.2.5 If the data is obtained from someone other than the data subject, these

requirements are the same unless it would involve “disproportionate effort”.25

2.2.6 Finally, if the data consists of information obtained from an organisation or

person who is authorised or obliged by statute to provide the information, that

data will always be treated as having been fairly obtained.26


18

2.2.7 If the information which the data controller wants to process is ‘sensitive

personal data’27

at least one of the following conditions in Schedule 3 must be

satisfied in addition to Schedule 2 conditions28:

6 The data subject has given their “explicit” consent to the particular

processing of the sensitive personal data. A ‘blanket consent’ will not

suffice. The most obvious way of doing this would be by obtaining the

person’s signature on a form with the relevant details printed there.

7 The processing is necessary in connection with employment rights and

obligations.

8 The processing is necessary to protect the vital interests (‘life or death’)

of the data subject where s/he cannot give consent or the consent cannot

be reasonably obtained.

9 The processing is necessary to protect the vital interests of another person

and the data subject unreasonably refuses to consent.

10 The processing is carried out by certain voluntary organisations on its

members’ data

11 The data subject has already deliberately made the information public.

12 The processing is necessary for the purposes of legal proceedings, taking

legal advice, or establishing, exercising or defending legal rights or for

the administration of justice. Accordingly, disclosure of sensitive

personal data in the context of an anti-social behaviour court case is

permitted, as long as it is necessary.

13 The processing is necessary for the exercise of statutory functions or

governmental functions.

14 The processing is necessary for medical purposes.

15 The processing relates to racial or ethnic data, is necessary for equal

opportunity purposes, and there are safeguards for the rights and

freedoms of the data subject.

Necessary – a definition

The word ‘necessary’ is used frequently in the Principles. The word is taken

from the European Directive. Its meaning, (in terms of the jurisprudence of the

European Court of Justice) is much closer to ‘essential’ than, say, ‘desirable’.29


19

2.2.8 Exceptions to the First Principle

There are a number of exceptions to some or all of the requirements of the First

Principle. Key exemptions are as follows:

6 Personal data collected for the purposes of the prevention or detection

of crime, the apprehension or prosecution of offenders or the

assessment or collection of any tax, where doing so would be likely to

prejudice those purposes.30

This exception does not apply to the

requirements for processing of sensitive personal data.

7 If the data controller got the data from another organisation who

acquired the data for one of the purposes in the previous paragraphs

and the data controller is discharging a statutory function, that data is

exempt from the ‘fair processing code’ if adhering to it would be likely to

prejudice the crime or taxation purpose. It is not, however, exempted from

the remainder of the First Principle. 31

Data Protection Registrar guidance

states that for this exemption to apply, there would have to be a

“substantial chance” rather than a mere risk that the purposes would be

damaged in a particular case.32

8 Certain data contained in health, education and social work records is

exempt from the ‘fair processing code’, but not the remainder of the First

Principle, subject to Regulations published by the Secretary of State.33

9 Regulatory activity. A wide range of data collected by bodies, which

have a regulatory function, is exempt if compliance with the ‘fair

processing code’ would prejudice the proper discharge of those regulatory

functions.34

Not all regulatory functions are necessarily covered.35

10 Personal data to be processed solely for the purposes of research,

history or statistics, and not processed to support decisions in relation to

specific individuals and no substantial distress is caused to any data

subject, is exempt from the First Principle. It should be noted that the

requirements of the Second Principle must still be fulfilled.


20

11 Information which is already available to the public under statute,

including public registers such as the electoral roll.36

is exempt from the

whole of the First Principle, except for the provisions relating to the

processing of sensitive personal data.

12 Management forecasts and planning are exempt from the fair processing

code.37

13 Negotiations in relation to the data subject are exempt from the fair

processing code.38

14 Communications between the data controller and its legal advisers are

exempt from the fair processing code.39

15 Necessary disclosure of information or data in connection with legal

proceedings, legal advice or for the purposes of the administration of

justice etc. is exempt from the whole of the First Principle.

16 Disclosure of personal data which is required by law or an order of a

court is wholly exempt.

17 Information which the data controller is obliged to make available to

the public is exempt from the fair processing code.40

18 Data collected solely for an individual’s personal, family or household

affairs (such as household accounts held on a computer) is fully exempt

from all the Principles.41

2.3 Second Principle

2.3.1 There are two means by which the data controller may specify these purposes.

The first is timely notice to the data subject. The second is by notification to

the Data Protection Commissioner42

. The data controller is not therefore

entitled to collect information for one purpose and then use it for another.

“Personal data shall be obtained only for one or more specified and lawful

purposes, and shall not be further processed in any manner incompatible with

that purpose or those purposes”

For example, a local authority would not be entitled to tell a social work client

that personal data was being taken from him/her only for its social work files

and then to pass it on to the housing benefit department.43


21

Exemptions from the Second Principle

Personal data -collected for the purposes of the prevention or

detection of crime, the apprehension or prosecution of offenders or the

assessment or collection of any tax, if doing so would be likely to

prejudice those purposes.44

Information already available to the public under statute, including

public registers such as the electoral roll.45

Disclosure of personal data which is required by law or an order of a

court.46

Information which the data controller is obliged to make available to

the public.47

2.4 Third Principle

2.4.1 The idea here is that the data controller is not entitled to obtain and process

whatever data it wishes. A limit is placed on the quality and quantity of the

data by reference to the purposes to which the data will be put. There has been

extensive litigation on the equivalent Principle in the 1984 Act in relation to

the poll tax and the practice of some local authorities at that time which was to

obtain and use more information than was strictly necessary for poll tax

purposes.48

2.4.2 Exemptions from the Third Principle are the same as for the Second

Principle.

