Data Protection - PowerPoint PPT Presentation

Slides: 24
Provided by: scis4

1
Data Protection
  • History and current legislation

2
History
  • First attempts to introduce legislation in 1967
    as a result of growing pressure on governments to
    give citizens the right to access and the right
    to correct errors.
  • British Government's response
  • Younger Committee (1970)
  • Lindop Committee (1975)

3
Origins of D P Act
  • Council of Europe Convention (for the protection
    of individuals with regard to automatic
    processing of personal data) - 1980
  • Organisation for Economic Co-operation and
    Development (OECD) guidelines for the protection
    of privacy and transborder flows of data - 1980

4
Summary of UK events

5
Data Protection Act 1998
  • EU Directive (95/46/EC) requires Member States
    to protect the fundamental rights and freedoms of
    natural persons, in particular their right to
    privacy with respect to the processing of
    personal data.
  • First country to implement

6
Definitions
  • Data
  • Personal data
  • Processing
  • Data subject
  • Data controller
  • Data processor
  • Recipient
  • Third party

7
Principles (1)
  • First principle
  • Personal data shall be processed fairly and
    lawfully and, in particular, shall not be
    processed unless certain conditions are met.
  • One of the conditions is that the data subject
    has given their consent to the processing

8
Principles (2)
  • Second principle
  • Personal data shall be obtained only for one or
    more specified and lawful purposes, and shall not
    be processed in any manner incompatible with that
    purpose or those purposes

9
Principles (3)
  • Third principle
  • Personal data shall be adequate, relevant and
    not excessive in relation to the purpose or
    purposes for which they are processed.

10
Principles (4)
  • Fourth principle
  • Personal data shall be accurate and, where
    necessary, kept up to date.
  • Fifth principle
  • Personal data processed for any purpose shall
    not be kept for longer than is necessary.

11
Principles (5)
  • Sixth principle
  • Personal data shall be processed in accordance
    with the rights of data subjects under this Act.

12
Principles (6)
  • Seventh principle
  • Appropriate technical and organisational
    measures shall be taken against unauthorised or
    unlawful processing of personal data and against
    accidental loss or destruction of, or damage to,
    personal data.

13
Principles (8)
  • Eighth principle
  • Personal data shall not be transferred to a
    country or territory outside the EEA, unless that
    country or territory ensures an adequate level of
    protection for the rights and freedoms of data
    subjects in relation to the processing of
    personal data.

14
Individuals' rights (1)
  • Right of subject access
  • A request for access must be in writing and the
    Data Controller may make a charge (up to £10
    under the 1984 Act)
  • You have the right to be told by the Data
    Controller if your personal data is being
    processed and, if so, to be given a description
    of the data, the purposes for which it is being
    processed and to whom it may be disclosed

15
Individuals' rights (2)
  • Subject access (continued)
  • You have the right to be told, in an intelligible
    manner, of all the information which forms such
    personal data, normally in hard-copy and from
    whom the Data Controller acquired the data.
  • The Data Controller must provide this within 40
    days of the receipt of your request.

16
Individuals' rights (3)
  • Right to prevent processing likely to cause
    damage or distress
  • There are some occasions when this right is not
    available
  • Data Controller has 21 days to respond stating
    the action taken.
  • If the Data Controller does not comply you can
    seek a court order. If the court agrees it can
    order the Data Controller to comply

17
Individuals' rights (4)
  • Right to prevent processing for Direct Marketing
    purposes
  • A court order can be applied for
  • Rights in relation to automated decision making
  • You are entitled to require a Data Controller to
    ensure that no decision which significantly
    affects you is based solely on automatic
    processing (e.g., credit rating)

18
Individuals' rights (5)
  • Right to compensation
  • If you suffer damage or damage and distress as a
    result of any contravention of the Act you are
    entitled to compensation
  • Rectification, blocking, erasure and destruction
  • Request for assessment
  • Anyone may request the Commissioner to assess
    processing for compliance

19
Exemptions (1)
  • There are a number of exemptions, the main ones
    being
  • National security
  • Crime and taxation
  • Health, education and social work
  • Regulatory activity
  • Special purposes
  • Research, history and statistics
  • Information available to the public by/under
    enactment
  • Disclosures required by law
  • Disclosures in connection with legal proceedings
  • Domestic purposes

20
Exemptions (2)
  • Miscellaneous exemptions
  • Confidential references given by the Controller
  • Armed forces
  • Judicial appointments and honours
  • Examination scripts and marks
  • Crown employment and Crown or Ministerial
    appointments
  • Management forecasts/planning
  • Negotiations
  • Corporate finance
  • Legal professional privilege
  • Self incrimination

21
The Commissioner
  • Promote good practice
  • Spread information
  • Encourage development of codes of practice
  • Make assessments
  • Serve notices

22
Notification
  • Telling the Commissioner about the personal data,
    purposes, disclosures, etc
  • Regulations not yet defined
  • Even if a Data Controller does not need to notify
    they must still comply with all other provisions
    of the Act

23
Notification information
  • Name and address and that of a representative if
    any
  • Description of the personal data and categories
    of data subject
  • Description of purpose(s)
  • Description of any recipient(s)
  • Name or description of anywhere outside the EEA
    where the data may be transferred
  • General description of security measures