Copyright © 1996 Freddy Kosten and Chris Pounder.
First Published in Web Journal of Current Legal Issues in association
with Blackstone Press Ltd.
This paper explores and analyses the provisions of the EC Data Protection
Directive 1995. To assist readers, it is our practice to capitalise terms,
relating to natural or legal persons, which are defined in the Directive.
Article 1 explains the purpose of the Directive: to "protect the fundamental
rights and freedoms of natural persons, and in particular their right to
privacy with respect to the processing of personal data". Such protection
'shall neither restrict nor prohibit the free flow of personal data between
Member States'.
Article 2 introduces definitions which differ from those in the Data
Protection Act 1984 (the UK Act). For instance:
(a) 'personal data' comprise "any information relating to an identified or identifiable natural person ('Data Subject')". Personal data are, therefore, not limited to information which is processed automatically, nor to information about a 'living individual', nor do they exclude the intentions of the Data User with respect to the Data Subject (the UK Act imposes all three of these restrictions).Article 3 limits the scope of the Directive to personal data that are processed wholly or partly by automatic means, and to personal data processed by non-automatic means if these data are, or are intended to be, part of a 'filing system' (eg organised, or intended to be organised, in a structured manual file). In addition, Article 3 stipulates that Member States shall not apply this Directive to the processing of personal data outwith Community competence (eg to policing or to 'purely personal' matters). These exceptions prepare the ground for continuation of the wide exemptions found in Sections 27 (national security) and 33(1) (domestic and recreational affairs) of the UK Act.(b) 'processing of personal data' describes "any operation or set of operations which is performed upon personal data, whether or not by automatic means". Use of the word 'any' clearly emphasises that every conceivable operation on personal data is'processing' (eg from collection, use, and disclosure, to storage and destruction). Thus, non-automated processing such as the manual manipulation of personal information stored on a micro-fiche would be an 'operation'.
(c) a 'Controller' is the "natural or legal person" who "determines the purposes and means of the processing of personal data" (whether "alone or jointly with others"). This definition is close to that of 'Data User' in the UK Act.
(d) a 'Processor' is the "natural or legal person" who "processes personal data on behalf of the Controller". Since the definition of processing encompasses 'any operation', a 'Processor' includes any person who is instructed by the Controller to manipulate personal data (eg a contractor who destroys printout, organises mailings, or collects completed application forms). In practice, this definition will generally not impact on staff acting on behalf of their employer who is also a Controller.
(e) a 'Third Party' is "any natural or legal person...other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorised to process the data". This elucidates the status of 'Third Party' implicit in the UK Act.
(f) a 'Recipient' is one "to whom data are disclosed, whether a Third Party or not". Data Subjects can thus be Recipients of personal data. The definition permits "authorities which may receive data in the framework of a particular enquiry" not to be regarded as 'Recipients', a qualification which can be seen as introducing the equivalent of some of the non-disclosure exemptions of the UK Act (eg disclosures required by law; Section 34(5)(a)).
(g) 'Data Subject's consent' is "any freely given specific and informed indication of his wishes by which the Data Subject signifies his agreement to personal data relating to him being processed". The Directive does not demand express consent in writing, or the keeping of formal consent records; the indication could be a verbal "yes" or even a 'nod and a wink' although, in some circumstances, the absence of proof that consent had been given could create problems
(h) 'personal data filing system' comprises "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis". If personal data can be retrieved through use of an index, or accessed via criteria such as name, reference or policy number, address, vehicle registration mark etc, then these data can be considered as stored in a 'filing system'.
Article 4 establishes that each Member State shall apply the Directive:
(a) to any Controller "established on the territory of the Member State".(b) to Controllers who are "established on the territory of several Member States". For instance, if a UK company had offices in Paris and Berlin, then the French and German offices would have to comply with the standards of French and German law.
(c) to circumstances under which a specific national law applies because of the application of international public law. For instance, the UK Embassy based in any country is in international law UK territory; any Controller established at this location would be subject to UK data protection law.
(d) to processing carried out, in a Member State, on behalf of a Controller who is not established in the European Union. For instance, a USA company which processes personal data in the UK would need to appoint someone who can be 'nobbled' by the UK's Data Protection Authority. However, if the processing takes place "only for purposes of transit (of the data) through the territory of the Community" then there is no need to appoint a representative.
