Praiseworthy as all these efforts are, there is a danger that in the enthusiasm to place information on the WWW, or to run viable business operations via webservers, the law relating to data protection is either pushed to the back of people's priorities, or entirely overlooked. In modern society, the collection of data about individuals has become of increasing importance, as our ability to sort it into meaningful patterns with the aid of computers has developed. The ability to profile individuals via records such as electoral rolls, credit records, use of store loyalty cards, magazine subscriptions, and the like has become a lucrative industry. More often than not we do not know who holds information on us, to whom they may have passed it, and the purposes for which it is being used(103). The data protection laws go some way towards redressing that balance by creating a set of rules by which data processors should operate, and which give individuals some limited powers to ensure that at the very least the information that others hold on them in electronic form is accurate. It is widely acknowledged that the existing UK Data Protection Act 1984 (hereafter the DPA 1984) is a less than perfect solution to the problems that exist, and it will be interesting to see if the recent adoption of a somewhat more rigorous regime by the European Community in its Directive on Data Protection(104) will have any greater effect when finally implemented into UK law.
The Act then proceeds to define personal data as being data which consists of information which relates to a living individual (the data subject (106) ), who can be identified from that information by itself, or when it is coupled with other information held by the person holding that data(107) (the data user(108) ). Such data would include any expression of opinion about the individual. This definition clearly excludes both individuals who are deceased, and legal entities such as companies, universities and charities.
Some kinds of data which would appear to fall within the above definition are specifically exempted from the regime prescribed by the Act. Such data does not need to be registered, and the individual concerned will not have any right of access to the information.
However, at present, the take-up rate for registration is estimated to be less than 50% of those required to do so, and given the current under-resourcing of the Data Protection Registrar's office, the likelihood of an action for minor non-compliance with the Act remains limited.
In limited circumstances, a data subject may claim compensation for damage suffered as a result of inaccuracies in the data, loss or destruction of the data, or its unauthorised disclosure(119).
it would be wise for the person responsible for those webpages, or the webserver, to check the provisions of the DPA 1984 with regard to whether or not it is necessary to be registered with the Data Protection Registrar. It is unclear from the wording of the DPA 1984 as to whether the additional information which may be used to link an individual to otherwise anonymous data on a computer must itself be held in a form in which it can be processed automatically e.g. on another computer. The important thing to ascertain is not just that an institution is registered to hold certain types of personal data, but also that the particular personal data which is to be placed on the webpage is permitted to be used in that manner under the terms of the registration.
A particular question with regard to the WWW lies in the obligations on registered data users not to "disclose the data held to any person who is not described in their entry" or "directly or indirectly transfer data held to any country or territory outside the UK other than those named or described in their entry."
With regard to the latter issue, the DPA 1984 does not define what is meant by 'transfer', but it would seem entirely possible to argue that the process by which data is passed on demand from a webserver, to the RAM or hard disk cache of a machine being used to browse that webserver, goes further than mere 'disclosure'. If it is accepted that this is 'transfer', it would seem to follow that if personal data is held on an open access webserver, i.e. a webserver that is not in some way domain restricted, there would appear to be no way for the owner of that webserver to avoid the transfer of that personal data to any individual with full Internet access in any number of countries outside the UK.
Thus, when one looks at both those obligations, it is difficult to see how an open access webpage containing personal data could successfully stay within the letter of the law, unless it were possible to have entries in the register of "all other web users", and "the world" respectively. Such a solution would, however, seem to be so wide-ranging as to render the DPA 1984 meaningless. It is therefore interesting to speculate, for example, whether educational institutions that have placed details (such as name, work address, telephone number, e-mail address, academic interests and publications) of all their members on-line, either on the X.500 database or the WWW, are actually adhering strictly to the letter of their registration.
As far as those UK sites which actively collect personal data are concerned, they would seem to fall into a grey area of the law, with the significant factor being what is done with the personal data collected. If an individual has a personal webpage with an embedded form being used as a 'visitors' book', their intention being to simply collect names, e-mail addresses, occupations and comments of visitors to the webpage for their own personal edification, it would seem that while they are obviously holding personal data, this would appear to fall under the recreation exemption. On the other hand if an institution collects the same personal data, it appears that the holding of that personal data would require registration, and at the time that it was obtained, the data subject would have to be informed both that it is being collected, and any purpose to which it might be put. This would be particularly relevant if the institution intended to use the personal data in a study(120), or to sell it on to an interested third party.
A final thought concerns the use of search engines, webcrawlers and the like on the WWW and data retrieval mechanisms in other on-line resources. Given the ability to carry out searches on the names of individuals, e.g. John Major, it may be possible for a person to download and then process information from one or more on-line sources which would qualify as personal data for the purposes of the DPA 1984. At that point that person would become a data user, and should register as such - however, as the volume of accessible electronic data increases, it remains to be seen just how feasible the requirement of registration becomes in such circumstances, given the present difficulty of getting larger data users to register correctly, or indeed at all.
102 e.g. Hot Hot Hot which specialises in hot sauces.
103 See for various examples, Branscomb, A.W. Who Owns Information? From Privacy to Public Access (Harper Collins/Basic Books 1994).
104 OJ 1992 C311/04 (adopted 24 July 1995). This should result in new UK legislation around 1998.
109 S5 (1).
110 See Schedule 1, DPA 1988.
111 S5 (5).
112 S5 (2)(a) - (e), S5 (5).
113 S21 (1).
114 S21 (2).
115 S21 (4).
117 S24 (1).
118 S24 (2).
119 S23 (1). There are also criminal sanctions for procuring disclosure of, and selling, computer-held personal information - s161 Criminal Justice and Public Order Act 1994.
120 Subject to certain exemptions in Schedule 1, Art. 7, DPA 1984.