3e - Data Protection


Published in: Technology, Business

  1. Data Protection Legislation
  2. Personal Privacy
       • Right to privacy is a fundamental human right
       • Development of databases has led to storage of much personal information without the knowledge or permission of the individual
       • It is often felt that even the use of names and addresses for mail shots is an invasion of privacy
       • The Data Protection Act of 1984 grew out of concern about personal privacy
  3. Data Protection Acts of 1984 and 1998
       • The act covers ‘personal data’ which are ‘automatically processed’
       • It works on two levels:
           • To give individuals certain statutory rights
           • To require those who record and use personal data on computers to be open about the use and follow proper procedures
       • The Data Protection Act of 1998 was passed to implement a European Data Protection Directive.
       • This sets a standard for data protection throughout all countries in the EU
       • It came into force in March 2000
           • Extended to include some manual records
           • Gave further rights to data subjects
  4. The Data Protection Registrar
       • The 1984 Act established the office of Registrar
       • The 1998 Act changed the title to Data Protection Commissioner
       • With effect from 20th January 2001 the title is now
           • Information Commissioner
       • whose duties include:
           • Administering a public register of Data Controllers with broad details of the data held;
           • Disseminating information on the Act and how it works;
           • Promoting compliance with the Data Protection Principles;
           • Considering complaints about breaches of Principles or the Act;
           • Prosecuting offenders, or serving notices on those who are contravening the principles.
  5. The Data Protection Principles (1998)
       • Personal data must be obtained and processed fairly and lawfully;
       • Personal data must be held for specified (limited) and lawful purposes;
       • Personal data must be adequate, relevant and not excessive;
       • Personal data must be accurate and up-to-date;
       • Personal data must not be kept longer than necessary;
       • Personal data must be processed in accordance with the data subject's rights;
       • Personal data must be kept secure;
       • Personal data must not be transferred to countries without adequate protection;
  6. Useful Definitions from the 1984 Act
       • ‘Personal data’
           • Information about living, identifiable individuals. Personal data do not have to be particularly sensitive information and can be as little as name and address.
       • ‘automatically processed’
           • Processed by a computer or other technology such as document image processing systems.
       • ‘data users’ now called ‘data controllers’ under 1998 Act
           • Those who control the contents and use of a collection of personal data. They can be any type of company or organisation, large or small, within the public or private sector. Can also be a sole trader, partnership or an individual. A data user need not necessarily own a computer.
       • ‘data subjects’
           • The individuals to whom personal data relate
  7. Similar Definitions from the 1998 Act
       • Personal data
           • means data which relates to a living individual who can be identified from those data or from those data and other information which is in the possession of the data controller.
       • A data controller
           • is a person who determines the purposes for which and the manner in which any personal data are, or are to be processed.
       • Every data controller who is processing personal data must notify unless they are exempt.
       • These definitions found at:
           • http://www.dpr.gov.uk/notify/4.html
  8. Data Controller’s Register entry
       • This processing description includes:
           • The purposes for which personal data are being or are to be processed e.g. provision of financial services and advice
           • A description of the data subjects about whom data are or are to be held e.g. customers and clients
           • A description of the data classes e.g. personal details, financial details
           • A list of the recipients of data e.g. financial organisations and advisors
           • Information about whether data are transferred outside the European Economic Area (EEA)
  9. Possible Exemptions
       • Some not for profit organisations
       • Processing of personal data for personal, family or household affairs (including recreational purposes).
       • Data controllers who only process personal data for the maintenance of a public register.
       • Data controllers who only process personal data for any one or all of the following purposes for their own business.
       • staff administration
       • advertising, marketing and public relations
       • accounts and records
       • Special categories under which data may be held
           • National security
           • Prevention of crime
           • Collection of tax or duty
  10. Rights of Data Subjects
       • An individual is entitled, upon written request, to be supplied with a copy of any personal data held about them.
       • The data controller may charge a fee
       • Rights include:
           • Right to compensation for unauthorised disclosure of data
           • Right to compensation for inaccurate data
           • Right of access to data and to apply for rectification or erasure where data are inaccurate
           • Right to compensation for unauthorised access, loss or destruction of data
  11. Implications of the Data Protection Legislation
       • Under the current legislation:
           • use of personal data must be registered
           • the public have a right to see what data is held about them by an organisation
       • However, it is quite legal for an organisation to sell a mailing list for the purpose of direct mailing.
       • European Directive of 24 October 1995
           • Where data is to be transferred to a third party for the purposes of direct mailing, the subject must be informed and given the opportunity to require that the data be erased.
           • Many organisations collecting personal data include a check box to be ticked if you object to your data being passed on to other organisations.
           • Member states have three years to implement this legislation.