(a) "processed fairly and lawfully". Since processing, by definition, includes collection (ie obtaining), this obligation incorporates the First Data Protection Principle of the UK Act. Articles 10 and 11 provide more detail as to the information which has to be provided to Data Subjects and to Third Parties, when information is collected about the Data Subjects.(b) "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". This Principle prohibits any "further processing of personal data if such processing would be incompatible with the purpose(s) of collection. The link to the purpose specified at collection is important; new purposes determined after collection are likely to be in breach of the Principle unless necessary steps are taken by the Controller (eg to seek the consent of the source(s) for the new purpose). This approach is often referred to as the 'Finality Principle'.
(c) "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or for which they are further processed". Note that the Directive again links the Controller's purpose(s) at the time of collection and at the time of further processing. The preamble to the Directive states that the latter purpose(s) "shall not be incompatible with the purposes...originally specified".
(d) "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified". The word 'reasonable' provides some flexibility with respect to the obligations imposed by this principle; however, Article 12 does imply that a disclosure log will be necessary.
(e) "kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed". This extends the UK's Sixth Principle by differentiating between the purpose(s) associated with collection and the purpose(s) of further processing. Longer periods can apply if personal data are processed for "historical, statistical or scientific" purposes and if a Member State imposes "appropriate safeguards".
(a) "the Data Subject has given his consent unambiguously". Since there must, by definition, be an 'indication' of consent, implied consent (ie when consent is assumed in the absence of an indication) is unlikely to meet this requirement.(b) "processing is necessary for the performance of a contract to which the Data Subject is party" (or in order to complete some pre-contractual stage at the request of the Data Subject).
(c) "processing is necessary for compliance with a legal obligation to which the Controller is subject" (eg statutory duties imposed, by law, on Controllers).
(d) "processing is necessary in order to protect the vital interests of the Data Subject". 'Vital interests' should involve some kind of emergency; the preamble to the Directive cites the protection of "an interest which is essential for the Data Subject's life".
(e) "processing is necessary...in the public interest". The phrase 'public interest', as the first Calcutt Report (Cm 1102) noted "means different things to different people"; in other words, the phrase has uncertain application in the UK.
(f) "processing is necessary...in the exercise of official authority vested in the Controller or in a Third Party to whom the data are disclosed". This would cover many Controllers and Third Parties who are public bodies, and others whose responsibilities are established and limited by statute.
(g) "processing is necessary for the purposes of the legitimate interests pursued by the Controller or by the Third Party or Parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject". The condition sets up a balance between two interests. Thus, if the consequences of the processing are detrimental to a particular Data Subject, and there are no other 'necessary' grounds that would take precedence, then one would expect the Data Subject's interests to override the Controller's interests in the continuation of the processing. One would always expect the Data Subject's interests to prevail if the Controller acted unlawfully (eg did not comply with the provisions of this Directive).
(a) "the Data Subject has given his explicit consent to the processing"; however, Member States can enact legislation to prohibit the processing even if such consent has been obtained.(b) "processing is necessary for the purpose of carrying out the obligations and specific rights of the Controller in the field of employment law insofar as it is authorised by national law providing for adequate safeguards". Note that this condition is very narrowly defined.
(c) "processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving his consent". As mentioned above with respect to Article 7, 'vital interests' is of limited scope.
(d) "processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a Third Party without the consent of the Data Subjects". The objective is to ensure that organisations like charities (eg in support of certain religious beliefs) are not subject to the need to obtain consent to the processing of sensitive personal data. This exception seems odd since one would expect the 'members' in 'regular contact' to have provided such consent. Cults with 'philosophical' or 'religious' aims which are also suspected of 'brainwashing' their members will presumably have no difficulty in obtaining the necessary consent!
(e) "processing relates to data which are manifestly made public by the Data Subject" (eg when a person 'comes out', or reveals political loyalties in a letter to a newspaper) or if the processing "is necessary for the establishment, exercise or defence of legal claims" (eg an insurance company which holds medical data because the Data Subject is suing for negligence).
(f) "processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health- care services, and where those data are processed by a health professional subject...to the obligation of professional secrecy". The UK Government expressed concern that compliance with earlier drafts of Article 8 would entail a cost of £1 billion to obtain the necessary consent, and would thus interfere with the internal NHS market. This wording should lay these worries to rest.
(g) when processing is sanctioned through legislation. Article 8 provides Member States with considerable flexibility (eg on the grounds of "substantial public interest", whatever this means; see Article 7) to lay down exemptions in addition to those listed above (eg who is allowed to hold criminal records, or use a Universal Personal Identifier or a PIN) ; however, such legislation must provide 'suitable safeguards'. The Commission must be notified of the scope of any legislation which permits an exemption which relates to these special categories of personal data.
(a) "the identity of the Controller and of his representative, if any".(b) "the purposes of the processing for which the data are intended"( the use of the word 'intended' implies that the Data Subject must be given advance notice of all the Controller's purposes).
