The Data Protection Act is a complex act and generally gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
Because of its complexity, we will break it down into its key areas and separate it into eight parts.
The Act works in two ways. First, it states that anyone who processes personal information must comply with the following principles, to make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Those are the eight principles that cover the Act, and they are straightforward in what they state.
We can break down these eight principles, look at their contents, and try to define them within the areas of the law.
Data may only be used for the specific purposes for which it was collected.
Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information. It is an offence for other parties to obtain this personal data without authorization.
Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
Personal information may be kept for no longer than is necessary and must be kept up to date.
Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
Subject to some exceptions for organizations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner’s Office.
Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organizational measures (such as staff training).
Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).
The above information will give you a general background on the Act. As stated above, it is a long and sometimes complex Act, and you will certainly need professional advice in all areas if you require a more detailed analysis.
The reason Acts and Regulations are covered in this blog about the Paperless Office and its systems is that a good understanding of the various Acts and Regulations will help you to understand how the paperless system and office has to be regulated to meet these requirements.
This blog entry is not intended to provide legal advice.