Understanding the Data Protection Act

We live in an age where personal information is recorded, stored and used for lots of purposes, and so it is crucial that this data is adequately protected from abuse or misuse. This article is designed to help you with understanding the Data Protection Act, and how it affects your organisation. There are six sections covering:

  1. Introduction to the Data Protection Act
  2. What the Data Protection Act means to your organisation
  3. What the exemptions are to the Act
  4. What rights individuals have in having their data used
  5. How to deal with data held about employees
  6. Guidance on using data for marketing


SECTION ONE – INTRODUCTION TO THE DATA PROTECTION ACT

This Section introduces you to the Data Protection Act and how it is policed.

The Data Protection Act was introduced in 1998 and was designed to regulate how personal information is used. Organisations and individuals that handle personal information must comply with the legal requirements of the act.

The Act requires organisations to give details of the personal information that they process to the Information Commissioner’s Office through a notification process unless the information is exempt. The Act covers two main areas.

1. Organisations who handle and process personal information

Organisations who handle and process personal information must comply with the Data Protection Act’s eight basic principles.

  1. Information must be processed fairly and lawfully
  2. Data must be obtained for one or more specified purposes
  3. Data must be adequate, relevant and not excessive
  4. Information must be accurate and up-to-date
  5. Data must not be kept for longer than necessary
  6. Data must be processed in line with the rights of the individual
  7. Information must be kept confidentially and securely
  8. Data must not be transferred to other countries outside the EEA without adequate protection

Section Two provides more information about the eight principles.

2. The rights of individuals regarding their personal information

The Data Protection Act gives individuals the right to stop organisations holding and processing personal information if it causes them damage or distress.

If an organisation contravenes the Data Protection Act, it may be required to pay compensation to the aggrieved person. Accordingly, if someone wishes to prevent an organisation from processing their information, they must contact them in writing stating:

  • their name,
  • the nature of the information they object to and why they object to it,
  • why it is causing them harm.

An individual can also write to an organisation if they believe the information it holds about them is inaccurate. The organisation has 21 days to reply and explain what it intends to do. If it feels the request is unjustified, it should let the individual know in writing.

Exemptions

There are some exemptions to the Data Protection Act where an individual cannot prevent an organisation from processing their information.

  • The individual gave their consent or actually requested the information
  • The information is necessary to enter into or carry out a contract
  • The information is necessary to carry out the legal obligations of the organisation or is required by an Act of Parliament
  • Steps have been taken to protect the individual’s legitimate interests

Section three examines general exemptions to the Data Protection Act.

Policing

An independent body called the Information Commissioner’s Office was set up to help people access official information concerning them and to promote good practice in the use of data.

What is the ICO’s role?

The ICO advises organisations on how to adhere to the stringent rules governing data and has a register of all organisations that hold and process personal information.

What is the ICO’s primary objective?

The primary objective of the ICO is to protect the rights of individuals while recognising that organisations need to handle and process information as part of their business activities.

What do organisations have to submit to the ICO?

Unless the information is exempt, all organisations must provide details to the ICO outlining their methods for processing personal information. This is called the notification process and it costs £35 a year. The details provided to the ICO are included in a public register.

What power does the ICO have?

If someone believes an organisation has not complied with the relevant regulations, they can complain to the ICO. If the ICO believes that an organisation is not complying with the Data Protection Act’s regulations, it can investigate and even prosecute the organisation concerned. The ICO therefore has considerable powers and will take action when necessary.

SECTION TWO – WHAT THE DATA PROTECTION ACT MEANS TO YOUR ORGANISATION

This Section looks at what the Data Protection Act means to your organisation. We have already examined the way the Data Protection Act works through eight principles which are based on the fair and lawful use of personal data. Now we will look at each of these principles to see how they affect your organisation’s handling of data.

1. “Personal data shall be processed fairly and lawfully and shall not be processed unless certain conditions are met.”

This relates to the initial obtaining of personal information – whether manually or electronically – and the way it is processed.

Keep subject informed

Your organisation must keep the data subject informed of the purposes for which it holds and processes their data.

