Why is it critical for your organisation to comply with the Data Protection Act?
The Data Protection Act 1998 (“DPA”) lays down eight data protection principles that any organisation processing personal data must comply with.
What does the DPA cover?
The DPA came into force on 1 March 2000. The DPA implemented the European Union (“EU”) Directive on data protection into UK law, introducing radical changes to the way in which personal information about identifiable living individuals can be used. The constant need for companies to process personal data means that the DPA affects most organisations, irrespective of size. In addition, the public’s growing awareness of their right to privacy means that data protection will remain an important issue.
The DPA draws a distinction between personal data and sensitive personal data. Personal data includes personal information relating to employees, customers, business contacts and suppliers. Sensitive data covers an individual’s ethnic origin, medical conditions, sexual orientation and eligibility to work in the UK. The data protection principles set out the standards which an organisation must meet when processing personal data. These principles apply to the processing of all personal data, whether the data are processed automatically or stored in structured manual files.
What is data?
Data means information which is processed by computer or other automatic equipment, including word processors, databases and spreadsheet files; or information which is recorded on paper with the intention of being processed later by computer; or information which is recorded as part of a manual filing system, where the files are structured according to the names of individuals or other characteristics, such as payroll number, and where the files have sufficient internal structure so that specific information about a particular individual can be found easily.
What are the eight data protection principles?
The eight data protection principles are as follows:
1. Personal data must be processed fairly and lawfully.
2. Personal data must be obtained only for specified and lawful purposes and must not be processed further in any manner incompatible with those purposes.
3. Personal data must be adequate, relevant and not excessive in relation to the purposes for which they have been collected.
4. Personal data must be accurate and, where necessary, kept up to date.
5. Personal data must not be kept longer than is necessary for the purposes for which they were collected.
6. Personal data must be processed in accordance with the rights of data subjects.
7. Personal data must be kept secure against unauthorised or unlawful processing and against accidental loss, destruction or damage.
8. Personal data must not be transferred to countries outside the European Economic Area unless the country of destination offers an adequate level of data protection for those data.
What data comprises personal data?
Personal data relates to data about living individuals who can be identified from those data, or from those data and other information which is in the possession of the data controller or which is likely to come into its possession; for instance, the names, addresses and home telephone numbers of employees.
What information comprises sensitive data?
Sensitive personal data (“sensitive data”) consists of information relating to a data subject’s (an individual’s):
racial or ethnic origin
religious beliefs or other beliefs of a similar nature
trade union membership
physical or mental health or condition
commission or alleged commission of any offence
convictions or criminal proceedings involving the data subject.
What is the meaning of processing under the DPA?
The definition of ‘processing’ is very broad. It covers any operation carried out on the data and includes obtaining or recording data, the retrieval, consultation or use of data, and the disclosure or otherwise making available of data.
Who is a data controller?
A ‘data controller’ is any person who (alone or jointly with others) decides the purposes for which, and the manner in which, personal data are processed. The data controller will therefore be the legal entity which exercises ultimate control over the personal data. Individual managers or staff are not data controllers.
Personal data about identifiable living individuals
Deciding how and why personal data are processed
Data handling – complying with the eight data protection principles
Obtaining data subjects’ consent for processing sensitive data
Existing procedures for handling sensitive or personal data
Security measures to safeguard personal data
Who is a data processor?
A ‘data processor’ is a person or organisation who processes data on behalf of the data controller, but who is not an employee of the data controller.
Who is a data subject?
A ‘data subject’ is any living individual who is the subject of personal data. There are no age restrictions on who qualifies as a data subject, but the definition does not extend to people who are deceased.
Are we required to notify? What does notification mean?
An organisation must not process any personal data unless it has first notified the Data Commissioner of certain particulars, such as:
the organisation’s name and address
the purposes for which the data are to be processed
any proposed recipients of the data
countries outside the European Economic Area to which the data may be disclosed.