Legal framework / Data Protection Act

Data Protection Act

The Data Protection Act (DPA) is a law designed to protect personal data stored on computers or in an organised paper filing system.

The need for the Data Protection Act

During the second half of the 20th century, businesses, organisations and the government began using computers to store information about their customers, clients and staff in databases. For example:

names
addresses
contact information
employment history
medical conditions
convictions
credit history
Databases are easily accessed, searched and edited. It’s also far easier to cross reference information stored in two or more databases than if the records were paper-based. The computers on which databases resided were often networked. This allowed for organisation-wide access to databases and offered an easy way to share information with other organisations.
The data, information and databases section has more on searching databases.
Misuse and unauthorised access to information
With more and more organisations using computers to store and process personal information there was a danger the information could be misused or get into the wrong hands. A number of concerns arose:
- Who could access this information?
- How accurate was the information?
- Could it be easily copied?
- Was it possible to store information about a person without the individual’s knowledge or permission?
- Was a record kept of any changes made to information?
The purpose of the Data Protection Act
The 1998 Data Protection Act was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them.
Other European Union countries have passed similar laws as often information is held in more than one country.
How the Data Protection Act works
The Data Protection Act was developed to give protection and lay down rules about how data about people can be used.
The 1998 Act covers information or data stored on a computer or an organised paper filing system about living people.
The basic way it works is by:
setting up rules that people have to follow
having an Information Commissioner to enforce the rules
It does not stop companies storing information about people. It just makes them follow rules.
The roles of those involved
The Information Commissioner is the person (and his or her office) who has powers to enforce the Act.
A data controller is an organisation or individual (for example, when self-employed) who determines what data the organisation collects, how it is collected and how it is processed.
A data subject is someone who has data about them stored somewhere, outside of their direct control. For example, a bank stores its customers' names, addresses and phone numbers. This makes us all data subjects as there can be few people in the UK who do not feature in computer records somewhere.
Registration with the Information Commissioner
Any organisation or person who needs to store personal information must apply to register with the Information Commissioner.
Data controllers must declare what information will be stored and how it will be used in advance. This is recorded in the register.
Each entry in the register contains:
the data controller's name and address
a description of the information to be stored
what they are going to use the information for
whether the data controller plans to pass on the information to other people or organisations
whether the data controller will transfer the information outside the UK
details of how the data controller will keep the information safe and secure
Types of personal data
Some data and information stored on a computer is personal and needs to be kept confidential. People want to keep their pay, bank details, and medical records private and away from the view of just anybody. If someone who is not entitled to see these details can obtain access without permission it is unauthorised access. The Data Protection Act sets up rules to prevent this happening.
Two types of personal data
Personal data is about living people and could be:
their name
address
medical details or banking details
Sensitive personal data is also about living people, but it includes one or more details of a data subject's:
racial or ethnic origin
political opinions
religion
membership of a trade union
health
sex life
criminal activity
There are fewer safeguards for personal data than there are for sensitive personal data. In most cases a person must be asked specifically if sensitive data can be kept about them.
Responsibilities of data controllers
All data controllers must keep to the eight principles of data protection.
When you read about these, you may find them called "The Data Protection Principles".
Remember: a data controller is the nominated person in a company who applies to the data commissioner for permission to store and use personal data.
The eight principles of data protection
For the personal data that controllers store and process:
1. It must be collected and used fairly and inside the law.
2. It must only be held and used for the reasons given to the Information Commissioner.
3. It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
4. The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data.
5. It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move.
6. It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most.
7. The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone.
8. The files may not be transferred outside of the European Economic Area (that's the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law. This part of the DPA has led to some countries passing similar laws to allow computer data centres to be located in their area.
The rights of data subjects
People whose personal data is stored are called data subjects. The DPA sets up rights for people who have data kept about them. They are:
A right of subject access: A data subject has a right to be supplied by a data controller with the personal data held about him or her. The data controller can charge for this (usually around £10 pounds).
A right of correction: A data subject may force a data controller to correct any mistakes in the data held about them.
A right to prevent distress: A data subject may prevent the use of information if it would be likely to cause them distress.
A right to prevent direct marketing: A data subject may stop their data being used in attempts to promote or sell them things (eg by junk mail or cold calling.)
A right to prevent automatic decisions: A data subject may specify that they do not want a data user to make "automated" decisions about them where, through points scoring, a computer decides on, for example, a loan application.
A right of complaint to theInformation Commissioner: A data subject can ask for the use of their personal data to be reviewed by the Information Commissioner who can enforce a ruling using the DPA. The Commissioner may inspect a controller's computers to help in the investigation.
A right to compensation: The data subject is entitled to use the law to get compensation for damage caused ("damages") if personal data about them is inaccurate, lost, or disclosed.
Remember:
these rights only practically exist if you know who has data stored about you
some data controllers are exempt from the Act