
Data Protection Act - Essay Example

Summary
The researcher of this essay aims to analyze the "Data Protection Act" (DPA) of 1998, activities controlled by it, complying with DPA, the role of Commission Officer, and the Impact of the UK Data Protection Act on Organizations. DPA is the legislation that forms the legal basis for the manner in which the personal information of any citizen of the United Kingdom is handled in the country…

Extract of sample "Data Protection Act"

Data Protection Issues

Introduction

The Data Protection Act (DPA) of 1998 is an expansion of the Data Protection Act of 1984 and is the legislation that forms the legal basis for the manner in which the personal information of any citizen of the United Kingdom is handled in the country. There is an international flavour to the Act in that it owes its antecedents to European legislation, as data protection is an issue of international concern (1). The Act itself carries no mention of privacy of the personal information of an individual, but it contains the means that an individual can use to make sure that privacy is maintained, in the form of a framework of rules that ensure privacy through the proper handling of personal information.

There are three major aspects to the DPA. The first is that it makes it obligatory for anyone and everyone who processes personal information to comply with eight principles set down by it, which offer privacy for this information. The second is that it gives individuals the right to seek and get the details of information that is held as soft copies and most of the information held as hard copies. The final aspect is that it offers the individual a forum, in the form of the Information Commissioner's Office, to redress any grievances with respect to the first two aspects of the DPA (2).

Activities Controlled by the Data Protection Act

The DPA affects the activities of data controllers, as it regulates the manner in which they process the personal data of an individual. Data controllers include any and all government departments, public bodies, and other organizations. Processing of data in terms of the DPA means any action that may be done to personal data, which includes obtaining, holding, using, disclosing or destroying the data.

As per the DPA, data consists of all automatically processed information, in essence computerised information, and some of the manual records containing personal data. Personal data of individuals are available in the data banks of the public sector, and when such data, pertaining to identified or identifiable individuals, is shared, the regulations of the DPA come into force. For certain categories of personal information that may be considered sensitive, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health status, sexual life, and the commission or alleged commission of any offence or criminal proceedings, the regulations of the DPA are even more stringent (3).

There are eight principles to the DPA, which in effect regulate the activities of obtaining, holding, using, disclosing or destroying data. These eight principles in simple terms require that personal data is processed fairly and lawfully; processed for the limited purposes it was obtained for; is adequate, relevant and not in excess of the requirement; is accurate and current; not retained for longer than is necessary; is stored in a secure manner; and not transferred out of the country without providing adequate protection (2).

The first principle of the DPA requires that personal data be processed in a fair and lawful manner, which means that the legal obligations of statutory and common law need to be complied with. In essence, the DPA does not deny the right of the public sector to obtain, process and share data as provided under domestic statute and common law, as long as the processing is in compliance with the Human Rights Act, the European Commission for Human Rights and any applicable principles of European Union law (3). The principle of fairness, however, requires that when data has been sought and obtained on the basis of the resident statutory powers, the individuals have to be given details that include the identity of the data controller and the purpose for which the data has been obtained and processed (3).

The second principle of the DPA brings in specificity in the use of personal data: data that has been obtained for one or more specified and lawful purposes cannot be processed additionally in any manner that is incompatible with the purpose or purposes for which it was obtained. In other words, the DPA places a restriction on additional processing of personal data (3). However, the DPA itself provides for a number of exemptions to the data processing, sharing and disclosure provisions. These exemptions include national security, crime and taxation, and certain types of processing for research (3).

From the perspective of a private or voluntary organization, any activity of such an organization, or of an individual, whereby personal information of an individual is obtained carries the legal requirement to comply with the eight principles of the DPA. These activities may relate to business activities such as marketing or research of products, the providing of all kinds of services, charitable activities, social activities, and employee databases, whereby personal information of customers, suppliers and other contacts is obtained (4).

