The Data Protection Act 1998 in UK Abstract Data protection influences positively attitudes and decision making in people’s everyday life
The Data Protection Act 1998 in UK
Abstract
Data protection influences positively attitudes and decision making in people’s everyday life. Understanding the acts and the attitudes, as well as the citizen participant’s motivations is an important component of all of this. Thus, this study examines the special role that data protection has in our everyday life. Within this framework the need for data protection legislation as well as its purpose is examined. Background of the data protection act is a primary factor of the legislation in the area. One of the ways that society might influence all of this is to understand the principles, security and subject rights as well as the penalties of the act.
Key words: data, protection, principles, security, penalties
Introduction
The need for data protection legislation
The Data Protection Act mission was to replace earlier legislation such as Data Protection Act 1984 and to implement the European Data Protection Directive. In some aspects, notably electronic communication and marketing, it has been refined by subsequent legislation for legal reasons. The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to “positive consent” such as an opt in box. Exemptions remain for the marketing of “similar products and services” to existing customers and enquirers, which can still be given permission on an opt out basis.
The purpose of DPA
The Act’s definition of “personal data” covers any data that can be used to identify a living individual. Anonymized or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or Email address. The Act applies only to data which is held, or intended to be held, on computers (‘equipment operating automatically in response to instructions given for that purpose’), or held in a ‘relevant filing system’. In some cases even a paper address book can be classified as a ‘relevant filing system’, for example diaries used to support commercial activities such as a salesperson’s diary.
The Freedom of Information Act 2000 modified the act for public bodies and authorities, and the Durant case modified the interpretation of the act by providing case law and precedent. The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or transmit such data. The person who has their data processed has the right to:
View the data an organization holds on them. A ‘subject access request’ can be obtained for a nominal fee. As of January 2014, the maximum fee is £2 for requests to credit reference agencies, £50 for health and educational request, and £10 per individual otherwise,
Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.
Require that data is not used in any way that may potentially cause damage or distress.
Require that their data is not used for direct marketing.
Background of DPA– EU Law
The background of the Data Protection Act from 1998 lies in 1995 when the European Commission adopted the Data Protection Directive. The basic aim of the Directive was to harmonize data protection legislation throughout the European Union. That was basically the reason why each member state had the obligation to implement it in its national legislation by 24 October 1998.
Research question and objectives
The Eight Principles of Data Protection – an explanation of each of the eight principles of the Data Protection Act.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
at least one of the conditions in Schedule 2 is met, and
in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. About the rights of individuals e.g. personal data shall be processed in accordance with the rights of data subjects (individuals).
7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Personal data should only be processed fairly and lawfully. In order for data to be classed as ‘fairly processed’, at least one of these six conditions must be applicable to that data (Schedule 2).
The data subject (the person whose data is stored) has consented (“given their permission”) to the processing;
1. Processing is necessary for the performance of, or commencing, a contract;
2. Processing is required under a legal obligation (other than one stated in the contract);
3. Processing is necessary to protect the vital interests of the data subject;
4. Processing is necessary to carry out any public functions;
5. Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).
In the first principle emphasis is placed on “clear language” because hiding your processing in complex terms is not to be regarded as fair. Neither is it regarded as fair to have a fair processing notice in tiny print at the foot of your form.
Lawful means that other relevant laws in connection with the data must be complied with at the same time as the fair processing code. For example, laws such as copyright and the common law of confidentiality.
Principle 2 amplifies Principle 1 by adding that your school must have a very specific reason or purpose for processing data. Further, the data can only be processed for that purpose and no other and what’s more, all other processing must be comparable with the specified purpose. In short, if data are collected for personnel administration then personnel administration is all that you can do with it.
Principle three is especially important in respect of data collection exercises that have been undertaken repeatedly over a long period of time. Often in such cases, the information originally collected becomes embellished with other information that is collected because it might become useful. This is a classic example of excessive and irrelevant data collection.
Principle four states the reasons for having accurate personal data is to avoid inconvenience or even damage or distress. For example, if you need to contact a parent or carer in an emergency, yet do not have the correct telephone number this could result in distress for both parent and child. The Data Protection Act conveys the right to receive compensation where substantial damage or distress takes place so this could also be costly for school.
Principle five has implications in terms of accuracy. The longer you hold “live” files, the longer you will need to ensure that they are accurate. Also, the longer that information is retained after its useful life, the less it becomes relevant and thus inconsistent with the Third Principle. Holding information that no longer has any useful purpose could also be regarded as excessive, which again is inconsistent with the Third Principle.
The sixth principle has implications for how personal information can be used by your school. They are particularly important when it comes to disclosing information, or using information for more than one purpose.
