Following the introduction of the Data Protection Act in 2001, Katie Paxton-Doggett looks at the impact the end of the transitional relief period will have on personal data
The last of the transitional arrangements in the Data Protection Act 1998 (DPA) expired on 23 October 2007, with some experts predicting that a data protection 'crisis' will result, as mountains of paper come within the scope of the Act.
The DPA came into force fully on 24 October 2001 in order to regulate the collection, storage, use and disclosure of information about individuals by organisations.
The Act applies to 'personal data' or information which relates to a living individual who can be identified. It relates to data which is held, or is to be held, electronically or, if held in manual files, as part of 'a relevant filing system'.
Personal data must be dealt with in accordance with the eight Data Protection Principles. This means that personal data must be:
- processed fairly and lawfully;
- obtained for specified and lawful purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up-to-date;
- not kept for longer than necessary;
- processed in accordance with the subject's rights;
- kept secure; and
- not transferred abroad without adequate protection.
When the DPA was first introduced, it represented a huge sea-change in the way that personal data was required to be handled. The Act included transitional provisions which provided that the processing of certain data did not become fully subject to the Act until a later date. This would give data controllers the opportunity to bring their personal data-handling practices and records fully into line with the Act.
In particular, the transitional relief provisions exempted certain paper files from the full requirements of the Act so that data controllers and data processors would have sufficient time to organise those files to comply. Nevertheless, there is no requirement on data controllers to digitise or computerise old manual records.
Until now, exemptions applied to 'eligible manual data which were held immediately before 24 October 1998' and 'personal data' which was 'subject to processing which was already under way immediately before 24 October 1998' (schedule 8, part III, section 14).
The term 'processing already under way' is not defined in the Act and the Information Commissioner acknowledges in his guidance that the meaning is not clear and that it is open to more than one interpretation.
However, the Act seems to cover processing systems that were live and in use before 24 October 1998. The exemptions, though, only apply to data already held at that date and not any data subsequently added.
Eligible data was excluded from the requirements of the first five principles of the DPA and the general rights under section 14 of the DPA to go to court to get an order to 'rectify, block, erase or destroy' any personal information which is inaccurate.
Eligible manual data which are processed 'only for the purpose of historical research' (schedule 8, part IV, section 16) are excluded from the transitional provisions and remain exempt from the requirements of the DPA.
Data held in 'accessible records' also benefited from the relief, irrespective of when they were created. An 'accessible record' is defined in section 68 and relates to a health record, educational record (local education authority schools and special schools only), local authority housing record or local authority social services record. However, the end of the transitional period is likely to have little practical effect.
Subject access has long been available: medical records and local government records have been available since the 1980s, and access to public sector paper files since January 2005.
The transitional relief exemptions are mainly concerned with data held in relevant filing systems. These are paper filing systems which are structured 'in such a way that specific information relating to a particular individual is readily accessible'.
The Information Commissioner's guidance indicates that this means there must be a set of information about an individual, which must be structured in such a way that specific information about a particular individual is readily accessible. This will include filing systems which have an external structure, such as filed by client surname, as well as an internal structure, for example sub-dividers. Examples of relevant filing systems could be a client records system, or a set of files on service users that is organised alphabetically by the name of the individual or some other identifier such as case number.
The definition of 'a relevant filing system' was considered in Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746. Here, the Court of Appeal felt that it was Parliament's intention to apply the Act to manual records 'only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system'. Files will need to be highly-referenced or indexed in order to fall within the definition: the court will adopt a restrictive interpretation and, thus, the majority of filing systems will fall outside the scope of the DPA. This means the exemption and the end of transitional relief will be academic for the majority of paper files.
Furthermore, the exemptions were only available in respect of personal data held prior to 24 October 1998. Where data has been added since to existing qualifying structured files, the exemption will not apply. The majority of pre-1998 files and filing systems are likely to have continued to be used and should have been processed in accordance with the requirements of the DPA.
However, even for data which was covered by the transitional relief, it was still necessary to handle eligible data in accordance with the requirement under the first principle to provide individuals with a data protection notice telling them about the processing, and the last three principles requiring an organisation to ensure that data was processed in accordance with the subject's rights, to keep it secure and to ensure that adequate protection is in place for data transferred overseas.
The majority of data processors are likely to have processes in place to ensure that handling of any data is compliant with the requirements of the DPA. Although, since 24 October 2007, data controllers must process all personal information, including that previously covered by the transitional relief, in accordance with all the provisions of the DPA, in reality this is unlikely to have a great impact.
One of the major practical changes will be the need for organisations to have regard to how long they keep personal data for and ensure that it is only as long as 'necessary', in accordance with the fifth data protection principle. Clearly, each case will depend on its own facts, but issues to consider will include legal and regulatory reasons, best practice and business needs. However, since the end of transitional relief mainly affects manual files which have been little used since 1998, it may be time to consider their destruction.
It seems unlikely that the end of the transitional relief will have a huge impact on properly-organised data controllers or data processors. In reality, the threatened crisis seems more likely to be pure scaremongering.
Katie Paxton-Doggett is a solicitor and producer at the Law Channel, Einstein Network