3e - Data Protection

Page 1: Data Protection Legislation

Page 2: Personal Privacy

  • Right to privacy is a fundamental human right
  • Development of databases has led to storage of much personal information without the knowledge or permission of the individual
  • It is often felt that even the use of names and addresses for mail shots is an invasion of privacy
  • The Data Protection Act of 1984 grew out of concern about personal privacy

Page 3: Data Protection Acts of 1984 and 1998

  • The Act covers ‘personal data’ which are ‘automatically processed’
  • It works on two levels:
    – To give individuals certain statutory rights
    – To require those who record and use personal data on computers to be open about the use and follow proper procedures
  • The Data Protection Act of 1998 was passed to implement a European Data Protection Directive. This sets a standard for data protection throughout all countries in the EU
  • It came into force in March 2000
    – Extended to include some manual records
    – Gave further rights to data subjects

Page 4: The Data Protection Registrar

  • The 1984 Act established the office of Registrar
  • The 1998 Act changed the title to Data Protection Commissioner
  • With effect from 20th January 2001 the title is now Information Commissioner, whose duties include:
    – administering a public register of Data Controllers with broad details of the data held;
    – disseminating information on the Act and how it works;
    – promoting compliance with the Data Protection Principles;
    – considering complaints about breaches of the Principles or the Act;
    – prosecuting offenders, or serving notices on those who are contravening the Principles.

Page 5: The Data Protection Principles (1998)

  1. Personal data must be obtained and processed fairly and lawfully;
  2. Personal data must be held for specified (limited) and lawful purposes;
  3. Personal data must be adequate, relevant and not excessive;
  4. Personal data must be accurate and up-to-date;
  5. Personal data must not be kept longer than necessary;
  6. Personal data must be processed in accordance with the data subject's rights;
  7. Personal data must be kept secure;
  8. Personal data must not be transferred to countries without adequate protection.

Page 6: Useful Definitions from the 1984 Act

  • ‘Personal data’
    – Information about living, identifiable individuals. Personal data do not have to be particularly sensitive information and can be as little as name and address.
  • ‘Automatically processed’
    – Processed by a computer or other technology such as document image processing systems.
  • ‘Data users’ (now called ‘data controllers’ under the 1998 Act)
    – Those who control the contents and use of a collection of personal data. They can be any type of company or organisation, large or small, within the public or private sector. Can also be a sole trader, partnership or an individual. A data user need not necessarily own a computer.
  • ‘Data subjects’
    – The individuals to whom personal data relate.

Page 7: Similar Definitions from the 1998 Act

  • Personal data
    – means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of the data controller.
  • A data controller
    – is a person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
  • Every data controller who is processing personal data must notify unless they are exempt.
  • These definitions are found at:
    – http://www.dpr.gov.uk/notify/4.html

Page 8: Data Controller’s Register Entry

  • This processing description includes:
    – the purposes for which personal data are being or are to be processed, e.g. provision of financial services and advice
    – a description of the data subjects about whom data are or are to be held, e.g. customers and clients
    – a description of the data classes, e.g. personal details, financial details
    – a list of the recipients of data, e.g. financial organisations and advisors
    – information about whether data are transferred outside the European Economic Area (EEA)

Page 9: Possible Exemptions

  • Some not-for-profit organisations
  • Processing of personal data for personal, family or household affairs (including recreational purposes)
  • Data controllers who only process personal data for the maintenance of a public register
  • Data controllers who only process personal data for any one or all of the following purposes for their own business:
    – staff administration
    – advertising, marketing and public relations
    – accounts and records
  • Special categories under which data may be held:
    – National security
    – Prevention of crime
    – Collection of tax or duty

Page 10: Rights of Data Subjects

  • An individual is entitled, upon written request, to be supplied with a copy of any personal data held about themselves.
  • The data controller may charge a fee
  • Rights include:
    – Right to compensation for unauthorised disclosure of data
    – Right to compensation for inaccurate data
    – Right of access to data and to apply for rectification or erasure where data are inaccurate
    – Right to compensation for unauthorised access, loss or destruction of data

Page 11: Implications of the Data Protection Legislation

  • Under the current legislation:
    – use of personal data must be registered
    – the public have a right to see what data is held about them by an organisation
  • However, it is quite legal for an organisation to sell a mailing list for the purpose of direct mailing.
  • European Directive of 24 October 1995
    – Where data is to be transferred to a third party for the purposes of direct mailing, the subject must be informed and given the opportunity to require that the data be erased.
    – Many organisations collecting personal data include a check box to be ticked if you object to your data being passed on to other organisations.
    – Member states have three years to implement this legislation.