THE DATA PROTECTION ACT 1998 -- APPLICATION TO BELLRINGING ASSOCIATIONS

A REPORT PREPARED FOR THE CENTRAL COUNCIL OF CHURCH BELL RINGERS

On 1 March 2000 the Data Protection Act 1998, which applies to the processing of personal data, will replace the current -legislation; the Data Protection Act 1984. Bellringing associations and the Central Council, as 'unincorporated membership organisations', are exempt from registration under the 1984 Act. Organisations which were exempt from registration under the 1984 Act were also exempt from compliance with that legislation. (The Ringing World, however, which is a limited company, was required both to register and to comply with the 1984 Act.)

In contrast, all organisations will be required to comply with the 1998 Act, but, although it seems likely, it is not yet clear whether bell ringing associations will be required to notify under the 1998 Act (notification will replace registration under the 1984 Act). Notification, if required, will require payment of a fee. When the Regulations relating to notification become available, further guidance will be published in The Ringing World. A further difference is that, unlike the 1984 Act, the new Act covers not only automatically processed or processable information but also "manual data", which is discussed further below.

The new Act does contain certain transitional provisions which would allow bell ringing associations to remain exempt from some of its requirements until October 2001. However, they would still need to ask every member whether they object to personal data relating to them being held by the club, and if any member objected, their data would have to be removed and notification would then be required. It may therefore be preferable not to rely on the transitional provisions, and instead promptly to comply with the new Act.

The Act applies to the processing of personal data. "Personal data" is defined as "data which relate to a living individual who can be identified

"Processing" means obtaining, recording or holding data or carrying out any operation on data, such as the organisation, adaptation, alteration, retrieval, consultation, use of, disclosure of, alignment, combination, blocking, erasure or destruction of the data. Therefore, "processing" covers virtually any action connected with data, including simply holding data.

It is therefore clear that membership lists which are augmented or amended on an ongoing basis, mailing lists, and information prepared for an annual report or a web site (for example, including lists of names and addresses under tower or branch names) will all be covered. There is a possibility that peal records will also be covered -- particularly peal records contained in an association report, where the names in the peal records may be cross-referred to names and addresses elsewhere in the report.

The Act contains the following list of eight principles which must be adhered to by data controllers:

Personal data shall:

  1. be processed fairly and lawfully;

  2. be obtained for one or more specified purposes and shall not be processed in a manner incompatible with that purpose;

  3. be adequate, relevant and not excessive;

  4. be accurate and where necessary kept up to date;

  5. not be kept for longer than necessary;

  6. be processed in accordance with the rights of data subjects under the Act;

  7. be kept secure;

  8. not be transferred to a country outside the EEA (1) that does not have an equivalent level of protection (unless consent has been obtained -- see below).

Bellringing associations will certainly fall within the definition of "data controller", and must adhere to these principles whether or not they are required to notify under the legislation.

There is a total prohibition on processing without prior notification (note that whilst bellringing associations may possibly be exempt from notification, they will still be required to adhere to the data protection principles). Before processing commences, the data must have been obtained fairly -- the data subject must have been informed of the data controller's identity, of the purposes for which the data is intended to be processed, and any other information relating to the processing that will allow the data subject to understand the nature of the processing.

Before processing the data, the data controller must ensure that the processing activities comply with one of a list of requirements. For our purposes, the data subject must have given his consent, the processing must be necessary for the performance of a contract, or must be for the legitimate interest of the data controller or a third party to whom the data has been disclosed.

Note that further safeguards apply to "sensitive" personal data, which consists of information as to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or actual or alleged legal offences.

Where the data controller employs third parties to conduct processing activities (called "data processors" in the Act), then the data controller must have a written contract with the data processor whereby the data processor agrees to act on the instructions of the data controller and to abide by the security principle (the seventh principle). The data controller must also take reasonable steps to ensure the reliability of its employees who have access to the data.

Note the importance of the eighth principle -- the EEA currently has the most stringent level of protection in the world. Therefore, data which are the covered by the Act must not be transferred outside of the EEA, unless the data subject has given express consent to such a transfer. There may be situations in which data could potentially be transferred abroad -- an example might be an Association secretary sending a list of names and addresses of tower correspondents by email to a ringer in the US. Such an action would be prohibited unless each of the tower correspondents had given their written consent.