Complying with the Data Protection Act

In essence, complying with the Data Protection Act means meeting the requirements laid out in the eight principles of the Act that govern the obtaining and processing of data. As such, compliance requires that, prior to the obtaining of personal data, a clear-cut purpose requiring such data is established and the individuals concerned are informed about how the data collected is going to be used. In simple terms, this means that individuals whose data is to be collected are informed of the collection and are given information on the use of the data in a manner that lets them understand the implications. There should be no attempt to confuse the individuals whose data is to be obtained and processed about the purpose for which the data is sought and the manner in which it is to be employed. It is implied that only personal information that the individuals wish to provide can be collected, and there should be no attempts to coerce individuals to provide their personal data (5).

Once the data has been collected, the next issue for proper compliance with the DPA is security in the storage of the information collected, irrespective of whether it is in soft form on a personal computer or in hard form on paper. Even information collected online or through a web site needs to be secured. The provisions of security include restricting access to this personal information to only those who have a strict need for it based on the original purpose for which it was collected. This is also true of information collected online and on web sites, for example job application forms, which must not be accessible by any unauthorised individual or organization (5).

The data thus collected can be processed only towards the objectives expressed initially and not for any other unstated purpose. This implies that the personal information collected cannot be passed on to any other individual or organization for their purposes. When outsourcing is resorted to for any of the individual's or organization's functions that require the use of the personal information collected, it is essential that in the transfer and processing of the personal information there is no misuse of the data, as per the principles of the DPA. There is also a need to ensure that the personal information collected and stored for processing is accurate and current (5).

Once the requirement for the personal data collected is over, it needs to be destroyed totally and completely. If the data is maintained as hard copies, all the paper copies need to be destroyed in such a manner that there is no possibility of recovering the information that was on those papers. If the data is maintained as soft copies, all the soft copies on the personal computer, or on any other devices used to store the data temporarily or permanently, need to be erased in such a manner that they cannot be retrieved by any means (5).

In organizations, many employees are required to handle personal data in the functions of obtaining, storing and processing the data. It is not enough if the management of such organizations alone is aware of and complies with the DPA. It is the responsibility of the management to ensure that every employee of the organization is aware of their duties and responsibilities in the collection, storing and processing of personal information as per the DPA, and further to ensure that these duties and responsibilities are adhered to in their activities concerned with personal information (5).

Any individual whose personal data is held by any business or organization in the private or public sector is given the right by the DPA to see such personal information. Thus, when such an individual requests to see their personal information, this must be done within forty days from the date of receipt of the request, though a fee of ten pounds may be charged. In addition, individuals have the right under the DPA to have inaccurate data corrected, destroyed, blocked or erased, and such instructions from individuals with regard to their personal information need to be complied with (6).

Organizations and individuals engaged in the collection and processing of personal information need to notify the Office of the Information Commissioner from time to time, for the purpose of openness and transparency, and hence this requirement also needs to be met in the collection and processing of personal information (7).

Role of the Information Commissioner's Office

As per the DPA, the supervisory authority for the purposes of data protection was called the Data Protection Commissioner. The Freedom of Information Act 2000 changed the name of the supervisory authority for data protection to the Information Commissioner (8). The data protection powers of the Information Commissioner's Office give it a multi-role capacity to protect personal information.

The Office of the Information Commissioner conducts assessments of organizations to ascertain whether they are in compliance with the DPA. When deviations are observed, the Office serves information notices that require the organizations to provide it with specified information within a specific time frame. Based on the information received, the Office serves enforcement notices and stop orders when there have been breaches of the DPA. These enforcement notices require the organizations in breach of the DPA to take, or refrain from taking, specified steps so that they are in compliance with the DPA. It is also the Office of the Information Commissioner that prosecutes offenders when the breaches of the DPA constitute criminal offences. The Office is also responsible for evaluating whether organizational practices in the processing of personal data are in keeping with the DPA, and to this end it conducts audits.

It is also the Office of the Information Commissioner that receives complaints from the public on any issue relevant to personal data protection, investigates these complaints and takes the relevant action. The Office has a responsibility to Parliament in that it has to report to Parliament any issues of concern arising over data protection (9).

