The Data Protection Act 1998 replaces the Data Protection Act 1984. The new Act extends the provisions of the previous Act to much paper-based material, and introduces a category of sensitive personal date.
All data relating to a person must be kept in line with the following principles.
Data should be:
The Data Protection Registrar has been replaced by a Data Protection Commissioner, and registration with the Registrar's Office has been replaced by a process of notification. Notification is to be renewed every year, rather than every three years as for registration. A fee remains payable.
All data controllers processing personal data on a computer (or other automated equipment) should notify the Commissioner unless they are able to take advantage of the exemptions (see below). Failure to notify is a criminal offence. Data controllers are those persons or bodies who control or use the data in question. For parochial records this would normally by the PCC, for other records kept personally by the incumbent, he or she is the data controller. Any person or body that merely processes data for a data controller is classified as a computer bureau and does not need to notify.
There is no requirement to notify if data is kept in paper based files BUT ALL DATA MUST STILL BE KEPT AND PROCESSED IN LINE WITH THE ABOVE PRINCIPLES.
Those persons or bodies previously classified as data users under the old Act become data controllers, but if they were previously registered they need not take any action to notify the Commissioner. They will be sent a form so to do at the time they would normally renew their registration.
PCCs, incumbents, archdeacons, bishops, the London Diocesan Fund and the London Diocesan Boards for Schools are separate legal entities under the Act and are required to notify separately. However, if data is held and processed in line with the normal administration of the parish PCCs should not need to notify. The same exemption from notification will normally apply to an incumbent unless pastoral care records are held on a computer. If a parish keeps records above and beyond "normal administration" then the advice of the Data Protection Commissioner's office should be sought.
Any individual about whom data is kept is allowed to request access to all data relating to them. This must be complied with within 40 days and can be subject to a maximum fee of £10 (correct at 1 January 2001). All data held about an individual REGARDLESS OF THE FORMAT (i.e. including paper based records) should be disclosed, including job references and any other personnel records, but subject to various exceptions. All information under the control of the PCC, incumbent or other data controller must be revealed REGARDLESS OF WHO ACTUALLY KEEPS THE DATA. If the PCC secretary, the PCC treasurer and the electoral roll officer all keep separate records they must all be included in the response to the subject access request. It is not the individual's responsibility to ask each person.
When revealing data that includes data relevant to another person you must be careful not to reveal the identity of that other person without their consent. For example, in a reference you could replace "The Rev'd John Smith said …" with the Rev'd XY said …"
The Act introduces a new category:
