Data Protection Principles
The eight principles of the 1999 Act apply to all processing of personal data. Data controllers may be able to claim exemption from one or more of the principles, but unless an exemption applies they must comply with them. Even if a data controller has not notified the Commissioner of the use, or does not need to, the principles still apply unless a specific exemption covers the processing.
- Data must be processed fairly and lawfully. Given the wide meaning of "processing" used in the Act, this covers every action carried out on the data, including its collection. In addition, the data subject must have given their consent for the data to be processed. In some situations it can be assumed that the subject has given consent, but where sensitive personal data (e.g. political opinions, race, sexual orientation, criminal record, etc.) is involved there are additional safeguards unless the data subject has given explicit consent.
In some cases where the processing is necessary then the data subject's consent is not needed. This applies to situations where the data controller is legally required to process the data or where the processing is necessary because of a contract with the subject. Consent would not therefore be needed in situations such as supplying mail-order goods to the subject, collecting data for an electoral register or in processing data in connection with legal proceedings.
- Data must be collected for specified purposes and cannot be used in ways that are incompatible with those purposes.
- Data must be adequate, relevant and not excessive for the purposes.
- Data must be accurate and kept up to date.
- Data must not be kept longer than necessary.
- Data must be processed in accordance with the data subject's rights under the act. (See the next section.)
- The data must be protected against unauthorised access and against accidental loss or damage.
- Data must not be transferred to a country which does not have appropriate data protection legislation.
Data Subject Rights
The data subject has seven rights under the 1998 Data Protection Act.
- Right of Subject Access. This requires the data controller to tell the subject whether his or her personal data is being processed and to give the subject a copy of the data in printed form. This must include a key to any codes used that would otherwise be unintelligible. A reasonable fee can be charged for this service to cover administrative costs.
- Prevention of Processing. The data subject can give the data controller written notice to halt or prevent processing that would cause damage or distress to them.
- Prevention of Direct Marketing. The data subject can give the data controller written notice to halt or prevent the sending of advertising or marketing material to them.
- Prevention of Automated Decision Taking. The data subject can give written notice to prevent decisions affecting them being made on the basis of automatic processing alone. An example would be preventing a bank from deciding whether or not to grant a loan or credit card based solely on the output of an expert system.
- Compensation. The data subject can claim compensation where they have suffered damage and distress when the act has been contravened.
- Correction. The data subject can obtain a court order to have inaccurate data corrected or erased.
- Assessment. Anyone can ask the Commissioner to assess whether or not personal data is being processed in accordance with the act.
Note that if the data subject does not object to the processing, direct marketing and automated decision making processes described above, then the data controller is entitled to continue with that processing – as long as the data protection principles are complied with.
Notification
A data controller responsible for automated processing of personal data must notify the Commissioner. If only manual records are processed then there is no requirement to register. The controller must supply:
- their name and address.
- a description of the data being processed.
- the purposes for which the data is being processed.
- details of anyone to whom the data may be disclosed.
- details of countries to which the data may be transferred.
- a general description of security measures taken to protect the data.
It is an offence to process personal data without notification unless the data is exempt from the need for registration.
Exemptions
There are a number of exemptions to the act where data controllers need not comply with one or more of the principles or where the data subject does not have one or more of the rights normally granted by the act. A selection of them is given below.
- National Security. The data protection principles need not apply, the subject has no rights and the Commissioner cannot enforce the Act if a government minister signs a certificate of exemption stating that this is necessary to safeguard national security.
- Crime and Taxation. Data to do with the prevention and detection of crime and the collection of taxes is exempt from the first principle, although the additional protection for processing sensitive data still applies. It is also exempt from the subject access requirement. However, these exemptions only apply where investigations or operations would be adversely affected by application of the first principle or subject access. In addition, such data is exempt from the non-disclosure provisions (the second, third, fourth and fifth principles) where application of those principles would prejudice the purpose. Essentially these provisions allow the authorities to process data about crimes and criminals without giving suspected criminals the right to prevent the processing or to access the data where this would hamper the authorities' work.
- Special Purpose Exemptions. Journalists, amongst others, are exempt from all the principles apart from the seventh (data security) as long as the data is being processed for publication and it is a matter of public interest. In addition, the data subject does not have the right of access to the data, nor can he or she prevent processing likely to cause damage or distress.
- Available by Law. If information is made available to the public by law then it is exempt from the first principle, the subject access right, the correction right, the prevention of processing rights, the accuracy requirement (fourth principle) and the fifth principle.
- Domestic Purposes. Personal data processed by an individual and relating to family or household affairs is exempt from the data protection principles. The data subject's rights do not apply and the data controller need not notify the Commissioner.