This article introduces the Data Protection Act 1998 - does your business comply?

What is Data Protection? Data Protection is the area of Law that Governs what may or may not be done with personal information. Such personal information may be in manual (hand-written, print outs etc) or electronic (Stored on a computer) form. It applies to the processing of personal data by "Data Controllers”.

Understanding the terms used. 1. Data Controller - any person/business who controls processing of personal data.

2. Personal Data - information (electronic or manual) which identifies a living individual. For example your name, address, Credit Card, DNA, finger print, email address.

3. Processing - any activity that can be carried out on personal data. For example obtaining, storing, copying and transferring. So what does the act do?

The Act can be broken down into three different functions:-

1. Notification - It requires every Data Controller to notify the relevant national authority of its processing operations.

2. Code of conduct - It obliges Data Controllers to comply with the "Data Protection Principles”, a code of conduct.

3. Individual Rights - It create a set of enforceable rights individuals can expect in the processing of their personal data.

Notification. The information Commissioner must be informed of the types of processing that Data Controllers are undertaking. Notification can be done in writing using the correct forms or online https://forms.informationcommissioner.gov.uk/cgi-bin/dprproc?page=7.html it currently costs £35 per year to register. There is a register available of all Data Controllers, it is a public document and can be searched online at http://www.esd.informationcommissioner.gov.uk/esd/search.asp

There are a few exemptions for the need to notify the Information Commission. Examples are employee records, membership or customer lists.

Data controllers should check if they are exempt as it is a criminal offence to process personal data without notification or to process data differently to the type notified.

Code of Conduct There are 8 principles of good information handling or processing. These can be seen as a Code of Conduct Data Controllers must comply with unless there are exempt.

These principles require the data controller to:

1. Process personal data fairly and lawfully.

2. Ob

tain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner which is incompatible with the purpose or purposes for which it was obtained.

3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.

4. Ensure that personal data is accurate and, where necessary, kept up to date.

5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.

6. Process personal data in accordance with the rights of the individuals to whom the information relates.

7. Ensure that personal data is kept secure.

8. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which the information is to be sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.

Individuals' Rights. The Act says that individuals have certain rights with respect to personal data that someone else holds about them:

1. To be informed by any data controller whether it is processing data concerning him, and to be given a copy of such data. 2. To prevent processing likely to cause him damage or distress. 3. To prevent direct marketing to him. 4. To prevent the taking of automated decisions concerning him. 5. To have inaccurate data corrected or erased. 6. To compensation for damage or distress caused by unlawful data processing. 7. To ask the Information Commissioner to investigate the activities of any data controller.

Summary. Data controllers holding personal Data must comply with the 8 principals of good information handling. Individuals have the right to see that data and have it changed if it is incorrect.

 Previous      Next