While the Data Protection Act 1984 may have gathered dust in a rarely visited corner of your office library, the extended scope of the 1998 Act will call for close attention, both in relation to your own office records and also to those of your clients.

The new Act will apply to all structured records about living persons, and the powers of the courts to regulate the use of information in records will be extended.

A brief summary follows of the position as it will be from now on.'Data' is computerised and manualThe new Act applies to personal information about identifiable living individuals which is held in an automatically processable form or which is kept in records, computerised or manual, structured by reference either to individual identities or characteristics.

School and local government records are also within the regime and the basic yardstick is whether specific information relating to particular individuals is accessible from the records.Who is regulated?Anyone who carries out operations on personal data, or who decides how or why the operations should be conducted, is classified as a data controller and is required to comply with the provisions of the Act.What principles apply?The general principles are are set out in Schedule 1 of the Act.

Personal data must be processed fairly and lawfully and must be obtained for lawful purposes.

It must be relevant to those purposes and must no t be processed in an incompatible manner.

The data must be accurate and up to date and must not be kept longer than necessary.

The processing must accord with the rights of the data subjects.

Suitable security measures must be applied and personal data is not to be transferred outside the European Economic Area unless it can be established that there will be adequate security for the data in the state to which it is sent.Schedule 2 of the Act sets out preconditions to the lawful processing of data:-- the individual concerned must consent to the processing; or-- the processing must be necessary for the performance of a contract with the individual;-- the processing must be required by law; or-- the processing must be required to protect vital interests of the individual; or-- the processing must be necessary to carry out public functions; or-- the processing must be necessary to pursue legitimate interests of the data controller or third parties where these interests are not prejudicial to the interests of the individual concerned.Where the data is classified as sensitive -- some examples being data relating to ethnic origins, political or religious sympathies, trade union membership or sexual empathies and criminal convictions -- it is also necessary to comply with the criteria in Schedule 3 of the Act.

The principal examples are:-- the express consent of the individual concerned;-- a legal requirement for the data to be processed for purposes of employment;-- protection of the interests of the individual concerned or a third party;-- administration of justice or the conduct of legal proceedings.Practitioners should be warned that the Secretary of State can extend the Schedule 3 criteria by order.The control frameworkBy the commissioner:The Data Protection Registrar becomes the Data Protection Commissioner.

Data controllers must notify the Commissioner as to what data is to be processed, the reasons for processing and the destinations to which it will be sent.

The information will be recorded in a public register.

In addition, the Commissioner has powers to deal with breaches of the Act (but not to order compensation), to require by notice the provision of information and to serve enforcement notices on data controllers.By the data subject:The rights of the individual subject include access to the personal data itself and information as to the nature of the data being processed, the purpose of the processing, the potential recipients and as to the sources of the data.

Furthermore, in certain cases within Schedule 2 where the processing of data would be likely to cause unwarranted and substantial damage or distress, the subject can restrain the data controller from processing the data in question.

In addition, the subject can, by service of a notice in writing, prevent the processing of personal data for use in direct marketing.By the criminal law:Examples of criminal offences include processing without notification to the Commissioner, unauthorised access to disclosure of personal data, the sale or advertisement of data without authority and failing to comply with information or enforcement notices.TelecommunicationsThe EU Data Protection Telecommunications Directive was also incorporated into English law on 1 March, and restricts the use of telephones and faxes for unsolicited marketing.ExemptionsThese include data required for purposes of national security or where disclosure is required in the public interest, for example in relation to crime, in certain cases involving literary, arti stic or journalistic matters, where the data is required by law to be publicly available, such as company records, and where the data is required in relation to actual or proposed legal proceedings.Powers of the courtThese include orders for enquiry as to the accuracy of data, orders for the rectification, blocking, erasure or destruction of data and of opinions based on data, orders requiring data controllers to re-take, on a non-automated basis, decisions taken by computers on matters such as applications for credit or evaluation of performance at work, orders for the supplementation of inaccurate or misleading data, orders requiring data controllers to notify third parties of corrections or supplements to data and orders restraining the processing of data for the purpose of direct marketing.

The courts will also be empowered to award damages arising from failures to comply with the Act.The potential for expansion of your litigation practice after 1 March may already be apparent, but, as in other fields, this is likely to be further enhanced when the Human Rights Act 1998 is implemented in October.The use of personal data is firmly within Article 8 and interference with those rights will only be permitted where permitted by law, for a legitimate public purpose and where it is both necessary in a democratic society and is proportionate to the end to be achieved.It will often not be difficult for an individual to argue that these exceptions do not apply in this case.-- Further information can be found in a booklet entitled The Data Protection Act 1998 -- An Introduction, available from the commissioner's office or from the Web site http://www.dataprotection.gov.uk