Data Protection Act
Welcome to the training section for the Data Protection Act.
There are 9 sections below to help re-fresh the information within the internal training session followed by a short 10 question test. Click here to access the internal training session resources.
You must successfully complete the test to pass this training exercise.
- The need for the Data Protection Act
- Misuse and unauthorised access to information
- How the Data Protection Act works
- The roles of those involved
- Registration with the Information Commissioner
- Types of personal data
- Responsibility of data controllers
- The rights of data subjects
The need for the Data Protection Act
During the second half of the 20th century, businesses, organisations and the government began using computers to store information about their customers, clients and staff in databases. For example:
- contact information
- employment history
- medical conditions
- credit history
Databases are easily accessed, searched and edited. It’s also far easier to cross reference information stored in two or more databases than if the records were paper-based. The computers on which databases resided were often networked. This allowed for organisation-wide access to databases and offered an easy way to share information with other organisations.
Misuse and unauthorised access to information
With more and more organisations using computers to store and process personal information there was a danger the information could be misused or get into the wrong hands. A number of concerns arose:
- Who could access this information?
- How accurate was the information?
- Could it be easily copied?
- Was it possible to store information about a person without the individual’s knowledge or permission?
- Was a record kept of any changes made to information?
How the Data Protection Act works
The Data Protection Act was developed to give protection and lay down rules about how data about people can be used.
The 1998 Act covers information or data stored on a computer or an organised paper filing system about living people.
The basic way it works is by:
- setting up rules that people have to follow
- having an Information Commissioner to enforce the rules
It does not stop companies storing information about people. It just makes them follow rules.
The roles of those involved
- The Information Commissioner is the person (and his or her office) who has powers to enforce the Act.
- A data controller is an organisation or individual (for example, when self-employed) who determines what data the organisation collects, how it is collected and how it is processed.
- A data subject is someone who has data about them stored somewhere, outside of their direct control. For example, a bank stores its customers' names, addresses and phone numbers. This makes us all data subjects as there can be few people in the UK who do not feature in computer records somewhere.
Registration with the Information Commissioner
Any organisation or person who needs to store personal information must apply to register with the Information Commissioner.
Data controllers must declare what information will be stored and how it will be used in advance. This is recorded in the register.
Each entry in the register contains:
- the data controller's name and address
- a description of the information to be stored
- what they are going to use the information for
- whether the data controller plans to pass on the information to other people or organisations
- whether the data controller will transfer the information outside the UK
- details of how the data controller will keep the information safe and secure
Types of personal data
Some data and information stored on a computer is personal and needs to be kept confidential. People want to keep their pay, bank details, and medical records private and away from the view of just anybody. If someone who is not entitled to see these details can obtain access without permission it is unauthorised access. The Data Protection Act sets up rules to prevent this happening.
Two types of personal data
Personal data is about living people and could be:
- their name
- medical details or banking details
Sensitive personal data is also about living people, but it includes one or more details of a data subject's:
- racial or ethnic origin
- political opinions
- membership of a trade union
- sex life
- criminal activity
There are fewer safeguards for personal data than there are for sensitive personal data. In most cases a person must be asked specifically if sensitive data can be kept about them.
Responsibility of data controllers
All data controllers must keep to the eight principles of data protection.
When you read about these, you may find them called "The Data Protection Principles".
The eight principles of data protection
- For the personal data that controllers store and process:
- It must be collected and used fairly and inside the law.
- It must only be held and used for the reasons given to the Information Commissioner.
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
- The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data.
- It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move.
- It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most.
- The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone.
- The files may not be transferred outside of the European Economic Area (that's the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law. This part of the DPA has led to some countries passing similar laws to allow computer data centres to be located in their area.
The rights of data subjects
People whose personal data is stored are called data subjects. The DPA sets up rights for people who have data kept about them. They are:
- A right of subject access: A data subject has a right to be supplied by a data controller with the personal data held about him or her. The data controller can charge for this (usually around £10 pounds).
- A right of correction: A data subject may force a data controller to correct any mistakes in the data held about them.
- A right to prevent distress: A data subject may prevent the use of information if it would be likely to cause them distress.
- A right to prevent direct marketing: A data subject may stop their data being used in attempts to promote or sell them things (e.g. by junk mail or cold calling.)
- A right to prevent automatic decisions: A data subject may specify that they do not want a data user to make "automated" decisions about them where, through points scoring, a computer decides on, for example, a loan application.
- A right of complaint to the Information Commissioner: A data subject can ask for the use of their personal data to be reviewed by the Information Commissioner who can enforce a ruling using the DPA. The Commissioner may inspect a controller's computers to help in the investigation.
- A right to compensation: The data subject is entitled to use the law to get compensation for damage caused ("damages") if personal data about them is inaccurate, lost, or disclosed.
- these rights only practically exist if you know who has data stored about you
- some data controllers are exempt from the Act
There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act. These mean that the people storing data (the data controllers) do not need to keep to the rules.
- Any personal data that is held for a national security reason is not covered. So MI5 and MI6 don't have to follow the rules if the data requested could harm national security. If challenged, the security services are able to apply for a certificate from the Home Secretary as proof that the exemption is required.
- Personal data held by an individual only for the purposes of their personal, family or household affairs. e.g. a list of your friends' names, birthdays and addresses does not have to keep to the rules.
Some personal data has partial exemption from the rules of the DPA. The main examples of this are:
- The taxman or police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files.
- A data subject has no right to see information stored about him if it is to do with his/her health. This allows doctors to keep information from patients if they think it is in their best interests.
- A school pupil has no right of access to personal files, or to exam results before publication.
- A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
- Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
- Employment references written by a previous employer are exempt.
- Planning information about staff in a company is exempt, as it may damage the business to disclose it.
You have finished the reading material for the Data Protection Act Training.
You are now ready to take the Data Protection Test.