The key issue for employers over the new Data Protection Act is forward planning. The new Act is more complex than its forebear and uses new terminology. Mike Hibbs offers a guide to formulating a policy.
The Data Protection Act 1998 will come into force on 1 March 2000, although it received Royal Assent on 16 July 1998 and was scheduled to be fully implemented in 1999. There are, however, transitional rules in relation to exemptions for some manual data which postpone the requirements until 23 October 2007.
HR departments and other people likely to have dealings with the Act need to prepare in advance. Those affected should be aware that the new Act, which replaces the 1984 version, is more complex, and the 19 Statutory Instruments currently being drafted - 15 of which have been completed so far - can only add to the complexity.
One problem posed by the new Act and numerous regulations is the use of new terminology. Some terms are defined in the Act but the parameters of the definitions will have to be set by the tribunals.
The Act creates traps which the unwary could fall into because of grey areas. The best policy is transparency and keeping staff informed as to what information about them is held and what will be done with it. Forward planning is the key - policies need to be drafted now to anticipate and deal with anything new under the Act.
One of the most significant changes introduced by the 1998 Act is the fact that information held on a relevant filing system will now be deemed to be data and therefore subject to the provisions of the Act. Manual information will be covered as well as information held on automated systems.
What exactly is a relevant filing system? When debated by the Government, it was clear that the intention was that information on random pieces of paper which is not readily accessible should not count. On the face of it, the information needs to be held as a structured set which is readily accessible, such as a file. But the information need not be in order. Information about an individual could become structured by way of reference numbers or stickers.
Without any tribunal case law for guidance, this is a grey area for the time being. Employers should remain cautious and treat all information which falls under the definition of personal or sensitive personal data as subject to protection