The seventh principle puts main emphasis is on surrounding personal data with a suitable degree of security. This does not just mean security on computer systems (such as password protection and the positioning of screens etc.), it also includes organizational security such as locking filing cabinets wherever possible; clearing confidential files from desks (or at least covering them up); making sure that waste personal data is disposed of confidentially by shredding, etc. The eight principle is more profoundly explained in the topics below.
Data Security and Subject Rights – the importance of data security, real life cases, what is expected of businesses, how to deal with lost data and subject access requests and data subjects’ rights.
Using globalization as a starting point I must state that data security in small, or large companies, in public or private institutions should be built in from the start. That is the reason why that chapter of my study will reveal the way in which global process intersect, overlap and clash when the issue of data storage is concerned.
If we have one major company that experiences a serious information breach, then as a consequence we will have millions of people potential victims of identity theft. All these makes sense, because big companies often have access to the personal data of millions of people.
However, the fact is that no matter how big the company is – it is put on risk. When a transcription company that worked with Boston Medical Center suffered from a data breach due to mediocre security measures, it exposed the sensitive medical information of nearly 15,000 patients.
While this number is small relative to Target’s massive data breach, it’s still significant—not only to the people whose information was stolen, but also to the transcription company that made the error. Boston Medical Center cut its ties with the company, its reputation was tarnished, and it opened itself up to the possibility of numerous lawsuits and government action.
That is why the data subject’s rights should be addressed. In brief, they state that there exists a right of access to a copy of the information comprised in the personal data; there is a right to prevent processing for the purposes of the direct marketing; there exist the right to object to decisions being taken by automated means and there is a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damages caused by a breach of the Act.
In order to verify such issues, of course, more empirical simultaneous comparative studies are required. Unfortunately, few studies on the Data Protection Act have adopted comparative approach; most of them used the method of the cabinet study of the Act itself, which gives rise to a certain type of problems. These aspects are even widely considered in the topics below.
Sharing Data and Penalties – registering with the ICO, sharing data securely, transferring data outside of the EEA, marketing communications, potential penalties and the ICO’s involvement
Registration under the Data Protection Act requires every data controller (e.g. organization, sole trader) who is processing personal information to register with the ICO, unless they are exempt. For most of the organizations the fee they must pay is £35 each year. However, in an attempt to narrow the gap between the businesses and the registration the procedure is more than simplified.
Echoing the principles of the Data Protection Act, the transfer of personal data to countries outside of the EEA is strictly prohibited, unless in the following cases:
The destination country ensures an “adequate level” of protection for the individuals, or
One or more preconditions which allow the transfer to take place applies.
In determining what makes a destination country adequate, it is possible to either rely on a published European Commission decision, or to make an assessment of adequacy based on a number of factors such as the nature of the data being transferred and the purposes for which they are being transferred, the law in the country in question and any security measures being taken. Very few countries outside of the EEA are deemed by the Commission to have adequate protection. . The United States has put in place an agreement with the Commission known as “safe harbor”, whereby US businesses who sign up to a set of privacy principles (similar to the Data Protection Principles under the Act) may be considered as offering adequate protection.
Today, the Information Commissioner’s Office (ICO) has several options when it finds an organization in breach of the UK Data Protection Act:
Monetary penalty notices: fines of up to £500,000 for serious breaches of the DPA.
Prosecutions and possible prison sentences for deliberately breaching the DPA.
Undertakings: organizations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
Enforcement notices: organisations in breach of legislation are required to take specific steps in order to comply with the law.
Audit: the ICO has the authority to audit government departments without consent.
Conclusion
Summary of the Data protection principles and their importance
This study investigated and discussed the controversial question of the Data Protection, as it poses sensitive questions in the society as a whole. All these were instigated by the principles lying behind the Act.
The first principle- fair and lawful means that the institution must have legitimate grounds for collecting and using one’s personal data. Moreover, it should be transparent how it intends to use the data, and how all these should be handled. The institution must make sure that nothing unlawful will be done with the data.
The second principle- purpose is a continuation of the first one and according to it the aim of collecting the data should be perfectly clear. Although there are different types of data collection the act of doing it must comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data. It also must ensure the fact that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
The third principle – adequacy means that one must hold a personal data about an individual that is sufficient for the purpose they are holding it and that one must not hold more information than necessary. Then comes the fourth principle which is connected with the accuracy of the information and of the way that it should be kept. In line with the findings of the other studies is the fifth principle – retention. It means that one must review the length of time one keeps one’s personal data and securely delete information that is no longer necessary for the purposes of the personal data protection.
The last three principles concern the rights, the security and the international scope of the data transfer.
It is all a vast amount of information and that is the reason why in this study I tried to represent it in the most precise way possible. The main goal of my study was to present to the reader the legislation in the area of the data protection and its basic principles. This being the purpose of the research, I appeared to use the most appropriate method possible, so I hope the reader has got to know the idea.
Bibliography
