Data Protection Act 1998
The focus of this report is to explain the requirements & imposes of Data Protection Act 1998. The 1998 act affects to all people who uses information or data about other individuals & Business. The DPA 1998 covers from the initial collection of data through its final deletion or destruction. The main term used in the IT industry is Data Processing which is extremely wide and it can be either usage of data, alteration of data, retrieval, data transmission or destruction of data.
The Data Protection Act 1998 is a United Kingdom Act of Parliament  which came into force early in 1999 and replaced the Data Protection Act 1984. The Act defines law on the processing data of living people. It is one of the main laws of legislation that governs the protection of personal data. Under this act, those who manage or use personal information have to follow rules or principles that are defined in the DPA. It also provides rights to individuals over their personal information. Some of the individual rights under DPA include access, compensation and the prevention of processing.
The basic principle of DPA is protecting privacy and a way in which each individual can control information about them. Also it defines a way in which organisations should carry their marketing strategy, through any communication media. Most of the act does not apply to domestic use, for example keeping personal address book. Well, if anyone holds personal data for other purpose he should follow this Act. The DPA also ensures that the data controller or the computer bureau will be liable for processing operation against the DPA Principles.
The Data Protection Act 1984 was introduced in UK legislation to provide special protection to individuals. The Act was adopted by the European Parliament after a lengthy discussion sessions. They adopted a proposal for a directive on the processing of personal data and on the transfer of such data. Certain protections where given in scenario where the personal information relating to them was handled, such as large business organisations and in emerging information technology. Data given from one party to another party may only be used for the specific purpose it was disclosed for. The data should be only kept for a limited period of time and must not be disclosed to other party without the authorisation of data owner. The term 'Processing' and 'Personal data' had a great impact in transformation during the DPA 1984. The 'Personal data' covers both the data in electronic and manual form. And the term 'Processing' became wide in such a way that nothing could be carried out in relation to personal data under this definition.
The Data Protection Registrar was the regulatory authority who oversees the implementation and functionality of the act. Later it was followed up by the Data Protection Act 1998, which is an implementation of European Union Directive 95/46/EC. In DPA 1998 it renamed the Data Protection Registrar to Data Protection Commissioner. The functionality of Data Protection Commissioner is to ensure the compliance by publics by taking the necessity steps. The current Information Commissioner is Richard Thomas, he has the authority to inform parliament directly. The other function of commissioner is to provide guidance, promote good practice which falls under the Act. It also provides helpline services by phone or written request. The commissioner also acts like a legal adviser to the data controller's and has developed & issued many documents for the data controller for implementing and interpretation of their duties.
Some of the documents include:
- Code of Practice for CCTV users;
- Code of Practice on Employment Practices, which include codes on Recruitment and Selection; Records Management; Monitoring at Work and Medical Information about the employees.
- Code of Practice on Telecommunications Directory Information and Fair Processing.
The Principles of DPA 1998
The DPA 1998 contains eight data protection principles in relation to the processing of personal data. They are
- Personal data should be processed fairly and lawfully.
- Personal data should only be obtained for one or more specified and lawful purposes, and it should not be further processed in any manner incompatible with these purposes.
- Personal data should be adequate, relevant and not excessive in relation to the purposes for which they were collected or processed.
- Personal data should be accurate and where necessary kept up to date.
- Personal data should not be kept longer than is needed for its intended purpose.
- Personal data should be processed in accordance with the rights of the individual which the information concerns.
- Appropriate technical measures should be taken against unauthorised or unlawful processing or destruction of personal data and against accidental loss or destructionor damage to personal data.
- Personal data should not be transferred outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The First Data Protection Principle
The first data protection principle says that "Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
- At least one of the conditions in Schedule 2 is met, and
- In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."
In the first principle, by fairly and lawfully it means that any processing of personal data must be allowed by common law. Fair processing states that any all the processing must be fair without any misleading. The processing should be carried out without any deception. The important point of view of the first principle is obtaining and disclosing personal data, which covers the whole life cycle of personal data used by the data controller. The data controller should have legitimate reasons for collecting and processing the personal data and should not use the data in such a way that have unjustified adverse effects on the individual concerned.
The Lawful processing also defines that the data subjects should be provided with information during the time of collecting the data, on why and how their data are being processed. This information is provided in the Fair Processing Notice. The notice should include the basic information given below:
- The identity of the data controller who process the personal data.
