Blame game
Common sense is all that is required to deal with the much-criticised Data Protection Act 1998, says Olswang senior solicitor Marc Dautlich.
When the Berlin Wall came down, the German government set up an organisation in the reunited city that is unique in the modern world. It was called the Gauck Authority and its purpose was simple: to preserve the records of the Stasi, the former East German secret police, and to provide access to these documents to any citizen who had been the subject of Stasi surveillance.
The principle was easy, the practice a little harder: much of the Stasi's information came from informants recruited to spy upon their colleagues, friends, lovers and, in some cases, even on husbands or wives. Simply turning over such records to those spied upon could be devastating to people who had a connection with the reports, sometimes as inadvertent informers, sometimes incidentally as bystanders.
Consequently there are intricate rules - data protection rules - which regulate the disclosure of the records by the Gauck Authority, and a small army of officials who intervene manually to edit the records in accordance with these rules and oversee their proper application.
Although the day-to-day application of the European Directive on Data Protection is somewhat more mundane, the principles underlying it and the rules of the Gauck Authority have a lot in common - and are, indeed, relatively straightforward.
At their heart lies the principle of safeguarding information about individuals that is personal to them. In fulfilling the first purpose, both regulations contain rules about how to balance different competing interests, whether in the form of the privacy of other individuals or of other interests that may override data protection rights, such as the rights of courts to obtain information or the necessity to obtain information in order to prevent a crime.
Yet the UK manifestation of the Directive, the Data Protection Act 1998, has recently been cited both by the public and the private sector as a complex obstacle to the keeping and/or the release of information that could have saved lives.
For example, Humberside Police cited the Act as the reason why it could not pass on intelligence about Soham murderer Ian Huntley to Cambridgeshire Police. Likewise, British Gas cited the Act as the reason why it could not pass on details to social services about an elderly couple whose gas supply it cut off for failure to pay their bills and who subsequently died of hypothermia.
The Act does contain more than its fair share of unclear or ambiguous drafting, but the real reason British Gas did not pass the information on to social services, as it subsequently conceded, had less to do with obstacles under the Data Protection Act than that it had not in fact known that the couple in question were as vulnerable as transpired.
Similarly, the chief of Humberside Police later admitted that the Data Protection Act had nothing to do with the mistakes made by his police force. It had failed to pass on the warnings, he said, because of inadequacies in its own record keeping.
There are two points to make about such cases. First, there is now clear judicial support for the Commissioner's proposition that one has to adopt a "common-sense" approach to interpretation of the Act.
In an important guidance - Campbell versus MGN (2002) - the judge said: "The Act should, if possible, be interpreted in a manner that is consistent with the [European] Directive. Furthermore, because the Act has, in large measure, adopted the wording of the Directive, it is not appropriate to look for the precision in the use of language that is usually to be expected from the parliamentary draftsman. A purposive approach to making sense of the provisions is called for."
While "common sense" and "purposive" are not necessarily the same, it is hoped that such a call will put a brake on those very detailed technical expositions of the meaning of the Act that have been put forward without any adequate 'sense check' of the Act's underlying principles.
Second, recent tragic cases will hopefully provide a renewed impetus for continuing co-operation between data controllers and the Commissioner to promote guidance about those areas of application of the Act that would benefit from more context-specific rules. And certainly the Commissioner has been at pains to emphasise his willingness to continue to promote such guidance.
By and large, many of these codes, such as the early parts of the employment practices code, have, after initial problems, been a success, helping to shed light on specific aspects of data controllers' obligations under the Act.
For organisations in both the private and public sector, the trick will be to ensure a balance between rules that are sufficiently specific without being unnecessarily prescriptive, or alternatively, so generic as to add nothing to the principles already set out in the Act.
Article by Marc Dautlich