Successive UK Governments have seen data protection more as a cost overhead to be minimised than as an essential protection for the individual in an electronic age. This view started with Mrs Thatcher’s first Government and has endured for over three decades.
During the 1970s, there were a number of White Papers and Reports starting with the Younger Report on Privacy (in 1972) and ending with the Lindop Report on Data Protection (December 1978). So when Mrs Thatcher came to power in May 1979, it is fair to say that data protection was an item on the agenda but, following the “winter of discontent”, probably very close to “AOB”.
Lindop’s proposals were not well received at the time, especially by the Home Office, which had responsibility for data protection policy as well as its traditional law enforcement areas (e.g. national security and policing). It is difficult to imagine now, but the Home Office, whose main functions required the invasion of privacy, also had responsibility for the policy that protected individual privacy. In this way, the Home Office was acting like a lothario who has been tasked to define a law of celibacy.
This conflict of interest was only resolved in the last decade with the establishment of the Ministry of Justice. However, it has to be recognised that the current Data Protection and Freedom of Information Acts were Home Office Bills when they were presented to Parliament over a decade ago. That perhaps explains why there are generous exemptions for, yes you have guessed it, law enforcement, national security and policing.
Lindop called for statutory codes of practice produced by an independent data protection authority which would balance the needs for organisations to process personal data and the privacy of data subjects. Embedded in Lindop’s Codes were the rights of data subjects and the application of the various data protection principles, set in the context of the organisation’s processing purpose.
Lindop identified the need for about 40 Codes (e.g. for purposes such as employment, marketing and banking) and the current statutory Code of Practice on data sharing roughly provides an example of what Lindop had in mind. The text of the Code would be drafted by the Data Protection Authority to ensure that any balance between conflicting priorities was independently set.
Even the police and security services would be subject to a code of practice and be independently supervised. When you remember that 1979 was an era when there were no regulators in these areas, Lindop’s suggestions were too far ahead of their time to be universally accepted.
So in 1979, on the back of all the problems faced by the country, Mrs Thatcher was being asked to establish a large Quango which could produce statutory codes of practice that set the personal data processing rules for Government Departments, the police, security services and all businesses. The result? Lindop was speedily shelved.
However, in 1981, the Council of Europe Convention No. 108 became active and the risk was that if the UK did not have any data protection legislation, countries that had ratified the Convention would prohibit the transfer of personal data to countries that had not. This meant that, without data protection legislation in the UK, personal data could be lawfully withheld from the City of London’s vital financial centres.
A rumour current at the time was that the Department of Trade and Industry was so concerned that it had rushed a memo to Number 10. To get Mrs T’s attention, it started off with the words “Do you know what those French and Germans are planning to do next?”.
This is the start of the process whereby Governments saw data protection legislation as being needed to protect the interests of free-trade. If the UK had a data protection law that just met its international obligations, then that would be problem solved; “maintaining privacy” was not an issue on anyone’s political agenda. (As an aside, I would identify the implementation of the Scottish Community Charge (Poll Tax) in 1989 as a significant turning point in this respect).
So in December 1982, the Home Office tabled a minimalistic Data Protection Bill that just satisfied the requirements of Convention No. 108; it applied only to automatic processing of personal data. There was to be a central public register of all mainframe computers and details of the processing of personal data (e.g. purposes, sources, transfers, data items). The data protection principles only applied to registered organisations and were found in a Schedule towards the end of the Bill.
The regulator, known as the Data Protection Registrar, was given very few powers; there were no Monetary Penalty Notices, Information Notices, powers of audit or compliance agreements such as Undertakings. Criminal offences were linked to registration, compensation was limited to unauthorised disclosure of personal data or the processing of inaccurate personal data and there was a wide range of exemptions.
For example, in the Bill, the equivalent to the S.29 exemptions of the current Act (e.g. from the non-disclosure provisions and right of access if prejudicial to policing) extended to “the control of immigration” and removed the powers of the Regulator in relation to such disclosures. This meant that disclosures made by organisations that were Home Office responsibilities (e.g. police) were largely unfettered by any data protection concern.
This Bill was lost when the General Election was called, but it reappeared to be enacted as the Data Protection Act 1984. The 1984 Act lost the immigration clauses (which were removed because of a very effective campaign by Paul Sieghart) but included voluntary Codes of Practice.
Manual files containing personal information were excluded from the 1984 Act and there was a restrictive definition of personal data. Even word processing to produce the “text of documents” was excluded from the Act, as were data about intentions of an organisation towards an individual (e.g. “We intend to sack Fred Bloggs”).
For those of us working with the Data Protection Act 1984 within organisations, these weaknesses made data protection compliance a very difficult sell to management. Most of the personal information was in manual files and not subject to the Act. Non-registration was the key threat (an organisation could not process personal data without being registered) and subject access meant retrieval of information from the computer’s central databases. Non-compliance wasn't a significant risk.
In summary, the minimalistic law that Mrs Thatcher had introduced meant that data protection was largely seen as needing low level administrative support: filling in (horrendous) 16 page registration forms per purpose and retrieving personal data from the mainframe.
It took a decade and the advent of Directive 95/46/EC for the main emphasis in the UK’s data protection regime to change from registration to the data protection principles. It took another decade and some lost disks to increase the risk factors associated with data protection non-compliance; New Labour's surveillance state made individual privacy a political issue.
Of course, when this Directive was implemented by the 1998 Act, Mrs Thatcher was long gone from office. But the attitude of her first Government, namely that trade and business needed to be protected from “expensive” data protection obligations, has been the mantra she has passed to all subsequent Governments.
Indeed, if you listen carefully, you can still hear her words today in relation to the Government's attitude to the cost of the current Regulation.