To the uninitiated, data processing conjures up frightening Orwellian images of 1984—machines of the new technology operated by the new elite, computer scientists, to maintain vast databanks, reducing each and every citizen to a cypher whose life history can be instantaneously reproduced merely by feeding a machine an identification number. The reality is usually more mundane. We all give out information about ourselves, usually in order to obtain some benefit, whether in goods, services or facilities. Thus our banker, doctor, accountant, school and university, employer, insurer and countless others, including commercial organizations and government bodies, have information about each one of us, which in most cases we have voluntarily provided. Only in a few cases is information gathered and held for potentially hostile purposes without our knowledge or consent, by, for example, the police and the security services.

But dangers do lie in the uncontrolled collection, storage, collation, rearrangement and dissemination of information about people. Information obtained by consent for one beneficial purpose may be used without consent for another purpose detrimental to the person concerned. Information which is personal and sensitive may be disclosed to others whom the person concerned may not wish to have such information. Information may be inaccurate or out of date yet be used or relied upon to the detriment of the person concerned.

These dangers are multiplied when the information is held and processed in computers and other electronic equipment capable of storing and retrieving it. The volume of information held, the speed at which it can be processed and the complexity and variety of operations which can be performed upon it by such equipment magnify the risk and the extent of potential damage. The revolution in new technology engendered by the development and exploitation of the microchip has resulted in such equipment’s being widely and cheaply available. Electronic typewriters with memories, word processors, microcomputers and automated office systems, often connected to main-frame computers, are common today in most organizations. All of this equipment is capable of and frequently used for the storage and processing of information about identifiable individuals. The risk of damage has thus become more widespread1.

Recognition of that risk has led most West European governments to legislate against the misuse of information held on computers and other automated equipment capable of storing or processing information2. Concern about the risk of international transfers of information held on such equipment, particularly to countries which do not have such protective legislation, led in 1981 to the European Convention on Data