The Act regulates the use of “personal data”. To understand what this means, we first need to look at how the Act defines the word “data”.
Data means information which:
a) is being processed by operating automatically in response to instructions given for that purpose;
b) is recorded with the intention that it should be processed;
c) is recorded as part of a relevant filing system with the intention that it should form part of a relevant filing system;
d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; or
e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).

The Data Protection Act requires you to process personal data fairly and lawfully. The main purpose of these principles is to protect the interests of individuals whose personal data is being processed. The key to complying with the Data Protection Act is to follow the 8 data protection principles.

PRINCIPLE 1
Personal Data should be processed fairly and lawfully and in particular shall not be processed unless – (a) at least one of the conditions in Schedule 2 is met and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

In practice it means that you must first have legitimate grounds for collecting and using the personal data; not use the data in ways that have unjustified adverse effects on the individuals concerned; be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data; handle people’s personal data only in ways they would reasonably expect; and finally make sure you do not do anything unlawful with the data.

EXAMPLE – Personal Data will be obtained fairly by the tax authorities if it is obtained from an employer who is under a legal duty to provide details of an employee’s pay, whether or not the employee consents to, or is aware of, this.

PRINCIPLE 2
Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. This requirement aims to ensure that organisations are open about their reasons for obtaining personal data and that what they do with the information is in line with the reasonable expectations of the individuals concerned.

In practice this means that you should first be clear from the outset about why you are collecting personal data and what you intend to do with it; comply with the Act’s fair processing requirements, including the duty to give privacy notices to individuals when collecting their personal data; comply with what the Act says about notifying the Information Commissioner; and finally ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

EXAMPLE – A not-for-profit chess club only uses personal data to organise a chess league for its members. The club is exempt from notification, and the purpose for which it processes the information is so obvious that it does not need to give privacy notices to its members. The specified purpose of processing should be taken to be the organisation of a members’ chess league.

INFORMATION STANDARDS (PRINCIPLES 3, 4, 5)
(PRINCIPLE 3) – Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

In practice it means that you should ensure, first, that you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual, and that you do not hold more information than you need for that purpose.

EXAMPLE – A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to...