The seriousness of the Government’s debacle over the loss ‘in the post’ of two discs containing the personal information of 25 million people is a timely reminder to us all to keep data protection and compliance at the forefront of our minds. The Data Protection Act 1998 safeguards the individual’s right to privacy and security of personal data about them.
A data controller (someone who determines the purposes for which, and the manner in which, personal data is processed) must, under the Act, notify the Information Commissioner of their processing activities each year and name a point of contact, for a small fee. The notification sets out the purposes for which the data will be processed and the classes of person to whom it may be disclosed. Some processing, such as that confined to manual (paper) filing systems, is exempt from notification. Data controllers have to comply with the eight Data Protection Principles.
A data processor is someone who processes personal data on behalf of a data controller; acting as a processor does not, of itself, create a duty to notify. The data controller and data processor must have a written contract between them covering the security obligations under Principle 7 below.
A data subject has various legal rights. These include a right of access to the data held about them, a right to be told who the data controller is and the purposes of the processing, a right to prevent processing likely to cause damage or distress, a right to object to direct marketing and to certain automated decision-making, and a right to have inaccurate data rectified or destroyed. A data subject who suffers damage because a data controller has not complied with its obligations may claim compensation.
Although there are some exemptions, failure to comply with the Act may also lead to enforcement notices from the Information Commissioner, or even to criminal prosecution. Where an offence by an organisation is committed with the consent or connivance of, or is attributable to the neglect of, a director or other senior officer, that individual is also guilty of the offence. It will be interesting to see where the enquiry into the loss of the data discs by HMRC will lead!
The eight data protection principles broadly state that personal data must:
1. be processed fairly and lawfully;
2. be processed only for one or more specified purposes;
3. not be excessive for those purposes;
4. be accurate and up to date;
5. not be kept longer than is necessary for those purposes;
6. be processed in accordance with the rights of data subjects;
7. be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage; and
8. not be transferred to countries outside the European Economic Area which do not ensure adequate protection for personal data (note this includes the USA).
The detailed rules on how to observe these principles are set out in the Act. For instance, Principle 1 can only be satisfied if at least one of a set of conditions in the Act is met, such as the data subject having given their consent to the processing.
The conditions are stricter for 'sensitive personal data', which covers matters such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sex life and criminal record.
Brachers can advise on your activities relating to this legislation and help organise internal audits.
The Information Commissioner has also recently produced a training framework to help organisations understand these obligations.