Data Protection Act
Factsheet
Promoting public access to official information
and protecting your personal information
What is the Data Protection Act (DPA)?

The Data Protection Act 1998 seeks to strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information.

The DPA gives individuals certain rights regarding information held about them. It places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual.

Anyone processing personal information must notify the Information Commissioner’s Office (ICO) that they are doing so, unless their processing is exempt. Notification costs £35 / year.

The eight principles of good practice

Anyone processing personal information must comply with eight enforceable principles of good information handling practice.

These say that data must be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. not kept longer than necessary
6. processed in accordance with the individual’s rights
7. secure
8. not transferred to countries outside European Economic area unless country has adequate protection for the individual

The six conditions

At least one of the following conditions must be met for personal information to be considered fairly processed:
1. the individual has consented to the processing
2. processing is necessary for the performance of a contract with the individual
3. processing is required under a legal obligation (other than one imposed by the contract)
4. processing is necessary to protect the vital interests of the individual
5. processing is necessary to carry out public functions, e.g. administration of justice
6. processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)

Sensitive data

Specific provision is made under the Act for processing sensitive personal information. This includes racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions.

For personal information to be considered fairly processed, at least one of several extra conditions must be met. These include:
• Having the explicit consent of the individual
• Being required by law to process the information for employment purposes
• Needing to process the information in order to protect the vital interests of the individual or another person
• Dealing with the administration of justice or legal proceedings
Rights under the Act

There are seven rights under the Data Protection Act.

1. The right to subject access
This allows people to find out what information is held about them on computer and within some manual records.

2. The right to prevent processing
Anyone can ask a data controller not to process information relating to him or her that causes substantial unwarranted damage or distress to them or anyone else.

3. The right to prevent processing for direct marketing
Anyone can ask a data controller not to process information relating to him or her for direct marketing purposes.

4. Rights in relation to automated decision-taking
Individuals have a right to object to decisions made only by automatic means e.g. there is no human involvement.

5. The right to compensation
An individual can claim compensation from a data controller for damage and distress caused by any breach of the act. Compensation for distress alone can only be claimed in limited circumstances.

6. The right to rectification, blocking, erasure and destruction
Individuals can apply to the court to order a data controller to rectify, block or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.

7. The right to ask the Commissioner to assess whether the Act has been contravened
If someone believes their personal information has not been processed in accordance with the DPA, they can ask the Commissioner to make an assessment. If the Act is found to have been breached and the matter cannot be settled informally, then an enforcement notice may be served on the data controller in question.

Criminal Offences

A number of criminal offences are created by the Act and include:

Notification offences
This is where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing.

Procuring and selling offences
It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. There are some exceptions to this – for example, where such obtaining or disclosure was necessary for crime prevention/detection. If a person has obtained personal information illegally it is an offence to offer or to sell personal information.

Electronic Communications

The Privacy and Electronic Communications (EC Directive) Regulations 2003 cover, amongst other things, unsolicited electronic marketing communications.

Unsolicited marketing calls should not be made to individual subscribers who have opted out either directly or by registering with the central stop-list, the Telephone Preference Service (TPS), or to corporate subscribers (e.g. companies) who have objected either directly or by registering on the Corporate TPS.

Unsolicited marketing faxes should not be sent to individuals without their prior consent or to any subscriber who has objected, either directly or by registering on the Fax Preference Service (FPS).

Unsolicited marketing emails or SMS should not be sent to any individual subscriber who has not consented unless the email address or phone number was collected in the context of a commercial relationship.

Wholly automated marketing calls, i.e. where a recorded message is played and the recipient does not speak to a human being, can only be made where the subscriber concerned (whether individual or corporate) has consented.
The role of the Information Commissioner’s Office

The ICO has specific responsibilities for the promotion and enforcement of the DPA.

Under the Data Protection Act, the Information Commissioner may:
• serve information notices requiring data controllers to supply him with the information he needs to assess compliance.
• where there has been a breach, serve an enforcement notice (which requires data controllers to take specified steps or to stop taking steps in order to comply with the law).

Appeals to these notices may be made to the Information Tribunal.

Additional Information

Additional guidance on the Data Protection Act is available on our website at [Link]

To contact our helpline please telephone 01625 545 745.

To contact our press office please telephone 020 7282 2960.