The Data Protection Act 1998 contains eight Data Protection Principles. These state that all personal data must be:
- Processed fairly and lawfully
- Obtained & used only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate, and where necessary, kept up to date
- Kept for no longer than necessary
- Processed in accordance with the individuals' rights (as defined in the Act)
- Kept secure
- Transferred only to countries that offer adequate data protection
The legislation underpinning these principles is extremely complex. It is not suitable for handing directly to all the (lay) staff and managers who may have responsibility for personal data, nor does it, on its own, provide any measure of compliance. Hence the need for supporting products and guidance.
Terms and definitions
BASIC INTERPRETATIVE PROVISIONS- (1) In this Act, unless the context otherwise requires-
"data" means information which-
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;
"data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
"data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
"data subject" means an individual who is the subject of personal data;
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
(2) In this Act, unless the context otherwise requires-
(a) "obtaining" or "recording", in relation to personal data, includes obtaining or recording the information to be contained in the data, and
(b) "using" or "disclosing", in relation to personal data, includes using or disclosing the information contained in the data.
(3) In determining for the purposes of this Act whether any information is recorded with the intention-
(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) that it should form part of a relevant filing system,
it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.
(4) Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.
SENSITIVE PERSONAL DATA- In this Act "sensitive personal data" means personal data consisting of information as to-
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
THE SPECIAL PURPOSES- In this Act "the special purposes" means any one or more of the following-
(a) the purposes of journalism,
(b) artistic purposes, and
(c) literary purposes.
THE DATA PROTECTION PRINCIPLES- (1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.
(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.
(3) Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.
(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
APPLICATION OF THE ACT- (1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if-
(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or
(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.
(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom-
(a) an individual who is ordinarily resident in the United Kingdom,
(b) a body incorporated under the law of, or of any part of, the United Kingdom,
(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and
(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-
(i) an office, branch or agency through which he carries on any activity, or
(ii) a regular practice;
and the reference to establishment in any other EEA State has a corresponding meaning.
THE COMMISSIONER AND THE TRIBUNAL- (1) The office originally established by section 3(1)(a) of the Data Protection Act 1984 as the office of Data Protection Registrar shall continue to exist for the purposes of this Act but shall be known as the office of Data Protection Commissioner; and in this Act the Data Protection Commissioner is referred to as "the Commissioner".
(2) The Commissioner shall be appointed by Her Majesty by Letters Patent.
(3) For the purposes of this Act there shall continue to be a Data Protection Tribunal (in this Act referred to as "the Tribunal").
(4) The Tribunal shall consist of-
(a) a chairman appointed by the Lord Chancellor after consultation with the Lord Advocate,
(b) such number of deputy chairmen so appointed as the Lord Chancellor may determine, and
(c) such number of other members appointed by the Secretary of State as he may determine.
(5) The members of the Tribunal appointed under subsection (4)(a) and (b) shall be-
(a) persons who have a 7 year general qualification, within the meaning of section 71 of the Courts and Legal Services Act 1990,
(b) advocates or solicitors in Scotland of at least 7 years' standing, or
(c) members of the bar of Northern Ireland or solicitors of the Supreme Court of Northern Ireland of at least 7 years' standing.
(6) The members of the Tribunal appointed under subsection (4)(c) shall be-
(a) persons to represent the interests of data subjects, and
(b) persons to represent the interests of data controllers.
(7) Schedule 5 has effect in relation to the Commissioner and the Tribunal.
Data Protection Principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Notification
(1) Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.
(2) A notification under this section must specify in accordance with notification regulations-
(a) the registrable particulars, and
(b) a general description of measures to be taken for the purpose of complying with the seventh data protection principle.
(3) Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).
(4) Notification regulations may make provision as to the giving of notification-
(a) by partnerships, or
(b) in other cases where two or more persons are the data controllers in respect of any personal data.
(5) The notification must be accompanied by such fee as may be prescribed by fees regulations.
(6) Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.
Exemptions
Exemption from section 22
19. Processing which was already under way immediately before 24th October 1998 is not assessable processing for the purposes of section 22.
Offences Under The Act
(1) If section 17(1) is contravened, the data controller is guilty of an offence.
(2) Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) is guilty of an offence.
(3) It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.