Why is it important for your organisation to comply with the Data Protection Act?
The Data Protection Act 1998 (“DPA”) lays down eight data protection principles that any organisation processing data about individuals must comply with.
What does the DPA cover?
The DPA came into force on 1 March 2000. It implemented the European Union (“EU”) Directive on data protection into UK law, introducing radical changes to the way in which personal data about identifiable living individuals can be used. The constant need for businesses to process personal data means that the DPA affects most organisations, irrespective of size. Furthermore, the public’s growing awareness of their right to privacy means that data protection will remain an important issue.
The DPA makes a distinction between personal data and sensitive personal data. Personal data includes data relating to employees, customers, business contacts and suppliers. Sensitive data covers matters such as an individual’s ethnic origin, medical conditions, sexual orientation and eligibility to work in the UK. The data protection principles set out the standards which an organisation must meet when processing personal data. These principles apply to the processing of all personal data, whether those data are processed automatically or stored in structured manual files.
What is data?
Data means information which is processed by computer or other automatic equipment (including word processors, databases and spreadsheet files); information which is recorded on paper with the intention of being processed later by computer; or information which is recorded as part of a manual filing system, where the files are structured according to the names of individuals or other characteristics, such as payroll number, and where the files have sufficient internal structure that specific information about a particular individual can be found easily.
What are the eight data protection principles?
The eight data protection principles are as follows:
Personal data must be processed fairly and lawfully
Personal data must be obtained only for specified and lawful purposes and must not be processed further in any manner incompatible with those purposes
Personal data must be adequate, relevant and not excessive in relation to the purposes for which they were collected
Personal data must be accurate and, where necessary, kept up to date
Personal data must not be kept longer than is necessary for the purposes for which they were collected
Personal data must be processed in accordance with the rights of data subjects
Personal data must be kept secure against unauthorised or unlawful processing and against accidental loss, destruction or damage
Personal data must not be transferred to countries outside the European Economic Area unless the country of destination provides an adequate level of data protection for those data.
What data comprises personal data?
Personal data means data relating to living individuals who can be identified from those data, or from those data together with other information which is in the possession of the data controller or which is likely to come into its possession; for example, the names, addresses and home telephone numbers of employees.
What data comprises sensitive data?
Sensitive personal data (“sensitive data”) consist of information relating to a data subject’s (the individual’s):
racial or ethnic origin;
religious beliefs or other similar beliefs;
trade union membership;
physical or mental health or condition;
commission or alleged commission of any offences;
convictions or criminal proceedings involving the data subject.
What is the meaning of processing under the DPA?
The definition of ‘processing’ is very broad. It covers any operation carried out on the data, including obtaining or recording data; the retrieval, consultation or use of data; and the disclosure or otherwise making available of data.