Data Protection Act 1998: Difference between revisions
Appearance
Content deleted Content added
m Reverted edits by 82.16.27.50 to last revision by Majorly (HG) |
←Replaced content with ':D' |
||
Line 1: | Line 1: | ||
:D |
|||
The '''Data Protection Act 1998''' (DPA) is a [[United Kingdom]] [[Act of Parliament]] which defines UK law on the processing of data on identifiable living people. It is the ''main'' piece of legislation that governs the [[data protection|protection of personal data]] in the UK. Although the Act does not mention [[privacy]], in practice it provides a way in which individuals can control information about themselves. Most of the Act does not apply to domestic use,<ref name= "exemptions">''Data Protection Act 1998'', [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_5#pt4-l1g36 Part IV (Exemptions), Section 36], [[Office of Public Sector Information]], accessed 6 September 2007</ref> for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions. The Act defines eight '''data protection principles'''. |
|||
== History == |
|||
The 1998 Act replaced the [[Data Protection Act 1984]], and was intended to bring UK law into line with the [[Data Protection Directive|European Directive of 1995]]. In some aspects such as consent for Email marketing it has been refined by subsequent legislation. For example the [[Privacy and Electronic Communications (EC Directive) Regulations 2003]] altered the consent requirement for most electronic marketing to "positive consent" such as an opt in box. Though exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be permissioned on an opt out basis. |
|||
==Plain-language summary of key principles== |
|||
This section provides a quick overview of what the Key Principles of information-handling practice mean. The Key Principles themselves are discussed below in the context of their definition in law. |
|||
* Data may only be used for the specific purposes for which it was collected. |
|||
* Data must not be disclosed to other parties without the [[consent]] of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation. |
|||
* Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime). |
|||
* Personal information may be kept for no longer than is necessary and must be kept up to date. |
|||
* Personal information may not be sent outside the [[European Economic Area]] unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data. |
|||
* Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must [[Register of data controllers|register]] with the [[Information Commissioner's Office]]. |
|||
* Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training). |
|||
* Subjects have the right to have ''factually incorrect'' information corrected (note: this does not extend to matters of ''opinion'') |
|||
==Personal data== |
|||
{{Out of date|date=June 2009}}<!--Does no deal with the extension of the Act by the Freedom of Information Act 2000 for public authorities; or the Durant ruling--> |
|||
The Act covers any data about a living and identifiable individual. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or Email address. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'. |
|||
In some cases even a paper address book can be classified as a 'relevant filing system', for example diaries used to support commercial activities such as a salesperson's diary. |
|||
==Subject rights== |
|||
The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or collect personal data. |
|||
The person who has their data processed has the right to<ref>''[http://www.ico.gov.uk/what_we_cover/data_protection/your_rights.aspx Your rights,]'', ICO, accessed 6 September 2007</ref> |
|||
* View the data an organisation holds on them, for a small fee, known as 'subject access fee'<ref>As of 2006, the maximum fee is £10 per individual, ''[http://www.ico.gov.uk/Global/faqs/data_protection_for_the_public.aspx#f5EED57A6-1B5C-4032-A7A3-22ECBBF66D3D FAQs]'', ICO</ref> |
|||
* Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases [[Damages|compensation]] can be awarded.<ref>''[http://www.ico.gov.uk/Home/what_we_cover/data_protection/your_rights/correcting_information.aspx Correcting information]'', ICO</ref> |
|||
* Require that data is not used in a way which makes damage or distress.<ref>''Data Protection Act 1998'', [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_3#pt2-l1g10 Part III (Notification by Data Controllers), Section 10], [[Office of Public Sector Information]], accessed 6 September 2007</ref> |
|||
* Require that their data is not used for [[direct marketing]].<ref>''Data Protection Act 1998'', [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_3#pt2-l1g11 Part III (Notification by Data Controllers), Section 11], [[Office of Public Sector Information]], accessed 6 September 2007</ref> |
|||
==Data protection principles== |
|||
# Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- |
|||
## at least one of the conditions in Schedule 2 is met, and |
|||
## in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. |
|||
# Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. |
|||
# Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. |
|||
# Personal data shall be accurate and, where necessary, kept up to date. |
|||
# Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. |
|||
# Personal data shall be processed in accordance with the rights of data subjects under this Act. |
|||
# Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. |
|||
# Personal data shall not be transferred to a country or territory outside the [[European Economic Area]] unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. |
|||
===Conditions relevant to the first principle=== |
|||
Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2). |
|||
# The data subject (the person whose data is stored) has consented ("given their permission") to the processing; |
|||
# Processing is necessary for the performance of, or commencing, a contract; |
|||
# Processing is required under a legal obligation (other than one stated in the contract); |
|||
# Processing is necessary to protect the vital interests of the data subject; |
|||
# Processing is necessary to carry out any public functions; |
|||
# Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject). <ref>[http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_10#sch2] Data Protection Act 1998 Schedule 2</ref> |
|||
Sensitive personal data must be processed according to a stricter set of conditions, in particular any consent must be explicit. |
|||
==Exceptions== |
|||
The Act is structured such that all processing of personal data is covered by the act, while providing a number of exceptions in Part IV.<ref name= "exemptions"/> Notable exceptions are: |
|||
* Section 28 - National security. Any processing for the purpose of safeguarding national security are exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data). |
|||
* Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle. |
|||
* Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification). |
|||
==Offences== |
|||
The Act details a number of civil and criminal offences for which data controllers may be liable if a data controller has failed to gain appropriate consent from a data subject. However 'consent' is not specifically defined in the Act; consent is therefore a common law matter. |
|||
* Section 21 - This section makes it an offence to process personal information without Registration or to fail to comply with the notification regulations.<ref>''Data Protection Act 1998'', [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_4#pt3-l1g21 Part III (Notification by Data Controllers), Section 21], [[Office of Public Sector Information]]</ref> |
|||
* Section 55 - Unlawful obtaining of personal data. This Section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data.<ref>''Data Protection Act 1998'', [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_7#pt6-pb2-l1g55 Part VI (Miscellaneous and General), Section 55], [[Office of Public Sector Information]], accessed 14 September 2007</ref> |
|||
* Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to [[Police caution|cautions]] or [[conviction]]s for the purposes of recruitment, continued employment, or the provision of services.<ref>''Data Protection Act 1998'', [http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_7#pt6-pb3-l1g56 Part VI (Miscellaneous and General), Section 56], [[Office of Public Sector Information]], accessed 14 September 2007</ref> As of 2007 this section has not yet been enabled.<ref name="emplaws56">[http://www.emplaw.co.uk/researchfree-redirector.aspx?StartPage=data%2f023007.htm British Employment Law website (emplaw.co.uk)], Criminal law aspects / vetting of job applicants / position under Police Act 1997</ref> According to the government, this section will not be enabled until the [[Criminal Records Bureau]] is providing a 'basic disclosure' service.<ref>[http://www.publications.parliament.uk/pa/cm200506/cmhansrd/cm050628/text/50628w18.htm Hansard, 28 Jun 2005 : Column 1451W]</ref> The provision of a basic disclosure service is dependent on s.112 of the [[Police Act 1997]] being enacted, which provides for "Criminal Conviction Certificate".<ref name="emplaws56"/> |
|||
==Complexity== |
|||
The UK Data Protection Act is a large Act that has a reputation for complexity.<ref>Bainbridge, D: "Introduction to Computer Law - Fifth Edition", page 430. Pearson Education Limited, 2005</ref> While the basic principles are honoured for protecting privacy, interpreting the act is not always simple. Many companies, organisations and individuals seem very unsure of the aims, content and principles of the DPA. Some hide behind the Act and refuse to provide even very basic, publicly available material quoting the Act as a restriction.<ref>''[http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/data_protection_myths_and_realities.pdf Data Protection myths and realities]'', [[Information Commissioner's Office]], accessed 30 August 2008</ref> The act also impacts on the way in which organisations conduct business in terms of who can be contacted for marketing purposes, not only by telephone and direct mail, but also electronically and has led to the development of permission based marketing strategies. |
