Peter Carey looks at the new Data Protection Act 1998.

Peter Carey is senior lecturer at Guildford College of Law.

Any solicitor worth their salt must be equipped to advise clients on their radically altered responsibilities under the Data Protection Act 1998, which establishes a new regime for the processing of personal data.

The new legislation, repealing the 1984 Act ushers in fundamental changes to the responsibilities of those who obtain, store and manipulate personal data.

And while these new legislative responsibilities are as yet untried by court or tribunal, lawyers would be strongly advised to watch this space because it cannot be long before litigation arises over the nature of these responsibilities. The significance of the Act can be measured by the fact the Government has estimated compliance costs for business at more than £1bn.

The basis of the Act is this. Currently, any person about whom information is held is entitled to be infor-med by any person who holds that data, whether information is held about them and to a copy of that information.

The new provisions provide that a data subject is additionally entitled to know the purposes for which the data is being held, the recipients or classes of recipients to whom it may be disclosed and the source of the data.

Where the processing of a person's personal data causes unwarranted and substantial damage or distress they are entitled to send a notice to the data controller requiring them to cease.

"Processing" is broadly defined to include even reading the information on screen.

Special conditions exist for "sensitive personal data", which includes the person's political opinions, religious beliefs, health and sex life. The processing of sensitive personal data is permitted where the data subject has given express consent.

On the international front, all data controllers must inform the Commissioner of any countries outside the European Economic Area (EEA) to which personal data is transferred.

Significantly, the Act prohibits the transfer of data to non-EEA countries that do not have an "adequate level of protection" for personal data. This is called the "eighth data protection principle" and clients engaged in the transfer of data abroad must be advised of the ramifications of this principle.

The perils for those found to be contravening the new legislation, shortly to be put into effect, are that they will be committing a criminal offence punishable by a fine. Data processors may be held personally liable.