The Data Protection Act (DPA) controls how businesses, the government and organisations use individuals’ personal information.
Data controllers and data processors must ensure they adhere to the strict rules known as the Data Protection Act's eight principles.
The DPA Principles require that the personal data handled by controllers and processors is:
Principle 1 – Used fairly and lawfully – i.e. you must have legitimate grounds for collecting and using personal data. The data must not be used in unlawful ways or to the detriment of the individual, and it must be clear to the individual how you intend to use their personal data. At least one condition of Schedule 2 must be met; in the case of sensitive data, at least one of the conditions of Schedule 3 must also be met.
Principle 2 – Used for limited and specifically stated purposes – the data controller and processor must clearly state why the personal data is being requested and for what purpose it is intended to be used. It may not be used for any purpose other than the one stated.
Principle 3 – Used in a way that is adequate, relevant, and not excessive – only hold data about an individual that is sufficient for the purpose for which you have collected it and do not hold more information than required.
Principle 4 – Accurate – this means that the controller or processor needs to take reasonable steps to ensure the accuracy of the personal data collected and to ensure it is clear and up to date. Information should be reviewed and updated when necessary.
Principle 5 – Kept for no longer than is absolutely necessary – personal data will need to be securely destroyed or archived once the purpose for its collection has been fulfilled or the information needs to be updated.
Principle 6 – Handled according to people’s data protection rights – Individuals have the right to access their personal data collected and object to the way it is being used. They also have the right to have inaccurate data altered or destroyed.
Principle 7 – Kept safe and secure – this requires the data controller and data processor to put in place appropriate security measures to prevent the unlawful or accidental loss, damage or use of personal data. The security measures cover technical safeguards, such as encryption of data, as well as restricting access to authorised personnel.
Principle 8 – Not transferred outside of the European Economic Area without adequate protection – firstly, it is important to ensure the individual whose data has been collected is aware of the intention to transfer their data outside of the EU. There is a checklist of rules to adhere to regarding the transfer of data outside of the EEA, which a legal advisor will be able to help you with. It is often necessary to encrypt or anonymise data when transferring it, to avoid any misuse of the individual's personal data.
There is stronger legal protection for more sensitive information, such as:
a. ethnic background
b. political opinions
c. religious beliefs
d. sexual health
e. criminal records
The General Data Protection Regulation (GDPR) now imposes stricter regulations for organisations that are found to be in breach of the Data Protection Principles. These regulations include obtaining the consent of subjects for data processing, anonymising collected data to protect privacy, notifying the ICO and the individuals concerned of any breach of data and, for larger companies, the need to appoint a data protection officer to oversee GDPR compliance.
In essence this means that in order to first collect personal data, your organisation needs to ensure that you have legitimate reasons for the collection of this data. You must show total transparency as to the reasons for collecting the data and all data must be handled in a lawful way as outlined in principle 1 above.
You must comply with the DPA’s fair processing requirements. For example, an employer may provide details of an employee’s earnings to the tax authorities with or without that employee’s knowledge. However, if details of an employee’s taxable earnings are disclosed for the purpose of setting a fine, due to a traffic infringement for example, and this could cause detriment to that individual, it may not be considered fair processing. The proper use of personal data is always a necessity, and you will need to be sure that you adhere to the lawful requirements.
All data collected needs to be secure as per the DPA’s requirements. This may involve digital encryption to avoid breaches of stored data, depending on the sensitivity of the information held.
If an individual requests a copy of the data your company holds on them, you are required by law to provide it to them; a small fee may sometimes be applied for this service. There are certain exemptions to this.
An organisation may withhold information, for example if the information is about:
a) the prevention, detection or investigation of a crime
b) national security or the armed forces
c) the assessment or collection of tax
d) judicial or ministerial appointments
You are not obliged to inform the data subject of your reasons for refusal, but they must be lawful.
Who do the DPA Principles apply to?
Rights and duties under the DPA are designed to be applied generally. However, there are a few exemptions depending on the purpose for processing the personal data in question.
For example, if the criminal justice service or taxation office require information held on an individual, then an organisation may be granted the right to disclose that information. However, any exemptions from the DPA Principles are judged on a case-by-case basis, so it is highly recommended that legal advice is sought prior to departing from the DPA’s general requirements.
Common DPA risks for data controllers
The DPA Principles are concerned with fairness to the individual from whom you are collecting the data. Because this is a vast area, it can be difficult without advice to establish what the Act considers ‘fair’.
In general, you will be required to state who you are, or who your UK representative is, the purpose for gathering the data, and any other information you will need to provide to the individual to ensure fair processing of the information gathered.
To avoid unnecessary pitfalls, it is highly recommended that you seek legal advice for your organisation’s unique requirements in the gathering and use of any data.
Using personal data already collected for a new purpose is also strictly controlled. For example, companies that hold customer information and have been sending those customers regular catalogues for a specific product line may fairly send them information or catalogues relating to a new venture. However, unless the customer has agreed, your company may not share a customer’s information with another company. To avoid your customers/clients claiming you have used their personal data unfairly, it is important to ensure that your customers have full clarity about any data you intend to share, and that you obtain their permission prior to any alternative use of their data.
Clarity of language used in all agreements regarding data protection is essential. If there is anything that can be considered misleading or confusing to the customer, you may find yourself in breach of the DPA Principles.
You will also need to ensure that your company does not breach any laws when processing personal data. These include committing a criminal offence, an infringement of copyright and a breach of a legally enforceable contract, although this list is not exhaustive.
If your business collects, uses or stores personal information, you need to be aware of the offences under the Data Protection Act 1998. In addition to the offences already mentioned, your organisation may incur any of the following penalties from the Information Commissioner’s Office (ICO):
a. Criminal prosecution for serious breaches
b. Non-criminal enforcement
c. Audits to check the organisation is complying
d. Monetary penalties
The ICO can also issue:
a. An Enforcement Notice if it believes that the company has not complied with one or more of the Data Protection Principles
b. An Information Notice requiring an organisation to supply any information needed to help the ICO assess whether the DPA has been breached
You could also be liable for a financial penalty through the courts if you fail to notify, or fail to comply with an enforcement or information notice.
At present the ICO can impose a monetary penalty (without recourse through the courts) of up to £500,000.
It is highly recommended that you seek legal advice to ensure that your company has adhered to all the current DPA rules, to avoid unnecessary penalties, and that you are prepared for any changes coming through the General Data Protection Regulation (GDPR). Also, if you are found to be in breach of any DPA Principles, it would be advisable to seek legal advice to help navigate your way successfully through the process.