Data Protection Legislation - PowerPoint PPT Presentation

Slides: 12
Provided by: grah123

Transcript and Presenter's Notes



1
Data Protection Legislation
2
Personal Privacy
  • Right to privacy is a fundamental human right
  • Development of databases has led to storage of
    much personal information without the knowledge
    or permission of the individual
  • It is often felt that even the use of names and
    addresses for mail shots is an invasion of
    privacy
  • The Data Protection Act of 1984 grew out of
    concern about personal privacy

3
Data Protection Acts of 1984 and 1998
  • The Act covers personal data which are
    automatically processed
  • It works on two levels
      • To give individuals certain statutory rights
      • To require those who record and use personal data
        on computers to be open about the use and follow
        proper procedures
  • The Data Protection Act of 1998 was passed to
    implement a European Data Protection Directive.
  • This sets a standard for data protection
    throughout all countries in the EU
  • It came into force in March 2000
  • Extended to include some manual records
  • Gave further rights to data subjects

4
The Data Protection Registrar
  • The 1984 Act established the office of Registrar
  • The 1998 Act changed the title to Data Protection
    Commissioner
  • With effect from 20th January 2001 the title is
    now Information Commissioner, whose duties include
      • Administering a public register of Data
        Controllers with broad details of the data held
      • Disseminating information on the Act and how it
        works
      • Promoting compliance with the Data Protection
        Principles
      • Considering complaints about breaches of
        Principles or the Act.
      • Prosecuting offenders, or serving notices on
        those who are contravening the principles.

5
The Data Protection Principles (1998)
  • Personal data must be obtained and processed
    fairly and lawfully
  • Personal data must be held for specified
    (limited) and lawful purposes
  • Personal data must be adequate, relevant and not
    excessive
  • Personal data must be accurate and up-to-date
  • Personal data must not be kept longer than
    necessary
  • Personal data must be processed in accordance
    with the data subject's rights
  • Personal data must be kept secure
  • Personal data must not be transferred to
    countries without adequate protection

6
Useful Definitions from the 1984 Act
  • Personal data
      • Information about living, identifiable
        individuals. Personal data do not have to be
        particularly sensitive information and can be as
        little as name and address.
  • Automatically processed
      • Processed by a computer or other technology such
        as document image processing systems.
  • Data users (now called data controllers under the
    1998 Act)
      • Those who control the contents and use of a
        collection of personal data. They can be any type
        of company or organisation, large or small,
        within the public or private sector. Can also be
        a sole trader, partnership or an individual. A
        data user need not necessarily own a computer.
  • Data subjects
      • The individuals to whom personal data relate

7
Similar Definitions from the 1998 Act
  • Personal data
      • means data which relates to a living individual
        who can be identified from those data or from
        those data and other information which is in the
        possession of the data controller.
  • A data controller
      • is a person who determines the purposes for which
        and the manner in which any personal data are, or
        are to be, processed.
  • Every data controller who is processing personal
    data must notify unless they are exempt.
  • These definitions found at
    http://www.dpr.gov.uk/notify/4.html

8
Data Controllers Register entry
  • This processing description includes
      • The purposes for which personal data are being or
        are to be processed e.g. provision of financial
        services and advice
      • A description of the data subjects about whom
        data are or are to be held e.g. customers and
        clients
      • A description of the data classes e.g. personal
        details, financial details
      • A list of the recipients of data e.g. financial
        organisations and advisors
      • Information about whether data are transferred
        outside the European Economic Area (EEA)

9
Possible Exemptions
  • Some not for profit organisations
  • Processing of personal data for personal, family
    or household affairs (including recreational
    purposes).
  • Data controllers who only process personal data
    for the maintenance of a public register.
  • Data controllers who only process personal data
    for any one or all of the following purposes for
    their own business.
      • Staff administration
      • Advertising, marketing and public relations
      • Accounts and records
  • Special categories under which data may be held
      • National security
      • Prevention of crime
      • Collection of tax or duty

10
Rights of Data subjects
  • An individual is entitled, upon written request,
    to be supplied with a copy of any personal data
    held about them.
  • The data controller may charge a fee
  • Rights include
      • Right to compensation for unauthorised disclosure
        of data
      • Right to compensation for inaccurate data
      • Right of access to data and to apply for
        rectification or erasure where data are
        inaccurate
      • Right to compensation for unauthorised access,
        loss or destruction of data

11
Implications of the Data Protection Legislation
  • Under the current legislation
      • Use of personal data must be registered
      • The public have a right to see what data is held
        about them by an organisation
      • However, it is quite legal for an organisation to
        sell a mailing list for the purpose of direct
        mailing.
  • European Directive of 24 October 1995
      • Where data is to be transferred to a third party
        for the purposes of direct mailing, the subject
        must be informed and given the opportunity to
        require that the data be erased.
      • Many organisations collecting personal data
        include a check box to be ticked if you object to
        your data being passed on to other organisations.
      • Member states have three years to implement this
        legislation.