With the exception of Ireland and Luxembourg, all European Union countries have now amended their laws to meet the requirements of the 1995 Data Protection Directive.
In principle, therefore, the laws for processing personal information are now harmonised across most of Europe.
In the UK, the directive was implemented by means of the Data Protection Act (DPA) 1998, which came fully into force last October.
This has seen a number of significant changes to the 1984 legislation, not least the extension of the law to cover non-computerised records, including material in filing cabinets, index cards, microfilm and video collections.
The rules of the DPA
The purpose of the DPA is to impose strict rules on the processing of personal data identifying living individuals.
Data here includes factual information - name, address, email and so on - but also expressions of opinion about individuals or indications of intentions towards them. Processing implies a wide range of activities, including obtaining, storing, copying, disclosing and even disposing of the data.
There are additional rules concerning the processing of 'sensitive' personal information, such as racial or ethnic origin or political opinions.
Finally, the DPA provides a set of enforceable expectations for data subjects, the individuals on whom information is held.
They can, for instance, demand to see the data held on them and, in many cases, prevent it being processed, including for the purposes of direct marketing. In addition, they can sue data controllers, those holding the information, for distress or damages incurred as a result of improper processing. Criminal prosecution is also possible.
Essentially, data controllers have three responsibilities. First, they have to notify the relevant national authority, in the UK the Information Commissioner, of their processing activities.
Second, they are required to comply with a code of conduct, the data protection principles, when processing data.
Third, they are obliged to respond to requests from individuals for details of information held on them, so-called 'subject access requests'.
Data protection principles
There are eight data protection principles. These include the requirement that personal data should be processed fairly and lawfully; that it should be obtained only for one or more specified and lawful purposes; that it should be accurate and, where necessary, up to date; that appropriate measures are taken to secure it; and that it should not be transferred to a country outside the EU unless that country has similar protection.
There are, however, exemptions to complying with the principles where, for instance, processing is undertaken for national security purposes; for the prevention and detection of crime; for the assessment and collection of tax; or where the information is published for journalistic, literary or artistic purposes.
The implications for librarians of this new legislation are open to debate.
In May 2000, for instance, Professor Charles Oppenheim, of Loughborough University, produced a briefing document for the Society of College, National and University Libraries (SCONUL).
He argued that there was a strong case for believing that "LIS databases that involve 'public' personal information, such as author's names on OPACs and on data downloaded from databases" might well be exempted from many of the data protection principles, on the ground that the data is collected and published in the public interest.
In effect, he suggested that this data "will come under the 'literary work' exemptions".
Michael Heaney, head of service assessment and planning at Oxford University Library Services, disagrees. "There is no doubt that library catalogues are repositories of personal data within the meaning of both the old and new Data Protection acts," he wrote in the Summer 2001 issue of Catalogue & Index.
Clearly, establishing precisely what new responsibilities data protection laws impose on libraries is not straightforward. Moreover, when the Office of the Information Commissioner (OIC) was asked to clarify matters it responded that it would be necessary to do some research before answering.
However, an announcement on the OIC's website shows the office has a backlog of queries to clear.
Nevertheless, it should not be doubted that data protection laws have implications for librarians. As Oppenheim went on to point out in his SCONUL document, whatever the situation with library catalogues, many LIS activities - such as records of patrons' use of facilities, bibliographic details of books on order and records of searches - will not be exempt.
Oppenheim advises: "Such data should be treated as standard personal data and so, for example, patrons should be informed that data is being collected about them, what data is being collected, and who such data is passed to."
Hazards of web-based information
As libraries increasingly provide web-based information and services, so a greater degree of LIS activity is likely to fall within the scope of the data protection laws.
For this reason, Amanda McKenzie, writing in Aslib's Handbook of Information Management, says it is important to "consider whether the [library] website is providing access to personal data and/or whether it is gathering personal data from visitors".
Particular activities of which to be mindful, she adds, include publication on the web of such things as public and internal directories, and staff biographical details; the use of online registration forms, online research surveys and email subscription lists; and the utilisation of profiling technologies such as cookies or spyware.
The greatest danger, however, could be the assumption that, as specialists in handling information, librarians have little to learn about data protection.
"Data protection hasn't emerged as a big issue for librarians," explained Toby Bainton, SCONUL administrator. "They have been managing data about people for years, and on the whole they have been fairly good at it."