2.5 Fourth Principle

“Personal data shall be adequate, relevant and not excessive in relation to the

purpose or purposes for which they are processed”

“Personal data shall be accurate and, where necessary, kept up to date”


22

2.5.1 The data controller has a duty to take reasonable steps to ensure the accuracy of

the data. Providing that it can show that such steps were taken, it will not be

liable for any inaccuracies in the data which it has accurately recorded which

was provided by the data subject or another person or organisation.

2.5.2 Exemptions from the Fourth Principle are the same as for the Second

Principle.

It is important to note that exemption from the Fourth Principle is only in

relation to the accuracy of the information.

2.6 Fifth Principle

2.6.2 Once the data has served its purpose, it must be disposed of. The length of

time that the data should be kept will vary according to the type of data. Some

data must be kept for minimum periods by statute.49

Note that destruction of

personal data is itself ‘processing’ and must be done in terms of the 1998 Act.

2.6.3 Exemptions from the Fifth Principle are the same as for the Second

Principle.

2.7 Sixth Principle

2.7.1 Section 3 describes the rights of the data subject and the exemptions to those

rights.

“Personal data processed for any purpose or purposes shall not be kept for

longer than is necessary for that purpose or those purposes"

“Personal data shall be processed in accordance with the rights of data

subjects under this Act”


23

2.8 Seventh Principle

2.8.1 In other words, good care must be taken of the data.

2.8.2 The 1998 Act provides that account must be taken of the current state of

technology and its cost at any given time. Given the remarkable and sustained

changes in these matters, data controllers have a duty to continually review

their adherence to this Principle. The level of the protective measures put in

place must balance:

The harm that is to be avoided

The kind of information that requires protection.

2.8.3 British Standard 7799 is available to meet the needs of information security

management within organisations,50

but is not a requirement by the

Commissioner. The Registrar’s office has issued a draft set of questions that

organisations should consider in relation to information security.

“Appropriate technical and organisational measures shall be taken against

unauthorised or unlawful processing of personal data and against accidental

loss or destruction of, or damage to, personal data”

Examples of unauthorised processing might be an employee accessing personal

data on a computer about someone else for a friend; a housing officer telling one

tenant about another tenant’s rent arrears or a credit union official passing on

details of a member’s debts to a finance company without that member’s

permission.

Additional guidance on security from the Commissioner states:

You must take reasonable steps to ensure:

The reliability of employees who have access to personal data

Compliance by anyone who processes data on your behalf.


24

2.8.4 There are no exemptions from the Seventh Principle.

2.9 Eighth Principle

2.9.1 The EEA comprises the 15 EU countries plus Norway, Liechtenstein and

Iceland. The Data Protection Directive, which led to the 1998 Act, applies to

all EU countries. This Principle and its exemptions are probably of limited

importance to housing professionals in the social housing sector.

You must:

Take appropriate measures to protect personal data

Adopt a risk approach to determining what is appropriate

Give a description of the security measures to the Commissioner (as per the

above questionnaire)

Have a written contract with any third party processor.

Information security checklist

Have you taken any measures to guard against unauthorised or unlawful

processing of personal data and against accidental loss, destruction or damage?

If yes, do they include:

Adopting an information security policy?

Taking steps to control physical security?

Putting in place controls on access of information?

Establishing a business continuity plan?

Training your staff on security systems and procedures?

Detecting and investigating breaches of security when they occur?

Have you adopted BS7799?

“Personal data shall not be transferred to a country or territory outside the

European Economic Area unless that country or territory ensures an adequate

level of protection for the rights and freedoms of data subjects in relation to

the processing of personal data”


25

3.0 Rights of the data subject

3.1 The 1998 Act creates a range of rights available to individuals (not

organisations) in relation to personal data processed by data controllers. There

are seven principal rights but only five of them are likely to be relevant to

housing professionals. They are explained below.51

As with all parts of the 1998

Act, they are subject to various exemptions, which are also explained below. The

date from which the rights are effective will vary too. See Section 4.

3.2 Right of access by individuals to personal data held on them

3.2.1 The principal right of access is now extended in two main ways. First, since

certain paper records are now relevant data, the data subject may be entitled to

access to that data subject to certain exceptions. Second, the range of

information that must be supplied to a data subject by a data controller is

expanded. Such information includes: opinions, facts or intentions of the data

controller to the data subject.

3.2.2 The access rights are summarised as follows. If an individual makes a request

in writing, together with the appropriate fee (no more than £10),52

that

individual is entitled to:

Be told whether personal data is being processed, and if so:

Be told what data is being processed, why and to whom that data may be

disclosed

Be given a copy of the information or data in an intelligible form

Be told the source of the data.

