Data Protection – Review and Round-up

March 1, 2003

Government policy initiatives and consultation

There has been some legislation, dealt with below, over the last few months, but of more interest have been the announcement or taking forward of a number of policy initiatives with significant privacy implications.

Entitlement Cards and Identity Fraud – A Consultation Paper was issued by the Home Secretary in July 2002. The document states that the purposes of the card would be:

· to provide people who are lawfully resident in the UK with a means of confirming their identity to a high degree of assurance

· to establish, for official purposes, a person’s identity so that there is one definitive record of identity which all departments can use if they wish

· to help people gain entitlement to products and services provided by both the public and private sectors

· to help pubic and private organisations to validate a person’s identity, entitlement to products and services and eligibility to work in the UK.

There are significant data protection and privacy implications with the proposed scheme, arising not only from the use of the card itself, but from the underlying database necessary to make the card workable and the widespread access which would be available to such a database. The card would include a unique personal identifier linked to a core set of data held on the central database. The core data, plus additional data, would be stored on a chip on the card. The cards would be multi-functional. The cards would be mandatory for some purposes.

It is not clear how the mandatory aspect of the entitlement card proposal fits with the recommendations of the Privacy and Data Sharing Report. The Report was originally prepared for the Cabinet Office in April 2002 to review the issues around data-sharing or data-matching. In the Report it is recognised that there are currently legal barriers to data-sharing in the public sector. It proposed that, generally, data-sharing should be allowed with individual consent but, in those cases where it was appropriate to override consent, legislation should enable data-sharing gateways to be established subject to a set of safeguards. However, if the Entitlement Card proposal is taken forward, the option of seeking individual consent to many aspects of data-sharing, which of course must entail the possibility of refusing to share information, will no longer be viable. The Lord Chancellor’s Department, which is taking forward work on the Report, has stated that it will be holding a public consultation on proposed legislation in the spring.

Discussions with Government over the retention of communications data by telecommunications service providers continue with no resolution to date. The issue of retention is enmeshed in problems to do with the restriction on retention of traffic data imposed by Directive 97/66/EC, the fact that the potential uses of retained data fall outside Community competence (and therefore might be argued to be outside the Directive) but that the retention of all data is required for the policy to be effective and telecommunications is within competence, the optimistic move by the UK Government to side-step the difficulties posed by this by seeking to pass the buck to service providers and persuade them to agree a voluntary code of retention under the Anti-Terrorism, Crime and Security Act 2001 and the (thoroughly wise) refusal of the service providers to agree a voluntary code that would cause them to risk being in breach of 97/66/EC.

On a less controversial note, the Lord Chancellor’s Department has issued a consultation paper on amendment to the subject access provisions of the DPA to pull them into closer alignment with the rules under the Freedom of Information Act. There is also a consultation on the changes which will be required to the rules of procedure of the Information Tribunal to deal with appeals under the Freedom of Information regime. Some minor changes have been made to the rules to deal with the immediate needs but a wider revision is anticipated before the FOIA comes fully into force.


There has been a deluge of material dealing with privacy-related matters emanating from Europe one way and another, showing a wide divergence of positions and views:

· from the Parliament, the final version of the revised Electronic Communications Directive 2002/58/EC, which strikes a rational balance between competing interests over the issues of cookies, location data and e-mail marketing but leaves the position on the retention of communications data for matters outside mainstream Community competence still to be resolved;

· from the Council, privacy-threatening proposals to enhance and increase data-sharing between European databases for the purposes of crime prevention, the combating of terrorism and the control of immigration;

· from the Article 29 Working Party, several papers maintaining a strong pro-privacy stance, at least one of which (on the US requirements on passenger manifesto information) emphasises the gap between the position of the Working Party on privacy-related issues and the hawkish stance of the US;

· from a number of Member States, a paper recommending that the boundaries of the general directive, 95/46/EC, be pulled back and clarified;

· from the European Ombudsman, a strong criticism of the use of data protection by officials and others to avoid the disclosure of information under the Commission’s policies of openness;

· from the Commission, encouragingly sober words as part of the consultation on the possible revision of 95/46/EC, which recognise that the rhetoric of privacy protection is sometimes being used to impose unrealistic requirements and restrictions on controllers and that ways must be found to reconcile legitimate business practice and proper methods of regulation.

Most of the relevant papers can be found at the Web site

Office of the Information Commissioner

Richard Thomas took up his post as Information Commissioner from Clifford Chance at the end of last year. So far he has not made any controversial statements. He has kept his powder dry on Entitlement Cards, apparently waiting to see what happens as a result of his public consultation on the issue, and has not yet issued the revised section of the Employment Practices Data Protection Code on employee monitoring.

The section of the Code on employment records was issued in August 2002. The code covers the various stages of records gathered and held in relation to employees and some specific purposes such as fraud investigation. It is a hefty document and consists of: a section of general information on the DPA; the 16 chapters of the code; a section of further information and a set of frequently asked questions.

