The Data Protection Act 1998 (DPA) is a law that governs the use of individuals' personal data. The 1998 Act came into force on 1st March 2000 and replaced the Act of 1984.
To obtain a full copy of the DPA, please go to www.hmso.gov.uk/
Every UK-based business holding personal information must register and comply with the DPA. Consumers are now more aware of their rights and of an organisation's obligations as to the use of their personal data. Businesses now rely heavily on retaining long-standing customers and so must give priority to the security and use of personal information. Ignoring these responsibilities can therefore have serious commercial consequences and could seriously damage a company's reputation.
The Information Commissioner, currently Richard Thomas, regulates the DPA, and his key responsibilities are also outlined in the DPA. The Information Commissioner's Office, the ICO, also holds and maintains the Data Protection Register, which contains a list of all companies that hold personal information, as well as stating their purposes for the use of the information.
Companies can register with the ICO online at http://www.informationcommissioner.gov.uk/ or by telephone on 01625 545740. The cost of the licence is £35 per year and can be paid by Direct Debit. The ICO also offers full guidance on issues relating to the DPA for businesses and helpful guidance for consumers. Again, details can be found on their website.
The ICO launched their Annual Report on the 14th July 2004.
The DPA is made up of 8 main principles, which are summarised below. The Act uses the following key terms:
"Personal Data" – any personal information relating to living, identifiable individuals that is processed automatically, or which, although held in non-automated form, is readily accessible because it is stored in a structured filing system.
"Sensitive Personal Data" – information such as political opinions, religious beliefs, ethnic origin, health information, sexual life, criminal convictions or membership of a trade union, which requires a Data Controller to establish higher levels of justification before such data can be processed lawfully.
"Processing" – any activity performed on the personal data, including use, disclosure, storage or collection of personal data.
"Data Controller" – the organisation that is ultimately responsible for the processing; the person who controls and benefits from the processing activity.
"Data Processor" – any service provider who, in order to deliver services to the Data Controller, processes personal data on behalf of that Controller.
"Data Subject" – the individual to whom the personal data relates; individuals who are customers, contacts or clients of a Data Controller are also Data Subjects.
When determining whether data processing is fair, a Data Controller would have to consider the consequences of the processing for the Data Subject, as well as ensuring it is for a legitimate business purpose. Lawful processing is any processing that complies with relevant law, whether derived from statute or common law. Principle One also states that data should not be processed unless at least one of the conditions in Schedule 2 is met or, in the case of sensitive personal data, one of the conditions in Schedule 3 is met:
Conditions of Schedule 2
Consent
Consent is defined in the Act as "... any freely given specific and informed indication of his wishes by which the Data Subject signifies his agreement to personal data relating to him being processed."
Necessary
Processing would be deemed necessary if it would enable the Data Controller to comply with any legal obligations to which they are subject, or if it is in the Data Subject's vital interests.
Conditions of Schedule 3
These are identical to those of Schedule 2 but relate specifically to sensitive personal data. Therefore explicit consent would need to be obtained from the Data Subject. The Data Controller would also need to give special consideration to whether or not the processing of sensitive personal data is necessary.
Data must be processed only for the specified purpose(s). Data Controllers must specify the purpose(s) of their data processing in a notice to the Data Subject and through notification to the ICO. Usually notification to the Data Subject is carried out through the consent and fair obtaining clauses.
This Principle applies to the type of data held and ensuring that it is adequate in relation to the purposes of processing. The Data Controller would need to consider factors such as the number of individuals on whom data is held, weighed against the number of individuals on whom the data is actually processed, as well as the nature of the personal data and the way it was obtained.
Personal data must be accurate, in that it must not be "factually misleading". A Data Controller would need to take steps to ensure data accuracy, as well as ensuring procedures are in place for amending or updating the data when necessary. In essence, a Data Controller must not knowingly hold inaccurate personal data on an individual.
Under this Principle a Data Controller must review their personal data regularly and delete the information that is no longer required for their purposes. The industry standard for the length of time credit-related data should be held is six years. However, each Data Controller needs to assess individually the type of data they hold and make a commercial decision based upon whether or not the data is still required for their own data processing.
A Data Controller would contravene this Principle if they failed to supply information following a Subject Access Request from the Data Subject, or if they failed to comply with the most common notices under the Act. These are:
Under this Principle a Data Controller has to ensure that appropriate technical and organisational measures are in place to prevent unlawful access to, and accidental damage to or destruction of, personal data. This would apply to areas of the business such as controlling access to information, ensuring a Disaster Recovery Plan is in place, staff selection and training, and having systems in place to detect and deal with breaches of security.
Personal data is not to be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection. The Eighth Principle will not be breached where the transfer is to a country or territory that the European Commission has deemed 'adequate'.
An up-to-date list of 'adequate' places can be found at: http://www.europa.eu.int/comm/internal_market/privacy/adequacy_en.htm