3.2.3 They should be provided with this information within 40 days of the request.

The information must not be tampered with in order to make it acceptable to

the data subject. If the information would reveal information relating to another

person, the data controller does not have to comply unless either that other

person agrees or it is reasonable in all the circumstances.53


26

3.2.4 Whilst not directly relevant to housing professionals, the Social Work Services

Inspectorate for Scotland have produced some useful guidance for social work

agencies on the Data Protection Act 199854

3.3 Right to stop or prevent processing likely to cause unwarranted

substantial damage or distress55

3.2.1 This is a new right. It is not available where the data controller has applied one

of the first four conditions for processing of personal data (see Section 2). To

claim the right, the subject of the data must write to the data controller giving

the grounds on which it is asserted that the processing of the data has, or will,

cause unwarranted and substantial distress to him/her or another. The data

controller has 21 days to reply. The data subject may seek a court order if

dissatisfied with the response.

3.4 Right to compensation56

3.4.1 If an individual suffers damage, or damage and distress, as a result of a

contravention of the 1998 Act by the data controller, s/he may seek

compensation in the courts. Even if a contravention is proved, the data

controller has the defence that it took such care as was reasonable in all the

circumstances to comply with the requirement (even if it was unfulfilled).

Distress alone is not enough. The pursuer must prove actual loss (for example,

loss of wages or damage to reputation) to succeed.

Who can exercise their right to access information about them?

Children under 16 years of age who understand what it means to exercise that

right

Any adult aged 16 or over, either in person, or through another person (who

must be able to prove that they have the explicit authority of the data

subject)[note bracket]


27

3.5 Right to obtain rectification, blocking, erasure or destruction of

inaccurate data and expressions of opinion based on that

inaccurate data57

3.5.1 While this is particularly relevant in the context of credit reference agencies, it

may also be relevant in other circumstances.

3.6 Right to request the Data Protection Commissioner to assess

whether any specified type of personal data is being processed

lawfully

3.6.1 The principal, relevant exceptions to these rights are as follows.

Crime and taxation58

. The data controller is entitled to refuse access to

personal data if release of the information would prejudice:

The purposes of the prevention or detection of crime

The apprehension or prosecution of offenders

The assessment or collection of any tax.

In addition, where the data controller is an authority administering housing

benefit or council tax benefit, or is a government department, there is no

subject access to data which has been collected by the authority which

attaches a classification to the data subject in order to collect a tax or

prevent fraud if granting that request is not in the interests of the operation

of the system. In other words, such a body does not have to reveal what it

believes about someone who it suspects of wrongly claiming benefit or

who it is trying to collect a tax from, such as Council tax if that would

interfere with its efforts to deal with fraud or to collect tax.

Health and social work data. Certain data on these subjects, collected by

local authorities, is exempt under certain circumstances, subject to

Regulations .59

Regulatory activity. A wide range of data collected by bodies, which

have a regulatory function, is exempt to the extent that access to that data

would prejudice the proper discharge of those regulatory functions.60

Not

all regulatory functions are necessarily covered.61


28

Information which is already available to the public under statute.

This would include public registers such as the electoral roll.62

The data subject is not entitled to a copy of the information held on

him/her in a permanent form if the supply of such a copy is not

possible or would involve “disproportionate effort”.63

The meaning of

this phrase is not defined64. Even if it would involve “disproportionate

effort”, the data subject is still entitled to access to the information. One

way would be for the data subject to view the data in its original form at

the organisation’s offices.

Data collected solely for an individual’s personal, family or household

affairs.65

Management forecasts and planning.66

Negotiations in relation to the data subject.67

Privileged communications between the data controller and its legal

advisers.68

Processing done in relation to a contract or with a view to entering a

contract.


29

4.0 Timescales

4.1 The 1998 Act received the Royal Assent in July 1998. In terms of the Data

Protection Directive, the Act ought to have been brought into force by 24

October 1998. The Government has announced that the target date for bringing

it into effect is 1 March 2000, 16 months late69

.

4.2 Some parts of the Act will however not apply immediately to all processing of

data. For some types of data and some types of processing, the 1998 Act will

not apply until one of two further dates: 23 October 2001 and 23 October

200770

. (These dates are referred to in the 1998 Act as “transitional periods’).

In other words, data controllers will have a further period in which to adjust to

the new regime. There is nothing to prevent a data controller voluntarily

treating all data processing as if the Act were fully in force even though that

data or processing is, for the time being, not subject to the Act. Indeed, it

would be good practice for all data controllers to make any necessary

adjustments to their systems as soon as possible without waiting for any of the

‘trigger dates’.

4.3 Processing of data will only be eligible for transitional exemption (i.e., non-

compliance with some or all of the 1998 Act) if the data was subject to (what

the Data Protection Directive calls) “processing under way” before 24th

October 1998. This means that if the data controller has a system or practice

for dealing with personal data that was in force before that date and which is

still in force after 1 March 2000, there is “processing under way” and

transitional exemption may be possible. The phrase refers to the effect or result

or purpose of the processing, not the individual inputs so that even if new data

is introduced into the data controller’s data processing system after 24 October

1998, if the operation performed on it is the same as before that date, there is

“processing under way”. Even if the processing changes but the effect or result

is the same, there is likely to be “processing under way”. If a new system or

new process is introduced after 24 October 1998, that data becomes subject to

the 1998 Act from 1 March 2000.71


30

4.4 The transitional exemption varies according to whether the data is held on

computer or in paper files. The principal transitional exemptions for computer

files up to 23 October 2001 (where there is “processing under way”) are as

follows:

6 The fair processing code

7 The First Principle as regards conditions for processing of personal

data and sensitive personal data

8 The provision of additional information to a data subject seeking

access to his/her personal data

9 The right of an individual to prevent processing that may cause

unwarranted damage and distress

10 The right to compensation for some breaches, only, of the 1998 Act

11 The right of an individual to request that the Data Protection

Commissioner assess whether data is being lawfully processed.

