Web Design - Data Protection Act
Web Design - Data Protection Act Guidelines
The Data Protection Act 1998 has been garnering much attention in recent times. It is referenced regularly in the media when companies accidentally lose confidential data or information security is topic of the day. But what is the Data Protection Act exactly and why does it exist?
What is the Data Protection Act?
The Data Protection Act 1998, in its current form, was implemented in March 2000 to give individuals a right of access to ‘personal data’. This personal data qualifies as any information held by a company that relates to an individual. Personal data is often collected when an individual completes the purchase of a good or service from a company. It can consist of contact, bank or any other necessary details needed to facilitate an exchange.
However, much of the data that is collected is sensitive and if it were to fall into the wrong hands could result in fraudulent activities against the individual. This is regarded to be a direct breach of civil liberties.
With so much personal data held by an increasing number of organisations, there needs to be some benchmark for companies to follow if they are to ensure that data is handled fairly. The Data Protection Act acts as a foundation for providing that benchmark.
Who needs to comply with the Data Protection Act?
Any company or professional that needs to store personal data from clients in order to perform business activities is classified as a ‘data controller’. As a data controller they must notify the Information Commissioner’s Office (ICO) that they are responsible for the availability, integrity and security of that data under the Act.
Most companies in the UK who process customer data fall under requirements of the Data Protection Act. Some of the key regulatory bodies responsible for promoting faithfulness to the Act include the Financial Services Authority (FSA) and the Solicitors Regulation Authority (SRA).
What are the requirements of the Data Protection Act?
The Data Protection Act can be complex and difficult to interpret. It mainly consists of eight key principles that must be adhered to. We have tried to make those principles as easy to understand as possible.
Principle 1 – Information must be processed fairly and lawfully
This means that any personal data collected by an organisation must be provided with the consent of the individual. This is commonly identified by written disclaimers in purchase contracts that are signed. To be seen as acting fairly, the collecting company must be transparent and ensure clients are fully informed and understand what will happen to their personal information.
In other words - be honest. You must gain permission to use any collected data and let the individuals know exactly what it will be used for.
Principle 2 – Information collected must be processed for limited purposes
This means that collected information must only be held and used for the reasons given to the ICO and the customer. Personal information must not be processed in any manner incompatible with the original purpose(s). If a company wishes to use certain information for purposes outside of the original need they must gain further permission from the individual.
In other words - don’t be cheeky. Only use the data that you have collected for the reasons you promised.
Principle 3 – Information collected must be adequate, relevant and not excessive
This means that all data collected must be necessary to complete the needs of the company. An organisation should not ask for or hold any personal data that is outside their concern. They will be in breach of the Data Protection Act if they hold data irrelevant to their purpose.
In other words - don’t be greedy. Collect only data that you need to know and not additional data that may be useful to you in the future.
Principle 4 – Information collected must be accurate and up to date
Data controllers must make every effort available to ensure the information they use is accurate. This is because often the information held is sensitive and its inaccurate use could result in misrepresentation on behalf of the customer.
In other words – make sure your data is true. If any suspicion exists that the information is inaccurate – check with the individual.
Principle 5 – Information must not be held for longer than is necessary
The Data Protection Act states that a company must not hold onto data for any longer than is necessary. For example, if a company were to keep a credit card detail several years after a contract has terminated. Companies are encouraged conduct regular reviews of the personal data they hold and securely destroy any information that is no longer relevant.
In other words - don’t hoard. Only keep hold of old files if really needed or if you are required to by law.
Principle 6 – Information must be processed in accordance with the individual’s rights
The individual’s rights that this principle refers to include:
- A right of access to a copy of their information which is held;
- A right to object to processing their data;
- A right to prevent processing for direct marketing;
- A right to have inaccurate personal data rectified, blocked, erased, or destroyed;
- A claim to compensation for damaged caused by a breach of the act.
In other words – give the individual access. It is their data you’re holding, they should have a say in how it is used.
Principle 7 – Information must be kept secure
If a company is holding and using data on behalf of a third-party, it is their duty to ensure it is kept secure. The most common breaches of the Data Protection Act relate to data exposure – where a company or organisation loses a computer device containing personal data. As well as the obvious distress this can have on the individuals involved (often having to cancel credit card details or other details susceptible to fraud) it can also act as a significant black spot on a firm’s reputation. The ICO is also not adverse to fining organisations responsible for negligence.
In other words – don’t be careless. You must ensure that measures exist to keep the personal data you are responsible for out of the wrong hands.
Principle 8 – Information should not be transferred outside the European Economic Area.
This means that any data relating to third-parties must not be stored overseas – unless adequate safe harbouring laws are met. For example, if you are planning to store personal information overseas you must inform the individuals concerned in accordance with principle one (fair and lawful processing). Should a company wish to store personal data overseas, they must receive consent from the individual clients. They should also be given clear and free access to remove that data from storage when desired.
In other words – keep your customers informed. Don’t store their data in grey areas without their specific consent.
Data subject rights
Under the Data Protection Act (DPA) individuals may ask, in writing, to see information that is held about them. This is known as a 'subject access request. A data controller may ask for the following before processing a subject access request:
- a fee of £10 to be paid
- and adequate proof of identity from the applicant before considering the request
- A response to a subject access request will be given within forty calendar days of receipt of the above.
Relationship with FOIA
Requests for access to personal data that are made by someone who is not the subject of that personal data are not subject access requests. These should be considered under the Freedom of Information Act, but the information will not be shared if doing so will breach one of the data protection principles.
There are a number of exemptions contained in the Act. These may apply to the right of subject access or to the duty to comply with one or all of the principles. Examples of exemptions include:
- crime and taxation
- parliamentary privilege
- research, history and statistics
- confidential references
- legal professional privilege