2. ObjectivesObjectives
By the end of this topic you will be able to:By the end of this topic you will be able to:
Identify the provisions of the 1998 DataIdentify the provisions of the 1998 Data
Protection ActProtection Act
Identify the responsibilities of data usersIdentify the responsibilities of data users
Identify the rights of data subjectsIdentify the rights of data subjects
Identify the full and partial exemptions to theIdentify the full and partial exemptions to the
actact
3. ObjectivesObjectives
By the end of this Lesson you will be ableBy the end of this Lesson you will be able
to:to:
Identify the provisions of the 1998 DataIdentify the provisions of the 1998 Data
Protection ActProtection Act
ALL – Will know why and when it was introducedALL – Will know why and when it was introduced
MOST – Will define 4 of the principles and explainMOST – Will define 4 of the principles and explain
SOME – Will define 8 of the principles and explainSOME – Will define 8 of the principles and explain
4. The Data Protection ActThe Data Protection Act
WHY was it introduced?WHY was it introduced?
The Data Protection Act grew out of publicThe Data Protection Act grew out of public
concern about personal privacy in the face ofconcern about personal privacy in the face of
rapidly developing computer technology.rapidly developing computer technology.
It works in two ways, giving individuals certainIt works in two ways, giving individuals certain
rights whilst requiring those who record and userights whilst requiring those who record and use
personal information on computer to be openpersonal information on computer to be open
about that use.about that use.
5. The Data Protection ActThe Data Protection Act
WHEN was it introduced?WHEN was it introduced?
The Data Protection Act became law onThe Data Protection Act became law on
1212thth
July 1984 and was updated in 1998July 1984 and was updated in 1998
It states that anyone processingIt states that anyone processing ‘personal‘personal
data’data’ must comply with themust comply with the 88 enforceableenforceable
principles of good practice.principles of good practice.
Personal Data – Information about living,
identifiable individuals. Personal data do not
have to be particularly sensitive information,
and can be as little as a name and address
6. The Data Protection PrinciplesThe Data Protection Principles
Data must be:Data must be:
1.1. Fairy and lawfully processedFairy and lawfully processed
2.2. Processed for specified purposesProcessed for specified purposes
3.3. Adequate, relevant and not excessiveAdequate, relevant and not excessive
4.4. Accurate and, where necessary, up to dateAccurate and, where necessary, up to date
Processing personal data includes
collecting, storing, accessing, changing and
destroying any information about you.
So this must be done fairly, which means telling the subject why the data is
being collected and not obtaining it from third parties
You must notify the Data Protection
Commissioner of all intended uses of data
and any processing must match one of
those uses
Adequate – meeting the requirements of a task.
If someone asks for “Extra” information (for
example “Are you married” when booking in to a
hotel), just quote Principle 3 when declining
If details about individuals change then the
data kept must be updated so as to be
accurate
7. Quick CheckQuick Check
QuestionQuestion (objective - ALL)(objective - ALL)
Why was the data protection actWhy was the data protection act
introduced?introduced?
AnswerAnswer
Because the public were concerned aboutBecause the public were concerned about
personal privacy in the face of rapidlypersonal privacy in the face of rapidly
developing computer technologydeveloping computer technology
8. Quick CheckQuick Check
QuestionQuestion (objective - ALL)(objective - ALL)
When was the data protection actWhen was the data protection act
introduced? And when was it updated?introduced? And when was it updated?
AnswerAnswer
Introduced - 12Introduced - 12thth
July 1984July 1984
Updated - 1998Updated - 1998
9. Quick CheckQuick Check
QuestionQuestion
What is meant by personal data?What is meant by personal data?
AnswerAnswer
Information about living identifiableInformation about living identifiable
individualsindividuals
10. Quick CheckQuick Check
QuestionQuestion (objective - MOST)(objective - MOST)
Tell me the first 4 principles of the DataTell me the first 4 principles of the Data
Protection Act?Protection Act?
AnswerAnswer
Data must be:Data must be:
1.1. FFairy and lawfully processedairy and lawfully processed
2.2. PProcessed for specified purposesrocessed for specified purposes
3.3. AAdequate, relevant and not excessivedequate, relevant and not excessive
4.4. AAccurate and, where necessary, up to dateccurate and, where necessary, up to date
11. The Data Protection PrinciplesThe Data Protection Principles
Data must be:Data must be:
5.5. Not kept longer than necessaryNot kept longer than necessary
6.6. Processed in accordance with the dataProcessed in accordance with the data
subject’s rightssubject’s rights
7.7. SecureSecure
8.8. Not transferred to countries withoutNot transferred to countries without
adequate protectionadequate protection
With regard to retaining data, ask yourself
why it needs to be kept beyond a certain
date
Data Subjects – the individuals to whom the
personal data relate
Dead persons are not regarded as data subjects
Data subjects can notably ask for copies of data held about them . The data controller
has a maximum of 40 days in which to respond. But the data subject is also entitled to
compensation if (s)he can prove "substantial damage or substantial distress" as a result
of improper use of data, or the failure to stop processing when that has been requested.
