Data Protection Act 1998

The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER Hold personal information Obligations DATA SUBJECT Rights

Personal Data means data or information from which it is possible to identify a living data subject + opinions about and intentions of the data subject

Sensitive Data … includes ethnic origin, political opinion, religion, trade union membership, physical/mental condition & past convictions. … to be considered fairly processed at least ONE of several conditions must be met, e.g.  explicit consent of the individual has been obtained first  a company is required by law to process the data  data is used to protect the vital interests of the individual  etc.

8 Data Protection Principles : Personal data shall: 1.be processed fairly & lawfully 2.be obtained for lawful & specified purposes 3.be processed in accordance with the rights of data subjects 4.not be excessive for the purpose(s) for which they are processed 5.be accurate and, where necessary, up to date 6.not be kept for longer than is necessary 7.be protected from accidental loss/damage by appropriate technical & organisational measures 8.not be transferred outside the European Economic Area (EEA) unless adequate levels of protection are ensured.

7 Rights of the data subject : 1.Know about what information is held 2.A right to correction/erase inaccurate data 3.Prevent use of information causing distress 4.Prevent processing of information, e.g. marketing 5.Prevent automated decisions 6.Seek an assessment from the Commissioner 7.Compensation for breach of the DPA

Costs Anyone processing personal information must notify the Information Commissioners Office (ICO) that they are doing so, unless their processing is exempt. £35/notification A fee of £500 applies to organisations with a turnover of £25.9M and 250 or more members of staff or if they are a public authority with 250 or more members of staff