The Data Protection Act 1998 has the twin aims of furthering the protection of individuals’ rights and freedoms with regard to personal data processing, and of harmonising data protection rules amongst European Union member states. Although there are two transitional periods in which to update from the 1984 Act, any processing of personal data of living people that began on or after the 24th October 1998 comes under the terms of the new Act. The aim of these notes is to give a very brief guide to what is contained in the 1998 Act, and to show how it differs from the 1984 Act, for the general information of staff.
For further information please go to: http://www.informationcommissioner.gov.uk/
Both Acts apply to automated data, but the 1998 Act also encompasses relevant filing systems and accessible records. Relevant filing systems are any non-automated systems structured by reference to individuals and organised to allow ready access to specific information about individuals. It therefore applies to manual records such as card index systems, microfiche records, and - though this has not yet been tested in court - personnel records. Having legislation for accessible records consolidates access rights; data protection principles will extend to medical, social work, education and housing records.
Under the 1984 Act, individuals who were the subject of any data held by an organisation had the right to be informed that information was being held on them, and to be given a copy of that information along with any entry codes to access it. Under the 1998 Act, you also have the right to know why information is being held on you, and the nature of decisions taken on the basis of that information (though not necessarily the results). Individuals can also object to direct marketing and to other processing of the data.
Notification rather than registration will take place, and only data controllers will have to notify the Registrar (as opposed to registration under the old Act by both data users and computer bureaux). There will be exemptions from notification for national security or for various domestic purposes. An example of the latter would be that previously both head teachers and governing bodies of a school had to register; now, only one need register. There is a group registration scheme, allowing local authorities to register all departments as one organisation, but one point of central control must be identified as the data controller. In the case of Powys County Council, this is being administered through the Legal Section.
Prosecution can arise for non-notification, failure to keep notification up-to-date, and unauthorised disclosure of data. The 1998 Act gives greater legal rights to individuals, enabling claims for compensation to be made for damage caused by information processed in breach of the Act.
There are eight data protection principles set out in the 1998 Act:
1 Personal data shall be processed fairly and lawfully.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The 1998 Act therefore requires data controllers to be aware of the legitimacy of data processing. Personal data must be processed fairly and lawfully, and in particular, shall not be processed unless the data meets the following criteria:
1 That the data subject (the individual who is the subject of the data) has given their consent for processing.
2 That processing is necessary for the performance of a contract, compliance with legal obligations, the protection of a subject’s vital interests, the administration of justice, and for crown and public functions.
There are also separate conditions for the processing of "sensitive personal data", such as an individual’s political opinions or physical or mental health or condition.
You will need to fill out a Subject Access Request form. This can be obtained online below or by contacting Information Management.