UK Data Protection Act
Published: 25th May 2011
The UK Data Protection Act 1998: implications for the general population
The 1998 Act now replaces The Data Protection Act 1984 and the Access to Personal Files Act 1987. At the same time it aimed to implement the European Data Protection Directive. In some aspects, notably electronic communication and marketing, it has been refined by subsequent legislation for legal reasons.
There are 8 key principles of the Data Protection Act:
• Personal information must be fairly and lawfully processed
• Personal information must be processed for limited purposes
• Personal information must be adequate, relevant and not excessive
• Personal information must be accurate and kept up to date
• Personal information must be kept for not longer than is necessary
• Personal information must be processed in line with the data subject's rights
• Personal data must be held in a secure environment
• Personal information must not be transferred to other countries without adequate protection
Summary of the key principles
• Data can only be used for the specific purposes it was collected for.
• It must not under any circumstances be disclosed to third parties without the prior permission of the data subject, unless there is an overriding legitimate reason to share the information (i.e. crime prevention, tax evasion).
• Data must be updated as it evolves
• Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
• Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner's Office.
• The departments of a company that are holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
• Data subjects have the right to correct inaccurate data (referred to as a notice of correction)
The Act covers any data related to the identified data subject. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or email address.
Data Subjects' Rights (Your rights)
For a nominal fee, usually £10.00, you have the right to access all the data a specific organisation holds relating to you. The organisation has 40 days from the subject access request to respond.
Inaccuracies must be corrected, and if a firm does not correct them the data subject can apply for a court order to have them corrected.
The data subject can require that data is not used in any way that may potentially cause damage or distress.
The data subject can also require that their personal data is not used for direct marketing.
The 6 conditions relevant to the DPA first principle
• Personal information must be fairly and lawfully processed
1. Data subject has consented to the processing of their data
2. Processing is necessary for the processing or start of a contract
3. Processing is required under a legal obligation
4. Processing is required to protect the interest of the data subject
5. Processing is required for a public function
6. Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).
Definition of personal data
The definition of personal data is data which relates to a living individual who can be identified:
• from that data, or
• from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
Sensitive personal data concerns the subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record.
Subject access
Personal data which is normally held for under 40 days may be legitimately denied in subject access requests under the Act. This is a consequence of the time limit data controllers must meet in making their response. If the data has been deleted by the normal procedures of the business by the time the data controller responds to a request, that data cannot be supplied. For data such as closed-circuit television images, which are routinely overwritten, it may be impossible for a subject to exercise their data access rights.
Regulation
Compliance with the Act is regulated and enforced by an independent authority, the Information Commissioner's Office, which maintains guidance relating to the Act.
We hope all the information in this article is what you are looking for but if you need any further assistance from KPM Financial Services please visit our website
This article is free for republishing
Source: http://kevinfs.articlealley.com/uk-data-protection-act-2249372.html