The Data Protection Act
Why does it exist?
Organisations have always kept information about people. The Data Protection Act was in part enacted because of the impact of computer systems.
Why does it exist? (cont’d)
· Computers make it easy to copy information
· Computers make it easy to distribute information
· Computers make it easy to gather information from different sources in one place
What is it for? (cont’d)
· Not all computer systems are secure
· This can allow unauthorised access and the possibility of misuse
The Act was brought in to prevent the misuse of personal data.
The 1998 Act
· Covers information or data, stored on a computer or in an organised paper filing system, about living people.
· It established the role of the Information Commissioner.
· All organisations holding personal data must be registered with the Information Commissioner and abide by the laws laid out in the Act.
Personal Data
The Act sets up two types of personal data:
Personal data:
· name
· address
· medical details
· banking details
Sensitive personal data:
· racial or ethnic origin
· political opinions
· religion
· membership of a trade union
· health
· sexual life
· criminal activity
There are more safeguards about sensitive data than ordinary personal data.
Terms in the Act
Some key terms are:
· Data Subject - someone who has data about them stored somewhere, outside their direct control.
· Data Controller - the person or organisation that stores personal data.
You will also need to remember the Eight Data Protection Principles…
Eight Data Protection Principles
1. Data should be processed fairly and lawfully.
2. Data should be obtained for one or more specified lawful purposes.
3. Data shall be adequate, relevant and not excessive.
4. Data shall be accurate.
5. Data is not kept longer than is necessary for its purpose.
6. Data shall be processed in accordance with subject rights.
7. Appropriate measures shall be taken against unauthorised/unlawful processing, loss, destruction, damage to personal data.
8. Data must not be transferred to countries which do not provide adequate protection.
Data Subject Rights
1. Access: A data subject has a right to be supplied by a data controller with the personal data held about him or her.
2. Prevent Distress: A data subject may prevent the use of information if it would be likely to cause them distress.
3. Prevent Direct Marketing: A data subject may stop their data being used in attempts to sell them things (e.g. by junk mail or cold telephone calls).
4. To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
5. Prevent Automatic Decisions: A data subject may specify that they do not want a data controller to make "automated" decisions about them.
6. To take action for compensation if they suffer damage by any contravention of the Act.
7. To take action to rectify, block, erase or destroy inaccurate data.
Exemptions
Exemptions fall into one of two types:
· Complete
· Partial
Complete Exemptions
1. Personal data held for domestic purposes only at home, e.g. a list of your friends' names, birthdays and addresses, does not have to keep to the rules.
2. Any personal data that is held for a national security reason is not covered. So MI5 or MI6 don't have to follow the rules. They do need to get a Government Minister to sign a certificate saying that they are exempt.
Partial Exemptions
1. The taxman or police do not have to disclose information held or processed to prevent crime or taxation fraud.
2. A data subject has no right to see information stored about them if it is to do with their health.
3. A school pupil has no right of access to personal files, or to exam results before publication.
4. A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
5. Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
6. Employment references written by a previous employer are exempt.
7. Planning information about staff in a company is exempt, as it may damage the business to disclose it.
Something to think about…
The school cleaner notices that her personal details are visible on a secretary’s computer screen after the secretary has gone home. Her telephone number is recorded incorrectly and her address is out of date.
Why should the cleaner be concerned about this?
How has the Data Protection Act been contravened?
Glossary
· Data Protection Act - A law designed to protect personal data stored on computer.
· Information Commissioner - The official who supervises the enforcement of the Data Protection Act.
· data controller - The person or organisation that stores personal data.
· data subject - The person about whom data is stored.
· personal data - Information about a particular person.