Data Protection Act?
The 1998 Act covers information or data stored on a computer or an organised paper filing system about living people. For clarity, it does not stop companies storing information about people. It just makes them follow rules.
The basic way it works is by:
- setting up rules that people have to follow
- having an Information Commissioner to enforce the rules
Who does the act involve?
- The Information Commissioner is the person (and his/her office) who has powers to enforce the Act.
- A data controller is a person or company that collects and keeps data about people.
- A data subject is someone who has data about them stored somewhere, outside of their direct control. For example, a bank stores its customers’ names, addresses and phone numbers. This makes us all data subjects as there can be few people in the UK who do not feature in computer records somewhere.
Data controllers must declare what information will be stored and how it will be used in advance by registering with the Information Commissioner.
8 Principles of the Data Protection Act
- It must be collected and used fairly and inside the law. What is fair? You can only do with peoples’ data what you tell them you are going to do with it or what they give you permission to do with it.
- It must only be held and used for specific purposes – the purposes given to the Information Commissioner. That means you can’t start using data for different purposes without telling people and the Commissioner about them.
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
- The information you hold must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data. You can’t just collect a load of extra data that you don’t need in case it becomes useful in the future.
- It must be accurate and be kept up to date. There is a duty to keep it up to date, for example, to change an address when people move.
- It must not be kept longer than is necessary for the registered purposes. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most unless you have a good reason.
- The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone. The security of information is the Controllers responsibility – even if they have employed someone else to store it or work on it.
- The personal data cannot be transferred outside of the European Economic Area (that’s the EU plus some other European countries) unless the country that the data is being sent to has suitable data protection laws. This part of the DPA has led to some countries passing similar laws to allow computer data centres to be located in their territory.
Am I Exempt?
- Any personal data that is held for a national security reason is not covered. So MI5 and MI6 don’t have to follow the rules. They do need to get a Government Minister to sign a certificate saying that they are exempt.
- Personal data held for domestic purposes only at home, eg a list of your friends’ names, birthdays and addresses do not have to keep to the rules.