Tuesday, 20 March 2012

Data Protection Act 1998


Overview

Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to whom it related. These rules and rights were revised and superseded by the Data Protection Act 1998, which came into force on 1st March 2000. This Guide explains what you should know about data protection under the Data Protection Act 1998 ('the Act').

When does data protection law apply?

Data protection law applies whenever a data controller processes personal data. These words are given special meanings by the Act.

Data controllers

A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. In other words, you will be a data controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a data controller is an employer.

Personal data

Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Act as 'data subjects'.

Processing

The Act applies when personal data is processed or is to be processed by a computer, or is recorded or to be recorded in a structured manual filing system. There are other types of system covered by the Act, but these are the most common.
Whether or not manual files are covered by the Act is not always an easy question to answer. To be covered:
  • there must be a set of information relating to individuals,
  • which is structured either by reference to individuals or by criteria relating to individuals,
  • in such a way that specific information relating to particular individuals is readily accessible.
If your manual files fall within this definition, you will have to comply with the Act.
The term 'processing' covers virtually any use which can be made of personal data, from collecting the data, storing it and using it to destroying it.

What are the obligations?

The data protection principles

In order to comply with the Act, a data controller must comply with the following eight principles:
  1. The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
  2. Data should be obtained only for specified and lawful purposes.
  3. Data should be adequate, relevant and not excessive.
  4. Data should be accurate and, where necessary, kept up to date.
  5. Data should not be kept longer than is necessary for the purposes for which it is processed.
  6. Data should be processed in accordance with the rights of the data subject under the Act.
  7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