Security is crucial – organisations must enforce
‘Appropriate’ technical and organisational measures
against unauthorised or unlawful processing of personal
data
"Appropriate" means that it must be adequate for the nature of the data in question - but also that it
must take account of technological advances (for example, forms of encryption).
This has a specific meaning in that it relates to transfers to
particular countries, but it also applies nicely to the Web.
You can object to having your picture or phone number shown on the web. Without your consent it
is illegal.
12. DefinitionsDefinitions
Personal Data – Information about living,
identifiable individuals. Personal data do
not have to be particularly sensitive
information, and can be as little as a name
and address
Data Subjects – The individuals to whom
the personal data relate.
13. DefinitionsDefinitions
Data Controller – Those who control the
contents and use of a collection of
personal data.
They can be any type of company or
organisation
A data controller does not necessarily own a
computer
14. Quick CheckQuick Check
QuestionQuestion (objective - Most)(objective - Most)
Tell me the last 4 principles of the DataTell me the last 4 principles of the Data
Protection Act?Protection Act?
AnswerAnswer
Data must be:Data must be:
5.5. NNot kept longer than necessaryot kept longer than necessary
6.6. PProcessed in accordance with the data subject’srocessed in accordance with the data subject’s
rightsrights
7.7. SSecureecure
8.8. NNot transferred to countries without adequateot transferred to countries without adequate
protectionprotection
17. Data ControllersData Controllers
With few exceptions, all data users have toWith few exceptions, all data users have to
register with the ICO.register with the ICO.
They must give their name and address togetherThey must give their name and address together
with broad descriptions of:with broad descriptions of:
The items of data heldThe items of data held
The purpose for which the data are heldThe purpose for which the data are held
Who will have access to the dataWho will have access to the data
The types of organisations to whom the informationThe types of organisations to whom the information
may be disclosed i.e. shown or passed on tomay be disclosed i.e. shown or passed on to
Any overseas countries or territories to which the dataAny overseas countries or territories to which the data
may be transferred.may be transferred.
Information Commissioner’s Office – Maintains a register
of data users, which are publicly available. They also
have other duties, like, considering complaints about
breaches and prosecuting offenders.
18. Information Commissioner’s OfficeInformation Commissioner’s Office
The information Commissioner’s Office enforces and oversees theThe information Commissioner’s Office enforces and oversees the
Data Protection Act 1998 and the Freedom of information Act 2000.Data Protection Act 1998 and the Freedom of information Act 2000.
The Commissioner Office reports annually to Parliament.The Commissioner Office reports annually to Parliament.
They promote good information handling and provide guidelines.They promote good information handling and provide guidelines.
They investigate complaints (act as Ombudsman) and provide helpThey investigate complaints (act as Ombudsman) and provide help
Their mission is to:Their mission is to:
““uphold information rights in the public interest, promoting openness byuphold information rights in the public interest, promoting openness by
public bodies and data privacy for individuals. We rule on eligiblepublic bodies and data privacy for individuals. We rule on eligible
complaints, give guidance to individuals and organisations, and takecomplaints, give guidance to individuals and organisations, and take
appropriate action when the law is broken”appropriate action when the law is broken”
http://www.ico.gov.uk/about_us.aspxhttp://www.ico.gov.uk/about_us.aspx
20. The Rights of Data SubjectsThe Rights of Data Subjects
Apart from the right to complain to the registrar,Apart from the right to complain to the registrar,
data subjects also have a range of rights, thesedata subjects also have a range of rights, these
are:are:
Right to compensation for unauthorised disclosure ofRight to compensation for unauthorised disclosure of
datadata
Right to compensation for inaccurate dataRight to compensation for inaccurate data
Right to access to data and to reply for rectification orRight to access to data and to reply for rectification or
erasure where data are inaccurateerasure where data are inaccurate
Right to compensation for unauthorised access, lossRight to compensation for unauthorised access, loss
or destruction of dataor destruction of data
21. Exemptions from the ActExemptions from the Act
The act does not apply to payroll, pensions andThe act does not apply to payroll, pensions and
accounts data;accounts data;
Registration may not be necessary when theRegistration may not be necessary when the
data are for personal, family, household ordata are for personal, family, household or
recreational use;recreational use;
Subjects do not have a right to access data if theSubjects do not have a right to access data if the
sole aim of collecting it is for statistical orsole aim of collecting it is for statistical or
research purposes;research purposes;
22. Exemptions from the ActExemptions from the Act
Data can be disclosed to the data subjectsData can be disclosed to the data subjects
agent (e.g. lawyer or accountant);agent (e.g. lawyer or accountant);
Additionally, there are exemptions forAdditionally, there are exemptions for
special categories, including data held:special categories, including data held:
In connection with national securityIn connection with national security
For prevention of crimeFor prevention of crime
For the collection of tax or dutyFor the collection of tax or duty
23. TRUE or FALSETRUE or FALSE
You only have to register with the DataYou only have to register with the Data
Protection Registrar if you keep sensitiveProtection Registrar if you keep sensitive
information on computer?information on computer?
