Data protection a farce?

Press, 6 May 1986, Page 45

Data protection a farce?

From the “Economist,” London By the morning of May 12, most British firms and many individuals using computers for work will have committed a criminal offence. A piece of legislation about computers and privacy, clumsily designed to appease the Council of Europe, has turned out to be intrusive, expensive and probably pointless. Many companies are either ignoring it or are unaware of it. Some of the newlycreated criminals will be members of Parliament who voted for the legislation. The Data Protection Act gives Britons the right to see computerised information about themselves from November 1987. A register has been set up by a Home Office quango in Wiltshire to keep records of every firm and individual with computerised Information about living persons used for business. Big companies will have to fill in many registration forms — British Telecom has five people on it full-time and will submit more than a thousand forms. A newsagent with a computerised list of houses for deliveries, a journalist with a computer at home, or an M.P. with a micro-

computer for constituency work will have to register. The accountants Arthur Andersen and Co. estimate that it will cost a small firm £5O to £lOO ($135 to $270) to register, not counting the opportunity cost of time lost filling in the complicated forms — the Data Protection Registrar says 10 per cent of forms filed so far have spending £750,000 ($2 million) publicising the Act. It is hard to see the point of registration. Companies do not have to give the names of everybody on whom they hold computerised information. They just have to say what sort of data they been completed wrongly — or the fees of advisers. In theory, anyone who has

not registered by May 11 may have to pay unlimited fines. In 1984 the Home Office said it thought about 80,000 firms would have to register. That turns out to be wrong by a factor of at least 10. Because of the way the legislation has been drafted and the way the registrar is Interpreting it, the real figure is almost certainly more than one million. But it seems that in fact only a minority will register. At the last count, 17,500 forms had been received. That will accelerate during the next few weeks, but the registrar himself admits that it will be six months after the May deadline before even 300,000 registrations are in. The registrar is

have, where they get It from and what they use it for. So if Mr Bloggs wants to inspect the information held on him, he will have to guess which companies might have some, and then get the Data Protection Registrar to check. The registrar will be able to tell from his register whether or not company X keeps computerised information, but — even with a complete register — he will have to contact company X to find out if it has any on Mr Bloggs. But if it has to begin its search with Mr Bloggs’ guess, and it has to contact company X, why have registration? West Germany’s computer privacy law gives citizens much the same rights as Britons will have, without asking priv-ate-sector companies to register. The British government — which seems barely to be aware of the monster created by its apparently innocuous law — now has an unpleasant choice. It could admit its mistake and simply scrap the register now; it could add to confusion by changing the rules to exempt small companies and inddlviduals; or it could leave things as they are, thus wasting some firms’ time and money, and criminalising the rest.