4.5 The principal transitional exemptions up to 23 October 2001 for paper or

manual data (as defined above at paragraph 2.1) where there is “processing

under way” are as follows:

All the Data Protection Principles

All rights of access by data subjects

All requirements relating to notification of processing to the Data

Protection Commissioner.

There is an exception in relation to records such as housing records and some

educational and social work records to which rights of access were previously

given by the Access to Personal files Act 1987. Such records will still be

accessible72

.

4.6 The further transitional exemption period from 24 October 2001 to 24 October

2007 applies to paper/manual data only. There is no further transitional

exemption for computer data. This exemption is very much more limited than

for the first period. It only applies to data recorded manually, which had been

held before 24 October 1998 and was subject to ‘processing already under

way’ before then. All manual data added after 23 October 1998 will not qualify

for the exemption. Data qualifying for the second exemption period is exempt


31

from: the First Principle (except for the requirement to give additional

information on request to a data subject), the Second to the Fifth Principles and

the data subject’s right to have data corrected, blocked, erased or destroyed.

There is no continued exemption from the data subject’s right to access the

data.


32

5.0 Enforcement of the Act

5.1 There are three principal methods by which the act is enforced. They are:

The exercise by the data subject of his/rights of access (see Section 3)

The Data Protection Commissioner and the Data Protection Tribunal

The criminal courts.

5.2 The Data Protection Commissioner has stated that she will attempt to “ achieve

compliance by dialogue…formal enforcement action is the exception rather

than the norm…”73

This is borne out by the statistics.74

The main powers

available to the DPC are as follows:

6 Service of Enforcement Notices on a data controller where she is

satisfied that there is a breach of the Data Protection Principles. The

notice specifies steps that must be taken to comply. Failure to comply is a

criminal offence. There is a right of appeal to the Data Protection

Tribunal

7 Service of an Information Notice on a data controller requiring it to

provide specified information in order that the DPR can decide whether

the Act is being complied with

8 The right to apply to a sheriff for a warrant to enter and search

premises where the DPR has reasonable suspicion that the 1998 Act is

being breached.

5.3 The 1998 Act creates a number of criminal offences punishable by fines of up

to £5,000 on summary complaint (i.e., trial before a sheriff alone) and

unlimited fines on indictment (i.e. trial before sheriff and jury). The offences

include:

Processing without notification

Failure to comply with written request for particulars

Failing to comply with an enforcement notice

Unlawful selling of personal data.

Forcing a data subject to access his/her own personal data will be a criminal

offence in limited circumstances, for example, involved in the recruitment of a


33

person, continued employment or the contract for the provision of services.

This will come into force when Part V of the Police Act 1997 is enacted.

6.0 Some housing management issues

6.1 Data protection issues are very important to the functions of many housing

providers in the public sector and RSL movement. Such organisations have

millions of pieces of personal data on file and are constantly processing them.

All such organisations are already subject to data registration under the 1984

Act, so some of the issues will be relatively clear.

6.2 However the increased scope of the 1998 Act (as compared with the 1984 Act)

means that such organisations have to reconsider their data protection strategy

in the light of the new features of the 1998 Act. All such organisations should

have carried out, or be carrying out a detailed audit of their systems for

processing personal data, checking for compliance with the 1998 Act and in

particular the provisions of the 1998 Act.75

In doing so, they may wish to have

regard to Codes of Practice that have already been agreed in some industries

and which have been approved by the Data Protection Registrar.76

They may

wish to seek to obtain BS 779977

. The British Standards Institution has

published a very useful guide to the practical implementation of the Act.78

6.3 In particular areas of work, Codes of Practice have already been drawn up, for

example, in relation to police information. A critical issue is the inclusion of

paper/manual records under the definition of data. Although there is a generous

transitional exemption period, any new processing of such data is not exempted

and will be subject to the new regime from 1 March 2000 (see Section 4).

Managers will wish to ensure that their systems not only comply with the 1998

Act as regards such holding and obtaining such data but also that the

consequences of data subject access to such data is fully considered and the

implications for management practice are properly digested.


34

6.3 Data sharing and joint working

6.3.1 A key housing issue concerns data sharing, given the emphasis on the need for

co-operation between various agencies in:

Tackling crime and anti-social behaviour

Ensuring community safety

Delivering community care needs.

6.5 Tackling crime and anti-social behaviour

6.5.1 It will still remain possible for housing providers to both give and receive

personal data to use the provisions of the Crime and Disorder Act 1998 (for

example in order to obtain an anti-social behaviour order). However, the Data

controllers processing that information must still ensure that the Principles of

the 1998 Act are maintained.

