CHAPTER 6

PRIVACY PROTECTION
Contents
• Introduction
• Technology and Privacy
• National Regulation on Privacy
Protection
• The UK Data Protection Act 1984
• The UK Data Protection Act 1998

BLAW2403 Information Technology Law

Technology and Privacy
• Privacy is the capacity to negotiate social relationships by
controlling access to personal information.
• As laws, policies, and technological design increasingly
structure people's relationships with social institutions,
individual privacy faces new threats and new
opportunities.
• Over the last several years, the realm of technology and
privacy has been transformed, creating a landscape that
is both dangerous and encouraging..
• Significant changes include large increases in
communications bandwidths; the widespread adoption of
computer networking and public-key cryptography;
mathematical innovations that promise a vast family of
protocols for protecting identity in complex transactions;
new digital media that support a wide range of social
relationships; a new generation of technologically
sophisticated privacy activists; a massive body of practical
experience in the development and application of data-
protection laws; and the rapid globalization of
manufacturing, culture, and policy making
Transborder Data Flow (TBDF)

• TBDF is defined as all kinds of electronic

transmission of personal information
across political and boundaries for
processing or storing in computer files
• It concerns the transfer of personal
information across sovereign geographic
boundaries.

BLAW2403 Information Technology Law

Definition of Data

• This term is only used to refer to the

personal information; that is information
relating to individuals rather than
information relating to companies
governments.For example, information
relating to travel, or credit, and health as
as information about criminal convictions

BLAW2403 Information Technology Law

• Personal data has been defined in the convention and
OECD guidelines as;
“any information relating to an identified or individual”
The above definition is extremely broad; it can include a
number of data of very varying kinds (social security,
bank accounts, etc) and all kinds of commercial activity.

BLAW2403 Information Technology Law

National Regulation on Privacy
Protection

International instrument governing the issue of transborder

data flow and privacy protection:
(a) Organization for Economic Cooperation and
Development Guidelines (OECPD)
(b) Council of Europe Convention For the protection of
Individuals with regards to automatic Processing of
Personal data.(convention)
(c) © European Community on the Directive on the
Protection of individuals (directive)

BLAW2403 Information Technology Law

OECPD PRIVACY GUIDELINES
• The guidelines seem to be a free data flow regulation
rather than a data protection. OECD Privacy guidelines
useful for establishing legal means to protect privacy on
the electronic highway.
• “A member country should refrain from restricting
transborder flows of personal data between itself and
another member country except where the latter does not
yet substantially observe these guidelines. Membar
countries should avoid developing laws, policies and
practices in the name of the protection of privacy which
would create obstacles to transborder flows personal data
that would exceed requirements of such protection”

BLAW2403 Information Technology Law

Why Data Protection is
relevant?
• to maintain privacy
• but Internet is an open environment -
opportunity to abuse personal data
• to bring back confidence of users.
• Data Protection Act 1984 (UK)
• 'data user" , "data subject", "computer
bureau" & "Registrar“

BLAW2403 Information Technology Law

The UK Data Protection Act
1984
• The Data Protection Act 1984 has now been
repealed by the Data Protection Act 1998 c.29 
• The UK has had a Data Protection act since 1984 which
gave individuals rights as data subjects.
• These rights include giving access to data stored about
us, a right to have inaccurate information corrected or
removed and to claim compensation if stored information
is misused. 
• It has it's origins in the European Rights Convention,
article 8 - giving individuals a right to respect for their
private life.

BLAW2403 Information Technology Law

The UK Data Protection Act 1984

• The UK DP Act requires data users to register

with the Data Protection Registrar indicating the
data they intend to store, the processes which
will be applied to it, and the use to which the
data is put.  Once registered the data user must
then ensure that they comply with the principles
of the Act.
 

BLAW2403 Information Technology Law

The UK Data Protection Act
1998

• The purpose of DPA is to regulate the use

of automatically processed information
relating to the individuals and the
provisions of services relating to the
individuals(data subjects)

BLAW2403 Information Technology Law

Important terms

• Data user : who hold data

• Data bureau : who provides services to
data users
• Data subject:living individual referred to in
the data
• Data protection registrar:in charge of
registration of data

BLAW2403 Information Technology Law

Application of Data Protection
Principles (8) - Schedule 1 Data
Protection Act (DPA)
• 1. personal data shall be fairly and lawfully
obtained and processed;
• 2. personal data shall be held only for lawful
and specified purposes;
• 3. personal data shall not be used or disclosed
in any manner incompatible with the purposes
for which they are held;
• 4 personal data shall be adequate, relevant
and not excessive in relation to the purposes
for which they are held;

BLAW2403 Information Technology Law

• 5. that personal data shall be accurate and,
where necessary, kept up to date;
• 6 personal data shall not be kept longer than
necessary for the purposes for which they are
held;
• 7. data subjects shall have access to data relating
to them; and
• 8. personal data shall be protected by reasonable
security measures against unauthorised access,
alteration, disclosure, destruction or loss.

BLAW2403 Information Technology Law

Exemption
• Exemption from Pt II (registration and
supervision for three separate classes of
exemption) and Pt III (rights of data subjects)
• Effects: the exempted personal data need not
be registered there is no right of subject
access to them; and
• they are exempt from the Registrar's
supervisory power through courts may
examine them if individual claim that the
exemptions do not apply

BLAW2403 Information Technology Law

Offences under DPA (UK)
• s.5(1) & (5) - any person who 'holds' personal data without
being registered as a data user, or having applied for
registration.
• s.5(2) & (5) - any registered person who knowingly or
reckless1 obtains uses, discloses or transfers personal
data of a kind not described in that person's register entry.
• S.15(1) & (3) - a computer bureau which knowing1 or
recklessly discloses personal data without the authority of
the bureau's customer for whom the processing is carried
out
• S.12(10) - failure to comply with a Registrar's transfer
prohibition notice

BLAW2403 Information Technology Law

Registrar's jurisdiction & power
of enforcement

• power to prosecute offence

• power to issue supervisory notices to
registered persons
• enforcement notice: must specify steps
to be taken for complying with the
Principle or Principles in question.

BLAW2403 Information Technology Law