OCR Nationals Level 3 Unit 3
To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing
To understand what restrictions might be in place on the data you collect and store
To identify specific ways in which you will have to comply with the Act
March 2012 M Morison
You are going to collect and use data from real people in this unit. It is important that you know how to deal with this data under the terms of the DPA.
You must include a section that demonstrates how your work is affected by the DPA, and the measures you will take to comply with it.
Pass: Candidates will demonstrate an understanding of Data Protection legislation and give a brief explanation of how they will comply with this.
Merit: Candidates will demonstrate an understanding of Data Protection legislation and explain how they will comply with this.
Distinction: Candidates will demonstrate an understanding of Data Protection legislation and explain how they will comply with this.
What is the Data Protection Act and why is it necessary?
Describe the reasons why the DPA came about.
What is the DPA designed to do?
What are the advantages and disadvantages to you of being able to collect, store and process your data using computers?
What is the difference between personal data and sensitive data? Give examples of each.
Which of the data you collect will be personal, and which will be sensitive?
What rights do your data subjects have?
Briefly describe the eight principles of the DPA, saying how you are going to ensure that you comply with each one.
What exemptions might apply to you as a researcher?
You will find help with these in the “Resources to help you” section.
Personal vs. Sensitive data
The 8 Principles of the DPA
Rights of Data Subjects
Exemptions
PERSONAL DATA
Personal data covers both facts and opinions about a living individual. Facts would include name, address, date of birth, marital status or current bank balance. Results in examinations, details of driving offences, record of medicine prescribed and financial credit rating are further examples of facts that could relate to an individual.
SENSITIVE DATA
This is data which is sensitive or personal to an individual. If a company were to collect this data, it cannot be disclosed or told to anyone else. Some things which are classed as Sensitive Personal Data are: racial or ethnic origin; membership of a trade union; criminal convictions or offences; political opinions or religious beliefs.
1: Fairly & lawfully processed
2: Held for specified purpose
3: Adequate & relevant
4: Accurate & up to date
5: Not kept for longer than necessary
6: Processed within the rights of the subject
7: Prevention of unauthorised access
8: Not transferred abroad
Personal data should be obtained and processed fairly and lawfully
This means that you should be told that data is being collected about you, and you should know what the data will be used for.
Personal data can be held only for specified and lawful purposes
The Data Controller has to state why they want to collect and store information when they apply for permission to be able to do so. If they use the data they have collected for other purposes, they are breaking the law.
Personal data should be adequate, relevant and not excessive for the required purpose
Organisations should only collect the data that they need and no more. Your school needs to know your parents' phone number in case they need to contact them in an emergency. However, they do not need to know what your grandmother's name is, nor do they need to know your eye colour. They should not ask for, nor should they store, such details since this would be excessive and would not be required to help with your education.
Personal data should be accurate and kept up-to-date
Companies should do their best to make sure that they do not record the wrong facts about a data subject. Your school probably asks your parents to check a form once a year to make sure that the phone number and address on the school system is still correct. If a person asks for the information to be changed, the company should comply if it can be proved that the information is indeed incorrect.
Personal data should not be kept for longer than is necessary
Organisations should only keep personal data for a reasonable length of time. Hospitals might need to keep patient records for 25 years or more; that is acceptable since they may need that information to treat an illness later on. However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.
Data must be processed in accordance with the rights of the data subject
People have the right to inspect the information held on them (except in certain circumstances - see later). If the data being held on them is incorrect, they have the right to have it changed.
Appropriate security measures must be taken against unauthorised access
This means information has to be kept safe from hackers and employees who don't have rights to see it. Data must also be safeguarded against accidental loss.
Personal data cannot be transferred to countries outside the E.U. unless the country has similar legislation to the D.P.A.
This means that if a company wishes to share data with an organisation in a different country, that country must have similar laws to our Data Protection Act in place.
Data subjects have the right to:
1. see data held on themselves. They must apply in writing and pay a small fee (often around £10). The company must respond to the request within forty days.
2. have any errors corrected
3. claim compensation for any distress caused if the Act has been broken
4. prevent processing likely to cause damage or distress
5. prevent processing for automated decision taking by writing to the data controller to inform them that no decisions should be taken based on automatic processing. Some banks decide whether a customer should be given a mortgage on the basis of a computer program. The data subject has the right to prevent that happening.
Personal data processed for research purposes is exempted if the following two conditions are met:
1. The data is not processed to support measures or decisions with respect to a specific individual.
2. The processing of the data does not cause substantial damage or distress to a data subject.