Why and how

The data subject must be told how and why the information has been collected and how they can access these details or correct them if they are inaccurate.

Explanatory document

Most organisations provide an explanation of their procedures on official documents which are given to the data subject.

2. “Personal data shall be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.”

Your organisation must identify their purpose for storing and processing data and must only use it for that purpose. It is imperative that data is not passed to other organisations and used for different purposes without notifying the data subject.

Multiple purposes

Your organisation can identify more than one purpose when it first collects the data as this will cover it for any additional purposes. However, you must make sure the data subject is fully aware of all purposes.

3. “Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.”

This relates to the amount of data kept and the reasons for doing so.

Justification

Your organisation must justify their purposes and ensure that the data is really necessary.

Periodic Reviews

It is also vital that the data is reviewed periodically to ensure it is still relevant and still needed for its original purpose.

4. “Personal data shall be accurate and, where necessary, kept up-to-date.”

This principle emphasises the importance of keeping data completely accurate and up to date.

Keep subject aware

The data subject must be made aware of their rights so that they know how to notify your organisation if their details change. For example, they should be able to contact you if they change their name, address or any other details.

Aware of procedures

The data subject may choose not to contact your organisation to update their records, and you cannot compel them to do so; what matters is that they know the relevant procedure should they wish to update their details.

5. “Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.”

It is important that data is stored for a specific purpose which has been notified to the data subject. It is vital that the data is not stored for longer than is necessary and, when the time comes to dispose of the information, this should be done securely and safely. Talk to Shredsec about our secure shredding services.

6. “Personal data shall be processed in accordance with the rights of data subjects under the Act.”

This principle governs the rights of data subjects and includes an individual’s rights to gain access to their personal data.

Scope of principle

It includes the right to amend data, the right to prevent direct marketing and the right to claim compensation if there has been a breach of the Act which has caused them harm or distress.

Automated decision-making procedures

This principle also covers automated decision-making procedures and states that data subjects must be told if decisions are made by automated methods.

7. “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This principle stipulates that measures must be taken to protect against unauthorised or unlawful processing of data.

Security

Personal data must be totally secure, particularly when data is processed off-site or in a public place. This is where you should contact Shredsec to discuss our shredding services. We provide secure on-site or off-site shredding for a variety of organisations.

8. “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This principle protects data from being transferred to a country outside the European Economic Area or EEA unless the country has adequate levels of data protection and security.

Security parameters

When data is transferred to another country, the level of security must be of the same level as that in the UK.

Consent

Before the data can be transferred to another country, it is necessary to get consent from the data subject who may wish to check the level of data protection in the country to where the data is being transferred.

SECTION THREE – WHAT THE EXEMPTIONS ARE TO THE ACT

This Section examines the exemptions to the Data Protection Act which mean that data handlers do not have to observe all of an individual’s rights.

  1. The information is for personal, family or household requirements
  2. The information is needed to protect national security
  3. The law states that the information must be made available to the public
  4. The information will be used for the purposes of art, literature or journalism
  5. The information will help prevent or detect a crime
  6. The information will help prosecute an offender
  7. The information is required to help with the assessment or collection of taxes
  8. The information is needed to prevent harm coming to the public or charities
  9. The information is required for historical or statistical purposes
  10. Where the law requires legal advice to be accessed or legal proceedings to take place
  11. The information is needed to provide a confidential employment reference
  12. The information is required by the armed forces prior to combat
  13. The information is needed to provide exam marks and scripts
  14. The information will help provide management forecasts
  15. The information is covered by legal privilege
  16. The information will be used to appoint judges, QCs, Honours etc
  17. The information is required by corporate finance services
  18. The information is related to aspects of health, education or social work

Questions

Here are some questions that you should answer in satisfying yourself that your organisation is complying with the Data Protection Act.

Informed data subject?

Have I informed those whose information I hold, and are they totally clear what their information will be used for?

Passing information

What would I do if I am asked to pass the personal information to another organisation? How would the people I hold information about feel about this?

Keeping information

Is it necessary to keep information about an individual? Do I know what it will be used for?

Security

Is the information held securely whether it’s held manually or electronically?

