The Data
Protection Act 1998 is designed to implement the requirements of
the Directive in UK law. The requirements of the Directive only
apply within the legal competence of the European Union. The
government decided to introduce primary legislation in order to
avoid the possibility of having two different Data Protection
regimes within the UK according to whether the processing fell
within or outside the EU's legal competence. It is open to all EU
countries to introduce stricter requirements than the Directive,
but they cannot reduce the rights and requirements set in the
Directive, except where specific exceptions are permitted. The
definitions and requirements are set out in the Directive and
they are not optional although the Directive provides a number of
options that can be chosen by Member States.
In the event of a legal challenge, the
requirements of the Directive would take precedence over UK law,
if that law has not adequately implemented the requirements of
the Directive.
The Eight Principles
The 1998 Act incorporates Eight Data
Protection Principles, as before, but the details and
interpretation are different. A new Principle 8 is concerned with
transfers of Personal Data outside the European Economic Area,
while the first three Principles of the 1984 Act have been condensed into two.
First Principle
Personal data shall be processed fairly
and lawfully and, in particular, shall not be processed unless:
A - at least one of the conditions in
Schedule 2 is met and
B - in the case of sensitive personal
data, at least one of the conditions in Schedule 3 is also met.
In considering whether personal data are
processed fairly, consideration must be given to the way in which
they are obtained:
- Was any person (from whom the data
were obtained) deceived or misled about the purpose for which the
data are to be processed?
- Was the provider of the data
authorised by law, or required to supply the data under an
international obligation on the UK?
Where the data are provided by the
data subject, the data controller must tell the data subject:
- The identity of the data controller
or his nominated representative.
- The purpose for which the data are
intended to be processed.
- Anything else necessary to enable the
processing to be fair.
If the personal data contain an identifier
(e.g. NI or NHS number), which relates to an individual and
similar identifiers are in general use, then lawful processing
must obey the conditions that have been laid down for such a
general identifier.
The Second Principle
Personal data shall be obtained only for one or more
specified and lawful purposes, and shall not be further processed
in any manner incompatible with that purpose or those purposes.
The purposes for which personal data are to
be used can be specified in many ways. In particular, a notice to
the data subject issued because of the first principle will
satisfy the requirement. Equally, a notification to the Data
Protection Commissioner will suffice.
Where the data are disclosed to a third
party, the purposes for which that third party uses the data,
must also be considered.
The Third Principle
Personal data shall be adequate,
relevant and not excessive in relation to the purpose or purposes
for which they are processed.
Ensuring that the personal data are adequate
is normally straightforward, but care should be taken with default
settings. Although default settings can substantially simplify
the processing of data, it is vital that those using the systems
properly record the information that is actually obtained, without
either making assumptions because their system requires a value
to be entered or too readily accepting default values suggested by
the system.
Maintaining relevance and avoiding the
collection of excessive items of personal data is vital. Collecting
personal data simply because they might be useful would contravene
this Data Protection Principle. For example, asking for both a
daytime and an evening telephone number is clearly irrelevant and
excessive where the only telephone contact will be during the day
and no emergency action may be required. The uncontrolled use of
free-format fields completed by end users may breach this principle
and is particularly dangerous, since anything at all can be entered
in them.
The Fourth Principle
Personal data shall be accurate and,
where necessary, kept up to date.
Data are inaccurate if they are
incorrect or misleading as to any matter of fact.
It is not always possible to have accurate
and up-to-date data. However, data controllers must make
reasonable efforts to ensure the accuracy of the data.
Furthermore, they must take appropriate steps to ensure that their
data are kept up to date where this is necessary for the
notified purposes of the processing. If the data subject notifies
the data controller of his or her view that the data are
inaccurate, the data must either be corrected or be marked to
indicate the view of the data subject.
The Fifth Principle
Personal data processed for any purpose
or purposes shall not be kept for longer than is necessary for
that purpose or those purposes.
This is a straightforward requirement. The
collection and storing of data is within the definition of
processing, so the data protection principles apply for as long
as personal data are kept. By ceasing to keep personal data, data
controllers remove these obligations.
Erasing and destroying data are also within
the definition of processing, so the protection continues until
the data are no longer kept by the data controller.
The Sixth Principle
Personal data shall be processed in
accordance with the rights of data subjects under this Act.
The data subject has the following rights
under the Act:
- A right of access to personal data.
- A right to prevent processing likely
to cause damage or distress.
- A right to prevent processing for
the purposes of direct marketing.
- Rights in relation to automated
decision making, including the right to have the logic involved
in the decision explained.
The Seventh Principle