New rules come into force next Wednesday to give greater rights to private individuals faced with leviathan organisations and their filing systems. And that will give consumers and others who want to know what information is held on them a cause to cheer.
The substantially strengthened Data Protection Act - enacted in 1998 - goes live on Wednesday. Besides reinforcing the individual against the corporate machine, it throws a fresh light on data collection which could see many individuals exercising rights to opt out and others insisting organisations turn out their filing cabinets afresh. It could also lead to many employees asking bosses, for the first time, to reveal what is in personnel department files.
But there could well be another sound coming from offices up and down the country - the whirr of shredding machines as firms try to frustrate individuals exercising some of their new rights.
Information on every individual is probably held on average in 50 places - for those who frequently buy over the internet or by mail order, and for those with complicated financial arrangements, the number can easily top 100.
Some of it is essential. If you have an account with NatWest Bank, then the bank must keep some details about you. Shareholders in British Telecom need the comfort of knowing that a registrar has their personal details - otherwise they would not get their dividends or annual reports as this country has no tradition of anonymous bearer bonds and shares. And if you buy a fridge from John Lewis, the store needs to know your address in case there is a safety recall or you have a guarantee quibble and cannot find the receipt.
But information creates more information. Putting lots of individual facts together - someone banks with NatWest, has BT shares and has recently bought a fridge from John Lewis - creates a marketing profile. This person is likely to have different tastes and aspirations to someone with no bank account or shares and who buys domestic goods from the local second-hand store. Many organisations exist to buy and sell this information.
The resulting material can be used to select prospects for marketing purposes; it is also routinely used in decision making. Most of us are only dimly aware of all this. We treat it as an irritant of life - until something goes wrong.
We might be turned down for credit because of an error at a reference agency such as Experian or Equifax, we might want to complain about being mis-sold a financial product or we might just want to know why we have been selected for the latest round of telephone torture sales.
One huge advance - and the reason for those shredding machines - is that the new act includes "manual data" rather than just the computer records in the original 1984 legislation.
Mike Bradford, the recently appointed data protection director at Experian, says the act gives "data" a very broad definition. He says: "It now includes manual data in any form that is 'structured and accessible'." That could include filing cabinets, card index boxes and piles of lifestyle questionnaires provided they are in some order such as being sorted by name or by postcode. It could even include a contacts list in a Filofax. But the act will exclude personal lists however they are kept. Nor would information kept in a random order count.
The exclusion of manual data from the old law allowed "blacklisting agencies" such as the old Economic League to keep records in a paper form rather than on computer files so the subject could not demand to inspect them.
Back in the early 70s, actor Ricky Tomlinson was a politically active building worker who became involved in a construction site strike in Shrewsbury. The police alleged he had taken part in violence; the court concurred and Tomlinson - one of the Shrewsbury three - was sentenced to prison.
Since then, he has become a successful actor, first in the Channel 4 soap Brookside, and most recently as Jim, the largely armchair-bound father of the television-watching kin in BBC 1's The Royle Family.
But between construction site activism and television fame, Tomlinson found himself blacklisted by an employers' organisation. He was not alone: thousands of others were similarly on warning lists circulated to employers, unable to find work due to union or political activities.
None of these could use the old Data Protection Act. They could use the new version - provided they can discover who is keeping records on them. Most employee records from the original application to the latest disciplinary action have usually been kept as manual data.
It is often easier to file away handwritten notes, while locking them away in a physical filing cabinet can ensure more confidentiality than a computer system.
But up to now, these files have escaped data protection provisions. With some exceptions, employers will now have to be honest with their staff. Some will react by filing less - many lawyers believe material kept by date order in a notebook does not count for the "structured and accessible" rule.
Once the act is up and running - and companies which were registered under the previous data laws by October 1998 have until October 2001 for full compliance - Data Protection Registrar Elizabeth France will bring in a code of practice governing the uses of personal data by employers.
The code will introduce tighter control over the use of employee records in three key areas:
1. Employee surveillance involving collection of data to monitor performance or detect problems
2. Automated processing such as aptitude and psychometric testing and the extent to which employment decisions might be taken by computers analysing results
3. Sensitive information including genetic tests or results of alcohol or drug testing.
Once the new code is fully in place, failure to comply could lead to enforcement action by the Registrar, or a claim for compensation by any individual who has suffered as a result.
Mrs France says: "The development of new technology is threatening personal privacy in the workplace. Employers want to know more and more about their staff who are often not in a position to resist. This code will set out clear ground rules to ensure fairness to employees."
Another group who might be able to use the "manual data" provisions are those who were mis-sold pensions and endowments. While financial and investment companies have had to hand over formal factfinds for a decade, many unscrupulous sellers made separate records on paper which could reveal the real reasons they sold the products.
Companies and other organisations which fear that their manual files will have to be revealed and which could then expose them to potential legal action will be keeping their shredding machines working overtime.
Andersen Legal have already warned clients to "clean up" old files so that only essential and relevant information is retained.
The new law contains other new rights. Individuals can object to their personal data being used for direct marketing - existing opt-outs are toughened with new penalties for non-compliance.
But there will be some areas where personal records will be subject to secrecy - for example, national security and crime prevention and apprehension.
Companies will be able to claim exclusions for price-sensitive information while files kept for "journalism and other literary purposes" are not included.
Main changes
Records kept on paper to be revealed in addition to computer data
New rights to know who holds information on you
Being told the identity of the person in a business nominated as responsible for data protection issues
Rights to have a photocopy of personal information held
Greater rights to object to anyone holding personal data
New rules to prevent data being sent to a foreign country outside the European Economic Area to escape the legislation
A new range of non-compliance rules which can lead to individuals being held personally responsible for breaches.