Access to information

Do a strictly limited number of people have access to the personal information?

Accuracy

Have I done all I can to ensure the information is accurate and up to date?

Data disposal

Do I have a policy in place to ensure personal information is deleted or destroyed if it is no longer needed?

ICO

Should the company register with the Information Commissioner? If this has been done, is the notification up to date?

Training

Have all staff members received training regarding the Act, and do they understand their obligations?

SECTION FOUR – WHAT RIGHTS INDIVIDUALS HAVE IN HAVING THEIR DATA USED

This Section looks at how the Data Protection Act protects individuals’ rights.

1. The right to access data

The right to access data gives individuals the right to know if an organisation has information about them as well as the right to access this data.

What information is being processed

They also have the right to know what information is being processed and why.

Request copies

They can request a copy, in writing, of all the information held about them.

SAR

They must first send a subject access request or SAR and they may be charged up to £10 by the organisation concerned. Your organisation has 40 days to respond to a SAR and can ask for additional information to enable you to respond to the request.

Communication media

You must provide the information in a permanent format such as a letter, form or computer printout which is easy to understand with any codes or abbreviations clearly explained.

Sensitive information

Certain information is classed as sensitive including data regarding:

  • race or ethnicity
  • religion
  • political beliefs
  • physical or mental health
  • sexual orientation
  • trade union membership
  • criminal record or activity

Stricter rules

This information is covered by stricter rules and an organisation can only process this information if it meets the narrow conditions set by the ICO. Information of this type should only be used if absolutely necessary and you must have the consent of the data subject unless the information is required for legal or employment reasons.

2. The right to prevent marketing

There are a number of requirements that an organisation must adhere to when undertaking any form of direct marketing such as by phone, fax, mail or email. More information is provided in Section 6.

3. The right to have incorrect information corrected

An individual can request that information is amended if they believe it is incorrect or misleading.

Consequences

If your organisation fails to correct the information, the individual can obtain a court order directing you to correct, delete or destroy the information. The court will then decide what action to take.

4. The right to compensation

An individual can claim damages if they have suffered physical or financial harm as a result of a breach of the Data Protection Act. Any compensation must be claimed through the courts.

Distress

In certain cases, an individual can claim compensation for distress but this must be claimed in conjunction with a claim for physical or financial harm.

5. The right to prevent automated decisions

Individuals can stop decisions being made about them if they are made solely by automated means where there is no human involvement. This type of automated decision-making is getting more and more common as businesses rely heavily on computer software to process information.

Types of application

This only applies to important decisions such as those regarding employment and credit worthiness.

Informed of decision-type

Individuals must be told when this type of decision has been made and if they are unhappy they can write to your organisation to ask them not to make decisions on this basis.

Organisational response

Your organisation must respond within 21 days and, if an individual is still not satisfied, they can apply to a court to intervene.

SECTION FIVE – HOW TO DEAL WITH DATA HELD ABOUT EMPLOYEES

This Section examines the Data Protection Act’s rules for employee records and the monitoring of staff. For many organisations, the way in which they process employee records means that they will not need to notify the Information Commissioner’s Office.

You do not need to notify the ICO if your organisation processes data for staff administration purposes as this area is exempt.

You do not need to notify the ICO if your organisation processes sales, marketing and public relations data solely for its own purposes. This includes company accounts.

Employee monitoring

The Act also covers the monitoring of staff including:

  • The interception of emails
  • The interception of faxes
  • The interception of phone calls
  • The interception of voicemail
  • The interception of Internet usage
  • Audio and video monitoring
  • The use of CCTV

To help organisations comply with the Data Protection Act regarding the monitoring of employees, the ICO provides a code of best practice called the Employment Practices Code.

Guidelines

The guidelines advise organisations to carry out an impact assessment which identifies:

  • The reasons why the organisation wishes to monitor its employees
  • The impact of monitoring
  • Any alternatives that may be used
  • Any procedures that will be introduced as a result of the monitoring

It is important to keep staff fully informed and they must be told the reasons why your organisation intends to monitor its employees.

Covert monitoring

Covert monitoring must only be done in exceptional circumstances if your organisation has good grounds to suspect criminal activity.

