Data Protection Act 1998 (amended 2000)
Pathway Group
putting you first
Data Protection Act 1998 amended 2000
Pathway College
Contents
Pathway Group Data Protection Act 1998 amended 2000
The Data Protection Act 1998 amended 2000
Aims
What does it do?
How?
What does the Act cover?
When handling data, questions to ask yourself
How does the DPA work?
There are three main roles
Information Commissioner
A Data Controller
A Data Processor
Data
What is Personal Data?
What is Sensitive Personal Data?
What you may do with this data (Data Processing)
The Data Controllers must comply with eight principles
Subjects
Data Disclosure
Complete exemptions from the Act
DPA and Business Use
Exceptions
How to behave
Consent
Explicit Consent
Disclosing Information
Disclosure – An exception
What might these special purposes be and who might request the information
Procedure for making a request
Business and the Data Protection Act
Staff Responsibilities
Passing Information to external third parties
Offences under the Act
Social Media
Further Information
Declaration
The Data Protection Act 1998 amended 2000
Aims:
This document explains the ‘Key Elements’ of the Data Protection Act and its
relevance to your employment.
What does it do?
The Data Protection Act (DPA) is designed to protect personal data stored on
computers or in an organised paper filing system.
How?
The DPA aims to protect the rights to privacy of an individual’s information by
regulating the processing of personal data.
Most people will say:
“I am not stupid you know, I do know...”
However, 1 in 3 people admit they throw away documents containing important
personal information without shredding the documents first.
Examples of incidents include:
• Lancashire County Council left social work records in a filing cabinet that was
sold at an auction
• Sixty-two thousand Bank of Scotland mortgage customer details were put on a
CD and put in the post but it never turned up
People are aware of their rights:
• A senior academic at Lancaster University has received a written warning for
making “illicit disclosures” after he responded to a mother’s complaint about her
son’s tuition
• The professor replied immediately, listing the student’s modules, contact time,
etc.
However, when the student became aware of the exchange, he complained to the
University that it had released the information without his consent.
What does the Act cover?
• Paper Files
• Electronic Files, Databases, Spreadsheets & E-mail.
• Photographs
• CCTV
• Publications - for example, a Prospectus. Individuals would have to consent to
this
• Web Pages - To promote a culture of openness which includes publishing
staff names, job titles and extension numbers. Such publications in telephone
directories are also considered to be a normal business requirement
When handling data, questions to ask yourselves:
• Who could access this information?
• How accurate is it?
• Could it be copied?
• Is it possible to store information without the individual’s knowledge or
permission?
• Was a record kept of any changes?
• Who is liable?
How does the DPA work?
1. The 1998 Data Protection Act was passed by Parliament to control the way
information is handled and to give legal rights to people who have information
stored about them.
2. Essentially it works by:
i. Setting up rules that people have to follow
ii. Having an ‘Information Commissioner’ to enforce the rules
However:
“It does not stop organisations storing and using information about people.
It just makes them follow rules.”
There are 3 main roles:
1. Information Commissioner
2. Data Controller
3. Data Subject
Information Commissioner
The Information Commissioner’s office is the UK’s independent authority set up
to uphold information rights in the public interest, promoting openness by public
bodies and data privacy for individuals.
A Data Controller
Someone who determines how the personal data is used is called the DATA
CONTROLLER. Companies are Data Controllers, as well as each individual employee
of the company.
As the Data Controller, you can be held personally liable for non-compliance with
the DPA.
A Data Processor
Any person who processes data on behalf of the Data Controller (apart from their
employees) is known as a Data Processor, e.g. outsourcers used for mail shots.
N.B. The Data Processor cannot use the information for their own purposes. They
can only use it for the purpose for which it was given to them by the Data Controller.
Data
There are 2 types of data:
‘Personal Data’ and ‘Sensitive Personal Data’
What is personal data?
Anything that could identify an individual, for example:
• Name
• Address
• National Insurance number
• Opinions which a company may hold about the individual (think about the
implications of this before you write comments about someone on a file or
telephone note)
What is Sensitive Personal Data?
The Act also covers Sensitive Personal Data about an individual, for example:
• Political Opinions
• Religion
• Race or Ethnic Origin
• Sexual Orientation
• Convictions
• Medical Data
In other words, anything which could cause an individual to be discriminated
against.
N.B. Financial data (bank account / salary) is classed as confidential data and does
not come under sensitive data.
If someone who is not entitled to see these details can obtain access without
permission it is deemed unauthorised access.
What you may do with this data (data processing)?
Data processing is any action taken with personal data including the collection, use,
disclosure, destruction & holding of data.
Processing is a very wide term and means anything you do with it; including:
• Filing
• Posting
• Compiling a Report
• Using it
• Just handing it to someone else.
The Data Controllers Must Comply with Eight Principles
For the personal data that Data Controllers store and process:
1. It must be collected and used fairly and inside the law
2. It must only be held and used for the reasons given to the Information
Commissioner
3. It can only be used for those registered purposes and only be disclosed to those
people mentioned in the register entry
4. The information held must be adequate, relevant and not excessive when
compared with the purpose stated in the register
5. It must be accurate and be kept up to date
6. It must not be kept longer than is necessary for the registered purpose
7. The information must be kept safe and secure
8. The files may not be transferred outside of the European Economic Area unless
the country that the data is being sent to has a suitable data protection law
Subjects
A Data Subject is the person about whom the data is kept.