Data protection is a bigger issue than traditional notions of librarianship. It is also now a legal responsibility. Moreover, there is evidence to suggest that librarians may not even be living up to their own self-image.
A recent survey of 300 academic and special libraries by Loughborough University, for instance, discovered what Paul Sturges, professor of information science at Loughborough University, describes as a "serious gap between policy and practice".
While the libraries surveyed claimed to regard security of user data and the protection of individual privacy as very high service priorities, very few of them had a privacy policy; one third did not have a data protection policy; and the librarians contacted were frequently unaware of the necessary procedures for dealing with enquiries about user data.
"We weren't very impressed by the level of preparedness amongst librarians for dealing with privacy and data protection issues," said Sturges.
Should we be concerned? Bainton thinks not. "Libraries may be a bit disorganised when it comes to meeting requests for information and it is probably reprehensible not to have a policy," he conceded.
"But I would be surprised if they are doing anyone any harm. I would take it more seriously if they were breaching the Act in terms of the principles: not destroying records properly or divulging them to other people."
Nevertheless, failure to supply information in response to a subject access request is itself a breach of data protection principles. Moreover, without a data protection policy, libraries are at greater risk of unwittingly breaching other aspects of the DPA.
One particular hazard, according to Paul Ticher, author of Aslib's Data Protection for Library and Information Services, is processing patron data beyond the original purpose for which it was collected where, for instance, libraries are "part of a larger organisation, such as a local authority, which expects them to participate in any kind of data sharing".
With many libraries taking a more proactive approach to marketing their services, the risks are increasing. West Lothian Libraries, for instance, has begun to harvest patron email addresses and create profiles of users, with the aim of mapping these profiles against stock additions and firing off email marketing messages with details of new books.
"This is a very significant development for West Lothian Libraries," explained support services manager George Kerr in a recent paper.
While West Lothian Libraries has looked at data protection issues, it is clear that any library seeking to market its services in such a manner risks straying into dangerous territory.
"There is a lot to be said for making more use of these records but this has to be done within clear guidelines," said Sturges. "There is a thin line between using the data to bring back lapsed readers, or to give a better service to existing readers, and starting to think: 'This data could be used for other purposes and in fact is very saleable.' So it introduces a potential temptation."
Peter Carey, a consultant solicitor with Charles Russell Solicitors, and author of Data Protection in the UK, said that the OIC has recently stated that it intends to enforce the DPA more proactively next year.
"It will also be doubling its staff to 360, which means that more people will be dedicated to enforcing this statute than any other single statute in the history of English law," he said.
No excuses
Clearly, libraries are unlikely to prove a very high enforcement priority. Nevertheless, if they are seen to be neglecting patrons' legal rights then at the very least they risk jeopardising the high level of trust they currently enjoy.
Besides, as Eric Davies, director of Loughborough University's Library and Information Statistics Unit, says: "There is no excuse for librarians to get it wrong, because their whole training and ethos is about managing information properly."
Of course, librarians are not the only ones to handle data about library users. Information vendors do too, and some are concerned that libraries could be held responsible if vendors were to invade patrons' privacy.
"There is a small but growing concern about contracts that libraries sign with information vendors," said Bainton. "When they subscribe to electronic services, for example, the question arises as to whether content providers track who is reading what."
Is this a real danger? What information do vendors such as Lexis-Nexis and Factiva hold on their customers in any case? Unfortunately, despite several requests, both companies proved unwilling to comment.
Via its PR company, Factiva would only state that it chose not to comment, since the topic was "more relevant to consumer-driven companies, not business-to-business [companies] like Factiva".
However, a search on the Data Protection Register reveals that both companies maintain personal information on users.
In the case of Factiva, this consists of a surprising amount of data, including marital status, details of family and household members, property and possessions, career history, pension details and 'lifestyle'. This information is held on current customers, on past and potential customers, and on 'other contacts'.
The Loughborough survey, of course, suggests that many librarians are equally reticent. Moreover, when, during the writing of this article, a number of university libraries were contacted and asked how access requests could be made, the response was decidedly patchy.
Some failed to reply to the request, and in one case the librarian refused to explain the procedure on the grounds that data subjects should first explain why they want the information.
One fundamental principle of the DPA, according to Chris Pounder, a consultant at law firm Masons, is that there is a "very strong commitment to transparency of processing, so you have to tell people what you are doing".
However, this need for transparency appears to be something few librarians and information vendors appreciate.
Richard Poynder is a freelance journalist.