(c) and "any further information...insofar as such...is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the Data Subject". The Article illustrates the kinds of details which might help "guarantee fair processing"; these include: "the Recipients or categories of Recipients of the data", "whether replies to the questions are obligatory or voluntary", the "possible consequences of failure to reply", and the existence of the Data Subject's rights of access and rectification.
There are several exceptions from the need to provide these details;
they apply when:
(a) the Data Subject already has the information.(b) an exemption applies (see Article 13).
(c) "if recording or disclosure is expressly laid down by law". So, for instance, the Electoral Registrars in the UK would not have to inform Data Subjects concerning those who had purchased the register, since this disclosure is authorised by statute.
(d) if the provision of information proves impossible. This is a tough condition, and is only likely to apply in rare cases (eg the personal data do not include the Data Subject's address).
(e) if the provision of information involves "a disproportionate effort". There are two ways of interpreting the word 'disproportionate'. Firstly, in relation to the effort involved (eg if the obligation would impose unreasonable demands on the Controller) and secondly, in relation to the Directive's prime objective of protecting the Data Subject (eg if the recording or disclosure involved was unlikely to harm or distress the Data Subject, then provision of this information could be claimed to be disproportionate to that aim).
(a) to obtain "confirmation as to whether or not data relating to him are processed", and information concerning (at least) "the purposes of the processing, the categories of data concerned, and the Recipients or categories of Recipients to whom the data are disclosed". These requirements resemble those in the UK Act: via part of the Subject Access provisions (Section 21(1) (a) ) , and the right to inspect any Data User's Register Entry (Section 9).(b) to obtain "in an intelligible form...the data undergoing processing". Unlike the UK Act, Article 12 further identifies, as one component of the right of Access, the obligation to provide the Data Subject with "any available information" as to the source of the data; this information can only be withheld if an exemption applies (Article 13; see next paragraph). By contrast, the UK Act permits an individual, as source, to remain unidentified (except if the source is a social worker or health professional involved in a professional capacity with the Data Subject).
(c) to obtain "knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1) ". In essence, Member States have to enact legislation so that the broad facts provided to Data Subjects (eg under Article 10) could be augmented, on demand, by details about any automated decision-making process.
(d) to have personal data rectified, erased or blocked if the processing "does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data". This could be a very powerful weapon: Controllers could find it difficult to refuse Data Subjects who say "you have not complied with Article X. Now delete my data".
(e) to obtain "notification to Third Parties to whom the data have been disclosed of any rectification, erasure or blocking...unless this proves impossible or involves a disproportionate effort". The Article points, inexorably, towards the implementation of a disclosure log.
(a) 'national security' and 'defence' purposes. Note that under Article 3, personal data held for certain purposes (eg national security, public security, policing) are excluded from the scope of the Directive. The exemption is necessary since 'ordinary' Controllers who process personal data for 'normal' purposes might need to disclose such data for these purposes.(b) 'public security'. In the UK Act, there is no specific exemption for this aspect, but certain personal data could involve the exemptions under Section 28.
(c) "the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions". In the UK Act, Section 28 permits exemptions for crime prevention purposes and for breaches of ethics which result in crime.
(d) "an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters". These interests link to at least three Sections of the UK Act: Section 27 since national security relates to the economic well-being of the UK, Section 28 with respect to the "collection of any tax or duty", and Section 30 with respect to the finance sector. These last provisions will permit the continuation of some of the Subject Access exemptions found in the Orders made under Section 30 of the UK Act, as modified by Section 190 of the Financial Services Act 1986 (eg pertaining to the regulatory functions of the Bank of England).
(e) "a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority" (mainly in respect of security and criminal matters). This exemption would cover relevant disclosures of personal data to official bodies (eg as with many disclosures subject to the non-disclosure provisions).
(f) "the protection of the Data Subject". This could maintain the Subject Access exemptions to particular health and social work data, if Access to those data could seriously harm the patient or social work client (Section 29 of the UK Act).
(g) "the rights and freedoms of others". This could maintain the exemptions associated with legal professional privilege (Section 31(2) of the UK Act) and other restrictions on the right of Access already sanctioned (eg adoption records as in Section 34(2) , or genetic records as in Section 32(8) of the Human Fertilisation and Embryology Act 1990).
(h) research and statistics. The exemption is limited to Article 12 only, and applies to personal data which "are processed solely for purposes of scientific research" or are kept no longer than "necessary for the sole purpose of creating statistics", but only if such data are "subject to adequate legal safeguards". This would allow the UK to continue with Section 33(6) of the UK Act.
