What is the Data Protection Act?
The Data Protection Act (1998) is legislation which regulates the processing of personal data by organisations. Hence it regulates the acquisition, holding, use and disclosure of personal data.

Who has to comply with the Data Protection Act?
Compliance with the Act is consigned to the 'data controller', i.e. the individual, company or organisation who determines the purposes for which the personal data are held and the manner in which they will be processed.

What is 'personal data'?
The Data Protection Act defines 'personal data' as data which relates to a living individual, who can be identified from that data and other information which is in possession of the data controller.

How to comply with the Data Protection Act?
The legal obligations imposed by the Act can be adhered to by:

• Notifying the Information Commissioner of processing of personal data. The Information Commissioner maintains a public register of data controllers, each entry including name and address of data controller, types of information held and purposes for processing of personal data. To notify, the data controller has to add their details to the register.
• Following the eight principles of good information handling - the Data Protection Principles. These principles lay down the acceptable conduct for the lawful management of personal data. In essence, they are a set of rules describing lawful personal data handling practices and procedures.

The Eight Data Protection Principles

1. Personal data should be processed fairly and lawfully.
2. Personal data should be obtained only for one or more specified and lawful purposes and should not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data should be adequate, relevant and not excessive in relation to the purpose/s for which they are processed.
4. Personal data should be accurate and kept up to date as necessary.
5. Personal data should not be kept longer than is required for the purpose for which it was obtained.
6. Personal data should be processed in accordance with the rights of the individual to whom the information pertains.
7. Ensure that appropriate technical and organisational measures are in place in order keep personal data secure.
8. Personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals (in relation to the information) to which the personal data relates.

The Rights of the Data Subject
The 'data subject' is the person to whom the personal data pertains. The data subject has certain rights under the Act as follows:

• The right to be told if personal data is held about them upon written request.
• The right to see all the personal data held about them by the controller (subject to exemptions). The maximum fee that can be charged for this is £10 and the data controller has 40 days to respond.
• The right to know if the data controller is processing data about him / her in order to make an automated decision about him / her, including a description of the decision making process. An example of this would be credit rating of an individual by a computer.
• The right to prevent within a reasonable time any processing which is causing or likely to cause substantial damage and distress. This right cannot be exercised if the data subject has given consent, the processing is for entering a contract in which he / she is a party and if processing is required to protect the vital interests of the data subject.
• The right to ask for the rectification of inaccurate data.
• The entitlement to claim compensation for any breach of the Act that has caused any damage.
• The right to complain to the Information Commissioner where the data subject is dissatisfied by the outcome of any requests for personal data.

Who Enforces the Data Protection Act?
The Act is enforced by the Office of the Information Commissioner , headed by Richard Thomas, who is the Information Commissioner. This supervisory body ensures that the provisions of the Act are obeyed and has the power to serve notices and prosecute for offences under the Act.

If you would like to find out further information, please contact us.