Data protection — overview
The Data Protection Act 1998 (the DPA98) regulates the protection and handling of electronic and certain hard copy personal data in two ways:
- those handling personal data must comply with eight principles, and
- individuals have a right to know what information is held about them
Key defined terms
- Personal data is data which can be used to identify a living person. The DPA98 applies to such data held (or intended to be held) on computers, and manual records in a 'relevant filing system' (one structured to allow easy access to personal information)
- Data subject is a person to whom personal data relates
- Data controller is someone who decides for what purposes and how personal data will be processed
- Data processor is someone who processes data for a data controller (other than its employee), and
- Sensitive personal data is information regarding a person's ethnicity, religious beliefs, health and certain other matters
Data protection principles
Those holding personal data must ensure that it is:
- processed fairly and lawfully
- processed for specified, limited purposes
- adequate, relevant and not excessive (in relation to the purposes for which it is processed)
- accurate and up to date
- not kept for longer than necessary
- processed in accordance with the individual's rights
- kept secure, and
- not transferred to countries without adequate protection for individuals' rights
Fair and lawful processing entails compliance with conditions set out in the DPA98. Keeping personal data secure requires taking appropriate technical and organisational measures against unauthorised processing and accidental loss or damage.
Exceptions
Processing for certain purposes is not subject to the DPA98. These include:
- safeguarding national security
- preventing or detecting crime, apprehending or prosecuting offenders, or assessing or collecting taxes, and
- domestic purposes
Individual rights
A data subject may:
- see the personal data an organisation holds on him (subject access)
- request the correction of incorrect information
- require that personal data is not used in a way which causes damage or distress
- require that his personal data is not used for direct marketing
- require that the data controller does not make automated decisions about him
- complain to the Information Commissioner about the data controller's use of his personal data, and
- be entitled to compensation for inaccurate or wrongly-disclosed personal data
Information Commissioner's Office (ICO)
The ICO supervises the implementation of the DPA98 (including its application to CCTV use) and various other legislation in the UK. Organisations processing personal information must register with the ICO, notifying it of the processing they are carrying out and the type of personal data they store. There are exceptions for domestic processing and for organisations carrying out staff administration and other basic processing. The registration must be renewed annually.
The Information Commissioner may require organisations to modify or delete personal data they hold, and compel them to take various steps in relation to data processing. He may do this either by requiring informal undertakings or by service of an enforcement notice.
The Information Commissioner's decisions may be reviewed by the courts and the Information Tribunal.

