The Data Protection Act 1998

What Data is Held on Individuals?
• By institutions:
  – Criminal information;
  – Educational information;
  – Medical information;
  – Financial information;
  – Employment information;
  – Marketing information;
  – Other: consider mobile phones, ATMs, city centre cameras, store loyalty cards, credit cards, the Internet.

Data protection legislation:
• The nature, purpose and provisions of the current data protection legislation of the Public Register.
• The type of data covered and various exemptions from the legislation.
• The definitions of processing and consent to process.
• Explain how the requirements of the legislation impact on data collection and use.
• Describe the obligations of data users under the legislation.
• The rights of individuals under the legislation.
• The role of the Commissioner in encouraging good practice, acting as Ombudsman and enforcing legislation.

The Data Protection Act 1998
• The widespread use of computers to store data in the 1980s led to the 1984 Act. The 1998 Act updated this to include networks, the Internet and even more widespread use.
• The main purpose is to prevent the misuse of personal data and to give certain rights to individuals if they find out that stored information is incorrect.

Definitions
• Personal Data: data about a person who is alive and can be identified by that data.
• Data Subject: the living individual that the personal data is about.
• The Data Controller: the person who is responsible for the control and use of the data in a business or organisation.
• The Commissioner: the person responsible for enforcing the law, including ensuring that the owners of the data use good practice and that individuals are aware of their rights.

The Data Protection Act 1998
1. Personal data must be obtained and processed fairly and lawfully, the subject has given consent, and the processing is necessary for: a contract, legal obligations, justice etc.
  • Some data is sensitive, including: race, ethnicity, politics, union membership, health, lifestyle etc.
  • The processing of sensitive data is possible if it passes certain conditions and the data subject has given their consent.
  • (On most forms it is not compulsory to give your ethnic details.) It is normally used to help the organisation treat individuals from minority groups fairly.

2. Personal data should be obtained for only one or more specified purposes, and not processed further in any manner incompatible with the original purpose.
3. Personal data should be adequate, relevant and not excessive in relation to the purpose for which they are processed.
4. Personal data should be accurate and, where necessary, be kept up to date.

5. Personal data should not be kept for longer than is necessary for that purpose.
6. Personal data should be processed in accordance with the rights of data subjects.
7. Appropriate technical measures should be taken against unauthorised or unlawful processing of personal data, and against accidental loss, damage or destruction of personal data.

8. Personal data should not be transferred to a country outside the European Economic Area unless that country has an adequate method of data protection by law.

The Data Protection Act is supposed to be a common law for Europe.

The Data Protection Register
• Administer a public register of data users with broad details of the data held. Data users not registered may be fined.
• Investigate complaints and initiate prosecutions for breaches of the Act.
• Publish guideline documents for data users.
• All data users have to register and give:
  – Name and address, and company name and address.
  – Description of the data held and for what purpose.
  – Description of the sources where the data was obtained.
  – Description of the persons to whom the data will be disclosed.

Exemptions from the Act
• Payroll, pensions and accounts data, and the names and addresses.
• Personal, family, household and recreational use.
• Statistical and research purposes, or back-up.
• Mailing lists of only names and addresses and where the individual is asked if they mind if more data is collected.
• National security.

Exemptions From Public Access
• There are some cases where the data is not open to public access. These include:
  – The prevention and detection of crime and criminal surveillance/activity.
  – The apprehension or prosecution of offenders.
  – The assessment or collection of taxes and duties, including Customs and Excise.

Obligations
• The use of personal data must be registered, allowing members of the public the right to see what data is held about them by a particular organisation.
• The organisation may sell the data legitimately to other companies, i.e. a mailing list to a mail order company.
• The individual must have the choice not to allow their details to be given to third parties. Usually the person will give or withhold consent for this by checking a tick box on the data gathering form when submitting their personal details.

Rights of the Individual (Data Subject)
• These rights may be enforceable in a Court of Law:
  – Right to compensation for unauthorised disclosure.
  – Right to compensation for inaccurate data.
  – Right of access to data, and to apply for rectification or erasure where the data is inaccurate.
  – Right to compensation for unauthorised access, loss or destruction of data.

Data Protection Commissioner
• The Commissioner is an independent officer who reports to Parliament. The role of the Data Protection Registrar includes:
  – the maintenance of the register of data users,
  – publicising the Act and how it works,
  – encouraging organisations and individuals to comply with the law,
  – encouraging the development of codes of practice to help users stay within the law,
  – considering all complaints fairly,
  – prosecuting offenders who disregard the basic principles of the Act.