What you need to know about the Data Protection Act

The purpose of Data Protection laws is to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their businesses. There have been two data protection acts: the Data Protection Act 1984, later superseded by the Data Protection Act 1998, which came into force on the 1st March 2000.

When do data protection laws apply?

Data protection law applies whenever a data controller processes personal data.

Data Controller: A person who determines the purposes for which and the manner in which any personal data is processed.

Personal Data: Data that relates to a living individual who can be identified from this data or from this data and other information which is in the possession of the data controller.

Processing: Processing encompasses virtually any use of personal data: collecting it, storing it, even destroying it. The Data Protection Act applies when personal data is processed, or is due to be processed, by a computer, or when it is recorded in a structured manual filing system. Whether or not manual files are covered by the Act is a difficult question; the following need to be taken into account:

  • There must be a set of information relating to individuals.
  • It must be structured by reference to individuals, or by reference to criteria relating to individuals.
  • It must be structured so that individual files are readily accessible.

What must I do to comply with the Data Protection Act?

Eight principles were set out by the Data Protection Act, all of these must be complied with by the data controller:

  1. The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
  2. Data should be obtained only for specified and lawful purposes.
  3. Data should be adequate, relevant and not excessive.
  4. Data should be accurate and, where necessary, kept up to date.
  5. Data should not be kept longer than is necessary for the purposes for which it is processed.
  6. Data should be processed in accordance with the rights of the data subject under the Act.
  7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The first principle dictates that a data controller may only process personal data if they “can satisfy one of the conditions for processing set out in the Act”, i.e.:

  • The subject of the data has given their consent to the processing.
  • The processing is necessary to fulfil a contract entered into with the data subject.
  • The processing is necessary to comply with a legal obligation of the data controller.
  • The processing is necessary to protect the vital interests of the data subject.
  • The processing is necessary for the administration of justice.
  • The processing is necessary for the pursuance of a legitimate interest of the data controller providing this does not harm the rights and freedoms of the data subjects.

What about any sensitive data I may hold? Are there further rules?

Sensitive personal data is information relating to the racial or ethnic origin of a data subject, their political opinions, religious beliefs, trade union membership, sexual life, physical or mental health, or criminal offences or record. In short, the data controller can process such sensitive personal data where:

  • The data subject has given consent.
  • The processing is required to comply with, for example, employment law.
  • It is necessary to establish, defend or exercise legal rights.

What must I do before I process data?

Data subjects themselves must be given information regarding the purpose of the processing. More often than not this is provided in the form of a data protection notice, which can frequently be found in application forms, terms and conditions, etc. The information must be set out in a data protection notice and must include a description of:

  • Data controller: the data controller's details.
  • Purpose: the purpose of the processing.
  • Recipients: who they are and what their purposes are.
  • Opt out/in: the option to opt out of, or in to, any marketing as appropriate.
  • Contact: a description of the methods to be used for contacting individuals for marketing purposes.
  • Information: any further information necessary to make the processing fair.

Are there any special security considerations I should take into account?

Data controllers must put in place adequate technical and organisational measures to safeguard the personal data which they are processing from:

  • Destruction
  • Accidental loss
  • Unauthorised access
  • Disclosure

Furthermore, the data controller must put in place contracts with their data processors dictating what they can and cannot do with the data and what safeguards they must put in place. The data controller should also reserve the right to audit the data processors in order to ensure that they comply with these contracts.

How is my website affected by these Data Protection rules?

Principle eight of the Data Protection principles refers to the transfer of data overseas. If information is placed on a web site without specific consent from the individual, this would be a breach of the Act, as the data would be accessible in countries with less stringent data protection laws.

Do data subjects have any rights relating to their data?

Data controllers must give rights to the data subjects as follows:

  • The right of access to his/her personal data.
  • The right to object to certain processing causing substantial damage or distress.
  • The right to object to automated decision making.
  • The right to object to direct marketing.

What happens if I don’t comply with the Data Protection Act?

Complaints regarding potential breaches can result in the issuing of an ‘information notice’, which requires the data controller to provide certain information within set time limits. Failure to comply with this notice, or providing deliberately false information, is a criminal offence. If it is deemed that there is a breach, an ‘enforcement notice’ can be served; this can force a data controller to cease processing personal data, or to cease processing personal data in a particular way. Again, failure to comply with this notice is a criminal offence.

Criminal liability does not lie solely with the data controller: officers of the company, such as its directors and managers, can also be personally criminally liable if the offence was committed with their consent, knowledge or neglect. Employees can also be criminally liable if they disclose or obtain personal data without authority given by the data subject.

Although these are criminal offences, they are not punishable by way of imprisonment; instead, an unlimited fine can be levied.
