There are essentially 8 basic principles, which stipulate how information described as personal should be managed. This essay will only observe those principles referred to in the question.
The first of these is security, for which the Act dictates that all personal data must be kept under tight controls and protected from unauthorized access. As such, technical measures such as password encryption and backup contingencies are strongly advised. Furthermore, adopting security policies and restricting staff access to sensitive data is a DPA prerequisite.
The DPA also tackles the issue of privacy, referring to the handling of 'sensitive' or 'personal' data. This relates to the context of the employee/employer relationship. Thus the data controller (i.e. the employer) has to take particular care when handling personal data to ensure it does not discriminate on the grounds of race, gender, age or disability. Similarly, the processing of staff medical records would also be considered 'sensitive' and is therefore required under the Act to be handled by a health professional or one working under an equivalent duty of confidence (i.e. an occupational doctor).
The disclosure of information to third parties is also a major principle in the Act, under what is termed 'lawful processing'. Accordingly, the forwarding of personal data to third parties must only take place with the prior approval of the original data subject. Thus a banking corporation may not forward its client details to third parties for marketing purposes without the client's consent. Similarly, recipients of such information must be certain they have the approval of the data subject before making use of the information for marketing or any other purpose.
In theory, these principles were introduced to serve as a mutual benefit to both employee and employer. Indeed, Sue Weeks expressed in Personal Today that the aim of the Act on Data Protection was to 'strike a balance between preserving workers legitimate rights to a private life, and an employees legitimate need to run its business' (Weeks, 2004:19).
One may argue, however, that the reality is far different. That is, although the legal requirements are expected to be adhered to wherever possible, there are some genuine concerns over the practicalities of these directives given the nature of working environments.
For instance, the principle relating to privacy has elementary problems even with the definition of what is classed as 'personal'. The Act defines personal data as that which identifies a living individual in conjunction with other information which is in the possession of the data controller. Thus telephone directories, which contain sets of names, addresses, and numbers, would clearly fall under this category. Strict adherence to the Act would therefore require companies to keep addresses and numbers in isolation, thereby ensuring complete anonymity: a secure but unrealistic expectation.
Practicality problems also exist with regard to the issue of security. For instance, the DPA clearly recommends that companies take security measures, which may involve installing backup systems. However, the duration for which some records must be kept (such as tax records) is often up to 6 years, possibly longer for legal documentation. As such, backup systems in place when the data was originally installed may well be redundant by the time it is called upon for reference.
Also, the ability to maintain not only secure but accurate data may prove impractical for several reasons. Firstly, unless an organisation is actually utilising the data it stores, the burden to maintain accuracy will be minimal unless those maintaining the records take such responsibilities extremely seriously. Also from a business perspective companies often...