Data Protection Act – The Basics
The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details. The legislation itself is complex and, in places, hard to understand.
However, it is underpinned by a set of eight straightforward, common-sense principles. If you make sure you handle personal data in line with the spirit of those principles, then you will go a long way towards ensuring that you comply with the letter of the law.
Does the Data Protection Act apply to me?
This might seem an obvious question. However, the Act applies to a particular activity – processing personal data – rather than to particular people or organisations. So, if you “process personal data”, then you must comply with the Act and, in particular, you must handle the personal data in accordance with the data protection principles. Broadly, however, if you collect or hold information about an identifiable living individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of the Data Protection Act is therefore very wide as it applies to just about everything you might do with individuals’ personal details.
Do I need to notify the Information Commissioner?
If you are processing personal data you usually have to notify the Information Commissioner about this. Failure to notify is a criminal offence.
Notification is how an organisation informs us of certain details about its processing of personal data. The Information Commissioner is required to maintain a register and we use these details to make an entry in the register describing the processing.
The main purpose of notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know (or be able to find out) who is processing personal data, plus other details about the processing (such as why it is being carried out).
So notification serves the interests of individuals by helping them understand how organisations process personal data.
However, it is not intended (nor practical) that the register should contain very detailed information about an organisation’s processing. The aim is to keep the content general, with enough detail to give an overall picture of the processing. You only need to give more detail to satisfy specific statutory requirements or if there is particular sensitivity.
The Act provides an exemption from notification for some organisations. The exemption is available for:
- organisations that process personal data only for:
  - staff administration (including payroll);
  - advertising, marketing and public relations (in connection with their own business activity); and
  - accounts and records;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register;
- organisations that do not process personal information on computer; and
- individuals who process personal data only for domestic purposes.
Are there any other exemptions from the Act?
The Data Protection Act contains a number of other exemptions from the rights and duties in the Act. You must process personal data in accordance with the Act unless one of these exemptions applies.
The exemptions either allow for the disclosure of information where there would otherwise be a breach of the Act or allow information to be withheld that would otherwise need to be disclosed. They are designed to accommodate special circumstances, for example when processing personal data:
- in connection with criminal justice, taxation or regulatory activities;
- that is required to be made public;
- where disclosure is required by law or is necessary for legal proceedings; or
- to provide a confidential reference.
It is important to note that each exemption is intended to apply only in very specific circumstances. So the fact that, for example, you are using personal data in connection with the criminal justice system or for regulatory purposes does not mean you can disregard the whole of the Data Protection Act.
Even if you are entitled to an exemption for your processing, this will not be a blanket exclusion of the rights and duties in the Act. You will need to look at the exemption carefully, in the light of your particular circumstances, to see what effect it has.
Do I have to reply to a subject access request?
Yes, unless an exemption applies. One of the main rights which the Act gives to individuals is the right of access to their personal data. An individual may send you a “subject access request” requiring you to tell them whether you are processing their personal data and, if so, to provide them with a copy and with certain other information.
In most cases you must respond to a valid subject access request within 40 calendar days of receiving it. However, you do not have to grant subject access in respect of personal data to which an exemption applies. An exemption might apply because of the special circumstances in which you are processing (see previous page) or because of the nature of the data. This is sometimes the case, for example, with data relating to an individual’s physical or mental health.
In addition, certain restrictions similar to exemptions are built into the Act’s subject access provisions. For example, there are restrictions on the disclosure of personal data about more than one individual.
Subject Access Request Summary
What should I do if an individual complains about what I am doing with their personal data?
You should carefully consider such a complaint. It is good practice to provide a reasoned response to all complaints and, depending on what the complaint is about, the Data Protection Act may require you to do so. The Act may also require you to stop, or change, what you are doing with an individual’s personal data following a complaint. In particular, you might have to:
- correct or delete information about an individual which is inaccurate;
- stop processing their personal data for direct marketing; or
- stop processing their data completely or in a particular way (depending upon the circumstances).
What does “fair processing” mean?
The first data protection principle requires you to process personal data fairly and lawfully. Ensuring fairness in everything you do with people’s personal details is central to complying with your duties under the Data Protection Act. In practice, it means that you must:
- have legitimate reasons for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be open and honest about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. Assessing whether the information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
What is a privacy notice?
One of the requirements of the Act’s fair processing provisions is that certain information is given to the individuals concerned. The oral or written statement that individuals are given when information about them is collected is often called a “privacy notice” or a “fair processing notice”.
In general terms, a privacy notice should state:
- your identity and, if you are not based in the UK, the identity of your nominated UK representative;
- the purpose or purposes for which you intend to process the information; and
- any extra information you need to give individuals (in the circumstances) to enable you to process the information fairly.
When deciding how to draft and communicate a privacy notice, try to put yourself in the position of the people you are collecting information about. Ask yourself:
- do they already know who is collecting the information and what it will be used for?
- is there anything they would find deceptive, misleading, unexpected or objectionable?
- are the consequences of providing the information, or not providing it, clear to them?
Can I use personal data for a new purpose or disclose it to a third party?
It depends. You should explain why you want to use an individual’s personal data at the outset, based on your intentions at the time you collect it. If over time you devise new ways of using that information, perhaps because of changes in technology, you will be able to use their personal data for the new purpose if it is fair to do so.
As you develop the goods and services you offer, you should think about whether your customers are likely to reasonably expect you to use their personal data to offer them these products. If you are unsure about this, you should explain your intentions and, at the very least, give your existing customers an easy way to opt out. If you intend to make a significant change to what you do with personal data, you will usually need to get your customers’ consent.
Individuals should generally be able to choose whether or not their personal data is disclosed to another organisation, unless one of the Act’s specific exemptions applies. If you did not make your intention to disclose information to a third party absolutely clear at the outset, at a time when the individual could choose not to proceed, then you will usually need to get the individual’s consent before making such disclosures.
Can I send personal data overseas?
You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.
Must I encrypt all the information I store on computer?
Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction. Encryption might be a part of your information security arrangements – for example, in respect of confidential personal data stored on laptops or portable storage devices. On the other hand, you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose. Even where you do encrypt personal data, you will probably need to take additional steps to comply with the Act’s information security requirements.
What should I do if I lose personal data?
If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including:
- a recovery plan, including damage limitation;
- assessing the risks associated with the breach;
- informing the appropriate people and organisations that the breach has occurred; and
- reviewing your response and updating your information security.
Published with thanks to the Information Commissioner’s Office.