What is the Data Protection Act (DPA)?
The Data Protection Act 1998 seeks to strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information.
The DPA gives individuals certain rights regarding information held about them. It places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.
Anyone processing personal information must notify the Information Commissioner’s Office (ICO) that they are doing so, unless their processing is exempt. Notification costs £35 per year.
The eight principles of good practice
Anyone processing personal information must comply with eight enforceable principles of good information handling practice.
These say that data must be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. not kept longer than necessary
6. processed in accordance with the individual’s rights
7. secure
8. not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual
Promoting public access to official information and protecting your personal information
The six conditions
At least one of the following conditions must be met for personal information to be considered fairly processed:
1. the individual has consented to the processing
2. processing is necessary for the performance of a contract with the individual
3. processing is required under a legal obligation (other than one imposed by the contract)
4. processing is necessary to protect the vital interests of the individual
5. processing is necessary to carry out public functions, e.g. administration of justice
6. processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)
Sensitive data
Specific provision is made under the Act for processing sensitive personal information. This includes racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions.
For personal information to be considered fairly processed, at least one of several extra conditions must be met. These include:
• Having the explicit consent of the individual
• Being required by law to process the information for employment purposes
• Needing to process the information in order to protect the vital interests of the individual or another person
• Dealing with the administration of justice or legal proceedings
Rights under the Act
There are seven rights under the Data Protection Act.
1. The right to subject access
This allows people to find out what information is held about them on computer and within some manual records.
2. The right to prevent processing
Anyone can ask a data controller not to process information relating to him or her that causes substantial unwarranted damage or distress to them or anyone else.
3. The right to prevent processing for direct marketing
Anyone can ask a data controller not to process information relating to him or her for direct marketing purposes.
4. Rights in relation to automated decision-taking
Individuals have a right to object to decisions made solely by automated means, i.e. where there is no human involvement.
5. The right to compensation
An individual can claim compensation from a data controller for damage and distress caused by any breach of the Act.
Compensation for distress alone can only be claimed in limited circumstances.
6. The right to rectification, blocking, erasure and destruction
Individuals can apply to the court to order a data controller to rectify, block or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.
7. The right to ask the Commissioner to assess whether the Act has been contravened
If someone believes their personal information has not been processed in accordance with the DPA, they can ask the Commissioner to make an assessment. If the Act is found to have been breached and the matter cannot be settled informally, then an enforcement notice may be served on the data controller in question.
Criminal Offences
A number of criminal offences are created by the Act and include:
Notification offences
This is where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing.
Procuring and selling offences
It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. There are some exceptions to this – for example, where such obtaining or disclosure was necessary for crime prevention or detection. If a person has obtained personal information illegally, it is also an offence to offer to sell, or to sell, that personal information.
Electronic Communications
The Privacy and Electronic Communications (EC Directive) Regulations 2003 cover, amongst other things, unsolicited electronic marketing communications. Unsolicited marketing calls should not be made to individual subscribers who have opted out, either directly or by registering with the central stop list, the Telephone Preference Service (TPS), or to corporate subscribers (e.g. companies) who have objected, either directly or by registering on the Corporate TPS.
Unsolicited marketing faxes should not be sent to individuals without their prior consent or to any subscriber who has objected, either directly or by registering on the Fax Preference Service (FPS). Unsolicited marketing emails or SMS should not be sent to any individual subscriber who has not consented unless the email address or phone number was collected in the context of a commercial relationship. Wholly automated marketing calls, i.e. where a recorded message is played and the recipient does not speak to a human being, can only be made where the subscriber concerned (whether individual or corporate) has consented.
Additional Information
Additional guidance on the Data Protection Act is available on our website at www.informationcommissioner.gov.uk
To contact our helpline please telephone 01625 545 745.
To contact our press office please telephone 020 7282 2960.
The role of the Information Commissioner’s Office
The ICO has specific responsibilities for the promotion and enforcement of the DPA.
Under the Data Protection Act, the Information Commissioner may:
• serve information notices requiring data controllers to supply him with the information he needs to assess compliance.
• where there has been a breach, serve an enforcement notice (which requires data controllers to take specified steps or to stop taking steps in order to comply with the law). Appeals to these notices may be made to the Information Tribunal.