6.5.2 Section 115 of the Crime and Disorder Act 1998 gives a power (but not a duty)

to any person to disclose information if it assists the purposes of the Act. This

section does not override the 1998 Act. Any such information disclosure is

‘processing’ within the meaning of the 1998 Act. The First Data Protection

Principle is particularly relevant. A number of local authorities and police

forces in England and Wales have drawn up Codes of Practice and local

protocols. In Scotland, all Police forces have also developed local information

sharing protocols to regulate the way in which data is shared ensuring that

proper protection is given to that data and that the requirements of the 1998 Act

are observed.79

The use of local protocols is strongly recommended.


35

6.5.3 The Scottish Executive has not yet published its guidance on the data

protection implications of the Crime and Disorder Act. The Data Protection

Registrar has done so80

and has also published a checklist for setting up

information sharing arrangements, which is helpful.81

6.6 Seeking evictions for anti-social behaviour

6.6.1 Another issue is that of seeking eviction for anti-social behaviour reasons. In

such cases, the housing provider will often wish to obtain information from

other agencies, such as the police, to build a successful court case. Is this

permissible? The answer depends on what data is sought, what that data was

originally obtained for and the purposes for which is needed. Before the data

Data Protection implications for the Crime and Disorder Act

1998

In summary, the Commissioner recommends that when setting up protocols or

considering the use or disclosure of personal information, all of the following

questions should be considered:

What is the purpose of the information sharing agreement?

Will it be necessary to share personal information in order to fulfil that

purpose?

Do the parties to the arrangement have the power to disclose personal

information for that purpose?

How much personal information will need to be shared in order to

achieve the objectives of the arrangement?

Should the consent of the individual be sought before disclosure is

made?

What if the consent of the individual is not sought, or is sought but

withheld?

How does the non-disclosure exemption apply?

How do you ensure compliance with the other data protection

principles?


36

can be released (for example, details of all previous convictions of the tenant

and the circumstances in which the crimes occurred) the police will have to be

satisfied that all the data protection principles are fulfilled.

6.6.2 The best way of course of dealing with this type of issue is for protocols to be

put into place between the various partners so that there are clear

understandings between the partners as to what data may be disclosed and

when especially in the most common types of cases.

6.7 Community safety issues

6.7.1 Community safety is a shared responsibility between agencies and can involve

obtaining information about people who may pose a risk. This necessarily

involves co-ordination and co-operation between housing services, social work

departments and the police. When someone may pose a risk to the community,

for example a high risk sex offender, consideration should be given to when,

how and why housing departments will receive information about sex

offenders in the community. The 1998 Act must also form part of this

Seeking eviction for anti-social behaviour

Questions to consider are:

First Principle: is the processing fair? Is there a good reason for the

release of the information to the housing provider? Is it necessary to

provide the information for the administration of justice or the public

interest? Can the information be provided on an anonymous basis?

Second Principle: Was the data collected for the purpose of disclosing it to

the housing provider? Was the information provided by a third party (such

as a witness) in confidence? If so, has that person been asked for

permission to release the information? If that person refuses, is there an

over-riding reason for nevertheless releasing it?

Third Principle: does the data sought all relate to the eviction action? Is it

all necessary for that matter? Is there unnecessary information being

sought?

Sixth Principle: What would be the effect on the data subject of

information being released without consent?


37

consideration. It is recommended that local information protocols should be

developed for addressing community safety issues.

6.8 Delivering community care needs

6.8.1 Applicants for housing with special or particular needs raise different issues.

The housing provider is likely to need information from the applicant relating

to his/her special needs. Some of this information will be held by other

agencies such as Social Work Services and doctors. The easiest way to comply

with the 1998 Act in such a situation is to obtain a signed consent form from

the applicant authorising the release of the information and data sought. The

applicant must give explicit consent: that is, s/he must be told what information

is being sought, from where and why. If the applicant is not capable of giving

consent (because of their age or learning difficulties) consent may be given by

the applicant’s guardian (for example, a parent if under 16 or a person holding

a power of attorney). Where housing is allocated to such a person, it is likely

that the housing provider will want to exchange data and information on a

Local information sharing protocols for community safety

Guidance produced in England by the Association of Chief Police Officers,

Association of Directors of Social Services and the Association of Chief

Officers of Probation is relevant to Scotland. They recommend that any local

information sharing protocol should include:

Definitions of the groups on which the protocol focuses (e.g. sex

offenders)

The forum for agreeing the protocol

Potential partners (including a core group who assess risk and those with

whom information is shared)

Process of sharing information

Seniority of representation

Possible action following sharing of information (such as interdict,

management transfer)

The rights of the offender or suspected offender.


38

regular basis with various authorities and persons. Again, the best solution is to

obtain the written consent of the person for the release of specified information

for specified purposes to specified organisations and/or individuals

6.9 Rent recording and arrears

6.9.1 Several issues will arise in relation to rent recording and arrears. The first is the

maintenance of financial records relating to the arrears. The information

collected in these records may only be used for the purposes specified to the

tenant and the Data Protection Commissioner. Therefore, there must be

systems in place to ensure that this data is not revealed to any person other than

for the purposes for which it was obtained.

