Data protection - overview
The Data Protection Act 1998 (DPA 1998) regulates the protection and handling of electronic and certain hard copy personal data in two ways:
those handling personal data must comply with eight principles, and
individuals have a right to know what information is held about them
Key defined terms
personal data is data which can be used to identify a living person. DPA 1998 applies to such data held (or intended to be held) on computers, and manual records in a relevant filing system, ie one structured to allow easy access to personal information
a data subject is a person to whom personal data relates
a data controller is someone who decides for what purposes and how personal data will be processed
a data processor is someone who processes data for a data controller (other than its employee)
sensitive personal data is information regarding a person's ethnicity, religious beliefs, health and certain other matters
Data protection principles
Those holding personal data must ensure that it is:
processed fairly and lawfully
processed for specified, limited purposes
adequate, relevant and not excessive (in relation to the purposes for which it is processed)
accurate and up to date
not kept for longer than necessary
processed in accordance with the individual's rights
kept secure
not transferred to countries without adequate protection for individuals' rights
Fair and lawful processing entails compliance with conditions set out in DPA 1998. Keeping personal data secure requires taking appropriate technical and organisational measures against unauthorised processing and accidental loss or damage.
Exceptions
Processing for certain purposes is not subject to DPA 1998. These include:
safeguarding national security
preventing or detecting crime, apprehending or prosecuting offenders, or assessing or collecting taxes
domestic purposes
Individual rights
A data subject may:
see the personal data an organisation holds on them (subject access)
request the correction of incorrect information
require that personal data is not used in a way that causes damage or distress
require that their personal data is not used for direct marketing
require that the data controller does not make automated decisions about them
complain to the Information Commissioner about the data controller's use of their personal data
be entitled to compensation for inaccurate or wrongly disclosed personal data
Information Commissioner's Office
The Information Commissioner's Office (ICO) supervises the implementation of DPA 1998 (including its application to CCTV use) and various other legislation in the UK. Organisations processing personal information must register with the ICO, notifying it of the processing they are carrying out and the type of personal data they store. There are exceptions for domestic processing and for organisations carrying out staff administration and other basic processing. The registration must be renewed annually.
The Information Commissioner may require organisations to modify or delete personal data they hold and compel them to take various steps in relation to data processing. He may do this either by requiring informal undertakings or by service of an enforcement notice.
The Information Commissioner's decisions may be reviewed by the courts and the Information Tribunal.

