The Data Protection Act exists to protect personal data held by organisations against misuse.
If an organisation holds any information about clients, employees or suppliers, it is legally required to protect that information. To comply with the regulations in the Data Protection Act, organisations must do a number of things. These behaviours are encapsulated in the following points:
- Process held personal data fairly and lawfully
- Personal data must be obtained lawfully and only for specified purposes
- Personal data will be kept to a minimum and only for specified purposes
- Ensure that the data is accurate and up-to-date
- Ensure that the data is not held for longer than is necessary
- Data will only be used for a specified purpose
- Data is protected against unauthorised access, processing, and loss
- Data may only be transferred to a country outside the European Economic Area if the receiving country also provides adequate data protection
Individuals have the right to see all personal information that is held on them by an organisation. The maximum charge for providing this information is £10.
Note: Personal information is defined as data that can be used to identify a living individual. This does not have to be specific and can be descriptive eg.
’the old man with the greyhound, who stays in Hamilton Street’
Although not naming the person specifically, many people could nevertheless identify the individual from the information given.
The use of CCTV may also fall under the Data Protection Act.
An organisation may have to register with the Information Commissioner’s Office (ICO) if they are processing data automatically. The only exception is if this is being done for standard business purposes e.g. payroll.
Check the website www.ico.org.uk which contains a lot of useful guides on the Data Protection Act and how to process data in accordance with its guidelines.