6.9.2 Finance departments in particular must have systems for ensuring that in

relation to queries about the rent arrears, only those authorised to obtain that

information may receive it. A range of people and organisations may seek such

information such as: the tenant, a member of the tenant’s family, a friend of the

tenant, the tenant’s advisor or lawyer, another local authority in connection

with an application for housing, the Benefits Agency, the courts, a credit

reference agency etc. etc. The housing provider must therefore ensure that

(particularly in relation to Principles 1,2,4,6 and 7) that the rent arrears

information is kept secure and is only released for one of the authorised

purposes for a legitimate reason to an authorised person and that there are

verifiable methods of checking the identity of persons seeking the rent arrears

data. Again, detailed protocols will require to be put in place especially

between the main partners.

6.9.3 The second issue is concerned with the accuracy of the rent arrears

information. The housing provider has a duty to take reasonable steps to ensure

the accuracy of the data and keep it up to date. Rent arrears records that mix

other debits in with the rent arrears (such as housing benefit overpayments and

recharges) may not be accurate. Where sums are paid to the landlord by the

tenant, are those sums clearly set off against a specified debt due? There is a

need for clear, written protocols designed to ensure the integrity of the

information contained in the financial records.


39

6.9.4 Thirdly, where the records are to be used in a legal action (for example

eviction) such use is specifically permitted by the Act. The remaining

Principles of the 1998 Act still apply however, even though such a use is

permitted.

6.10 Dealing with access requests from data subjects

6.10.1 Housing providers will, like any other processor of personal data, be faced with

requests for access from the data subjects; most of who will be tenants. It is

important that there are clear and established procedures for dealing with such

requests. The housing provider will have to decide whether to charge a fee and

if so, how much.82

The procedures will have to ensure that only data relating to

the data subject is released (unless one of the exemptions applies) and that the

person seeking access to the information is properly entitled.

6.10.2 All requests should be routed to the data protection co-ordinator or staff

member who has responsibility for compliance with the 1998 Act. The

procedures will have to ensure that if there are any exemptions that apply (for

example with regard to combating fraud) that proper consideration is given as

to whether the exemption should be claimed. Where an individual obtains a

copy of data held on him and wants correction or blocking, there must be

systems in place for effectively dealing with such a request.

6.11 Dealing with access requests from commercial organisations

6.11.1 Information may be requested from commercial organisations, to assist them in

their business. For example, an electricity company, suspecting that an

electricity meter has been tampered with (and thus, electricity has been stolen),

might ask the housing provider who was living in the house during specified

periods so that it could obtain payment. Such information is personal data. If

the data subject does not give his/her permission for the data to be released,

and the data subject had never been informed that that data might be released to

the electricity supplier, would the housing provider be able to give the

information anyway? It is unlikely. The data was not gathered for the purpose


40

of the requested disclosure. Consent has not been given. The fair processing

code would not permit it.

6.11.2 If however the electricity company’s primary purpose in seeking the

information was to assist in the apprehension of an alleged offender (a

suspected thief of electricity) the housing organisation may have to consider

whether the ‘crime exemption’ might apply. This exemption may allow

disclosure of personal data (not sensitive personal data) for the purpose of

apprehending offenders: but only if there would be “likely prejudice” to the

possibility of apprehending an offender. The Data Protection Commissioner

takes the view that this requires a “substantial chance” that the crime detection

purpose would be noticeably damaged. The housing organisation would

therefore have to make a decision as to what was the purpose of the electricity

company seeking the information, and if it was seeking to invoke the crime

exemption, whether there would be likely prejudice to the apprehension of an

offender.

6.11.3 The housing provider may well take the view that the information sought

would be only marginally relevant to the question as to whether criminal

offence had occurred and if so, who did it. If that were the view that it took, it

would have to refuse to supply the information. One recourse of the electricity

company would be to raise a court action against the alleged thief and then

obtain a court order requiring the production of the information. In this case,

the housing provider would have to comply.

6.12 The interrelationship between the 1998 Act and other Acts

6.12.1 Another issue that will be relevant to housing providers is the interrelationship

between the 1998 Act and other Acts, for example the Health and Safety at

Work Act 1974, and the numerous Regulations associated with them.

6.12.2 For example, would a housing provider be able to release personal data about

one of its tenant’s violent criminal record to one of its employees about to go

on a house visit? The following are some of the issues that would arise. If the

reason for doing so was in fulfilment of the housing provider’s legal duties


41

regarding health and safety, then the conditions for processing data in the First

Principle are met (including those for sensitive personal data). The Second

Principle will be complied with as long as the data controller’s notification to

the Data Protection Commissioner allows such processing. The Third Principle

will be complied with as long as the information passed to the employee is no

more than is reasonably required for his/her safety. The Fourth Principle is

satisfied as long as the information or data is accurate and up to date. The Fifth

Principle would mean that once the information or data had been used for the

purpose of safety of the employee, it would be disposed of. The Sixth Principle

means that the tenant could, if s/he wished, try to obtain a copy of that

information and data held on him or her and seek its correction or deletion if

that information was incorrect. This would however depend on the tenant

taking the initiative. The Seventh Principle means that the employee given the

personal information about the allegedly dangerous tenant would have to use

that information only for his own safety and would not be entitled to pass it on:

to a neighbour of the tenant for example.

