The Data Protection Act 1998

Why was the Data Protection Act developed?
  • To give protection.
  • To lay down rules about “how data about people can be used?”

The Data Protection Act (1998) states that organizations which store personal information must register and state the purpose for which they need the information.

The Data Protection Act covers:
Information or data stored on a computer or an organized paper filing system about living people in different departments such as:
  • Tax Office
  • Doctor / Dentist
  • National Insurance
  • DVLC (Driver and Vehicle Licensing Centre)
  • Police etc.

How the Act works (basics):
  • by setting up rules that people have to follow
  • having an Information Commissioner to enforce the rules

It does not stop companies storing information about people. It just makes them follow rules.

Who's involved?
  • The Information Commissioner, the person (and her office) who has powers to enforce the Act.
  • A data controller, a person or company that collects and keeps data about people.
  • A data subject is someone who has data about them stored somewhere, outside their direct control.

Registration with the Information Commissioner
Any organization or person who needs to store personal information must apply to register with the Information Commissioner.

A register of data controllers is kept detailing the data that will be stored, so they have to say in advance what information will be stored and how they will use it.

Each register entry contains the following information:
  • The data controller's name and address.
  • A description of the information to be stored.
  • What they are going to use the information for.
  • Whether the data controller plans to pass on the information to other people or organizations.
  • Whether the data controller will transfer the information outside the UK.
  • Details of how the data controller will keep the information safe and secure.

Personal data and information
Some data and information stored on computer disks is personal and needs to be kept confidential, such as pay, bank details, and medical records.

If someone who is not entitled to see these details can obtain access without permission, it is unauthorized access. The Data Protection Act sets up rules to prevent this kind of unauthorized access to personal data and information.

Types of Personal Data
The Act sets up two types of personal data:

Personal data is about living people and could be:
  • their name
  • address
  • medical details or banking details

'Sensitive' personal data is also about living people, but it includes one or more details of a data subject's:
  • racial or ethnic origin
  • political opinions
  • religion
  • membership of a trade union
  • health
  • sexual life
  • criminal activity

There are more safeguards about sensitive data than ordinary personal data. Usually, a person must be asked specifically if sensitive data can be kept.

Responsibilities of data controllers
All data controllers must keep to the Eight Principles of Data Protection.

A data controller is the nominated person in a company who applies to the data commissioner for permission to store and use personal data.

The Eight Principles
For the personal data that controllers store and process:
  • Data must be kept secure.
  • Data stored must be relevant.
  • Data stored must be kept no longer than necessary.
  • Data stored must be kept accurate and up-to-date.
  • Data must be obtained and processed lawfully.
  • Data must be processed within the data subject rights.
  • Data must be obtained and specified for lawful purposes.
  • Data must not be transferred to countries without adequate data protection laws.

The rights of data subjects
People whose personal data is stored are called data subjects. The Act sets up rights for people who have data kept about them.

People's rights
  • A Right of Subject Access: A data subject has a right to be supplied by a data controller with the personal data held about him or her. The data controller can charge for this: usually a few pounds.
  • A Right of Correction: A data subject may force a data controller to correct any mistakes in the data held about them.
  • A Right to Prevent Distress: A data subject may prevent the use of information if it would be likely to cause them distress.
  • A Right to Prevent Direct Marketing: A data subject may stop their data being used in attempts to sell them things (e.g. by junk mail or cold telephone calls).
  • A Right to Prevent Automatic Decisions: A data subject may specify that they do not want a data user to make "automated" decisions about them where, through points scoring, a computer decides on, for example, a loan application.
  • A Right of Complaint to the Information Commissioner: A data subject can ask for the use of their personal data to be reviewed by the Information Commissioner, who can enforce a ruling using the Act. The Commissioner may inspect a controller's computers to help in the investigation.
  • A Right to Compensation: The data subject is entitled to use the law to get compensation for damage caused ("damages") if personal data about them is inaccurate, lost, or disclosed.

What data is exempt from the Act?
There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act.

Complete exemptions
  • Any personal data that is held for a national security reason is not covered.
  • Personal data held for domestic purposes only at home, e.g. a list of your friends' names, birthdays and addresses, does not have to keep to the rules.

Partial exemptions
Some personal data has partial exemption from the rules of the Act. The main examples of this are:
  • The taxman or police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files.
  • A data subject has no right to see information stored about him if it is to do with his/her health. This allows doctors to keep information from patients if they think it is in their best interests.
  • A school pupil has no right of access to personal files, or to exam results before publication.
  • A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
  • Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
  • Employment references written by a previous employer are exempt.
  • Planning information about staff in a company is exempt, as it may damage the business to disclose it.