FALSEFALSE
The act does not differentiate between sensitive and nonThe act does not differentiate between sensitive and non
sensitive information. Even a simple name and addresssensitive information. Even a simple name and address
might be sensitive in certain circumstancesmight be sensitive in certain circumstances
24. TRUE or FALSETRUE or FALSE
Information can be stored on computer andInformation can be stored on computer and
passed on without my permission?passed on without my permission?
TRUETRUE
Your consent is not required before information is storedYour consent is not required before information is stored
or passed on about you. However, the act requires thator passed on about you. However, the act requires that
the source of the data (usually you) is properly notifiedthe source of the data (usually you) is properly notified
about what is happening to the information when it isabout what is happening to the information when it is
given.given.
25. TRUE or FALSETRUE or FALSE
You have to have a computer to be a dataYou have to have a computer to be a data
user?user?
FALSEFALSE
The act defines a data user as the person inThe act defines a data user as the person in
control of the contents and use of thecontrol of the contents and use of the
information being processed, this could meaninformation being processed, this could mean
manual records too.manual records too.
26. TRUE or FALSETRUE or FALSE
ANYONE who holds and processesANYONE who holds and processes
personal data must comply with the Act?personal data must comply with the Act?
FALSEFALSE
There are exceptions (e.g. payroll, pensions andThere are exceptions (e.g. payroll, pensions and
accounts data)accounts data)
27. Quick CheckQuick Check
QuestionQuestion (objective - ALL)(objective - ALL)
Why was the data protection actWhy was the data protection act
introduced?introduced?
AnswerAnswer
Because the public were concerned aboutBecause the public were concerned about
personal privacy in the face of rapidlypersonal privacy in the face of rapidly
developing computer technologydeveloping computer technology
28. Quick CheckQuick Check
QuestionQuestion (objective - ALL)(objective - ALL)
When was the data protection actWhen was the data protection act
introduced? And when was it updated?introduced? And when was it updated?
AnswerAnswer
Introduced - 12Introduced - 12thth
July 1984July 1984
Updated - 1998Updated - 1998
29. Quick CheckQuick Check
QuestionQuestion (objective - SOME)(objective - SOME)
Tell me the 8 principles of the Data Protection Act?Tell me the 8 principles of the Data Protection Act?
AnswerAnswer
Data must be:Data must be:
1.1. FFairy and lawfully processedairy and lawfully processed
2.2. PProcessed for specified purposesrocessed for specified purposes
3.3. AAdequate, relevant and not excessivedequate, relevant and not excessive
4.4. AAccurate and, where necessary, up to dateccurate and, where necessary, up to date
5.5. NNot kept longer than necessaryot kept longer than necessary
6.6. PProcessed in accordance with the data subject’s rightsrocessed in accordance with the data subject’s rights
7.7. SSecureecure
8.8. NNot transferred to countries without adequate protectionot transferred to countries without adequate protection
30. Activity/HomeworkActivity/Homework
Come up with a way of remembering the 8Come up with a way of remembering the 8
principles of the Data Protection act (notprinciples of the Data Protection act (not
an acronym)an acronym)
FF PP AA AA NN PP SS NN
31. FFourour
PPeopleeople
AAndnd
AA
NNoisyoisy
PPotatoeotatoe
SSatat
NNearear
FFairy and lawfully processedairy and lawfully processed
PProcessed for specified purposesrocessed for specified purposes
AAdequate, relevant and not excessivedequate, relevant and not excessive
AAccurate and, where necessary, up to dateccurate and, where necessary, up to date
NNot kept longer than necessaryot kept longer than necessary
PProcessed in accordance with the data subject’s rightsrocessed in accordance with the data subject’s rights
SSecureecure
NNot transferred to countries without adequate protectionot transferred to countries without adequate protection