The purpose of Data Protection laws is to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their businesses. There have been two data protection acts: the Data Protection Act 1984, later superseded by the Data Protection Act 1998, which came into force on 1st March 2000.
When do data protection laws apply?
Data protection law applies whenever a data controller processes personal data.
Data Controller: A person who determines the purposes for which, and the manner in which, any personal data is processed.
Personal Data: Data that relates to a living individual who can be identified from this data, or from this data together with other information which is in the possession of the data controller.
Processing: Processing encompasses virtually any use of personal data: collecting it, storing it, even destroying it. The Data Protection Act applies when personal data is processed, or is due to be processed, by a computer, or is recorded in a structured manual filing system. Whether or not manual files are covered by the Act is a difficult question; the following need to be taken into account:
- There must be a set of information relating to individuals.
- Structured by reference to individuals or by reference to criteria relating to individuals.
- So that individual files are readily accessible.
What must I do to comply with the Data Protection Act?
Eight principles were set out by the Data Protection Act, all of which must be complied with by the data controller:
- The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
- Data should be obtained only for specified and lawful purposes.
- Data should be adequate, relevant and not excessive.
- Data should be accurate and, where necessary, kept up to date.
- Data should not be kept longer than is necessary for the purposes for which it is processed.
- Data should be processed in accordance with the rights of the data subject under the Act.
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The first principle dictates that a data controller may only process personal data if they "can satisfy one of the conditions for processing set out in the Act", i.e.:
- The subject of the data has given their consent to the processing.
- The processing is necessary to fulfil a contract entered into with the data subject.
- The processing is necessary to comply with a legal obligation of the data controller.
- The processing is necessary to protect the vital interests of the data subject.
- The processing is necessary for the administration of justice.
- The processing is necessary for the pursuance of a legitimate interest of the data controller, providing this does not harm the rights and freedoms of the data subjects.
What about any sensitive data I may hold? Are there further rules?
Sensitive personal data is information relating to the racial or ethnic origin of a data subject, their political opinions, religious beliefs, trade union membership, sexual life, physical or mental health, or criminal offences or record. In essence, the data controller can process such sensitive personal data only where:
- The data subject has given consent.
- The processing is required to comply with, for example, employment law.
- It is necessary to establish, defend or exercise legal rights.
What must I do before I process data?
Data subjects themselves must be given information regarding the purpose of the processing. More often than not this is provided in the form of a data protection notice, which can frequently be found in application forms, terms and conditions etc. The information must be set out in a data protection notice and must include a description of:
- Data Controller: the data controller's details.
- Purpose: the purpose of the processing.
- Recipients: details of who they are and what their purposes are.
- Opt Out/In: the ability to opt in to or out of any marketing, as appropriate.
- Contact: a description of the methods to be used for contacting individuals for marketing purposes.
- Information: any further information necessary to make the processing fair.
Are there any special security considerations I should take into account?
Data controllers must put in place adequate technical and organisational measures to safeguard the personal data which they are processing from:
- Accidental loss or destruction of, or damage to, the data.
- Unauthorised or unlawful access to, or processing of, the data.
Furthermore, the data controller must put in place contracts with their data processors dictating what they can and cannot do with the data and what safeguards they have to provide. The data controller should also reserve the right to audit the data processors in order to ensure that they comply with these contracts.
How is my website affected by these Data Protection rules?
Principle eight of the Data Protection principles refers to the transfer of data overseas. If personal information is placed on a website without specific consent from the individual, this would be a breach of the Act, because the data would be accessible in countries with less stringent data protection laws than those of the European Economic Area.
Do data subjects have any rights relating to their data?
Data controllers must give rights to the data subjects as follows:
- The right of access to his/her personal data.
- The right to object to certain processing causing substantial damage or distress.
- The right to object to automated decision making, and
- The right to object to direct marketing.
What happens if I don't comply with the Data Protection Act?
Complaints regarding potential breaches can result in the issuing of an "information notice", which requires the data controller to provide certain information within set time limits. Failure to comply with this notice, or providing deliberately false information, is a criminal offence. If it is deemed that there is a breach, then an "enforcement notice" can be served; this can force a data controller to cease processing personal data, or to cease processing personal data in a particular way. Again, failure to comply with this notice is a criminal offence.
Criminal liability does not lie solely with the data controller: officers of the company such as its directors and managers can also be personally criminally liable if the offence was committed with their consent or connivance, or is attributable to their neglect. Employees can also be criminally liable if they disclose or obtain personal data without the authority of the data controller.
Although these are criminal offences, they are not punishable by way of imprisonment; instead an unlimited fine can be levied.