Learn about what the Data Protection Act is in this article.
The Data Protection Act (DPA) is a piece of legislation introduced in 1998 that governs how businesses and organisations handle and use personal data. It covers personal data held digitally on computers, on paper, and as audio recordings. The main goal of the legislation is to protect the privacy of individuals by ensuring that their personal data is stored and handled safely, securely, and ethically.
Breaches of the Data Protection Act can lead to fines. The Information Commissioner's Office (ICO) is the regulatory body responsible for investigating possible data protection breaches. If a business or organisation is found to have breached the Data Protection Act, it can be fined up to £500,000.
More sensitive data, such as race or ethnic background, political opinions, religious beliefs, trade union membership, genetic data, biometric data (where used for identification), health or medical information, sex life, and sexual orientation, has stronger legal protection.
Principles
Each business or organisation responsible for using personal data must follow the data protection principles. The eight principles of the Data Protection Act are:
1. Personal data must be processed fairly and lawfully. For example, personal data must not be used in a way that individuals would not reasonably expect or that would have negative effects on them. Companies must also have legitimate reasons for collecting data.
2. Personal data must be relevant and kept up to date. For example, steps should be taken to ensure the accuracy of personal data, and it should be updated where necessary.
3. Personal data must be stored safely and securely. For example, procedures must be put in place to prevent unauthorised or unlawful processing of personal data, and organisations should respond quickly to data breaches.
4. Personal data must be processed in accordance with people's data protection rights. For example, organisations must make sure that individuals can access the personal data held about them and can prevent processing in certain circumstances. Individuals can also claim compensation for poor handling of their personal data.
5. Personal data must be adequate and not excessive. For example, the data collected must be sufficient for its purpose, and no unnecessary information should be held that the organisation does not need for that purpose.
6. Personal data must not be kept for longer than necessary. For example, data should be regularly reviewed against its purpose and securely deleted if it is no longer needed or is out of date.
7. Personal data must be obtained only for limited, specifically stated purposes. For example, organisations must be clear from the start about why the data is being gathered, and must ensure that any later use of the data for another purpose is fair.
8. Personal data must not be transferred to countries outside the European Union without adequate protection. For example, it must not be shared with others in countries that do not have appropriate data protection.
Rights
Under the Data Protection Act, people have the right to:
Be informed about how their data is being used.
Access their personal data.
Have their personal data securely disposed of.
Stop or restrict the processing of their personal data.
Have incorrect data about them updated.
Object to how their data is processed in certain circumstances.
Compliance
To comply with the Data Protection Act, organisations should:
Use passwords. Without passwords, anyone can log in to accounts, which could give people unauthorised access to personal data.
Avoid giving personal data to people who do not need it. For example, if someone asked an organisation for a database of all its employees, handing it over would be unnecessary.
Make sure that personal data is still up to date and relevant after a 5-year period.
Only ask for necessary personal data. For example, if someone is buying a car, it would be unnecessary for the seller to ask for information about the buyer's pet.
Securely dispose of personal data when it is no longer necessary to keep.
Securely shred confidential documents and not leave them in places where they could be seen by other people.
Be careful when speaking on the phone in public, so that confidential information is not accidentally shared where it can be overheard by everyone.