6.13 There are undoubtedly many other management issues for housing professional

arising from the 1998 Act. Space does not permit further analysis of the issues.

It is recommended that use be made of the references given in the section 7 and

that further advice is taken from the DPC and other sources so as to seek full

compliance with the 1998 Act and its underlying principles.


42

7.0 Further sources and references

Bibliography

P. Carey (1998), Blackstones Guide to the Data Protection Act 1998, Blackstones

Press Ltd

Guide to the Practical Implementation of the Data Protection Act 1998, (1999 plus

updates) DISC; British Standards Institution

Ian Lloyd (1998), A Guide to the Data Protection Act 1998, Butterworths

Andrea Moore (1999) Housing and Sex Offenders in Scotland: A Practice Note,

Chartered Institute of Housing in Scotland

J. Mullock and P. Leigh-Pollitt (1998) The Data Protection Act Explained, The

Stationery Office

M. Poustie (1999) Freedom of Information in the IT Age (in Miller(ed.)(2000), Citizen

or Data Subject-Surveillance, Data and Privacy Law in the IT World, T&T Clark)

S. Singleton (1998), Data Protection: the New Law, Jordans

The Data Protection Act 1998: An Introduction (1998), Data Protection Registrar

The Guidelines to the Data Protection Act 1984 (4th

ed. 1997), Data Protection

Registrar

R.Widdison (1998) Data Protection Law: The Key Changes;

http://webjcli.ncl.ac.uk/1998/issue4/widdis4.html

Useful websites:

Data Protection Act 1998 (full text)

www.hmso.gov.uk/acts/acts1998/19980029.htm


43

European Data Protection legislation and associated reports

www.europa.eu.int/comm/dg15/en/media/dataprot/index.htm

Office of the Data Protection Registrar/Commissioner (includes text of all annual

reports)

www.dataprotection.gov.uk

other legislation including statutory instruments

www.hmso.gov.uk

information on BS 7799: information security management

www.c-cure.org

British Standards site on principles of good practice for information management

www.bsi.org.uk/disc/products/pd0009.html

The Home Office is responsible for legislation in this area, not the Scottish Parliament.

This site contains some useful material on the Data Protection Act 1998 including the

text of the draft statutory instruments on the 1998 Act

www.homeoffice.gov.uk

Home Office guidance on the Crime and Disorder Act

www.homeoffice.gov.uk/cdat/actgch5.htm

The British Computer Society is s source of information on all aspects of

computerised data processing

www.bcs.org.uk

The national Computing Centre is a source of further information

www.ncc.co.uk

The Records management section of the Public Records Office contains some useful

information and some documents that can be downloaded

www.pro.gov.uk/recordsmanagement/default.htm


44

Privacy Laws and Business organises conferences and produces publications.

Although concerned with the private sector, some of the information may be of use.

www.privacylaws.co.uk

Useful addresses

Office of the Data Protection Registrar British Standards Institution

Wycliffe House 389 Chiswick High Road

Water Lane London W4 4AL

Wimslow Tel: 0181 996 9600

Cheshire SK9 5AF

Tel: 01625 545700

The main Statutory Instruments under the 1998 Act

The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 The Data Protection Act 1998 (Commencement) Order 2000 Data Protection (Notification and Notification Fees) Regulations 2000 The Data Protection (Fees under section 19(7)) Regulations 2000 The Data Protection (Functions of Designated Authority) Order 2000 The Data Protection (International Co-operation) Order 2000 The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 The Data Protection (Corporate Finance Exemption) Order 2000 The Data Protection Tribunal (Enforcement Appeals) Rules 2000 The Data Protection Tribunal (National Security Appeals) Rules 2000 Data Protection (Designated Codes of Practice) Order 2000 Data Protection (Subject Access Modification) (Health) Order 2000 Data Protection (Subject Access Modification) (Education) Order 2000 Data Protection (Subject Access Modification) (Social Work) Order 2000 Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 Data Protection (Processing of Sensitive Data) Order 2000

Data Protection (Crown Appointments) Order 2000

1 So that, for example, the detailed requirements of notification contained in the 1998 Act is omitted as

this will be a function of the housing provider organisation, through the Data Protection Officer, rather

than the housing professional him/herself 2 Section 68

3 The Data Protection Act 1998: An Introduction, (1998), p3

4 See further the useful discussion in Lloyd (1998) at page 16,17; and Carey, p8

5 See Data Principle 5 , discussed below

6 Section 2

7 However, some parts of the Act come into force in stages: see Part 4 of this Guide. The 1984 Act will

continue to apply until those stages are reached.

