All those who in any way hold data that are notifiable under the Data Protection Act have up to Wednesday to pay their fees and, come Thursday, a new cycle begins with fees due for next near.

According to Data Protection Commissioner Paul Mifsud Cremona, the concession for people to pay their fees were first extended to April and then again to next Wednesday. Speaking to The Sunday Times in his office in Republic Street, Valletta, he defined his job as "to protect the privacy of the individual. Now, to do that one has to regulate the persons (known as data controllers) who process the personal data of these data subjects (defined as any person on whom the information is kept).

"So, data protection speaks about individuals, not companies or organisations. I can also see the Data Protection Act as the extension of the privacy rights which are enshrined in the Constitution. The principles are there but are not enforceable; but the Data Protection Act is enforceable because it is tangible."

More fundamentally, Mr Mifsud Cremona sees his role as managing a change in mentality and culture to enable people to know what their rights to privacy are and not to presume they have rights they do not have.

On the other hand, the Act is not intended to stifle any kind of operation. "But we need to have a clear understanding of the respect for the privacy of the individual... and data controllers have to change their work practices to ensure they are in conformity with the Act," Mr Mifsud Cremona stressed. Once all the notifications have been made, the Office of Data Protection can hold a public register that is accessible by everyone.

The Data Protection Act was enacted in 2001 and parts of the Act came into force in 2002, including the appointment of the first Commissioner, Professor John Mamo. Last January, after Professor Mamo's resignation following amendments in the Act, which might have caused a conflict of interest, Mr Mifsud Cremona took up the post, which is for a five-year term.

Under the Act, anyone who "processes" data, which has an extremely wide definition - even keeping something you don't use on a shelf as well as storage is "processing" - has to notify the Office of Data Protection.

I asked him to consider the classic example of the Electoral Register. "There are data of a public nature and data that are not of a public nature," he said. "It does not mean that the way data are published should facilitate the extrapolation of a multitude of data which is not what is contained in the register itself. In terms of data being used for mail shots and commercial purposes, it is to my mind not what it should be used for.

"In terms of other personal data, to what extent is my personal file as an employee with my employer accessible? I will have the right of access to the information that is contained in my file. This is a new concept not only in terms of regulating how and why data should be kept; also regulating that consent is required and (other conditions under the law)."

There are also sensitive data, like personal medical information, and also deadlines for the retention of data. Mr Mifsud Cremona gave the example of income tax data, where the prescription period is eight years.

In this context the Data Protection Commissioner is currently undertaking an exercise to meet the various sectors - insurance, banking, medical, education and, last week, journalism - to develop a code of practice for all those operating in their sector. "We are trying to build a relationship with the aim of establishing a clear understanding of the law," he said.

Mr Mifsud Cremona, 61, spent 17 years in the civil service, mainly in the Attorney General's office. He then spent some years as secretary general of the Institute of Accountants and then worked as a management consultant in various ministries, sitting on government councils, especially in the Office of the Prime Minister.

He then took up a position with the Management Systems Unit, later the Management Efficiency Unit, finishing up as chief executive, before taking up his post with the Office of Data Protection.

As part of the capacity building within the Office of Data Protection, a twinning covenant has just been concluded with the UK Commissioner's Office of Data Protection, which will be sending experts from early in September. The aim of this capacity building is to avoid mistakes that were done overseas.

During the coming year, Mr Mifsud Cremona intends to conclude many of the discussions with the various professional and commercial sectors, issuing guidelines in areas of a general nature, like human resources, and working with unions and employers to come to an agreement.

"Another exercise I am doing at the moment is looking at the law to see where we can improve. I was joint author of the law when it was enacted but when you come to implement it, there is need for (fine tuning the) regulations.

"One thing that worries me a lot is the penalties. They are quite heavy: a Lm10,000 fine and six months' imprisonment; but the law does not distinguish between the level of severity. I can also impose administrative penalties, which are similarly hefty - Lm10,000.

"But the only reason the commissioner can impose these administrative fines is in terms of not being allowed access (to data) or being given the information which I request. So, for example, if I have a person failing to notify as he should, that person would incur a penalty and I would have to take that person to court.

"We come from a background where all offences were criminal. But now the trend is different, to depenalise and decriminalise. So, I will be looking very closely at what I will be proposing to government because at the end of the day it is government that has to decide (on) a more acceptable penalty structure."

Finally, Mr Mifsud Cremona is taking an active part in the Article 39 Working Party of the European Commission, which formulates policy in relation to data protection, following Malta's accession to the European Union on May 1.