- The purposes for which the personal data are intended to be processed.
- To whom the personal data may be disclosed to, for example, a government department or agency.
- And any further information regarding the processing, to ensure the subject, that the data controller does not do anything unlawful with the data.
Conditions to be Satisfied for Fair Processing
In addition to the Fair Processing Notice, there are some more conditions that should be met. The conditions are listed in Schedule 2 of the Act. There are six conditions for processing personal data in Schedule 2; the personal data should not be processed unless one of the conditions is met.
Schedule 2 conditions
- The data subject has given his consent for processing.
- If it is for performing or entering a contract with the data subject.
- The data controller is under a legal obligation, other than under contract
- For the purpose of protecting the vital interest of the data subject.
- It is for the administration of justice, exercising functions under an enactment, exercising of government functions, or the exercise of any other functions of a public nature in the public interest
- It is for the pursuit of the legitimate interests of the data controller.
In the case of sensitive personal data, one of the conditions in Schedule 2 and Schedule 3 must also be met for Fair Processing.
Schedule 3 Conditions
- explicit consent has been given by the data subject
- it is for the exercise of rights or obligations in connection with employment
- it is to protect the vital interests of the data subject or anyone else
- it is part of the legitimate activity of a not for profit organisation
- the personal data have already been made public by the data subject
- it forms part of legal proceedings, including obtaining legal advice, and exercising or defending legal rights
- it is for the administration of justice, or exercising functions under an enactment, or exercising of government functions
- it is for medical purposes
- it is for the purpose of monitoring equality of opportunity
The Second Data Protection Principle
The Second Principle "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes", explains the requirement for specifying the purpose for which it obtains the personal data. It also means that, the organisation who obtains the personal data should clearly specify the reason to the ICO, why they are collecting and what they intend to do with the personal data. The organisation should also notify the process to the Information Commissioner.
The data controller can send privacy notices regarding the process to make it more effective. Privacy notices are generally given at the time of collecting personal data. Data controller should also need to get prior consent to use or disclose the personal data for the purpose other than he originally obtained for.
The Third Data Protection Principle
The third principle of the Data Protection Act states three conditions or requirements to the data controller. The data controller should not obtain any more personal data than they need for the processing nor they should discard any personal data. The data must be adequate, relevant and not excessive. Also the data controller is not authorised to process whatever information he likes about the individual.
The third principle also states that the data controller should identify the minimum required information on each individual to fulfil their purpose. Only in certain cases he can hold additional information about certain individuals for the processing. A simple example for this is a surgeon before performing a surgery he should know about the patient medical conditions, such as his medical history, his habits (like drinking, smoking... etc), information from medical checkups. If the patient has to undergo a major heart operation, the surgeon will also look upon patient family member's medical history also. If the parents have asthma, blood pressure, etc.
In organisation the same process is taking place in a different manner during the recruitment process. The employees are asked same in depth question regarding their personal information. The third principle is strongly linked to the first principle. Processing of personal data which is inadequate, irrelevant or excessive is unfair to the data subject. The first principle requires fairness in processing. The excessive information can be something that the organisation keeps for certain conditions, like in a manufacturing factory they will keep the blood group of their entire employee who works in a hazardous environment and this information is needed only in case of accidents. Such information are likely to be irrelevant and excessive for the rest of the employees.
The Fourth Data Protection Principle
The Act says that "Personal data shall be accurate and, where necessary, kept up to date". Once the data controller overcomes the first and second principles of DPA, the next main fact to consider is the data quality, in which accuracy plays the main role. There are two obligations in the fourth principle that should be taken care off.
Firstly, the data should be accurate. The data controller should take necessary steps to ensure the accuracy of data in regard to the purpose for which it is collected and further processed. Incomplete information will be inaccurate if it misleads. Even though if the actual given data happens to be true, there will be a misleading if the two data subjects are identical. In such cases more information will be needed to keep it more accurate for the data controller to identify. If the data controller makes decision on the result of inaccurate processed data, then he will be breaking the first data protection principle which indicates the strong link between accuracy and fairness in data processing.
Secondly, the data controller should also see that the personal data are kept up-to-date. This condition depends upon the case where personal data are subjected to repeated use for a long period of time. In such cases data controller has to take more review on personal data. If the data subject notifies the data controller that the data is inaccurate, then he should ensure the changes are made to the data to keep it up-to-date.
