Frequently Asked Questions About Data Protection

Why is it important for your organisation to comply with the Data Protection Act?

The Data Protection Act 1998 (“DPA”) lays down eight data protection principles that any organisation processing information about individuals must comply with.

What does the DPA cover?

The DPA came into force on 1 March 2000. The DPA implemented the European Union (“EU”) Directive on data protection into UK law, introducing radical changes to the way in which personal data concerning identifiable living individuals can be used. The continuous need for businesses to process personal data means that the DPA impacts upon most organisations, irrespective of size. Moreover, the public’s growing awareness of their right to privacy means that data protection will remain an important issue.

The DPA makes a distinction between personal data and sensitive personal data. Personal data includes personal data relating to employees, customers, business contacts and suppliers. Sensitive data covers an individual’s ethnic origin, medical conditions, sexual orientation and eligibility to work in the UK. The data protection principles set out the standards which an organisation must meet when processing personal data. These principles apply to the processing of all personal data, whether those data are processed automatically or stored in structured manual files.

What is data?

Data means information which is processed by computer or other automatic equipment, including word processors, databases and spreadsheet files, or information which is recorded on paper with the intention of being processed later by computer, or information which is recorded as part of a manual filing system, where the files are structured according to the names of individuals or other characteristics, such as payroll number, and where the files have sufficient internal structure so that specific information about a particular individual can be identified quickly.

What are the eight data protection principles?

The eight data protection principles are as follows:

Personal data must be processed fairly and lawfully

Personal data must be obtained only for specified and lawful purposes and must not be processed further in any manner incompatible with those purposes

Personal data must be adequate, relevant and not excessive in relation to the purposes for which they were collected

Personal data must be accurate and, where necessary, kept up to date

Personal data must not be kept longer than is necessary for the purposes for which they were collected

Personal data must be processed in accordance with the rights of data subjects

Personal data must be kept secure against unauthorised or unlawful processing and against accidental loss, destruction or damage

Personal data must not be transferred to countries outside the European Economic Area unless the country of destination provides an adequate level of data protection for those data.

What information comprises personal data?

Personal data relates to data about living individuals who can be identified from those data, or from those data and other information which is in the possession of the data controller or which is likely to come into its possession, for example, names, addresses and home telephone numbers of employees.

What data comprises sensitive data?

Sensitive personal data (“sensitive data”) consist of data relating to a data subject’s (individual’s):

racial or ethnic origin

political opinions

religious beliefs or other equivalent beliefs

trade union membership

physical or mental health or condition

sexual orientation

commission or alleged commission of any offences

convictions or criminal proceedings involving the data subject.

What is the meaning of processing under the DPA?

The definition of ‘processing’ is very broad. It covers any operation carried out on the data and includes obtaining or recording data, the retrieval, consultation or use of data, and the disclosure or otherwise making available of data.

Who is a data controller?

A ‘data controller’ is any person who (alone or jointly with others) decides the purposes for which, and the manner in which, the personal data are processed. The data controller will therefore be the legal entity which exercises ultimate control over the personal data. Individual managers or employees are not data controllers.

The data controller is responsible for:

Personal data about identifiable living individuals

Deciding how and why personal data are processed

Information handling – complying with the eight data protection principles

Obtaining data subjects’ consent for processing sensitive data

Current procedures for handling sensitive or personal data

Security measures to safeguard personal data

Notification

Who is a data processor?

A ‘data processor’ is a person or organisation who processes the data on behalf of the data controller, but who is not an employee of the data controller.

Who is a data subject?

A ‘data subject’ is any living individual who is the subject of personal data. There are no age restrictions on who qualifies as a data subject, but the definition does not extend to individuals who are deceased.

Are we required to notify? What does notification mean?

An organisation must not process any personal data unless it has first notified the Information Commissioner of certain particulars, such as:

the organisation’s name and address

the purposes for which the data are to be processed

any proposed recipients of the information

countries outside the European Economic Area to which the data may be disclosed.