Statute law

There has been consultation on a new statutory instrument to extend the grounds on which sensitive personal data may be processed without the consent of individuals, the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002. The Order will allow elected representatives or those acting with their authority to process sensitive personal data in connection with their functions.

The Representation of the People (England and Wales) (Amendment ) Regulations 2002 are now in effect and electors have been allowed to opt-out of the copy of the electoral register which is made generally available. The full register remains available for a limited range of private sector purposes and a wide range of public sector purposes. Mr Robertson, the elector whose court action led to the change of rules to give electors the right of opt-out, has challenged the Regulations on the basis that no private sector uses should be permitted. The case is still to be decided by the court but it is thought that Mr Robertson’s chances of overturning the Regulations are not high.

The Financial Services and Markets Act 2000 (Consequential Amendments) Order 2002 (SI 2002/1555) has amended the provisions governing the subject access exemption to protect financial markets.

The Information Tribunal (Enforcement Appeals) (Amendment) Rules 2002 (SI 2002/2722) have made a number of minor changes in order to provide for appeals against actions by the OIC in respect of publication schemes should they be required.

For those whose missed it when it hit the statute book, here is a reminder that the Immigration and Asylum Act 1998 provided that the transfer of personal identification data by the Secretary of State under that Act is a transfer necessary for reasons of substantial public interest under ground 4 of Schedule 4. Such transfers arise where a person is to be removed from the UK to a country of which he is not a national or citizen but will not be admitted unless identity data relating to him is provided by the Secretary of State.

Case law

The case brought by Naomi Campbell against the Mirror newspaper made headlines a second time when the original ruling, in which Ms Campbell won modest damages for breach of confidence and breach of her rights under the DPA, was reversed by the Court of Appeal. The ruling by the Court of Appeal on the issue of privacy/confidentiality was uncontroversial as was the ruling on the interpretation of the exemption under the DPA, s 32 (which relates to the processing of personal data for the purposes of literary, journalistic or artistic activity), but the application of exemption to the facts and the comments on the general applicability of the exemption are a cause for concern.

In the High Court the judge had decided that, while the publication of the fact that Ms Campbell had a drugs problem was justified, additional material which related to the nature of the therapy she was receiving and the publication of a photograph of her leaving a session was not. It also held that the collections and publication breached the DPA and the Mirror could not claim the benefit of the exemption which applies to journalistic purposes, as that only applied before publication.

The Court of Appeal decided that it was not appropriate to be “picky” about the material published. It was all part and parcel of one story. If the main story was justified the relatively small amount of additional material, which made it credible and put flesh on the bare statements, was also justifiable. The photograph did not show anything private about Ms Campbell and was taken in the street so it was not to be restricted on grounds of privacy/confidentiality.

On the s 32 exemption, the judge in the High Court appeared to have suggested that the Mirror could not claim the benefit of the substantive exemption post-publication of the material. The judgment was not wholly clear on the point and it would have been a curious finding had it been the case.* However he went on to consider whether the publication of the material would have the benefit of the exemption and held that it would not.

The Court of Appeal held that s 32(1) applied post publication and further that on the facts the Mirror would be entitled to the exemption. They even went as far as to suggest that a daily paper would almost never be able to comply with the DPA.

The Court of Appeal ruled that the retention of samples from those investigated for criminal conduct was not in breach of the Human Rights Act 1998 (ie the right to respect for private and family life) in R v Chief Constable of South Yorkshire ex parte Marper [2002] EWCA Civ 1275, [2003] 1 All ER 148. The party has applied for leave to appeal.

In R v Ipswich Crown Court ex parte NTL Ltd [2002] EWHC 1585, the High Court held that a service provider did not breach the prohibition on the interception of telecommunications imposed by the Regulation of Investigatory Powers Act 2000 by copying e-mails to another mail address in the absence of knowledge or consent of the e-mail account holder. They acted in anticipation of a police application to the court for a warrant of interception for the material under s 9 of the Police and Criminal Evidence Act 1994.

In an unreported county court case, a judge has applied a strict reading of the definition of a relevant filing system and refused to allow an applicant subject access to material which, although filed in a divider under his name, was organised in date order rather than by any specific criteria relating to him.

In one way or another these cases all take a restrictive view of the privacy rights of individual. Are we seeing the turning of the tide on the expansion of privacy rights?


Rosemary Jay is a Senior Consultant at Masons and author of Data Protection Law and Practice, the second edition of which is about to be published by Sweet and Maxwell. She was previously Legal Adviser at the Office of the Data Protection Registrar. She can be contacted at

* I confess to some personal interest. The judge referred to the treatment of the exemption in the textbook Data Protection Law and Practice as support for his view. That text most certainly does not suggest that the exemption in s 32(1) is exhausted on publication of the material. As the author of the relevant chapter, I can be absolutely certain on the point.