If a data subject suspects that the information held about him is inaccurate, he will have to see the personal data which the data controller holds. The data subject can make an access request under section 7, for accessing a copy of his personal data held by the data controller. If the court is satisfied with the data subject, then the court may order the data controller to rectify, block, erase, or destroy the personal data. If the processing had caused damage to the data subject then the court will order to give compensation.
The Fifth Data Protection Principle
The Fifth Act says that "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". The data controller should review, for how long the personal data is retained. He shall also retain the data for performing purpose other than the original purpose for which it was obtained. The main element of the fifth principle is to show the reason for which the personal data is held. If the data controller fails to show a sufficient reason for holding the data then, he should get rid of the data.
If the personal data is kept for a long time there is a chance that the information will go out of date causing error. It also becomes difficult to ensure that the information is accurate. Even if the information is no more needed, the data controller should make sure that it is held securely. Reviewing personal data regularly and deleting those no longer needed is a good practice. The data that should be retained must be archived or put offline.
The personal data are retained only in certain scenarios depending upon the current and future scope of the information. Major concerned things for retaining data are the cost, liability and risks for retaining the personal information.
The Sixth Data Protection Principle
The sixth DPA principle says that "Personal data shall be processed in accordance with the rights of data subjects under this Act" . The sixth principle gives rights to the individual in respect of personal data the organisation hold about them. Under this principle certain rights for individual are mentioned they are:
- Access to personal data.
- Preventing process likely to cause damage or distress.
- Prevent direct marketing.
- Automated decision making.
- Correcting inaccurate personal data.
Access to personal data is commonly referred to as subject access. It is created by section 7 of the DPA. This is mostly used by data subjects who want to see the copy of personal data which the organisation holds about them. The data subjects are entitled only to their own data. By giving a written request an individual is entitled to know whether any personal data is being processed. The organisation should also inform him the reasons it is being processed and whether it will be given to any other organisation.
The second right says that the data subject can demand the organisation to stop the processing if it causes damage or distress to the data subject. The individual can write an objection stating the damage or distress faced by them to the data controller. This is called "Objection to processing". The objection should clearly specify the effect of processing.
For example, consider the scenario where a person is refused a job in an manufacturing company because the company came to know from a third party that the man is unsuitable for job because he was one among the trade union activists. The third party will be having a blacklist containing names of people who are unsuitable to be employed in a manufacturing company. The suffering person can write to the data controller who maintains the blacklist and ask him to remove his name from the list. He can show that he is suffering damage and distress because of this processing. In this case the data controller should cease processing the persons information and respond to his mail within 21 days.
The data subjects also have the right to prevent their data being processed for Direct Marketing. They can give an 'objection to processing' to halt the usage of their data for direct marketing. Direct marketing includes junk mails that are not addressed to a particular person but to the occupier. For example, mails posted through every letter box in a street, like leaflets, shop advertisements, etc. The direct marketing does not just refer to selling items to customers but also includes promotions and campaigns. The data subject may ask the organisation to delete these details from database. But it is preferable to suppress the personal data. Suppressing involves just retaining only enough information about the customers. It also ensures that the organisation not sends marketing to people who have asked not to and helps retaining individual information in the database.
Data subjects also have the right to inform the data controller, not to make automated decision using their personal data and can ask to reconsider the decision taken by automated means. The data controller should inform the data subject when such a situation is taken. These types of decision are taken without any human intervention. For example, consider a person who transfers his cash from one account to other and the transfer gets declined automatically. This might have happened because the individual's information did not match the pre-defined criteria in the automated system. He may undertake manual process to do the transfer.
According to the fourth principle the data should be accurate. If the data is inaccurate, the data subject has the right to apply the court for releasing an order to block, rectify, erase or destroy the inaccurate information. The court may investigate whether this statement is true or not. If the individual has suffered from damage or distress then he will be awarded compensation.
The Seventh Data Protection Principle
The seventh DPA ensures the security of personal data undergoing process. The principle says that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". This principle is often called security principle. The data controller should take proper care of data which he holds not accidentally or deliberately compromise. He should also need to design and organise the security to fit to the process. Also make sure about the person in his organisation that is responsible for the data information security. The data controller should adopt appropriate measures against
- Unauthorised processing of personal data.