Police involvement

In many cases, an organisation may involve the police although this may not always be necessary.

ICO advice

If an organisation suspects serious malpractice such that it warrants covert monitoring, they should contact the ICO for further advice.

Considering monitoring

Organisations who are considering carrying out monitoring should set out their plans in their policies and procedures document. This should state the nature and reasons for any monitoring so that all members of staff are informed from the outset. Staff can be given a copy to sign with their employment contract.

Care

Remember that great care must be taken when dealing with employee records and monitoring issues.

Best practice

As part of its commitment to best practice, your organisation should ensure that all staff members who deal with confidential information or monitoring tasks are familiar with the Data Protection Act and understand the full implications of failing to follow these regulations.

Employee rights

Employees have a right to see all of the information their organisation holds on them and they must be given an opportunity to correct any mistakes.

Interviews

During job interviews, the interviewer must not be unnecessarily intrusive and should not ask for sensitive, personal information. Applicants have a right to ask to see any notes made by an interviewer.

Limited access

Many organisations appoint a small number of staff to be responsible for storing and processing personal data.

Data expert

Human resources departments are responsible for staff administration including a variety of confidential information for payroll and other admin purposes. It is a good idea to appoint one person to be responsible for complying with the Data Protection Act. They can then register as the organisation’s data controller through the ICO website and represent the organisation in all areas regarding data protection.

ICO help

The ICO provides information packs and videos as well as information days to enable organisations to learn more about the Data Protection Act.

Off-site data

Where data is processed off-site, it is important to ensure that the data is secure.

SECTION SIX – GUIDANCE ON USING DATA FOR MARKETING

This Section looks at unsolicited marketing and the steps your organisation must take to comply with the Data Protection Act.

Direct Marketing

Individuals have the right to ask organisations to stop sending them any sales or marketing literature.

Data Processing

Individuals have the right to ask organisations to stop processing their personal information for the purpose of direct marketing within a certain time limit.

Individuals must notify your organisation to stop direct marketing or data processing following these guidelines:

  • Request must be made in writing and dated
  • Instructions must be clear
  • Request must specifically state the identity of the individual
  • Request must specifically state the reason for the objection
  • Request must specifically state the date when the data processing must stop

If any of these details are missing, you should ask the individual to forward them to you as soon as possible.

Reference copies

Your organisation should keep copies of all such correspondence including the date when the request was initially made and details of any replies sent.

Marketing Opt-outs

There are a number of ways that an individual can stop receiving unsolicited marketing material including:

Mailing Preference Service

The Mailing Preference Service is an opt-out register where a record is kept of the type of mail an individual is happy to accept. Organisations must use these records to ensure that they do not send unsolicited marketing literature to someone on the list without their permission.

Telephone Preference Service

The Telephone Preference Service enables people to record their telephone preferences. This allows them to block unsolicited sales and marketing calls to their landline or mobile telephone numbers.

Automated calls

Organisations who make automated, pre-recorded marketing calls must get prior consent from the receiver.

Fax Preference Service

The Fax Preference Service prevents the sending of unsolicited sales and marketing faxes and works differently for organisations and individuals. Organisations should not send marketing faxes to private individuals but may be able to send them to organisations unless they have opted out.

ICO intervention

If an organisation does not stop phoning, faxing or mailing an individual or organisation, even though they have opted out of receiving marketing material, a complaint may be lodged with the ICO who will investigate.

Spam

Spam is a term that describes unwanted and unsolicited marketing emails. Within the EU, your organisation should not send marketing email messages to individuals without their prior permission. However, if your organisation obtained an individual’s details through a sale, or if the individual failed to opt out of communications when they were given the opportunity to do so, then you can continue to send marketing messages.

Generic Opt-outs

With every form of electronic communication, individuals must be given the opportunity to opt out in every message, usually through the inclusion of an ‘unsubscribe’ link or something similar. There is currently no specific legislation to cover electronic communications sent to business addresses.

Disclosure

Organisations that target individuals and organisations with marketing material must remember that they must disclose the information they hold if requested to do so.