What is the Data Protection Act?
Data protection is an increasingly prominent issue as more and more data is collected for ever more purposes. The Data Protection Act 1998 exists to protect the privacy of individuals in the UK with respect to the collection and use of their personal data. Specifically, it sets out an extensive set of rules governing the lawful and ethical handling of personal data.
Do you notice that the Act refers specifically to personal data?
If you are wondering how personal data differs from data in general, the term can be split into two components: first what is meant by data, and then what makes it personal.
In simple terms, the Data Protection Act defines data in a couple of ways. First, it is any information that is collected and stored on equipment such as a computer hard drive, or recorded with the intention that it be processed on such equipment. Second, it covers other accessible records held by public authorities, such as records relating to an individual’s health or education. Public authorities in this sense include medical centres, schools and other publicly run organisations.
Now that we understand what is considered data, we must apply it to a more personal context.
When we place the word personal in front of data, we are no longer referring to just any piece of information that is stored on equipment or held by a public authority. So what exactly counts as personal data? Personal data is any data (as defined above) from which a living individual can be identified, either on its own or together with other information held by the data controller. This covers everything from basic contact details to highly sensitive information. Personal data also includes any expression of opinion about the individual, for example an evaluation by a medical professional or an employer’s assessment of an employee’s training status. This should give a clear idea of what information the Act protects.
The legislation addresses two parties: data subjects and data controllers. Data subjects are the individuals whose information is being collected. The Act gives them a say over the collection of their personal data; in particular, they may consent to or refuse the collection of their personal information. Typically this data is collected for commercial or related purposes, which brings us to the second party, the data controllers. The Data Protection Act requires organisations that process personal data (with limited exemptions) to notify the Information Commissioner’s Office (ICO). Data controllers are then entered on a public register, which allows the ICO to monitor them and hold them to the requirements of the Act.
In the final section of this article, we look at the role of the ICO and the tools it uses to enforce the Data Protection Act.
Data Protection Act of 1998
Prior to Brexit, the UK was required to implement the policy requirements of the European Union (EU) in domestic law. So when the EU adopted its Data Protection Directive in 1995, the UK followed suit a few years later by legislating the Data Protection Act 1998. This Act replaced the earlier Data Protection Act 1984 and the Access to Personal Files Act 1987. Both the EU and UK measures are designed to protect individuals’ rights concerning the collection and protection of their personal data.
The Data Protection Act 1998 is built around eight fundamental principles that guide the lawful and ethical use of personal data. More generally, the Act regulates the activity of data processing, which encompasses every aspect of handling information from the moment it is collected to the moment it is disposed of. The specific activities are defined as follows:
- Collection and organisation of data: this involves obtaining data and inputting it into a system.
- Retrieval or consultation of data: this refers to any time you may use or reference the data.
- Dissemination or disclosure of data: this refers to sharing the data when permitted to do so.
- Erasure or destruction of data: this refers to the proper disposal of any data.
As you can see, the Act encompasses much more than just the use of information. It addresses every stage of the data lifecycle, right up until you are ready to dispose of the data or are legally obliged to do so, and provides protection at each of the stages mentioned above. Accordingly, all personal data must be processed in line with the following eight Data Protection Act principles:
- Fair and lawful use – as the data controller you must deal transparently with the data subject. If you build integrity and transparency into your practices, you will most likely be complying with the Act. In general, you should be open about the fact that you are collecting data, the intended use of that data, and who you are as the data controller.
- Clear purpose – you should have a clear purpose for collecting specific data and communicate it openly to the data subject. It is vital that they understand why you are collecting it. You should then use the data only for the specified purpose and not in other ways, unless the individual later consents to other clearly defined purposes.
- Adequacy, relevance and reasonable use – in other words, you should not collect excessive personal data about an individual beyond what you actually need. What you need is determined by the purpose you communicated to the data subject under the previous principle.
- Accuracy of information – personal data should be accurate and, where necessary, kept up to date. This includes being able to say where the data came from and what it means.
- Storage and retention – this principle means keeping data only for as long as is necessary for the originally stated purpose. Holding information beyond the completion of the agreed task could breach the Act. It also covers the moment when you are ready, or obliged, to dispose of the personal information: it is essential that it is disposed of or destroyed safely and securely. Services exist that handle the proper disposal and destruction of both electronic data and physical documents.
