Why is it important for your organisation to comply with the Data protection Act?
The Data Protection Act 1998 (“DPA”), lays down eight data protection principles that any organisation processing data of individuals must comply with.
What does the DPA cover?
The DPA came into force on 1 March 2000. The DPA implemented the European Union (“EU”) Directive on data protection into UK law introducing radical changes to the way in which personal data regarding identifiable living individuals can be used. The constant need for businesses to process personal data means that the DPA impacts upon most organisations, irrespective of size. Furthermore, the public’s growing awareness of their right to privacy means that data protection will remain an important issue.
The DPA makes a distinction between personal data and personal sensitive data. Personal data includes personal data relating to employees, customers, business contacts and suppliers. Sensitive data covers an individual’s ethnic origin, medical conditions, sexual orientation and eligibility to work in the UK . The data protection principles set out the standards which an organisation must meet when processing personal data. These principles apply to the processing of all personal data, whether those data are processed automatically or stored in structured manual files.
What is data?
Data means information which is processed by computer or other automatic equipment, including word processors, databases and spreadsheet files, or information which is recorded on paper with the intention of being processed later by computer; or information which is recorded as part of a manual filing system, where the files are structured according to the names of individuals or other characteristics, such as payroll number, and where the files have sufficient internal structure so that specific information about a particular individual can be found easily.
What are the eight data protection principles?
The eight data protection principles are as follows:
Personal data must be processed fairly and lawfully
Personal data must be obtained only for specified and lawful purposes and must not be processed further in any manner incompatible with those purposes
Personal data must be adequate, relevant and not excessive in relation to the purposes for which they were collected
Personal data must be accurate and, where necessary, kept up to date
Personal data must not be kept longer than is necessary for the purposes for which they were collected
Personal data must be processed in accordance with the rights of data subjects
Personal data must be kept secure against unauthorised or unlawful
processing and against accidental loss, destruction or damage
Personal data must not be transferred to countries outside the European
Economic Area unless the country of destination provides an adequate level of data protection for those data.
What data comprises personal data?
Personal data relates to data of living individuals who can be identified from those data, or from those data and other information which is in the possession of the data controller or which is likely to come into its possession for example, names, addresses and home telephone numbers of employees.
What data comprises sensitive data?
Personal Sensitive data (“sensitive data “) consist of information relating to a data subject’s (individuals):
racial or ethnic origin;
political opinions;
religious beliefs or other similar beliefs;
trade union membership;
physical or mental health or condition;
sexual orientation;
commission or alleged commission of any offences; convictions or criminal proceedings involving the data subject.
convictions or criminal proceedings involving the data subject.
What is the meaning of processing under the DPA?
The definition of ‘processing’ is very broad. It covers any operation carried out on the data and includes, obtaining or recording data, the retrieval, consultation or use of data, the disclosure or otherwise making available of data.
Who is a data controller?
A ‘data controller’ is any person who (alone or jointly with others) decides the purposes for which, and the manner in which, the personal data are processed. The data controller will therefore be the legal entity which exercises ultimate control over the personal data. Individual managers or employees are not data controllers.
The data controller is responsible for:
Personal data about identifiable living individuals
Deciding how and why personal data are processed
Information handling – complying with the eight data protection principles
Acquiring “data subjects” consent for processing sensitive data
Existing procedures for handling sensitive or personal data
Security measures to safeguard personal data
Notification
Who is a data processor?
A ‘data processor’ is a person or organisation who processes the data on behalf of the data controller, but who is not an employee of the data controller.
Who is a data subject?
A ‘data subject’ is any living individual who is the subject of personal data. There are no age restrictions on who qualifies as a data subject, but the definition does not extend to individuals who are deceased.
Are we required to notify? What does notification mean?
An organisation must not process any personal data unless it has first notified the Information data hk Commissioner of certain particulars, including:
the organisation’s name and address;
the purposes for which the data are to be processed;
any proposed recipients of the data;
countries outside the European Economic Area to which the data may be disclosed.
What is the meaning of a subject access?
This is a request by an individual to be granted access to, and be provided with a copy of, any personal data which an organisation holds about him or her. This includes the right to be provided with information about the purposes for which the organisation processes those personal data, the source of the data, the identity of any person to whom the data have been disclosed and the logic behind any automated decision making processes. A subject access request is a request to be granted access to, certain personal data which an organisation holds about an individual. This includes the right to be provided with information about:
the purposes for which the organisation processes those personal data
the source of the data, the identity of any person to whom the data have been disclosed; and
the logic behind any automated decision making processes
preventing processing which is likely to cause the data subject damage or distress
preventing processing which is taking place for the purposes of direct marketing
objecting to automated decisions being taken about him or her (i.e. decisions which do not have any human involvement);
Claiming compensation for any ‘damage’ or ‘damage and distress’ which is caused to the data subject (or another person) as a result of the Company’s breach of the DPA.
What is a data subject entitled to, if he or she makes a successful claim for compensation?