8 See the Glossary for definition.

http://www.legislation.hmso.gov.uk/si/si2000/20000191.htm











http://www.legislation.hmso.gov.uk/si/si2000/draft/20005815.htm








45

9 The exceptions are noted in the text below

10 See Glossary above for more detail on some of the definitions and section 1(1) of the 1998 Act

11 See Glossary above for further details; and schedule 1 of the 1998 Act

12 Sections 10 and 14 of the 1998 Act

13 See Schedule 7 to the 1998 Act

14 See section 56

15 She will also be the Information Commissioner once the (UK) Freedom of Information Bill is

enacted

16 This Guide does not cover the detailed requirements of notification: see Part III of the 1998 Act.

Detailed Regulations have been made on the notification provisions: see section 7 of this Guide. 17

See sections 1(1), 7, 68 and Schedule 12 of the 1998 Act

18 As before, the information that is accessible is all information held for the purpose of the tenancy in

respect of a current or past tenant or applicant for housing. A fee of up to £10 may be charged for the

access and copying of the records. 19

Schedule 1

20 Article 2(h) of The Data Protection Directive 97/66/EC

21 The Data Protection Act 1998 : An Introduction, p8

22 see SI 2000/185

23 See comments above at para 1.5

24 Schedule 1, Part II, paragraphs 1 to 4

25 See Schedule 1, Part II, paragraphs 1 to 4 and the guidance of the Data Protection Registrar in

Introduction to Data Protection Act 1998 , page 13. See also SI 2000/185

26 It is important to realise however that this does not remove the requirements of lawful processing of

data which are applied by the rest of the 1998 Act

27 see the Glossary above for the definition

28 See also the Data Protection (Processing of Sensitive Data) Order 2000

29 see Lloyd (1998), A Guide to the Data Protection Act 1998, page 46

30 section 29

31 section 29

32 The Data Protection Act 1998 , An Introduction, p22

33.See section 7 of this Guide for those regulations

34 Section 31

35 Section 31(2) specifies the range of purposes of regulation. Section 31 (4) and (5) relates to named

bodies. Local authorities and Scottish homes are not specifically mentioned although there is no doubt

that some if not most of their regulatory functions would be exempt from the subject access provisions

36 section 34

37 Schedule 7

38 Schedule 7

39 schedule 7

40 section 34

41 section 36

42 Notification requirements are dealt with in Part III of the 1998 Act and the Regulations:see part 7 of

this Guide.



46

43

Cases on this point include British Gas v Data Protection Registrar 1998 , Innovations (Mail Order)

Ltd v Data Protection Registrar 1992, Case DA/92 31/49/1 and Linguaphone Institute v Data

Protection Registrar 1994, Case DA/94 31/49/1

44 section 29

45 section 34

46 Schedule 7

47 section 34

48 See cases DA/90 24/49/3 and DA/90 25/49/2

49 See further the BSI Guide and the very useful discussion of this topic at para 6.5

50 The British Standards Institution and its offshoot, DISC, have done a lot of work in this area. There

is no legal requirement to fulfil the terms of this British Standard: but compliance with it will probably

mean that the Act is being complied with. See Part 8.0 for references

51 The two not noted are the right to prevent processing for the purposes of direct marketing (section

10) and rights in relation to automated decision making (section 12) which are mainly relevant to the

credit finance industry.

52 See the Data Protection(Subject Access)(Fees and Miscellaneous Provisions) Regulations 2000

53 Further explanation of this is given in section 7(6). This provision was introduced as a result of

Gaskin v United Kingdom (1990) 12 EHHR 36, a case in which the plaintiff, who had been in local

authority care as a child, sought various records relating to that time from the local authority whom he

was suing for negligence.

54 Circular 1/2000

55 Section 10

56 Section 13

57 Section 14

58 See section 29 for the full scope of these exemptions

59 See section 30 and the following Regulations Data Protection (Subject Access

Modification)(Education) Order 2000 and the Data Protection (Subject Access Modification)(Social

Work) Order 2000

60 Section 31

61 Section 31(2) specifies the range of purposes of regulation. Section 31 (4) and (5) relates to named

bodies. Local authorities and Scottish homes are not specifically mentioned although there is no doubt

that some if not most of their regulatory functions would be exempt from the subject access provisions

62 Section 34

63 Section 7(2)

64 Very detailed Regulations have been published: SI 2000/186

65 section 36

66 Schedule 7

67 Schedule 7

68 Schedule 7

69 Thus, the UK Government is in continuing breach of its community obligations. Any person or

organisation who can show that s/he has suffered loss as a result of the late implementation of the

Directive may have a right of action for damages against the UK Government.

70 See Schedule 8


47

71

See the helpful Guidance by the Data Protection Registrar in The Data Protection Act 1998; an

Introduction, p27.

72 Section 68 and Schedule 12 for the records involved, schedule 8 for the transitional relief. The

accessible information is that which is held by the organisation for any purpose of the landlord and

tenant relationship in respect of any tenant or applicant, past or present.

73 Press release 26 October 1998

74 See for example figures given in the latest annual report of the Data Protection Registrar

75 See Chapter 10 of the BSI Guide for a very helpful ‘Action Plan’

76 See the Data Protection (Designated Codes of Practice) Order 1999, a draft statutory instrument

available on the DPR’s website which specifies a number of such Codes.

77 See note 41 above

78 Guide to the Practical Implementation of the Data Protection Act 1998. See Part 8 for address

79 A number of examples are given in the Home Office guidance on the Crime and Disorder Act, Chp5

available on the Home Office website: www.homeoffice.gov.uk

80.Crime and Disorder Act 1998: Data Protection Implications for Information-Sharing (September

1999)

81 Available directly from the DPC

82 £10 is the maximum. There is no requirement to charge any fee

Date post:	25-Jul-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

The Data Protection Act 1998: A Guide for Housing ... Policy Pdfs/Data Protection/Dat… · The...

Documents