The Data Protection Act
The Data Protection Act 1998 can be a difficult piece of legislation to fully understand and interpret, but the principles of data protection are simple in concept and their implementation need be neither complicated nor difficult.
For any individual, organisation, private company or public authority that handles personal data, including that of its own employees, customers and members of the public, the Data Protection Act 1998 defines minimum standards and the expectation that due care and diligence will be applied to the day-to-day handling of such personal information.
Handling personal data entails a certain level of risk in light of the Data Protection Act 1998. It is important for those that work with and handle personal information to be adequately prepared to understand these main areas of risk, and take appropriate action to manage such risks.
Principle of data protection
The Data Protection Act 1998 (DPA) enshrines the principle of data protection, and at its simplest it is all about treating information concerning individuals with proper respect. It followed the European Directive on data protection, 95/46/EC (the Directive), which lays down basic principles and rules on handling personal data; the DPA was the UK's domestic legislation satisfying its obligations as a Member State of the European Union.
The European Directive states its objective clearly in Article 1: "In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."
In order to achieve this general objective, the law prescribes certain standards and rules. These deal with the collection and use of information, the quality and security of information and the rights of individuals with respect to information about themselves.
When applying the rules, never forget the principal objective of the Act: protecting the rights of individuals. Recognise that you should always treat other people's information in the same way as you would expect information about yourself to be treated, and you will already have taken an important first step towards compliance.
Data protection brings many positive benefits to the management of information and is not simply an add-on inconvenience and cost. When properly applied, it is not a barrier to effective business practice in either the public or the private sector.
At the heart of the Act is a set of eight principles known as the Data Protection Principles (Schedule 1 of the Act). They deal with the collection, use, quality and security of personal data and with data subjects' rights and are summarised below:
Personal data shall be:
1. processed fairly and lawfully
2. processed only for specified, lawful and compatible purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than necessary
6. processed in accordance with the rights of data subjects
7. kept secure
8. transferred outside the European Economic Area only if there is adequate protection.
Implications and implementation
The Act has implications for the implementation of IT systems in three areas: the quality of data, the security of the system and records management practices.
Under Data Protection Principles 3, 4 and 5 above, data should be fit for the purpose for which they are to be used. You should always seek to get good quality information in the first place. How you then approach maintaining accuracy, relevance, keeping information up to date and other data quality matters will depend on the circumstances.
In the case of obtaining information about data subjects from third party sources, you need to take reasonable steps to ensure the accuracy of the data. One way to do this is to check with the data subject at a suitable opportunity. Indeed, you should ask data subjects to check the accuracy of their information from time to time. This will help to ensure that information is kept up to date. The frequency with which such checks need to be made will depend on the volatility of the data.
You should take steps to correct data following any notification of inaccuracy by a data subject. If there is disagreement over accuracy, and you have reason to continue to hold data which is regarded as inaccurate by the data subject, the data should carry an indication of that fact. This is particularly so when you are relying on data obtained from third party sources.
There is an express requirement in the Act (in Principle 7) to maintain an appropriate level of security in the processing of personal data. Controlling disclosure and access is made easier if good security systems and procedures are in place. Safeguarding the quality and integrity of data requires effective backup and recovery systems. It is the responsibility of all staff to make sure that those measures are properly applied.
Data protection is a management issue and should be acknowledged at senior management level in an organisation as an integral part of that organisation's information management strategy, along with information security and records management. Good records management is essential to underpin an integrated approach to information management.