Data protection exemption expires tonight

An exemption for paper records from the Data Protection Act runs out at midnight. The transitional relief exemption only lasted until 23rd October, imposing less stringent conditions on the holding of paper records than electronic ones.

Most paper records, though, will still be exempt, and the change in the law will affect far fewer organisations than some have predicted, according to one data protection expert.

"It is hard to see where any normal data controller is likely to have significant problems," said Rosemary Jay, a data protection expert with Pinsent Masons, the law firm behind OUT-LAW.COM, earlier this year. "The end of the transition period only affects information held on structured manual files – not all manual files – so it is not applicable to all old pieces of paper."

Some experts have warned that a massive number of paper records will suddenly be covered by the Data Protection Act, causing a massive administrative headache for public authorities in particular.

But Jay said that the Act applies so selectively to paper records that not many will be covered. The Act applies only to filing systems which are extremely highly-structured and easy to search within.

In a landmark data protection ruling in 2003 the Court of Appeal said that the Act only applied to filing systems which were so complex that they were as sophisticated as a computer system when it came to organisation and searching.

In the aftermath of that ruling, a case brought by Michael Durant against the Financial Services Authority, the Information Commissioner's Office (ICO) updated its guidance on what filing systems were covered by the Act.

That new guidance said that the files must be organised so that "the content will either be so sub-divided as to allow the searcher to go straight to the correct category and retrieve the information requested without a manual search, or will be so indexed as to allow a searcher to go directly to the relevant page/s".

It said that a simple organisational principle such as chronology is not sufficient to qualify a system as coming under the scope of the Act.

"From 24th October this year the Data Protection Act 1998 will apply in full to all personal information covered by the Act and data controllers will need to ensure that the way personal information is processed is compliant with all the provisions of the Act," says guidance on the change to the Act issue provided by the ICO. "Individuals will also have full rights to go to court to rectify any inaccurate information about them that pre-dates 24 October 1998 under Section 14 of the Act. The Act does not require that data controllers digitise or computerise old manual records."

Jay said that the change was unlikely to have a significant effect because most files will have been added to since the Act came into force in 1998. That means that they will have been treated since then in line with the Act anyway.

The reality is that since this only applies to information held in these structured files, and the rest of the file – that is the information generated since 1998 – has been subject to the DPA anyway since the Act came into force, data controllers have been treating all the information in the same way," she said.