(a) "at least in the cases referred to in Article 7(e) and (f) " allow Member States to legislate with respect to any 'case' whatsoever (ie even beyond those specified in Article 7). However, the minimum scope of such legislation must relate at least to the last two paragraphs of Article 7 (ie if "processing is necessary...in the public interest or in the exercise of official authority...or...for the purposes of the legitimate interests pursued by the Controller...except where such interests are overridden by the interests...of the Data Subject").The right in Article 14(b) to object with respect to direct marketing is much clearer; it is strengthened by the requirement that "Member States shall take the necessary measures to ensure that Data Subjects are aware" of this opportunity (eg through appropriate publicity). The options provided are:(b) "compelling legitimate grounds relating to his particular situation to the processing of data relating to him" place the right to object onto a case-by-case basis, and ensure that, to succeed, Data Subjects would have to show that the consequences of the processing were likely to be strongly detrimental to them.
(c) "save where otherwise provided by national legislation" permit Member States to enact legislation which would override the right to object in any appropriate circumstance.
(a) for a Data Subject to "object, on request and free of charge, to the processing of (his) personal data...which the Controller anticipates being processed for the purposes of direct marketing", or(b) if the purposes of the direct marketing involve Third Parties (eg host mailing) , the Controller must inform the Data Subject "before personal data are disclosed for the first time to Third Parties or used on their behalf", and expressly offer "the right to object free of charge to such disclosures or uses".
(a) does not produce a 'legal effect', nor 'significantly' affect the Data Subject, nor concern any 'personal aspect' of the Data Subject.(b) allows for a review of the decision (eg by staff), since the decision would then not be 'solely' the result of an automated process.
(c) results in a decision which relates to the performance of a contract (or entering into a contract) "provided that the request (for the processing) by the Data Subject has been satisfied or that there are suitable measures to safeguard his legitimate interests". The Article provides one example of a safeguard: "arrangements allowing him to defend his point of view" (ie an appeal against the decision)
(d) "is authorised by a law which also lays down measures to safeguard the Data Subject's legitimate interests".
(a) a requirement to have "regard to the state of the art" with respect to security measures (ie be aware of new security fandangos);(b) to see that "such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected" (ie carry out some kind of risk analysis) , and to take account of "the cost of their implementation" (ie how cost-effective the new security methods would be);
(c) to "choose a Processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out", and to "ensure compliance with those measures";
(d) to record the security measures adopted "in writing or in another equivalent form". This "contract or legal act" shall stipulate that "the Processor shall act only on instructions from the Controller" and that the Processor shall meet the security obligations of this Article.
(a) full notification. Articles 18(1) and 19 establish a regime very similar to the current UK registration framework (ie Data User identification details and, for each Purpose, a description of Data Subject Types, Data Classes, Sources, Disclosures and Overseas Transfers). Article 19 slightly modifies this list: it omits the obligation to register Sources; it expands Disclosures to include "Recipients or categories of Recipient", and adds an obligation to notify "a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken...to ensure security of processing".(b) simplification of, or exemption from, notification. Article 18(2) allows Member States to determine that certain personal data, whose processing is "unlikely...to affect adversely the rights and freedoms of Data Subjects", can be exempt from notification or be subject to a simplified notification procedure. UK legislation can thus be expected to continue the exemptions from registration found in the current UK Act (eg payroll and accounts; Section 32) , where each exemption sets out a list of conditions to which Data Users must conform (otherwise the exemption is invalid). Simplification of the registration process, on the basis of the risks which the processing signifies to Data Subjects, is actively being considered by the UK's Data Protection Registrar.
(c) notification through a designated official. Article 18(2) permits Member States to provide for simplified notification or for exemption from notifying the Data Protection Authority, if national law requires a Controller to appoint "a data protection official" who is responsible "for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive", and "for keeping the register of processing operations carried out by the Controller".
(d) special exemption from notification. Through Article 18(3) , Member States can exempt from the notification procedures any 'registers' of personal data which, by statute, have to be made public; in this way, the UK Government can broadly maintain the exemption from registration found in Section 34(1) of the UK Act.
(e) optional notification. Article 18(5) states that "Member States may stipulate that certain or all non-automatic processing operations involving personal data shall be notified, or provide for these processing operations to be subject to simplified notification". Given the current UK Government's opposition to the extension of legal safeguards to structured manual records, it would be surprising if it decided to take advantage of this provision.
(f) advance notification. Article 20 permits Member States to define certain processing operations as "likely to present specific risks to the rights and freedoms of Data Subjects". If a State takes advantage of this provision, the Data Protection Authority will be obliged to carry out checks prior to permitting a Controller to start processing operations.
