Roy Stockdill, Editor of The Journal of One-Name Studies, has recently been in communication with the Office of the Data Protection Registrar and has encouraged members of the Guild to pass on the replies which he received from them about the implications of the Data Protection Act. As Roy noted in one of his messages, the wider dissemination it receives the better!
The statement from the DPR is in the form of questions and answers as follows:
OFFICE OF THE DATA PROTECTION REGISTRAR
DO WE NEED TO REGISTER?
A Guide to the Registration Requirements for Genealogists
Compiled by Compliance Group A, April 1997
WHAT IS DATA PROTECTION?
The Data Protection Act regulates the holding and use of information which is held on computer in order to protect the rights and freedoms of Individuals. The Data Protection Registrar aims to promote respect for the private lives of individuals and in particular for the privacy of their information.
The Data Protection Act requires that data users (i.e. those legal person who control the contents and use of particular collections of personal data) register the purposes for which they hold personal data. They are also required to provide a brief description of that data, including the source from which the data are obtained and the persons to whom that data might be disclosed. A registered data user is further obliged to comply with the eight Data Protection Principles. These are a set of enforceable rules for good data protection practice.
Computer bureaux are also required to register under the Act. A computer bureau is an individual or organisation who processes personal data on behalf of a data user or who allows a data user to use his computing equipment.
WHAT TYPE OF INFORMATION IS COVERED?
The Act defines ‘personal data’ as information relating to a living individual who can be identified from that information (or from that and other information in the possession of the data user). The Act applies to as little as a name and address. It applies to data collected from a public source. Therefore, unless a genealogist only holds historical data about deceased people, the Data Protection Act will apply to the data which they hold.
WHO NEEDS TO REGISTER?
There are several specific exemptions from the requirement to register. If a data user can rely on one or more of the exemptions, registration is not required. The exemptions have strict conditions attached to them. It is the responsibility of the data user to satisfy himself that an exemption applies. The exemptions are explained in chapter 6 of the Guidelines (available from the Registrar’s Office). If a data user is unsure about whether registration is required he should contact the Registrar’s Office for further advice.
THE EXEMPTIONS
Domestic or Recreational Use
Personal data held by an individual and concerned only with the management of his own personal, family or household affairs or held by him only for recreational purposes are exempt from registration. Therefore, a genealogist holding personal data simply in connection with his own studies and research would not be required to register such data. However, the Registrar considers that the genealogist would no longer hold such personal data solely for his personal recreational purposes if he disclosed the data to another genealogist, or any other person, and the exemption would no longer apply. Similarly, the exemption would not apply where a genealogist holds personal data which is shared with, and provided by, a group of genealogists who share research information, or held in connection with a local society of genealogists, or a one-name society.
Unincorporated Members’ Clubs
There are several exemptions from registration which might apply to a club whose members are genealogists. These include an exemption for accounting, mailing lists and an exemption for unincorporated members’ clubs which can cover personal data relating to members which are held with the consent of the members. These exemptions are set out in detail in a separate factsheet for clubs and societies which is available from the Registrar’s Office. However, a genealogists club which held research data about living individuals who are not members of the club would be required to register.
Word processing
In addition to the exemptions from registration, there is a provision for word processing. A person or an organisation does not become a data user simply by using the editing facilities provided by a simple word processor, with the sole purpose of producing a letter or other document, even though that document, when printed, may contain personal data. However, if the documents are held on a computer as a store of personal data then this ‘exemption’ would not apply.
HOW DO WE REGISTER?
If you are satisfied that you need to register, please telephone our Registration Department on (01625) 545740. You will be asked the broad nature of your business. A registration form designed to cover your own particular business will be sent to you. You will be required to check the details, make any amendments and return the form with the registration fee. The current fee is £75.00 for three years.
THE DATA PROTECTION PRINCIPLES
Registration alone does not ensure compliance with the Data Protection Act. Once registered, a data user must comply with the eight Data Protection Principles. The Principles are enforceable rules for good practice.