- Rights – individuals have various rights under the Data Protection Act. These include the right to access the information held about them as the data subject, and the right to prevent processing that is likely to cause them damage or distress. Individuals also have the right to prevent their data being used for direct marketing, and rights in relation to decisions taken solely by automated means. Another right is to have inaccurate information corrected, blocked, erased or destroyed. Lastly, there is a right to compensation for damage resulting from a breach of the Act.
- Security – this refers to security at every stage of data processing, from collection through storage to eventual disposal. Appropriate technical and organisational measures must be in place to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- International use – personal data must not be transferred to another country unless that country ensures an adequate level of protection for the processing of personal data, that is, standards comparable to or higher than the UK’s. This protects individuals from exposure in countries that do not offer a similar level of protection.
Beyond these eight principles, some data is classed as sensitive personal data, and stricter conditions apply before it may be processed. Information considered sensitive relates to an individual’s racial or ethnic origin, physical or mental health, political opinions, religious beliefs, trade union membership, sexual life, or the commission or alleged commission of any offence.
We have now outlined each of the guiding principles for proper data use and noted the categories that receive additional protection. At this point, you may wonder whether there are any exemptions from the legislation.
As a matter of fact, there are. They generally concern national security, crime and taxation, or an individual’s own domestic use. In any other situation where personal data is accessed without authorisation or mishandled, we are dealing with a potential data protection breach, which we discuss next.
Data Protection Breach
A data protection breach occurs when any one of the eight principles above is violated, setting aside the exemptions briefly mentioned. A breach is any destruction, disclosure, distribution or modification of personal data that is not authorised by the data subject or is not in their interest. Although the word breach suggests a deliberate act, a breach may also occur unintentionally; it is still a breach of the Act. The following situations illustrate the different ways a breach may occur:
- An outsider gains unauthorised access to personal data
- An insider accesses and uses personal data in an illegal or unethical manner
- An insider accidentally alters or deletes personal data from its original state
One of the biggest data protection scandals in the UK involved T-Mobile. Members of the company’s sales force were caught selling the details of customers who were nearing the end of their contracts to brokers, who then contacted those customers with unsolicited marketing. This was a severe breach of the Data Protection Act: personal information about current customers was being disclosed without their consent or any permission to do so. Returning to our earlier discussion, the personal data was being used for purposes beyond those described to customers when they signed their mobile phone agreements. The perpetrators, two individuals, were prosecuted by the ICO and ordered to pay £73,000 for the breach of personal data.
The Information Commissioner’s Office (ICO) is an independent body that exists to serve the people of the UK. It focuses on protecting individuals’ rights over their personal data and on encouraging transparency in organisations. It is the official body that enforces the Data Protection Act and is equipped with the means to do so effectively.
If the ICO believes you can improve your data privacy policies and measures, it will take action to encourage that improvement. In other cases, the ICO may fine you for breaches involving personal data. The ICO has several methods available to uphold the Data Protection Act, which include:
- Fines – the ICO can impose monetary penalties for violations of the Data Protection Act (up to £500,000 under the 1998 Act). Whether the violation is deliberate or accidental, if you are not upholding the required standards of data privacy protection you could face a substantial financial penalty.
- Prosecutions – in serious cases, the ICO can prosecute criminal offences under the Data Protection Act. This applies to those who deliberately act against the legislation.
- Undertakings – the ICO can accept an undertaking, in which a firm formally commits to a detailed plan of improvements so that it better upholds its data privacy duties.
- Audits – the ICO can audit a firm (by consent, or compulsorily for certain public bodies) to ensure it is keeping up with data privacy regulations and standards. It can also request specific information to verify compliance.
- Enforcement notices – the ICO can issue a notice requiring a firm to take, or refrain from taking, specified steps. This can include stopping particular processing until the changes or improvements set out by the ICO have been made.
With data protection becoming an increasingly prominent and widespread issue, the ICO has used, and continues to use, the tools mentioned above. It reportedly came down harder in 2015-2016, issuing roughly twice the previous year’s total in fines for data protection breaches.
So, to be safe, make sure you are familiar with and abide by the Data Protection Act, and you will avoid attracting the attention of the ICO.