(a) enable any person to have access to the Courts and "provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law". The UK Act establishes such access through Sections 21, 24 and 25.(b) allow "any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions" to seek compensation from the Controller. This extends compensation possibilities considerably when compared with those provided by Section 22 (inaccuracy) and Section 23 (inadequate security) of the UK Act. In effect, any breach of Chapter II, if damage arose as a result, could lead to a claim for compensation.
(c) "lay down sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive". In the UK Act, these find expression through criminal sanctions (eg in Section 5) , and through the various Supervisory Notices available to the Registrar (eg the power to enforce compliance with the Principles).
Article 26 defines derogations from Article 25, and indicates that transfer
can occur even though an adequate level of protection cannot be guaranteed,
on condition that:
(a) "the Data Subject has given his consent unambiguously to the proposed transfer".(b) "the transfer is necessary" as part of "a contract between the Data Subject and the Controller", or for "the implementation of precontractual measures".
(c) "the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Controller and a Third Party". This is a very flexible condition, and permits the Controller to transfer personal data to any Third Party anywhere in the world (eg for telesales, airline bookings etc).
(d) "the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims"; as mentioned with respect to Article 7, 'public interest' is a vague term.
(e) "the transfer is necessary in order to protect the vital interests of the Data Subject" (see Article 7).
(f) "the transfer is made from a register which according to laws or regulations is intended to provided information to the public". The logic for this provision seems to be as follows: the personal data are in the public domain, and consequently are insecurely held (ie anybody can access the data). Thus, there are no grounds on which to prohibit the transfer of the data to a very 'insecure' third country, irrespective of what use may then be made of those data.
(g) Controllers are authorised, by Member States, to transfer personal data to countries which offer an inadequate level of protection, if a Controller "adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals" (eg via a contract).
(a) endowed with "investigative powers, such as powers of access to data forming the subject-matter of processing operations (covered by this Directive) and powers to collect all the information necessary for the performance of its supervisory duties".Articles 29-30 establish a Working Party whose members will include one representative of the Data Protection Authority in each Member State (if the State has a federal structure, then a joint representative of all its Authorities has to be found) , as well as one representative each from the Commission and from the Community. The Working Party will have "advisory status and act independently" and will be able to convey, to the Commission, its opinions on various data protection problems (eg on 'Codes of Conduct', divergences between national legislation, data protection problems occurring in third countries, implementation of the Directive by Member States). The Working Party will publish an annual report which will be presented to the European Parliament and the Commission. At first reading this seems a body with little power except to put forward opinions; much will depend on its expertise and the status accorded to it by Member States.(b) equipped with "effective powers of intervention, such as (that of) ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the Controller, or that of referring the matter to national parliaments or other political institutions".
(c) involved in the prior checking of certain sensitive processing operations (see Article 20).
(d) consulted when Member States are "drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data".
(e) able "to engage in legal proceedings" when breaches of national legislation occur, subject to appeal through the Courts.
(f) able to "hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data".
(g) able to "hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply".
(h) expected to produce "a report on its activities at regular intervals" (eg as per the UK Registrar's reports to Parliament).
(i) expected to liaise with other Data Protection Authorities "to the extent necessary for the performance of their duties".
(a) apply a delay of up to three years, from the date the national legislation comes into force, with respect to personal data whose processing is underway at that time. This means there is no delay with respect to personal data whose processing begins after this time (even if the data are processed in a manual filing system).(b) apply a nine year delay, from the date the national legislation comes into force, to the application of three Articles with respect to personal data already held in manual filing systems. These Articles are: Article 6 (Principles) , Article 7 (Lawfulness of processing) , and Article 8 (special personal data). Note that this extension does not include Article 12 (ie the rights of Data Subjects)
(c) provide, subject to suitable safeguards, that "data kept for the sole purpose of historical research" need never be brought into conformity with Articles 6 - 8. Note that this derogation is limited; it excludes any other form of research, and leaves such data subject to the other Articles in the Directive.
The Journal of Information Law and Technology The first issue of this new UK based electronic journal contains a useful special feature on the EC Data Protection Directive. This feature contains articles on the impact of the Directive from the UK, Danish, Dutch, Irish and Swedish perspectives.
Surfing The Internet - Skating on Thin Ice? An article by Dr Chris Pounder and Freddy Kosten, published by UK Index.
The UK Data Protection Registrar The home page of the Office of the Registrar which includes a brief outline of the UK Data Protection Act 1984.
http://webjcli.ncl.ac.uk/1996/issue2/kosten2