Data protection - overview
The Data Protection Act 1998 (DPA 1998) regulates the protection and handling of electronic and certain hard copy personal data in two ways:
those handling personal data must comply with eight principles, and
individuals have a right to know what information is held about them
Key defined terms
Personal data is data which can be used to identify a living person. The DPA 1998 applies to such data held or intended to be held on computers, and to manual records in a 'relevant filing system', ie one structured to allow easy access to personal information
Data subject is a person to whom personal data relates
Data controller is someone who decides for what purposes and how personal data will be processed
Data processor is someone who processes data for a data controller, other than its employee, and
Sensitive personal data is information regarding a person's ethnicity, religious beliefs, health and certain other matters
Data protection principles
Those holding personal data must ensure that it is:
processed fairly and lawfully
processed for specified, limited purposes
adequate, relevant and not excessive (in relation to the purposes for which it is processed)
accurate and up to date
not kept for longer than necessary
processed in accordance with the individual's rights
kept secure, and
not transferred to countries without adequate protection for individuals' rights
Fair and lawful processing entails compliance with conditions set out in the DPA 1998. Keeping personal data secure requires taking appropriate technical and organisational measures against unauthorised processing and accidental loss or damage.
Processing for certain purposes is not subject to the DPA 1998. These include:
safeguarding national security
preventing or detecting crime, apprehending or prosecuting offenders, or assessing or collecting taxes, and
A data subject may:
see the personal data an organisation holds on him (subject access)
request the correction of incorrect information
require that personal data is not used in a way which causes damage or distress
require that his personal data is not used for direct marketing
require that the data controller does not make automated decisions about him
complain to the Information Commissioner about the data controller's use of his personal data, and
be entitled to compensation for inaccurate or wrongly-disclosed personal data
Information Commissioner's Office (ICO)
The ICO supervises the implementation of DPA 1998 including its application to CCTV use and other related UK legislation. Organisations processing personal information must register with the ICO, notifying it what processing they are carrying out and the type of personal data they store. There are exceptions for domestic processing and organisations carrying out staff administration and other basic processing. The registration must be renewed annually.
The Information Commissioner may require organisations to modify or delete personal data they hold, and compel them to take various steps in relation to data processing. He may do this either by requiring informal undertakings or by service of an enforcement notice.
The Information Commissioner's decisions may be reviewed by the courts and the Information Tribunal.