The Data Protection Act 1998
© Oxford University Press 2012

What it covers
• The misuse of personal data.
• Whether the data is stored on an ICT system or not.

Reasons for its introduction
• Processing data by ICT systems became easier and certain misuses started to occur.
• All Member States in the EEA (European Economic Area) had data protection laws, so in order to conduct business with them the UK needed such a law too.

Personal data
Personal data is:
• data about an identifiable person
• who is living
• and is specific to that person.
It can include: name, address, date of birth, medical details, credit history, salary, qualifications, religious beliefs, etc.

What the Data Protection Act does
Gives rights to individuals:
• to find out what personal information is stored about them
• to have the information corrected if it is wrong.

The terms used in the Act
You will need to be able to define each of the following terms:
• Personal data – data about a living, identifiable person, which is specific to that person.
• Data subject – the living individual whom the personal information is about.
• Data controller – the person in an organisation who is responsible for controlling the way that personal data is processed.
• Information Commissioner – the person responsible for enforcing the Act. They also promote good practice and make everyone aware of the implications of the Act.

Processing personal data
Under the Data Protection Act, processing can mean:
• collecting data
• recording data
• carrying out any operation(s) on a set of data.

Who is in charge of the Data Protection Act?
• A person called the Information Commissioner is in charge of the Act.
• The Information Commissioner is also in charge of the Freedom of Information Act.

The duties of the Information Commissioner
• To be responsible for the two Acts.
• To run the Information Commissioner's Office (ICO).
• To promote good information handling.
• To investigate complaints.
• To provide guidelines.
• To prosecute if necessary.

Notification
Why have notification?
• The Information Commissioner needs to know that an organisation is processing personal information.
• Notification involves telling the Information Commissioner what personal data is processed and why it is processed.

What does notification involve?
• Giving the name and address details of the data controller.
• Details of the data held (e.g., medical, employment, credit, etc.).
• A brief description of the reasons for storing the personal data.
• A list of the organisations the data could be passed to.

Exemptions from notification 1
• Not all use of personal data has to be notified.
• There are exemptions from notification.
• Where an exemption applies, the processing does not appear on the public register, so data subjects cannot use the register to find out that it is taking place.

Exemptions from notification 2
• Where the data is used for personal, family or household purposes.
• Where the data is used for preparing text (e.g., references).
• Where the data is used for the calculation of pay or pensions.
• Where the data is used for mailing lists, provided only name and address details are stored.

Subject access
Data subjects are able to see the information held about them. The purpose is to let them check that it is correct. If the information is wrong, they:
• have the right to compensation if they have suffered loss or injury as a result
• have the right to have the information changed or deleted.

Exemptions from subject access
Some data for which subject access could be refused:
• Data used for the prevention or detection of crime.
• Data used for the apprehension or prosecution of offenders.
• Data used for the assessment or collection of tax or duty.

Why are organisations able to pass personal information to others?
• Consent – a data subject can give permission for data to be passed to others.
• Often there is a box on a form which can be ticked to prevent this.
• Unless you tick this box (and most people don't), you have given permission.

The Data Protection Principles
• The Data Protection Act 1998 contains eight Data Protection Principles.
• Anyone processing personal information has to process the data according to these principles.

Principle 1
Personal data shall be processed fairly and lawfully.

Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Principle 4
Personal data shall be accurate and, where necessary, kept up to date.

Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.

Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.