
Paperless and the Data Protection Act 1998

We have stated that the DPA can be a complex act to process, and that the data it covers can include sensitive information and personnel information about individuals.

So can a paperless system assist with this act?

I think the main question we have to ask ourselves is to what degree we store or hold this type of information, and for how long.

If you have read the posts within this section you will know that there are eight key areas within this act.

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

I think the first four key areas are straightforward and are not really key areas for the paperless system, although the process to achieve them must be given serious consideration when applying this information to a PC or to a system which has been developed for your organization or company.

One of the areas that can sometimes be overlooked is that of first "input". Some systems allow the person to enter this electronically, and the information is transferred automatically into the main data bank, but there is still a lot of paper information which has to be transferred manually into the electronic data system.

At this stage paper can cause a problem, not only in the sense of a paperless environment but also in transferring that information without paper and obtaining a secure transfer. This has more to do with the Electronic Signature Regulations 2022 and the ESR data protection, which has been covered in another section of the blog.

The next two areas, not kept for longer than is necessary and processed in line with your rights, will once again depend on the type of organization or company and the context in which these are applied.

The last two are certainly two of the main concerns within this act, which have caused problems with system design and also with its potential damage, whether that damage is long term or short term.

Secure can mean a lot of areas within this section: secure from hackers, secure against loss of data, secure in storage, secure in day-to-day usage, secure in transfer, and secure during non-active viewing and usage.

One of the areas that I am totally confused about is this: sometimes we read and see on the news that a USB stick was left on a train or lost in a public place. It is not the fact that the information was lost; unfortunately people are human and mistakes are made. It is the lack of protective procedures that companies introduce when applying this act, and knowing that these incidents happened not because of human or computer error but because the procedures allowed them to happen.

How was the information transferred onto the stick in the first place? You could say that it is like a person working in a bank taking some of the money out of the bank, taking it home and saying that he or she has to count it while at home. It should not happen in the first place; it should not even enter the person's mind, never mind carrying out the act.

I think this act and the paperless system are difficult to separate, not because the act is complex but because it would be difficult to design a totally paperless system which is separate from the standard PC installation and keep it connected within the organization's computerized framework.

We must also ask ourselves whether we want to separate this information. I think this can only be answered by the type of information you have in the first place, although storage, input and day-to-day activities may benefit from a totally paperless environment.

Once again this section is really dependent on the type of information and how the organization or company is using this information in the first place.


Data Protection Act 1998

The Data Protection Act is a complex act and generally gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

Because of its complexity we will try to break it down into the key areas and understandings, separating it into eight areas.

The Act works in two ways. First, it states that anyone who processes personal information must comply with the following, to make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and in most paper records.

Those are the eight principles which cover the Act, and they are straightforward in the contents of what they state.

We could break down the above eight principles, cover their contents and try to define them within the areas of the law.

Data may only be used for the specific purposes for which it was collected.

Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information. It is an offence for other parties to obtain this personal data without authorization.

Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).

Personal information may be kept for no longer than is necessary and must be kept up to date.

Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.

Subject to some exceptions for organizations that only do very simple processing and for domestic use all entities that process personal information must register with the Information Commissioner’s Office.

Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organizational measures (such as staff training).

Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).

The above information will give you a general background of the Act. As stated above, it is a long and sometimes complex Act and certainly needs professional advice in all areas if you require a more detailed analysis.

The reason why Acts and Regulations are included in this blog about the Paperless Office and systems is that a good understanding of the various Acts and regulations will help you to understand how the paperless system and office has to be regulated to meet these needs.

This blog entry is not intended to provide legal advice.