Broadly, the Principles state that personal data must be:
1. Obtained and processed fairly and lawfully;
2. Held for the lawful purposes described in the data user’s entry;
3. Used only for those purposes, and disclosed only to those people described in the register entry;
4. Adequate, relevant and not excessive in relation to the purpose for which they are held;
5. Accurate and, where necessary, kept up-to-date;
6. Held no longer than is necessary for the registered purpose;
7. Accessible to the individuals concerned who, where appropriate, have the right to have information about themselves corrected or erased;
8. Surrounded by proper security.
The principles are described in further detail in chapter 4 of the Guidelines, available from the Registrar’s Office on request. The Registrar’s staff will be happy to assist with any further questions about the requirements of the Data Protection Act.
As regards whether it is necessary to register if putting family tree on the Internet, the further advice from the Data Protection Registrar’s Office was as follows:
The Data Protection Act 1984 obliges all those organisations and/or individuals who process personal data to be registered with this office. There are some narrow exemptions from this requirement, all of which have stringent conditions attached. The fact that you intend to put this information on the Internet means that you would not be able to rely on any of the exemptions, and therefore you would need to register.
The First Data Protection Principle
Following on from registration data users must also comply with the eight Data Protection Principles of good data handling practice. Of particular relevance to your proposal is the First Principle which states that;
"The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully."
The Registrar takes the view that fair obtaining requires that people should be put in a position to decide whether or not to give the information requested. This will normally mean that they should be made aware of;
– the identity of the data user;
– any proposed uses of personal data which may not be obvious;
– any disclosures of personal data to third parties.
Our general position to anyone considering publishing personal data on the Internet is that this should only be done with the informed consent of the individuals concerned. We maintain that making such information available via a global medium such as the World Wide Web without the individuals involved understanding the implications of this and without their consent, would constitute unfair processing of personal data in contravention of the First Principle.
The 1998 Act is intended to implement in the UK the EU Data Protection Directive to be implemented by all the EU Member States. It did not originate in the UK (although we already had the less stringent 1984 UK Act which is now being replaced). One significant aspect is that any affected data cannot be transferred to a country outside the EU unless that country has equivalent data protection legislation. This would seem to rule out sending any such data outside Europe and especially to the USA.
Although the 1998 Act is mostly due to come into force on 1 April 2000, many of the rules and regulations are still awaited. The amount of the registration fee has only recently been announced as £35 per year which is a substantial increase over the figure of 75 pounds for three years under the 1984 Act.
A number of one name groups have registered following concerns over the implications and possible penalties of this legislation. The Lin(d)field One Name Group has recently registered as it seems clear that the cost is outweighed by the possible fines which can be incurred. The cost therefore equates to about 30 pence per member yearly.
On a related issue, members may have read of the project in Iceland to compile a database of DNA profiles. Here is part of an article which appeared in the San Fransisco Sunday Examiner, Dec. 19, 1999 under the headline – Iceland Company compiling vast database of nation’s DNA Profiles Sub Head_ Some scientists fear participants’ privacy could be in jeopardy.
"Within weeks the Icelandic Company, Decode Genetics, will begin collecting DNA samples from Iceland’s 270,000 citizens and linking the genetic profiles with their health records and family trees. It is an ideal site for using DNA to track genetic links to disease. Relatively few outsiders have moved in over 1,000 years, and the nation has extensive health records and family trees, some dating back 500 years. The company plans to use computer programs to search for patterns. Decode Genetics has the right to the database for 12 years and plans to sell information to pharmaceutical companies and researchers. It will take three years to complete the database programming, but much less time to get usable information".
Data Protection, as covered by the DP Act, is of course something of a misnomer. It should more accurately be described as Data privacy. In the more literal meaning of the phrase, there is at least one area where government agencies are patently failing to protect data. A number of correspondents have recounted how, having recently completed paying off their mortgage, they were duly sent the Land Registry Certificate by the Building Society, with instructions to forward the Certificate onto the Land Registry for updating. Most people have clearly assumed that their names would be entered at the bottom of the list of previous owners and the Certificate returned to them. Sadly, what is actually returned is a new computer-printed Certificate containing only the names of the current owner. The trajedy is that they destroy old Certificates when data has been added to the computer so that the primary evidence of previous owners to the property is destroyed forever. Members who may be approaching the long-awaited final mortgage payment might do well to retain a good quality copy of the Land Registry Certificate in order to minimise the damage caused by this wanton destruction of evidence!
The moral of the tale is "Always take photocopies of all evidence, because some people don’t ‘collect’ paper like genealogists do"