Data Protection Act 1998
This new data protection act was, like the first, passed to comply with an EC Directive. The intention was to fill some of the gaps in the old legislation and to provide greater safeguards for the rights and privacy of the individual at a time when the use of personal data – particularly by large organisations – is rapidly increasing.
An important extension of the new act is its application to written records that are not intended for automated processing. In addition data used for payroll purposes, mailing list data, and membership data of members' clubs, all of which had far reaching exemptions under the old act, will now have no exemption under the new.
Although passed in 1998, the act was not be implemented until 1st March 2000 at which time the old 1984 act was repealed. All automatic data processing systems will have to comply with the 1998 act from 24th October 2001 when this first transitional period ends.
Manual data – written records – which were in use before 24 October 1998 are granted exemptions up to 23 October 2007. This is to allow for the greater impact that the act is likely to have in an area previously not covered by legislation.
Terms and Definitions
|| The 1998 Act applies to data relating to any identifiable living individual. It is not restricted to facts but includes expressions of opinion about the individual or other people's intentions regarding them. Thus the intention to promote or make an employee redundant would be covered by the act.
|| In order to be covered by the act the data must fall into one of the following categories
- be being processed automatically
- recorded in preparation for automatic processing
- stored in a structured way (not necessarily within a computer system) so that specific information about an individual can be accessed.
- Accessible records that do not necessarily fall into the first three categories (health, school, social services records)
These last two categories means that the act covers written records, not just those intended for automatic processing. This is an important extension over the provisions of the 1984 act and fills what many people saw as a gap in its provision.
||The Act applies to any operation carried out on the data. This includes data collection, storage, access and use, editing, and its final deletion. From the moment it is collected until it is finally erased, all aspects of the data's storage and use are covered by the act.
|| The data subject is any identifiable living individual about whom personal data is stored.
|| A data controller is anyone (person or organisation) who is responsible for deciding how and for what purpose the data is processed. In simple terms, the Data Controller will be the person or organisation that owns the data.
The Data Protection Commissioner is the person responsible for overseeing the working of the act and maintaining a register of data controllers. She is also responsible for making people aware of the act. The Commissioner has the power to issue enforcement notices if she considers that a data controller is breaching any of the data protection principles. She also has the power to obtain a search warrant if necessary to investigate suspected breaches of the act.