Data Protection Act

Organisations who handle and process personal information must comply with the Data Protection Act’s eight basic principles as detailed below.  The Information Commissioner’s Office (ICO) can impose fines of up to £500,000 on organisations who breach Data Protection Act.

Data Protection Act1. “Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met.”

Your organisation must ensure they keep the subject of the data informed regarding their purposes. The data subject must be told how and why the information has been collected and how they can access these details or correct them if they are inaccurate. Most organisations provide an explanation of their procedures on official documents which are given to the data subject.

2. “Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.”

Your organisation must identify their purpose for storing and processing data and must only use it for that purpose. It is imperative that data is not passed to other organisations and used for different purposes without notifying the data subject.

3. “Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.”

Your organisation must justify their purposes and ensure that the data is really necessary. It is vital that the data is reviewed periodically to ensure it is still relevant and still needed for its original purpose.

4. “Personal data shall be accurate and, where necessary, kept up-to- date.”

This principle is emphasizing the importance of keeping data totally accurate and up to date. The data subject must be made aware of their rights so that they know how to notify your organisation if their details change. For example, they should be able to contact you if they change their name, address or any other details.

The data subject may not contact your organisation to update their records, and you can do nothing about this, but the important thing is that the data subject is aware of the relevant procedures if they wish to update their details.

5. “Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.”

It is important that data is stored for a specific purpose which has been notified to the data subject.  It is vital that the data is not stored for longer than is necessary and, when the time comes to dispose of the information, this should be done securely and safely.

6. “Personal data shall be processed in accordance with the rights of data subjects under the Act.”

This principle governs the rights of data subjects and includes an individual’s rights to gain access to their personal data. It includes the right to amend data, the right to prevent direct marketing and the right to claim compensation if there has been a breach of the Act which has caused them harm or distress.

This principle also covers automated decision-making procedures and states that data subjects must be told if decisions are made by automated methods.

7. “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This principle stipulates that measures must be taken to protect against unauthorised or unlawful processing of data. Personal data must be totally secure, particularly when data is processed off-site or in a public place.

Shredsec’s shredding services can help you handle the safe disposal and destruction of your data.

8. “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This principle protects data from being transferred to a country outside the European Economic Area or EEA unless the country has adequate levels of data protection and security.

When data is transferred to another country, the level of security must be of the same level as that in the UK. Before the data can be transferred to another country, it is necessary to get consent from the data subject who may wish to check the level of data protection in the country to where the data is being transferred.

Contact Shredsec to ensure you are destroying your data in compliance with the Data Protection Act.