Data Protection Act 1998

Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your personal data. It provides a set of rules which prohibit the misuse of your information without stopping it being used for legitimate purposes.

The Data Protection Principles The details of the Data Protection Act are quite complex, but at the heart of it, there are eight common-sense rules known as the Data Protection Principles. These require personal information to be: fairly and lawfully processed; fairly and lawfully processed; processed for limited purposes; processed for limited purposes; adequate, relevant and not excessive; adequate, relevant and not excessive; accurate; accurate; not kept longer than necessary; not kept longer than necessary; processed in accordance with your rights; processed in accordance with your rights; kept secure; kept secure; not transferred abroad without adequate protection. not transferred abroad without adequate protection. Data Controllers using personal information must comply with all of these Principles. Data Controllers using personal information must comply with all of these Principles.

Data Controllers The data controller is the person who is responsible for the personal information stored by the organisation and is therefore sometimes liable for any breech of the Data Protection Act.

Data Subjects A Data Subject is the person whose personal information is being stored by the Data Controller. The data protection act creates rights for Data Subjects, and responsibilities for Data Controllers. The Data Subject who has their data processed has the right to: View the data an organisation holds on them, for a small fee, known as 'subject access‘. View the data an organisation holds on them, for a small fee, known as 'subject access‘. Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded. Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded. Require that data is not used in a way which causes damage or distress. Require that data is not used in a way which causes damage or distress. Require that their data is not used for direct marketing. Require that their data is not used for direct marketing.

Exemptions The Act is structured in a way that all processing of personal data is covered by the act, while providing a number of exemptions in Part IV. Notable exemptions are: Section 28 - National security. Any processing for the purpose of safeguarding national security are exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data). Section 28 - National security. Any processing for the purpose of safeguarding national security are exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data). Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle. Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle. Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification). Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).

Offences Section 55 - Unlawful obtaining of personal data. This Section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data. Section 55 - Unlawful obtaining of personal data. This Section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data. Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes or recruitment, continued employment, or the provision of services. As of 2007 this section has not yet been enabled. According to the government, this section will not be enabled until the Criminal Records Bureau is providing a service. The provision of a Basic Disclosure service is dependent on s.112 of the being enacted, which provides for "Criminal Conviction Certificate". Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes or recruitment, continued employment, or the provision of services. As of 2007 this section has not yet been enabled. According to the government, this section will not be enabled until the Criminal Records Bureau is providing a service. The provision of a Basic Disclosure service is dependent on s.112 of the being enacted, which provides for "Criminal Conviction Certificate".