Data subjects will have the right to obtain details of the data held, and also the right to prevent processing. Consent forms and association reports should, therefore, contain details of the name and address of the person to whom requests should be made.

Manual records which form part of a "relevant filing system" will in future be covered by the Act. To be caught, the filing system must contain structured records, either by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to an individual is readily accessible. This will certainly catch most card filing systems, but will not cover bundles of manuscript notes. This is an area that associations will have to consider carefully. Under the transitional arrangements, manual records held in a relevant filing system prior to 24/10/98 will, in some cases, be exempt until 2007, although it is recommended that the data protection principles are applied in relation to such records as soon as possible.

The following recommendations are therefore made to bellringing associations:

  1. that they carry out an audit of the information which falls within the ambit of the Act, before 1/3/2000;

  2. that all those individuals (including, for example, non-members who are tower correspondents) who supply personal information to those bodies sign an authority form which lists the purposes for which the information will be used and authorises the association to use their personal data for those purposes (remember to refer to any display of the data on web sites or any potential transfer of the data outside of the EEA). These purposes should also be set out in annual reports and the like. An individual must specifically give their consent -- it is not sufficient to state that payment of a subscription amounts to an implied consent, the consent must be signified by active communication. Initially it is likely that associations will need to seek the consent of all their resident (or active) members; thereafter consent should be sought from new members on joining;

  3. that care is taken to update data annually if possible -- for example, by removing the details of those people who have left the association and effecting changes of address as soon as possible. This means that associations who allow one year's grace to a member who fails to pay a subscription may have to revisit this policy -- if a person fails to pay a subscription, it may have to be assumed that they no longer wish to be a member, and that they wish their details to be removed from the annual report;

  4. that the security of the data be reviewed -- where is manual data kept? Is electronic data password protected?

The 1998 Act introduces significant changes from the current 1984 Act, including coverage of manual data, the likelihood that bell ringing associations will be required to notify under the new Act, and the need to comply with the eight data protection principles in any event. Although in some circumstances we might be able to claim exemption from some aspects of the new Act until October 2001, this would require much of the administrative burden required for full compliance, which may therefore be preferable. The detailed Regulations implementing the 1998 Act have not yet been published; when this is done, further guidance will be published in The Ringing World.

NOTE

(1) EEA = European Economic Area (i.e. the fifteen EU Member States together with Iceland, Liechtenstein and Norway)

LOUISE M BLAND
November 1999

IMPORTANT NOTE: The foregoing report has been produced in my personal capacity. I am not an expert in Data Protection Law, and this report does not constitute legal advice.

DATA PROTECTION ACT 1998

DECLARATION OF CONSENT UNDER THE DATA PROTECTION ACT 1998 (TO BE INCORPORATED INTO EACH ASSOCIATION'S MEMBERSHIP APPLICATION FORM)

Please note that the details which you have provided on this form will be held on a computer and may also be held in a manual filing system. This data will be processed by [ name of association ] and will be included in the [ name of association ]'s annual report.

Where you are a tower correspondent or an officer of the [ name of association ], it may also be published on the web pages or in newsletters of [ name of association ] and provided to third parties such as the Central Council of Church Bell Ringers (who may publish it on the CCCBR web site), The Ringing World Limited (for publication in the Ringing World, the Ringing World website and/or the Ringing World Diary), and to other ringers upon request. The data may also be sent to ringers or bellringing associations outside the EEA upon request.

Details of peals rung on behalf of the [ name of association ], including names of the ringers, will be sent to the Ringing World and to [ other details? ] for publication.

If you wish to obtain a copy of the data processed, a description of the purposes for which it is being processed, description of any potential recipients of the data, or any information as to the source of the data, please contact [ name and address ]. Please note that [ name of association ] is entitled to charge a statutory fee not exceeding [ details ] for the provision of this information.

Please sign below to confirm your consent to your personal data being processed in the manner set out above and as necessary for the purposes of the legitimate interests of [ name of association ].

Signed

Date

(Note: an individual may be happy for certain data to be published but not other data -- for example, an individual may be happy for his email address to be published on a web site, but not his address or telephone number. Any such restrictions to the consent should be specified by the individual at the time of signing.)

HTML Version Roger Bailey, December 1999. Arrived by search engine? Click here for a comprehensive list of other change-ringing links.