Remember the ‘Data Subjects’ also have rights, including:
1. A right of subject access
2. A right of correction
3. A right to prevent distress
4. A right to prevent direct marketing
5. A right to prevent ‘Automatic Decisions’
6. A right of complaint to the Information Commissioner
7. A right to compensation
Data Disclosure
In situations where information is requested, it is important that you ensure that the
third party is aware that they must also comply with the Act and apply appropriate
security measures to any information that we share with them.
Unauthorised disclosure may result in disciplinary action!
However in some circumstances disclosure may be necessary. In these
circumstances certain rules and processes must be followed.
Complete exemptions from the Act
1. Any personal data that is held for a national security reason is not covered
2. Personal data held for domestic purposes only at home, e.g. a list of your friends’
names, birthdays and addresses does not have to keep to the rules
3. Partial exemptions; e.g. HMRC, School pupils, company planning documents,
health notes, statistics & employer references
DPA and Business Use
• If a business holds personal data then they may need to notify the Information
Commissioner’s office. This costs £35, and has to be done every year
• Notification means that the data controller’s details are added to the
Commissioner’s register
• The register has details of the data controller, the types of processing carried out
and for what purpose the processing is carried out
Exceptions
• There are exceptions for organisations which make only limited use of personal
data. However, they must still comply with the eight principles
• This covers information stored for, e.g. payroll, pensions and accounts
• Also information which cannot be disclosed for reasons of national security
• Information held about club members does not have to be notified if all
members agree
How to behave
When companies collect data from individuals they should:
• Advise who they are
• Be honest regarding the reasons they want the information and how it will be
used
• Have a legitimate reason for processing the data
• Advise who they intend to pass the data onto
Consent
• Consent is needed in most cases for the processing of personal data although it
is implied in certain circumstances
• Consent would be implied if for example an individual takes out a pension policy
- it can be reasonably implied that they have given their consent for the data to
be processed
• It would be impossible to administer the pension without processing data (i.e.
retrieving it, altering it, etc.)
Explicit Consent
• If information is to be used for ‘DIRECT MARKETING’ purposes, then the data
subject should be made aware of this and given the opportunity not to have
their data used for this purpose. This is called explicit consent
• To opt out – Mailing preference service www.mpsonline.org.uk (there is also the
telephone preference service, fax preference service etc)
Disclosing Information
• Personal information should not be disclosed to anyone outside the categories
notified to the Commissioner
• Information should not be disclosed to a third party unless there is a legitimate
reason to do so – even where the individual has provided their explicit consent
to do this
Disclosure – An exception
Under Section 29 of the Data Protection Act, Data Controllers are permitted to
disclose personal data for special purposes.
What might these special purposes be and who might request the information
• Prevention or detection of crime - Police
• Apprehension/prosecution of offenders - Police
• Assessment/collection of tax or duty - Inland Revenue / Customs & Excise
Procedure for making a request
Disclosure requests should preferably:
• Be made in writing
• Confirm the identity of the person making the request
• State that the disclosure is required under S.29 of the Data Protection Act
• Specify the data needed and confirm their reasons for asking for the data
This way, should there be a subsequent complaint, the Data Controller can
demonstrate that they have taken reasonable precautions before disclosing the
data.
Business and the Data Protection Act
Staff Responsibilities
All staff must ensure that:
• Personal data provided in connection with their employment is accurate and
up-to-date. It is important to inform the College of any errors, corrections or
changes, for example a change of address, marital status, etc.
• Personal data pertaining to individuals that staff hold or process is kept
securely and treated as confidential, and is not disclosed either orally or in
writing, accidentally or otherwise, to any unauthorised third party
Passing Information to external third parties:
• In such instances it is important that you ensure that the third party is aware
that they must also comply with the Act and apply appropriate security measures
to any information that we share with them
• Unauthorised disclosure may be a disciplinary matter
Offences under the Act
• Obtain or disclose personal data without consent of data subject
• Knowingly or recklessly obtain or disclose information contained in personal
data
• Unlawfully sell/offer to sell personal data
• Failure to notify changes
• Failure to comply with a written request for particulars
So what does it mean for me?
Personal liability:
You can be prosecuted for unlawful action under the legislation if:
• You use or disclose information about other people without consent or
authorisation
• You give information to another employee or student who does not need the
details to carry out their legitimate duties, even if it was accidental
Think and remember:
• Who can hear your phone call?
• Who are you really talking to?
• Do they really need to know?
• Who can see your PC/Laptop screen?
• Where does waste paper end up?
• What information is on your desk or in-tray?
Social media
Social Media ‘posts’ are subject to Data Protection legislation. This includes but is
not limited to Facebook, Twitter and LinkedIn (and other derivatives).
Remember:
• The internet does not forget.
• So, think before updating that Facebook status!
Further Information
For further information on the Data Protection Act please visit: www.ico.gov.uk
Declaration
I ...................................................................................., DO HEREBY UNDERTAKE to abide by the
Data Protection Act 1998 amended 2000.
I agree that I have received, read and understood the contents of the Data
Protection Act documentation issued by Pathway Group. I am fully aware of my
responsibilities as related to data protection.
Signature: ...................................................................................................................................................
Date: .............................................................................................................................................................
Pathway Group
Fairgate house, 205 Kings Road, Tyseley, Birmingham B11 2AA
Tel: 0800 955 0870 / 0121 707 0550
Email: info@pathwaygroup.co.uk
Web: www.pathwaygroup.co.uk