3e - Data Protection

Data Protection Legislation

Personal Privacy
Right to privacy is a fundamental human right
Development of databases has led to storage of much personal information without the knowledge or permission of the individual
It is often felt that even the use of names and addresses for mail shots is an invasion of privacy
The Data Protection Act of 1984 grew out of concern about personal privacy

Data Protection Acts of 1984 and 1998
The act covers ‘personal data’ which are ‘automatically processed’
It works on two levels:
To give individuals certain statutory rights
To require those who record and use personal data on computers to be open about the use and follow proper procedures
The Data protection Act of 1998 was passed to implement a European Data Protection Directive.
This sets a standard for data protection throughout all countries in the EU
It came into force in March 2000
Extended to include some manual records
Gave further rights to data subjects

The Data Protection Registrar
The 1984 Act established the office of Registrar
The 1998 Act changed the title to Data Protection Commissioner
With effect from 20 th January 2001 the title is now
Information Commissioner
whose duties include:
administering a public register of Data Controllers with broad details of the data held;
Disseminating information on the Act and how it works
Promoting compliance with the Data Protection Principles
Considering complaints about breaches of Principles or the Act.;
Prosecuting offenders, or serving notices on those who are contravening the principles.

The Data Protection Principles (1998)
Personal data must be obtained and processed fairly and lawfully;
Personal data must be held for specified (limited) and lawful purposes;
Personal data must be adequate, relevant and not excessive;
Personal data must be accurate and up-to-date;
Personal data must not be kept longer than necessary;
Personal data must be p rocessed in accordance with the data subject's rights ;
Personal data must be kept secure;
Personal data must not be transferred to countries without adequate protection;

Useful Definitions from the 1984 Act
‘ Personal data’
Information about living, identifiable individuals. Personal data do not have to be particularly sensitive information and can be as little as name and address.
‘ automatically processed’
Processed by a computer or other technology such as document image processing systems.
‘ data users’ now called ‘data controllers’ under 1998 Act
Those who control the contents and use of a collection of personal data. They can be any type of company or organisation, large or small, within the public or private sector. Can also be a sole trader, partnership or an individual. A data user need not necessarily own a computer.
‘ data subjects’
The individuals to whom personal data relate

Similar Definitions from the 1998 Act
Personal data
means data which relates to a living individual who can be identified from those data or from those data and other information which is in the possession of the data controller.
A data controller
is a person who determines the purposes for which and the manner in which any personal data are, or are to be processed.
Every data controller who is processing personal data must notify unless they are exempt.
These definitions found at:
http://www.dpr.gov.uk/notify/4.html

Data Controller’s Register entry
This processing description includes:
The purposes for which personal data are being or are to be processed e.g. provision of financial services and advice
a description of the data subjects about whom data are or are to be held e.g. customers and clients
a description of the data classes e.g. personal details, financial details
a list of the recipients of data e.g. financial organisations and advisors
information about whether data are transferred outside the European Economic Area (EEA)

Possible Exemptions
Some not for profit organisations
Processing of personal data for personal, family or household affairs (including recreational purposes).
Data controllers who only process personal data for the maintenance of a public register.
Data controllers who only process personal data for any one or all of the following purposes for their own business.
staff administration
advertising, marketing and public relations
accounts and records
Special categories under which data may be held
National security
Prevention of crime
Collection of tax or duty

Rights of Data subjects
An individual is entitled, upon written request, to be supplied with a copy of any personal data held about yourself.
The data controller may charge a fee
Rights include:
Right to compensation for unauthorised disclosure of data
Right to compensation for inaccurate data
Right of access to data and to apply for rectification or erasure where data are inaccurate
Right to compensation for unauthorised access, loss or destruction of data

Implications of the Data Protection Legislation
Under the current legislation:
use of personal data must be registered
the public have a right to see what data is held about them by an organisation
However, it is quite legal for an organisation to sell a mailing list for the purpose of direct mailing.
European Directive of 24 October 1995
Where data is to be transferred to a third party for the purposes of direct mailing, the subject must be informed and given the opportunity to require that the data be erased.
Many organisations collecting personal data include a check box to be ticked if you object to your data being passed on to other organisations.
Member states have three years to implement this legislation.

3e - Data Protection

by ISHCMCCC

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 4

Statistics

3e - Data Protection Presentation Transcript