There is also an international role ascribed to the Office of the Information Commissioner, in keeping with its being the supervisory authority for data protection. In this role it is responsible for the exchange of information with the other supervisory authorities in the European Economic Area (EEA) and with the European Commission (EC). The Office also assists other supervisory authorities in their investigations of complaints about the processing of personal data outside the United Kingdom when the data controller is based in the United Kingdom. The Office also has a specified role to play in relation to decisions taken about the international transfer of personal information. Besides these functions, the Office plays a role in influencing European policy on privacy protection issues through its participation in the Article 29 Working Party, which was established by the Data Protection Directive 95/46/EC (10).

Impact of the UK Data Protection Act on Organizations

The UK Data Protection Act has had a huge impact on the manner in which organizations collect and process personal information to avoid being in breach of the DPA. To meet their obligations under the DPA, organizations make clear to the individuals from whom they are collecting personal data the purpose of obtaining the data and where it is likely to be sent, and they obtain the consent of the individual where it is essential. Organizations conduct an audit from time to time of all their e-commerce activities and processes to verify for themselves that these are in keeping with the requirements of the DPA.

Since it is essential to maintain the acquired personal data in a safe manner to comply with the seventh principle of the DPA, organizations take steps towards the security of the data obtained. The first is a detailed assessment of the security risks associated with the storage of the personal data. The next step is the creation of security policies to eliminate or minimise those risks. The final step is to ensure that the security policies created for the safety of the personal data are complied with (11).

Breaches of the Data Protection Act

The DPA requires that an organization give particulars of the personal information that it possesses when these are sought. Media Logistics (UK) sent Mr. Nigel Roberts an unsolicited marketing email. Mr. Roberts sought from the company information on where they had got his personal details, and when the company declined he sued the company for breach of the DPA. The court ruled in favour of Mr. Roberts, but the case was settled through the small claims system, wherein a settlement of three hundred pounds including costs was made (12).

The Office of the Information Commissioner found that Marks & Spencer PLC was in breach of the DPA as a result of the theft of an unencrypted laptop containing the personal information of its 26,000 employees. An enforcement notice has been issued to Marks & Spencer requiring them to have all laptop hard drives fully encrypted by April 2008. Early this year Carphone Warehouse and its sister company TalkTalk were found in breach of the DPA by the Office of the Information Commissioner regarding the manner in which the companies stored and processed personal information. Enforcement notices have been issued to both companies by the Office of the Information Commissioner (13).

Conclusion

The Data Protection Act 1998 is the result of political action towards the prevention of misuse of the personal information of the citizens of the United Kingdom. The Office of the Information Commissioner is the supervisory authority with the responsibility to ensure that the eight principles of the DPA are complied with in the obtaining, storage, processing and transfer of personal data. As a result of the DPA, organizations have become more vigilant with regard to personal information to ensure that they are not in breach of the DPA. Breaches do occur, however, with resultant action against such organizations.

Works Cited

1. “Data Protection”. Department of Constitutional Affairs. Feb 17, 2008.
2. “The basics”. Information Commissioner’s Office. Feb 17, 2008.
3. “Public Sector Data Sharing: Guidance on the Law”. 2003. Department of Constitutional Affairs. Feb 17, 2008.
4. “Information and Data Sharing”. UK Resilience. Feb 17, 2008.
5. “Your Legal Obligations”. Information Commissioner’s Office. Feb 17, 2008.
6. “Data Protection – Frequently Asked Questions”. Department of Constitutional Affairs. Feb 17, 2008.
7. “Notification under the Data Protection Act 1998”. Feb 17, 2008.
8. “Part I: Access to Information Held by Public Authorities”. Office of Public Sector Information. Feb 17, 2008.
9. “Our legal powers”. Information Commissioner’s Office. Feb 17, 2008.
10. “International”. Information Commissioner’s Office. Feb 17, 2008.
11. “The Data Protection Act 1998 and its Impact on Electronic Commerce”. ZDNet.co.uk. Feb 17, 2008.
12. “The Data Protection Act 1998 and how much is a breach of a person’s privacy actually worth?” Anderson Strathern Solicitors. Feb 17, 2008.
13. “Enforcement”. Information Commissioner’s Office. Feb 17, 2008.
Data Protection Act Essay Example | Topics and Well Written Essays - 2500 words - 1. https://studentshare.org/law/1711957-data-protection-issues-or-intellectual-property-rights-and-copy-protection-technology
