The Data Protection Act 1998
When does the Act apply?
The Act applies whenever a person or organisation processes personal data.
The words “processing” and “personal data” both have technical meanings under the Act, but generally it is sufficient to know that:
- processing covers virtually all conceivable uses to which data can be put, including its collection and destruction; and:
- personal data essentially means all information relating to an individual from which they can be identified, which is stored on a computer, or to a certain extent, in organised manual files.
What does the Act require?
The Act requires the data controller (the person or organisation who determines the purposes for which the personal data is used) to ensure the personal data is processed in accordance with the following 8 principles:
Data protection principles – data must be:
- fairly and lawfully processed;
- processed for specified and lawful purposes;
- adequate, relevant and not excessive;
- kept accurate and up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the data subject;
- kept secure; and
- not transferred to other countries without adequate protection.
If you are a data controller, you must register with the Information Commissioner, unless you hold and use personal information only for the following purposes: staff administration and payroll; marketing your own business; or accounts and records (ie records of work done and accounts for goods and services that you provide).
Fair processing
In order to satisfy the first data principle (“fair and lawful processing”) the data controller must ensure that the processing meets one of the following conditions:
Fair processing conditions - that:
- the data subject has consented to the processing; or
- the processing is necessary for performing a contract to which the data subject is a party, or taking steps at the request of the data subject with a view to entering into a contract; or
- the processing is necessary for compliance with any legal obligation to which the data controller is subject (other than a contractual obligation); or
- the processing is necessary in order to protect the vital interests of the data subject; or
- the processing is necessary for the administration of justice or to fulfil a statutory, Crown, Ministerial, governmental or other public function; or
- the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where it unwarrantedly interferes with the rights or legitimate interests of the data subject.
Sensitive personal data
Where the data controller processes “sensitive personal data”, one of the following further conditions must be met.
Fair processing conditions for sensitive personal data – that:
- the data subject has given explicit consent to the processing; or
- the processing is necessary for exercising or performing a right or obligation of the data controller under employment law; or
- the processing is necessary in order to protect the vital interests of the data subject and where consent cannot be obtained or is unreasonably withheld; or (we have removed here a condition which only applies to certain not-for-profit organisations)
- the data subject has deliberately made public the data that is being processed; or
- the processing is necessary for the administration of justice or to fulfil a statutory, Crown, Ministerial or governmental function.
What rights do individuals have under the Act?
Individuals are entitled to request a copy of their personal data from a data controller. The request must be made by the data subject in writing. There are certain limited exemptions which can justify the data controller not providing a copy of some personal data.
Individuals also have the following additional rights:
- A right to have inaccurate data about them corrected (deriving from the fourth data protection principle and supported by a right to apply to court to have inaccurate data rectified);
- A limited right to object to automated decision making by a computer with no human involvement (for example, decisions about credit worthiness or school or work performance);
- A right to prevent processing of their personal data for direct marketing; and
- A right to prevent processing where it is likely to cause substantial damage or substantial.distress.
The Information Commissioner’s Office has powers of investigation andm enforcement in relation to complaints made by members of the public regarding non-compliance with the Act. Individuals may also have the right to claim compensation through the courts in some cases
How can we assist?
- Auditing your organisation’s data protection compliance.
- Drafting privacy policies and fair processing notices which give appropriate information to your customers in order to comply with the Act’s requirements for fair processing.
- Advising you in relation to specific data protection issues, such as requests for personal data from data subjects or third parties.
- Drafting ‘data processing agreements’ which impose appropriate obligations on organisations to which you outsource processing of personal data.
For Further information please contact:
Austin Flynn by email or telephone 0131 247 1260
Callum Murray by email or telephone 0131 247 1237
