The new rules are the result of an EU directive to harmonise data protection laws across Europe. The UK has had a data protection law since 1984, but the European directive extends its scope considerably. As well as information in databases, companies will have to apply the new law to other digital records, and also to some paper records.
The Act has already run into controversy for its clauses about transferring data outside the EU to countries with less stringent restrictions - including the US. There has been talk of a data trade war between Europe and the US, although it looks increasingly likely that some form of compromise will be reached.
The new Data Protection Act aims to strengthen our privacy as individuals, and make cross-border trade within the EU easier, with a single set of rules. "It is wider in scope," explains John Woulds, director of operations at the Data Protection registrar's office. "There are specific rules for processing data. It has to be processed fairly and lawfully. It is lawful only if it fulfils certain conditions."
Banks and insurance companies, as important users of data, will be heavily affected by the Act. In particular, companies using data and automated computer systems to make decisions, such as whether to grant a loan, will have to tell customers who ask, how they arrived at the decision. This comes on top of the current requirement to show customers their data records if they ask, and are prepared to pay a fee.
Data protection officials, though, are more worried about whether newer industries, especially those operating on the Internet, know enough about their obligations. "There are certain commercial sectors that are well aware of the data protection laws, and are in regular contact with us - for example, financial services and banking," Woulds says. "We are in continuous dialogue with organisations in these sectors.
"We are disappointed with the way Internet service providers have an apparent lack of understanding of data protection, and how to implement the Act."
For its part, the Internet industry believes that common sense and good business practice will be as effective as laws in protecting our personal data. Insiders point to the different attitudes towards junk e-mail - known as "spam" - among the online community. It is difficult, if not impossible, for individuals to prevent their data being used for junk mail through the conventional post. Electronic junk mailers get short shrift from ISPs (service providers).
ISPs themselves should hold relatively little information on subscribers, according to Richard Woods, communications manager for UUNet. "For individual users, as long as they pay their bills, all we need is their name and address and bank details. We use a Web-based system to store that information, but we can restrict what people can do with it," he says.
"We are not in the business of selling lists of e-mail addresses," agrees David Johnson, commercial director at Virgin Net. "In some ways, it is a good thing to tighten up the rules slightly. I am concerned about it, and want to make sure we comply." Virgin Net already has a policy of obtaining consent for data, and is conducting an audit to see whether it is keeping to the new Act's provisions.
Companies that misuse the data they gather may find that their customers vote with their browsers and go elsewhere, warns Johnson: "I know that our customers would leave hand over fist if information were being passed on," he says.
The law is less specific on information that companies gather from visitors to their websites, for example from so-called "cookies", or from software that builds a picture of customers' preferences based on the information they look at on the Web.
Companies that do give out information could well be damaging their businesses, he suggests. "Information gives them a competitive advantage. They will not give that information away."
More information on the new Act is available from http://www.open.gov.uk/dpr/dprhome.htm