
The Data Protection Act 1998
© Folens 2008
What it covers
• The misuse of personal data, whether or not it is stored on an ICT system.
Reasons for its introduction
• Processing data by ICT systems became much easier, and certain misuses started to occur.
• The Act implements the EU Data Protection Directive (95/46/EC), which required every Member State of the EEA (European Economic Area) to have an equivalent data protection law so that personal data could flow between them and business could be conducted across the EEA; the UK therefore needed such a law, too.
Personal data
Personal data is:
• data about an identifiable person (someone who can be identified from the data, either on its own or together with other information held by the data controller);
• who is living;
• and is specific to that person.
It can include: name, address, date of birth, medical details, credit history, salary, qualifications, religious beliefs, etc.
What the Data Protection Act does
• Gives rights to individuals:
• to find out what personal information is stored about them;
• to have the information corrected if it is wrong.
The terms used in the Act
You will need to be able to define each of the following terms:
• Personal data – data about a living identifiable person, which is specific to that person.
• Data subject – the living individual whom the personal information is about.
• Data controller – the person (usually an organisation) who decides the purposes for which, and the way in which, personal data are processed, and who is responsible for that processing complying with the Act.
• Information Commissioner – the person responsible for enforcing the Act. They also promote good practice and make everyone aware of the implications of the Act.
Processing personal data
Under the Data Protection Act, processing covers almost anything that is done with data:
• obtaining or collecting data
• recording or holding data
• carrying out any operation or set of operations on the data, including organising, altering, retrieving, using, disclosing, erasing or destroying it.
Who is in charge of the Data Protection Act?
• A person called the Information Commissioner is in charge of the Act.
• The Information Commissioner is also in charge of the Freedom of Information Act.
The duties of the Information Commissioner
• To be responsible for two Acts.
• To run the Information Commissioner’s Office (ICO).
• To promote good information handling.
• To investigate complaints.
• To provide guidelines.
• To prosecute if necessary.
Notification
Why have notification?
• The Information Commissioner needs to know that an organisation is processing personal information.
• Notification involves telling the Information Commissioner what personal data is processed and why it is processed.
What does notification involve?
• Giving the name and address details of the data controller.
• Data details (e.g., medical, employment, credit, etc.).
• A brief description of the reasons for storing personal data.
• Lists of organisations the data could be passed to.
Exemptions from notification
• Not all use of personal data has to be notified.
• There are exemptions from notification.
• An exemption from notification does not take away the data subject’s rights: the data controller must still follow the Data Protection Principles and must still answer subject access requests. Its only practical effect is that the processing does not appear in the public register of notifications kept by the Information Commissioner, so a data subject cannot find it by looking there.
Exemptions from notification
• Where data is used for personal, family or household use.
• Where the data is used for preparing text (e.g., references).
• Where the data is being used for the calculation of pay or pensions.
• Where data is being used for mailing lists, provided only name and address details are stored.
Subject access
Data subjects are entitled to see the personal information held about them. The purpose is to let them check that it is correct. If the information is wrong, they have:
• the right to have the information corrected or deleted;
• the right to compensation if they have suffered damage (and, in some cases, distress) as a result.
Exemptions from subject access
Some data where subject access could be refused:
• Data used for the prevention or detection of crime.
• Data used for the apprehension or prosecution of offenders.
• Data used for the assessment or collection of tax or duty.
How come organisations are able to pass personal information to others?
• Consent – a data subject can give permission for their data to be passed to others.
• Often there is an opt-out box on a form which can be ticked to prevent this.
• Unless you tick it (and most people don’t), the organisation treats you as having given permission.
The Data Protection Principles
• The Data Protection Act 1998 contains 8 Data Protection Principles.
• Anyone processing personal information has to process data according to these principles.
Principle 1
Personal data shall be processed fairly and lawfully.
Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date.
Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.