We decided to publish a Data Protection Act (1998) Summary to help companies assess their compliance needs in relation to data. The Act has a reputation for its complexity: this Summary will give you a good working knowledge of its key provisions.
Who must comply with the Act, and for what?
The 1998 Act sets rules for organisations, businesses and the government. Let’s clarify what the Act means by “personal information”, and therefore by “data”.
Any element that identifies an individual, or makes an individual identifiable, qualifies as personal data. The DPA provisions do not apply to (truly) anonymised data. Sensitive information, such as ethnic background, political opinions, religious beliefs, health, sexual health and criminal records, receives stronger legal protection under the Act.
“Individuals” refers to both customers and staff. The Act applies to data stored on computers or in organised filing systems, but does not apply to data used for purely domestic purposes, such as a personal address book.
Different companies, different obligations.
If a company needs to store customers’ and staff’s personal data in order to perform its business activities, it is classified as a ‘Data Controller’ under the DPA 1998. A data controller has a legal obligation to notify the Information Commissioner’s Office (ICO) that it is handling personal data in compliance with the DPA.
If a company processes data on behalf of a controller, it qualifies instead as a ‘Data Processor’. As a data processor, a company has no obligation to notify the ICO of its status, but it is still required to follow the DPA principles. Among the conditions that make processing lawful, a key one is the legitimate interest of the processor: that is to say, a business that processes data only to meet its core business needs is more likely to be in compliance.
Data Protection Act 1998: a summary of the key principles.
Understanding the principles underlying the DPA 1998 will give a company guidance whenever it is unsure how it should handle its data.
The data obtained must be used fairly and lawfully, which implies due diligence and good faith in the way a company processes and benefits from the information it holds. Data must be used for limited, specifically stated purposes, in a way that is adequate, relevant and not excessive. Data minimisation is key: the use and amount of data must be proportionate to the business needs, and never exceed them. The information should be accurate, to avoid misrepresenting your customers and staff. The data must be kept for no longer than is absolutely necessary, and it must be kept safe and secure. For the purposes of the Act, retention periods and storage methods form part of the “data minimisation and security” concept: they mark the line between use and abuse.
As a company, you must guarantee individuals access to their own data.
A company must ensure that data is handled in accordance with people’s data protection rights: this means that an organisation must put in place mechanisms to ensure that those rights can be fully exercised by their owners. In particular, each organisation must ensure that the individual can: access a copy of the information held about them; object to the processing of their data; prevent processing for direct marketing; have inaccurate personal data rectified, blocked, erased or destroyed; and claim compensation for damage caused by a breach of the Act.
Data travelling abroad
Data should not be transferred outside the European Economic Area without adequate protection. If your company stores data in the cloud, runs an e-commerce business or uses third-party services to process the data, this requires extra attention. “Adequate protection” is not a matter of personal judgement: there are relevant lists of countries, standard contractual clauses and binding corporate rules that may apply to you. We strongly advise companies to seek qualified help to ensure this type of compliance.
You need to obtain individual consent
The individual must always give consent to the collection of his/her information: that consent must cover the purposes for which the information will be stored and processed.
The 1998 Act does not specifically define consent. However, the DPA was originally enacted to comply with the 1995 European Data Protection Directive. The Directive defines consent as a freely given, informed and specific expression of an individual’s wishes. There is scope to obtain consent in a form other than writing, but non-communication or silence on the matter never qualifies as consent. Sensitive data will always require explicit consent.
Individuals have the right to withdraw their consent. The expression of consent, and its content, must be appropriate to the individual’s age and to the nature of the relationship. For instance, keeping data after a business relationship has ended requires specific agreement from the individual. Crime, national security, taxation and domestic use of data are general exceptions to the principle of obtaining consent.
Data Protection Act 1998: a summary of offences and breaches
Processing personal information without registration, failing to comply with the notification regulations, unlawfully obtaining personal data (that is, without consent), and forcing an individual to obtain information about their own criminal record for the purpose of recruitment are among the offences listed in the Act. Generally speaking, performing an operation contrary to the Act’s principles will ultimately amount to a breach of its provisions.