Today (24 October 2001), the second transitional period of the Data Protection Act takes effect in the UK.   This means that companies and individuals may only hold and process personal data with the consent of the data subject.  This sounds a good idea.  It is not.  It is a gross infringement of freedom of speech.   

The Data Protection Act tends to be presented as protecting the individual from evil big business.  For example preventing double-glazing companies from inundating us with unsolicited mail.   In fact, although private companies may annoy us in the short term, they will soon go out of business if they persist because we won't buy their products.   

The real danger is government using personal information to manipulate our views or behaviour; to persuade us that it is best able to protect the environment for example.   Such "big brother" activity is less obvious, but in the long run a much greater, danger because the government does not need us to freely buy its services.  We have no choice about paying our taxes.   Government exemptions mean that the Data Protection Act does little about that sort of intrusion.   

The Act is fairly complicated but the section on personal data goes as follows.   NOTE - Personal data covers both facts and opinions about the individual, and the definition of processing includes 'obtaining', holding' and 'disclosing' the data.

To put it simply - Private individuals and companies can only hold personal data with the permission of the data subjects, unless the data is needed to comply with a legal contract, or to protect their vital (life and death) interests.  An exception is made for the courts or the state, and the government (through the secretary of state) has powers to invoke a "special interest" defence.  

Now of course it is generally sensible for private individuals and companies holding databases with personal information, to permit the data subjects to check the information and correct errors etc.   It makes the data more valuable, and will please their customers.   However, no one should have the power to force them to do so.    

If I hold data about you that I came by legitimately, i.e. by finding it, collecting it, buying it, or being given it, that is my data, not yours.   So long as I don't libel or threaten you, or otherwise harm you, I should be allowed to do with it what I like.    Whether a written list of names in my jacket pocket, or a dataset of thousands of names, it never becomes your data just because it is about you.   If I harm you when I use it, you should have right of redress.  But you should not have a veto over my simply holding the data.    

An analogy is the personal data about other people which I hold in my head.   Some is wrong, some malicious, and some highly sensitive.   You may not like me thinking certain thoughts or even gossiping about you but you cannot justify preventing me either thinking or talking about you.  Only if I harm you with my gossip should you have right of redress.

Of course there should be one big exception to the principle that people should both be allowed to think and say what they like about others, and process what information they like about others.  This is data obtained by theft or force.   If you tell someone your personal secrets and they tell their friends you have only yourself to blame.  If a thief breaks into your house steals your secrets and gossips about you he should be punished.   Similarly if someone forces secrets from you by threats of violence or by so arranging things that you have no choice but to reveal your secrets.  

The most common data collected this way is that collected by government and its agencies, such as the National Health Service etc.   Most of us have little choice over the personal information we reveal to government.   Even if the data was not forced out of you, the funding to collect and hold it was.  You were forced to pay the tax.    

I experienced the double standard in a small way in my day job as a doctor, as member and chairman a number of NHS research ethics committees.   These are designed to safeguard NHS patients when they participate in research.  The committees were often asked to consider whether a particular data item could be stored by a researcher for a particular project.  

Committee members, who were mostly NHS employees, tended to insist that private pharmaceutical companies and other commercial organisations followed the letter of the Data Protection Act.   A reasonable requirement when the companies were researching on NHS patients who had little choice over where they got their health care.  

However, the committee was often persuaded to relax the rules by NHS researchers who wanted to use personal data for their pet project without the patient's consent.  They argued that there was an over riding public interest, that the harms were trivial, or that it would cause inconvenience and worry to ask patient's permission.   Some government scientists have even obtained exemptions for whole classes of epidemiological research on the grounds that if some people refused to participate the results would be jeopardised.   These are double standards. 

The safeguards of the Data Protection Act should apply with extra force to government held data.  Private individuals and companies should be exempt, except when they are doing the government's business.       

It should be no surprise that the Data Protection Act was developed in the European Union with its burgeoning super state, and is now spreading to previously freedom- loving Britain.   It is fortunate that it has so far been resisted by countries such as the United States which take freedom of speech seriously.    

24 Sept is a sad day, and the Data Protection Act is bad law.  Right-thinking people should oppose it at every turn.

Jim Thornton Leeds 24 Sept 2001