- Unlawful processing of personal data.
- Accidental destruction, damage or loss to personal data.
Technical measures/security includes the use of passwords and other authentication techniques, encryption and anti-virus software to detect malwares. . He should also ensure to keep up to date with the development of security technologies, make sure that well trained and reliable staffs with robust physical and technical security are used. As a part of notification process the data controller should describe the Information Commissioner about the security arrangements made in the organisation to keep the personal data.
The Eight Data Protection Principle
The eighth DPA says that "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data". The data controller requires informing individuals about the disclosure of their personal data to other overseas parties. Before making the data transfer to a third party, the data controller should consider whether he can achieve his aims without processing the original data and there should be some substantive processing conducted on the personal data in the third country. The condition will not apply in the case where it is not possible to identify individuals from the information. In this type of cases the data controller are free to transfer the information outside the EEA.
A transfer is said to have occurred when the personal data is send to other country. If the data controller puts the personal data on a website will often results in data transfer to other countries outside the EEA. The transfer occurs when someone outside the EEA access the website. The data controller should also consider the fact that a transfer occurs while putting personal data on websites and sees whether it is fair for the concerned data subject. Currently, there are no restrictions on personal data transfer to EEA countries. They are: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, and Slovenia.
The European Commission will also undergo a case to case assessment of the level of protection affordable by the third country. All the circumstances surrounding the data transfer are assessed. In addition to this consideration must be also given to:
- The nature of personal data.
- How long will the proposed process last.
- The country of origin of personal data and the destination to which it will be transferred.
- The security measures and professional rules in the destination country.
Certain countries have been considered for having adequate protection by the European Commission. They are Argentina, Canada, Guernsey, Isle of Man, Switzerland, and Jersey.
I hope this report would have given a brief idea about the Data Protection Act 1998. This report also mentions the different principles concerned with DPA, the way that a data controller should follow for lawful and fairness processing. Proper care should be taken while handling personal data, still cyber threats are done by accruing the mobile numbers of individuals and pinpointing them by identifying the co-ordinates of the SIM location. So the firms or organisation should ensure that they pay more attention to DPA for the safety and privacy of people.
- DPA - Data Protection Act 1998
- ICO - Information Commissioner's Office
- EEA - European Economic Area
- SIM - Subscriber Identification Module Card
- Stewart Room, 2007, "Data Protection & Compliance in Context", Published by CAPDM.
- City Of London, Data Protection Act, Available at: http://www.cityoflondon.gov.uk/Corporation/LGNL_Services/Council_and_democracy/Data_protection_and_freedom_of_information/Data_protection_act.htm Accessed on [Jan 10,2010]
- Wikipedia, Data Protection Act 1998, Available at: http://en.wikipedia.org/wiki/Data_Protection_Act_1998 Accessed on [Jan15,2010]
- Lancaster University Data Protection Project, 2001, the Data Protection Principle. Available at: http://www.dpa.lancs.ac.uk/principles.htm Accessed on [Jan16, 2010].
- ICO, Processing personal data for specified purposes (Principle 2), Available at : http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_2_processing_personal_data_for_specified_purposes.aspx Accessed on [Jan 24,2010]
- ICO, Keeping personal data accurate and up to date (Principle 4)Available at : http://www.ico.gov.uk/for_organisations/data_protection_guide/principles_3_to_5_information_standards/keeping_personal_information_accurate_and_up_to_date.aspx . Accessed on [Jan 24,2010]
- ICO, Retaining personal data (Principle 5).Available at: http://www.ico.gov.uk/for_organisations/data_protection_guide/principles_3_to_5_information_standards/retaining_personal_data.aspx . Accessed on [Jan 24,2010]
- ICO, The rights of individuals (Principle 6).)Available at: http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_6_the_rights_of_individuals.aspx . Accessed on [Jan 26,2010]
- ICO, Information security (Principle 7).Available at: http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_7_information_security.aspx . Accessed on [Jan 26,2010]
- ICO, Sending personal data outside the European Economic Area (Principle 8).Available at: http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_8_sending_personal_data_outside_the_eea.aspx . Accessed on [Jan 26,2010]
- Peter Carey,2004, "Data Protection Handbook", Published by Law Society.
Piers Leigh-Pollitt & James Mullock, 1999, "The Data Protection Act Explained", Second Edition 2000,Publlished by Osborne Clarke.