The Data Protection Act 1984

The Purpose of the Act

The Act gives rights to individuals about whom data is recorded on computer. They may find out information about themselves, challenge it if appropriate and claim compensation in certain circumstances.

The Act places obligations on those who record and use personal data in that they have to be open about that use, by registering it on the Data Protection Register, and follow sound and proper practices known as the Data Protection Principles.

What the Act Covers

The Act only applies to automatically processed information, broadly speaking information which is processed by a computer. It does not cover information which is held and processed manually, i.e. ordinary paper files.

The Act does not cover all computerised information but only that which refers to living individuals. So it does not cover information which relates only to a company or an organisation.

Some definitions used in the Act are listed below.

Personal Data

- Information recorded on a computer about living, identifiable individuals.

Statements of fact and expressions of opinion about an individual are personal data but an indication of the data user's intentions towards an individual is not.

Data Subject

- An individual to whom personal data relates.

Data Users

- People or organisations who control the contents and use of a collection of personal data. A data user will usually be a company, corporation or other organisation but it is possible for an individual to be a data user.

Computer Bureaux

- People or organisations who process personal data for data users or who allow data users to process personal data on their computers.

Data which are exempt from the Act

The Act does not apply to all personal data; some purposes are exempt.

- personal data held by an individual in connection with personal, family and household affairs or for recreational purposes.

- personal data used only for calculating and paying wages and pensions, keeping accounts or keeping records of purchases in order to ensure that appropriate payments are made.

- personal data used for distributing articles or information to the data subjects. Under this exemption only a very small amount of data can be held, usually only the name and address.

- personal data held by an unincorporated members' club if the members all agree.

- personal data which the law requires the user to make public, e.g. personal data in the electoral register kept by an Electoral Registration Officer.

- personal data which are required to be exempt to safeguard national security.

The Data Protection Register

Every data user who holds personal data must be registered, unless all the data are exempt.

The data user's register entry is compiled by the Registrar from the information given in the application. This entry contains the data user's name and address together with broad descriptions of

- the personal data which the data user holds

- the purposes for which the data are used

- the sources from which the data user intends to obtain the information

- the people to whom the data user may wish to disclose the information

- any overseas countries to which the data user may wish to transfer personal data

The Registrar can refuse registration if the application contains insufficient information.

Data users and computer bureaux who should have registered but have not commit a criminal offence.

Registered data users commit a criminal offence if they knowingly or recklessly operate outside the descriptions contained in their register entries.

The Data Protection Principles

The First Principle

The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

In considering whether information has been unfairly obtained the Registrar will take account of all the circumstances of obtaining and the method by which it was obtained.

Processing is defined by the Act to mean amending, adding to, deleting or re-arranging the data or extracting the information that forms the data. The Registrar takes the view that fairness will need to be judged by reference to the purpose of the processing, the nature of the processing itself and to its consequences for the individual affected by it. For example, it would be unfair for a data user to process personal data with the result that unsolicited marketing material is sent to an individual who has informed the data user that he does not wish to receive such material.

The Second Principle

Personal data shall be held only for one or more specified and lawful purposes.

A specified purpose is one described in the register entry of the data user.

The Third Principle

Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

Use of personal data for any purpose is permitted, without breach of the Act, so long as the use of those personal data for that purpose is described in the data user's register entry.

Disclosure of personal data to any person is permitted, without breach of the Act, so long as the data user has registered that he intends, or may wish, to disclose those personal data to people of that description.

It is important to understand that the Act does not prevent a data user from disclosing information about an individual if the user wishes to do so, provided that

- the person to whom the disclosure is made is described in the disclosures section of the part of the data user's register entry which relates to those data, or

- the disclosure is made in circumstances covered by one of the non-disclosure exemptions.

The Fourth Principle

Personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or those purposes.

Whether or not information is adequate, relevant and not excessive will inevitably depend on the facts of a particular case.

If personal data are not kept up to date they may well become inadequate. If the data are kept for longer than is necessary then they may well be both irrelevant and excessive.

The Fifth Principle

Personal data shall be accurate and, where necessary, kept up to date.

Accurate means correct and not misleading as to any matter of fact. The Registrar will not merely seek to establish that there is a factual inaccuracy but will also wish to see whether the data user has taken all reasonable steps to prevent the inaccuracy.

The purpose for which the data are held or used will be relevant in deciding whether updating is necessary.

The Sixth Principle

Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Data users need to review their personal data regularly and to delete the information which is no longer required for their purposes.

The Seventh Principle

An individual shall be entitled

(a) at reasonable intervals and without undue delay or expense

(i) to be informed by any data user whether he holds personal data of which that individual is the subject; and

(ii) to access to any such data held by a data user; and

(b) where appropriate, to have such data corrected or erased.

In deciding what intervals are reasonable the Act says that three things must be considered:

- the nature of the personal data

- the purpose for which the data are held and

- how often the data are altered.

A data subject has no right to have personal data deleted merely because he would prefer that the data user should not keep that information about him.

The Eighth Principle

Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.

The prime responsibility for creating and putting into practice a security policy must rest with the computer user. The policy should seek to achieve

- that personal data can only be accessed, altered, disclosed or destroyed by authorised people

- that those people only act within the scope of their authority and

- that, should the data be accidentally lost or destroyed, they can be recovered so as to prevent any damage or distress being caused to the data subjects.

Enforcement of the Act

To ensure compliance with the principles the Registrar can serve three types of notices:

- an enforcement notice, requiring the data user to take a specified action to comply with the particular principle. Failure to comply with the notice would be a criminal offence.

- a de-registration notice, cancelling the whole or part of a data user's register entry. The data user would then be committing an offence if it continued to treat the personal data subject to the notice as though they were registered.

- a transfer prohibition notice, preventing the data user from transferring personal data overseas if the Registrar is satisfied that the transfer is likely to lead to a principle being broken. Failure to comply would be a criminal offence.

A person on whom a notice is served is entitled to appeal against the Registrar's decision to the Data Protection Tribunal, which consists of a legally qualified Chairman together with lay members who represent the interests of data users and data subjects.

Duties of the Data Protection Registrar

The Data Protection Registrar is an independent officer who is appointed by Her Majesty the Queen and who reports directly to Parliament. Her duties are to

- establish the Register of data users and computer bureaux and make it publicly available

- spread information on the Act and how it works

- promote compliance with the Data Protection Principles

- encourage, where appropriate, the development of Codes of Practice to help data users to comply with the Principles

- consider complaints about breaches of the Principles or the Act and, where appropriate, prosecute offenders or serve notices on registered data users and computer bureaux who are breaking the Principles.
