Data Protection – an overview

By Ian C. Oultram, Compliance Officer, Business Link Northwest

Presented 16th March 2009
What is the Act for?
• Maintains balance between the individual
  and government/industry

• Regulates demands for data by government
  and industry

• Protects privacy of individual

• Privacy is a basic human right
Data Protection history
• Original Act passed in 1984

• Replaced by 1998 Act

• Brought UK into line with European Data
  Protection Directive

• Information Commissioner’s Office established
  in Wilmslow
Key Definitions
• Personal data – data relating to a living individual
  who can be identified from it (alone or together
  with other information held)
• Sensitive data – e.g. racial or ethnic origin, health,
  sexual life, religious or political beliefs, trade
  union membership, criminal record
• Processing – obtaining, storing, sharing, using
• Data subject – the individual concerned
• Data controller – organisation that determines the
  purposes and manner of processing
• Data processor – organisation that processes data on
  behalf of (under contract to) the controller
• Notification – informing Commissioner of
  processing purposes or a breach
• Purpose – broad area of use
The 8 Principles
• Fair and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate and up to date

• Not kept longer than necessary

• Processed in accordance with subject rights

• Kept secure

• Not transferred to other countries without
  protection
Fair and lawfully processed (1st Principle)
• Need consent OR contract OR legal obligation OR
  statutory power OR public interest OR legitimate
  interests (a Schedule 2 condition)

• Fair processing statement (privacy policy)
  made available at time data is obtained

• Statement should include details of purposes
  and data sharing

• Comply with all relevant laws including
  confidentiality and Human Rights Convention

• Act within limits of any statutory powers
• Process within specific but broad purpose
• Cannot obtain data and do nothing with it
Sensitive personal data (1st Principle)
• Needs a Schedule 2 condition plus a Schedule 3
  condition, e.g. explicit consent OR
• Necessary for statutory obligation regarding
  employment OR
• Necessary to monitor equal opportunities
• Does not involve sharing or a new purpose
  without consent
• Sickness and injury records should be kept
  separate from other employment records
• Medical reports should concentrate on fitness
  for work
• Staff should know what BUPA (health insurance)
  data is shared
Consent (1st Principle)
• Individual must be aware of the ways data will be
  processed
• Cannot be inferred from non-response to an opt-out
• ‘Opportunity to object’ combined with another
  condition such as public interest may provide a basis
• Consent does not last forever
• Can be transferred from/to a third party where there
  is a clear prior opt-in for sharing
• Explicit consent needed for processing of sensitive
  data
Opt-in and opt-out (1st Principle)
• Opt-in by ticking a box, clicking an icon or sending
  an email
• A prominent opt-out box with a clear and bold message
  can also establish consent
• Opt-in is always for the time being: it remains valid
  until the recipient objects
• Recipient can opt out at any time and the request
  must be complied with
• Corporate subscriber has no right of opt-out unless
  the recipient is a named individual
Encore project (1st Principle)
• Hewlett Packard and London School of
  Economics involved

• Vision to make giving and revoking consent as
  easy as turning a tap

• Tap as common on data gathering pages as
  padlock is on payment sites
Telephone marketing (1st Principle)
• Must identify ourselves and provide an address or
  Freephone number if asked
• Must regularly screen the CRM against the Telephone
  Preference Service (TPS) and Corporate TPS (CTPS)
  registers
• Must not call numbers on the TPS or CTPS registers
  unless the subscriber has given specific opt-in
  consent
• Provide the opportunity to opt out and terminate the
  call
• Must comply with a request to opt out by flagging the
  CRM record ‘do not call’
• Responsible even if an agency calls on our behalf
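As an added example (not code from the presentation or from Business Link), the screening step above written in Python: numbers are reduced to one form so that CRM entries and register entries match however they were typed, the CRM ‘do not call’ flag overrides everything, and a number found on a register is callable only where a specific opt-in is recorded against that contact. The register entries, the CRM records and the Contact layout are constructed assumptions for the example.

```python
"""
Screening a CRM call list against the TPS/CTPS suppression registers
before a telephone campaign. Added illustration, not code from the
presentation; register contents, CRM records and the Contact layout
are constructed assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional


def normalise_uk_number(raw: str) -> Optional[str]:
    """Reduce a UK number to E.164 form (+44NNNNNNNNNN) so CRM and
    register entries compare equal whatever spacing, brackets, '+44',
    '0044' or '(0)' convention was used. Returns None for input that
    cannot be a UK number; a real deployment would also validate the
    range against the Ofcom numbering plan."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("44"):
        digits = digits[2:]
    if digits.startswith("0"):  # trunk prefix, or the "(0)" in "+44 (0)161 ..."
        digits = digits[1:]
    if not 9 <= len(digits) <= 10:
        return None
    return "+44" + digits


@dataclass
class Contact:
    name: str
    phone: str
    do_not_call: bool = False      # CRM flag set when the contact asked us to stop
    specific_opt_in: bool = False  # contact explicitly agreed to calls despite TPS/CTPS


def load_register(entries) -> set:
    """Build a suppression set from register entries in any written form."""
    return {n for n in (normalise_uk_number(e) for e in entries) if n}


def may_call(contact: Contact, tps: set, ctps: set):
    """Decide whether one contact may be called; the reason is returned
    so that the decision can be logged as an audit trail."""
    number = normalise_uk_number(contact.phone)
    if number is None:
        return False, "unparseable number"
    if contact.do_not_call:  # our own opt-out beats everything, including an old opt-in
        return False, "CRM do-not-call flag"
    if number in tps or number in ctps:
        if contact.specific_opt_in:
            return True, "on register but specific opt-in held"
        return False, "on TPS/CTPS register, no specific opt-in"
    return True, "not suppressed"


def screen_call_list(contacts, tps: set, ctps: set):
    """Partition a call list into (callable, suppressed), each a list of
    (name, reason) pairs."""
    callable_, suppressed = [], []
    for c in contacts:
        ok, reason = may_call(c, tps, ctps)
        (callable_ if ok else suppressed).append((c.name, reason))
    return callable_, suppressed


# Constructed sample data using Ofcom drama number ranges; not real register content.
TPS_SAMPLE = ["0161 496 0100", "+44 7700 900 200"]
CTPS_SAMPLE = ["020 7946 0300"]
CRM_SAMPLE = [
    Contact("A. Smith", "(0161) 496-0100"),                           # on TPS
    Contact("B. Jones", "+44 (0)7700 900200", specific_opt_in=True),  # on TPS, opted in to us
    Contact("C. Patel Ltd", "0044 20 7946 0300"),                     # on CTPS
    Contact("D. Evans", "0161 496 0400", do_not_call=True),           # asked us to stop
    Contact("E. Brown", "0161 496 0500"),                             # clear
    Contact("F. Unknown", "496-0100"),                                # not a usable number
]

if __name__ == "__main__":
    ok, blocked = screen_call_list(CRM_SAMPLE, load_register(TPS_SAMPLE), load_register(CTPS_SAMPLE))
    for name, reason in ok:
        print(f"CALL     {name}: {reason}")
    for name, reason in blocked:
        print(f"SUPPRESS {name}: {reason}")
```

Run it and each contact is listed with the reason it was called or suppressed; keeping that reason with the record is the audit trail a later complaint will be judged on. The registers change continuously, so the screen has to be re-run against a fresh copy before each campaign, and the same check must be applied to any list an agency calls on our behalf.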



Electronic marketing (1st Principle)
• Includes email, text, sound, image, video, voicemail
  and answer-phone messages
• Only send marketing to named individuals who opt in
  or who are existing clients (implied ‘soft’ opt-in)
• Can send emails to organisations or non-personal
  email addresses
• Must provide the opportunity to opt out
• Must comply with opt-outs by flagging the CRM record
  ‘no email’
• Should not use tracking devices unless recipients can
  turn them off
• Should not use viral marketing techniques
• Subject to the Privacy and Electronic Communications
  (EC Directive) Regulations 2003 (PECR)
Direct mail (1st Principle)
• Must inform individuals that we may use their details
  for marketing

• Individuals can opt out of direct mail by writing or
  ticking a box

• Should not mail-shot named individuals who have opted
  out or registered with the Mailing Preference Service
  (MPS)

• MPS does not carry a legal obligation

• Non-personal letters are not subject to Data
  Protection or MPS
Processed for limited purposes (2nd Principle)
• Data obtained for one purpose cannot be used for
  another without consent
• Data cannot be obtained for a purpose that has not
  been specified
• Change in purpose needs consent, which cannot be
  obtained retrospectively
• Purpose should be stated in the fair processing
  statement
• Subjects must not be deceived or misled regarding
  purpose
• Commissioner must be notified of new purposes within
  28 days
Adequate, relevant, not excessive (3rd Principle)
• All processing must be necessary and
  proportionate
• Data needs at least one valid purpose
• Minimum amount of data necessary to fulfil the
  purpose
• Information necessary for one individual should
  not be kept for all subjects
• Data cannot be kept on the basis that it might be
  useful in the future
• Data should be kept up to date and its relevance
  reviewed
Accurate and up-to-date (4th Principle)
• Take reasonable steps to ensure accuracy
• Update data obtained from the individual or a third
  party regularly
• Individuals can request that their data is updated or
  deleted
• Record when information was recorded or updated
• Be aware that data may not reflect the current
  situation
• Objections to accuracy should be noted
• Avoid false matches and unfounded inferences
• Exception: historical records of ‘transactions’,
  which record what happened at the time
Not kept longer than necessary (5th Principle)
• Data not kept for longer than the purpose for which
  it was originally obtained requires

• Not gathered or held indefinitely without a
  purpose

• Reviewed regularly and deleted when no longer
  required

• Deleted when the relationship ceases

• Data kept for historical, statistical or research
  purposes can be kept indefinitely
Processed in accordance with subject rights (6th Principle)
• Must supply the information requested under the
  subject access right
• Must rectify or delete inaccurate or illegitimate
  data
• Must stop processing that causes damage or distress
  when requested
• Must cease direct marketing when consent is withdrawn
  or not given
• Subject has the right to seek compensation for damage
  or distress
• Subject must be told the purposes of processing
Subject access rights (6th Principle)
• Entitled to a copy of the data unless the cost, time
  and effort is disproportionate

• Respond to a written request within 40 calendar days
  after the identity of the requester is established

• Data supplied should include archived data but not
  management forecasts nor employment references given
  by us

• Not obliged to comply where an identical or similar
  request has already been met, unless a reasonable
  interval has elapsed

• Routine amendments are allowed meanwhile, but must
  not cover up or tamper with data

• Must not disclose to anyone else unless required by
  law, warrant, or for legal advice or proceedings
Employees’ subject access rights (6th Principle)
• Emails and Word documents should be disclosed where
  the individual is the subject

• References received by us should be disclosed unless
  subject to strict confidentiality

• References given by us are exempt from access

• Personal references are not covered by the Act

• Need not disclose where doing so would prejudice an
  investigation of criminal or harassment allegations

• Taxation or management information need not be
  disclosed
Kept secure (7th Principle)
• Take appropriate technical and organisational
  measures during processing
• Prevent accidental loss, damage or destruction and
  unauthorised or unlawful access, and keep audit trails
• Design security measures into new data projects
• Adopt the ISO/IEC 27001 standard and undertake a
  security risk analysis
• Prepare a security incident response plan
• Adopt privacy enhancing techniques and encryption
• Ensure staff reliability and train staff in data
  protection
• Ensure business continuity
• Where a data processor is used, bind it by written
  contract to act only on our instructions and to the
  same security measures; we remain responsible
Not transferred to other countries without protection (8th Principle)
• Not transferred outside the European Economic Area
  without an adequate level of data protection

• Countries found ‘adequate’ by the EU, and US
  companies certified under ‘Safe Harbor’, allowed

• EU model contract clauses available
Information Commissioner’s role
• Registers data controller notifications
• Makes register available for public inspection
• Investigates requests for assessments
• Issues information notices
• Issues data subject notices
• Issues enforcement notices
• Has powers of entry and inspection under
  warrant
• Can endorse a code of practice
Offences
• Processing without notification
• Failure to notify changes in purpose within 28
  days
• Failure to comply with Commissioner’s
  ‘information notice’ request
• Failure to comply with enforcement notice
• Obstructing warrant
• Obtaining or disclosing data without
  permission of data controller
• Selling or offering to sell data without
  permission of data controller
Data sharing
• Check notification includes all classes of
  organisation we wish to share with
• Obtain consent unless processing and
  disclosure is in public interest
• Explicit consent before sensitive data can be
  shared
• Should not share personal data where
  anonymised data will do
• Conduct privacy impact assessment and
  prepare code of practice
• Commissioner recommends creating fast-track
  to dispense with existing barriers to sharing
• Data sharing review encourages research and
  statistical analysis and change in culture
Code of practice
• Define data sharing and business case
• Describe negative effect on individuals
• State whether consent is needed
• Outline legal provisions which allow data
  sharing
• Include less invasive alternatives such as
  anonymous data
• Describe data to be shared and list
  organisations to share with
• Evaluate security standards and training which
  need to be adopted
• Can take form of privacy impact assessment
• Review regularly and develop privacy strategy
Paper-based files
• Act covers computer input and output
  documents
• Includes organised and structured document
  files (relevant filing systems)
• Review paper-based filing systems to check
  whether they become ‘organised’
• Documents should be securely disposed
• Commissioner recommends shredders for
  home-workers
• No requirement to notify Commissioner of
  paper-based files
Monitoring at work
• Should be open and not covert unless part of a
  criminal or malpractice investigation
• Subject to the Regulation of Investigatory Powers
  Act and the European Convention on Human Rights
• Right to privacy even in the workplace
• Personal emails should not be opened
• Staff should be aware that business emails or
  voicemails may be checked while they are away
• Manager can listen to/record calls for staff training
  and quality where the caller is told the call may be
  recorded
CCTV
• Cameras should not be angled towards staff
• Notification may need a new purpose added to cover
  CCTV
• Signs should be placed at entrance to
  surveilled zone
• Recordings should be stored to safeguard
  images and rights of individuals
• Restrict access and viewing and delete when
  no longer needed
• Included in subject access rights and can be
  disclosed to Police
• European Convention on Human Rights applies
• Commissioner recommends new statutory
  code of practice
The end
• Any final questions?

• Thank you for your kind attention

Editor's Notes

  • #2 Good morning. Following my 27 page report on data protection issues which I gave to Mike and Beryl, I’ve pulled together a boiled-down overview of data protection in 28 slides. There’s a natural break after 23 if we run out of time or you’ve had enough. But I hope the subject will be interesting; indeed I’ve included a highlight picture or cartoon on every slide to lighten the mood, so I hope you will enjoy this presentation.