|||
==Apparent flaws in the Act== |
|||
{{Unreferenced section|date=March 2009}} |
|||
{{Original research|section|date=June 2009}} |
|||
Several apparent flaws may be found in the text of The Act. One potential effect of such flaws is that data processing systems can readily be devised which circumvent the spirit but not the letter of The Act. |
|||
===Definition of personal data=== |
|||
The definition of personal data is data which relates to a living individual who can be identified:— |
|||
* from that data, or |
|||
* from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, |
|||
This is a subjective definition since whether particular data is personal data depends on which data controller is referred to in the definition. However, the Act is generally drafted as if the definition were explicit.<!--The effect of this is that personal data encrypted with [[asymmetric cryptography]] using a third party's public key is not itself personal data. Such encrypted data alone cannot be used to identify an individual, and the necessary private key is not likely to come into the possession of the data controller. Since the encrypted data is not personal data, none of the provisions of The Act apply. DRAFTING NOTE: This is surely self-evident, and is the reason why the public sector is now obliged to use encryption!--><!--Another issue arises from the mutually recursive definition of 'data controller'. The data controller is a person who determines the purposes for which and the manner in which any personal data is, or is to be, processed. However the personal data is defined above according to the likely availability of information available to the data controller. This mutual recursion makes the determination of what is and what isn't personal data [[Independence (mathematical logic)|formally undecidable]] in some circumstances. DRAFTING NOTE: This is not at all recursive and must be someone's unsourced opinion--> |
|||
Sensitive personal data concerns the subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record.<ref>http://www.opsi.gov.uk/ACTS/acts1998/ukpga_19980029_en_2</ref> |
|||
===Subject access=== |
|||
Personal data which is normally held for under 40 days may be legitimately denied in subject access requests under The Act. This is a consequence of the time limit data controllers must meet in making their response. If the data has been deleted by the normal procedures of the business by the time the data controller responds to a request, that data cannot be supplied. For data such as [[Closed-circuit television]] images which are routinely overwritten, it may be impossible for a subject to exercise their data access rights. |
|||
==Regulation== |
|||
{{Expand|date=June 2009}} |
|||
Compliance with the Act is regulated and enforced by an independent authority, the [[Information Commissioner's Office]], which maintains guidance relating to the Act.<ref>''Guidance - The Data Protection Act'', [http://www.ico.gov.uk/what_we_cover/data_protection/guidance.aspx Page of Assorted Guidance], [[Information Commissioner's Office]], accessed 20 October 2007</ref> |
|||
==See also== |
|||
*[[Computer Misuse Act 1990]] |
|||
*[[Data privacy]] |
|||
*[[Freedom of Information Act 2000]] |
|||
*[[Gaskin v. the United Kingdom]] |
|||
*[[List of UK government data losses]] |
|||
*[[Privacy and Electronic Communications (EC Directive) Regulations 2003]] |
|||
*[[Data Protection Directive]] (EU) |
|||
==References== |
|||
{{reflist|2}} |
|||
==External links== |
|||
*[http://www.ico.gov.uk Information Commissioner's Office] |
|||
*{{UK-SLD|3190610}} |
|||
*[http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm Data Protection Act 1998] (full text from [[Office of Public Sector Information]]) |
|||
*[http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm Council of Europe - ETS no. 108 - Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data] (1981) - basis for Data Protection Act 1984 |
|||
*[http://ec.europa.eu/archives/ISPO/legal/en/dataprot/directiv/directiv.html Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data] - basis for Data Protection Act 1998 |
|||
*[http://www.dca.gov.uk/foi/datprot.htm The Department for Constitutional Affairs] |
|||
*[http://www.dataprotectionact.org The Data Protection Act Explained] |
|||
*[http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/employment_practice_code_-_supplementary_guidance.pdf The Employment Practice Code (an explanation of employees rights from the Data Protection Act)] (full text) |
|||
{{UK legislation}} |
|||
[[Category:United Kingdom Acts of Parliament 1998]] |
|||
[[Category:Data privacy]] |
|||
[[Category:Computer crimes]] |
|||
[[Category:Computer law]] |
|||
[[Category:Privacy law]] |
|||
[[simple:Data Protection Act]] |
Revision as of 15:16, 25 November 2009
- D