
DATA PROTECTION ACT

DPA
The Data Protection Act is a law that controls how your personal information is used by
organisations, businesses or the Government.
In the UK, it is the implementation of the European Union’s General Data Protection Regulation
(GDPR).
The DPA was last updated in 2021.
Data Protection Principles
Personal data should be obtained and processed fairly and lawfully

Personal data can be held only for specified and lawful purposes

Personal data should be adequate, relevant and not excessive for the required purpose

Personal data should be accurate and kept up-to-date

Personal data should not be kept for longer than is necessary

Data must be processed in accordance with the rights of the data subject

Appropriate security measures must be taken against unauthorised access

Personal data cannot be transferred to countries outside the E.U. unless the country has
similar legislation to the D.P.A.
Principle: Personal data should be obtained and processed fairly and lawfully
Meaning: This means that you should be told about data which is being collected about you and should
be asked for your permission to collect it. You should also be made aware of the reason why the data
is to be collected and for what it will be used.

Principle: Personal data can be held only for specified and lawful purposes
Meaning: The Data Controller has to state why they want to collect and store information when they
apply for permission to be able to do so. If they use the data they have collected for other
purposes, they are breaking the law.

Principle: Personal data should be adequate, relevant and not excessive for the required purpose
Meaning: Organisations should only collect the data that they need and no more. Your school needs to
know your parent's phone number in case they need to contact them in an emergency.
However, they do not need to know what your grandmother's name is, nor do they need to
know your eye colour. They should not ask, nor should they store such details since this
would be excessive and would not be required to help with your education.

Principle: Personal data should be accurate and kept up-to-date
Meaning: Companies should do their best to make sure that they do not record the wrong facts about
a data subject. Your school probably asks your parents to check a form once a year to make
sure that the phone number and address on the school system is still correct. If a person asks
for the information to be changed, the company should comply if it can be proved that the
information is indeed incorrect.

Principle: Personal data should not be kept for longer than is necessary
Meaning: Organisations should only keep personal data for a reasonable length of time. Hospitals
might need to keep patient records for 25 years or more; that is acceptable since they may
need that information to treat an illness later on. However, there is no need for a personnel
department to keep the application forms of unsuccessful job applicants.

Principle: Data must be processed in accordance with the rights of the data subject
Meaning: People have the right to inspect the information held on them (except in certain
circumstances - see later). If the data being held on them is incorrect, they have the right to
have it changed.

Principle: Appropriate security measures must be taken against unauthorised access
Meaning: This means information has to be kept safe from hackers and employees who don't have
rights to see it. Data must also be safeguarded against accidental loss.
DPA Terms
There are a number of terms that are often used when discussing the DPA. You must
be familiar with them:
Personal Data
◦ Personal data covers both facts and opinions about a living individual.

Data Subject
◦ This is the person that the data is being collected from or stored about. This could be you!

Data Processor / Data User
◦ A data processor/user is someone who accesses, uses and processes personal data as part of
their job. This could be a customer service advisor who needs to look at a customer's account so
that they can answer a query. It might be a school secretary who needs to look up contact details
for a particular student.
Data Controller
◦ This is often the person in charge of the organisation - but it doesn't necessarily have to be.
This person decides what data the organisation needs to collect and what it will be used for.
This is the person who must apply for permission to collect and store data in the first place.
The Data Controller is responsible for ensuring that any collection, storage and processing of
data is done in accordance with the DPA.

Information Commissioner
◦ This is the person who has overall responsibility for enforcing the Data Protection Act across
the UK.
◦ This is the person that organisations need to apply to in order to gain permission to collect
and store personal data.
◦ The Information Commissioner provides advice to companies and to the Government about
issues related to the DPA. They also investigate complaints that are raised about any issues
related to the DPA.
DPA-Recap
Data protection laws can be defined as the legislation enacted to protect:
✓ personal data
✓ commercial data
✓ and government data
from:
- unauthorized access
- alteration (corruption)
- destruction
The Act works in two ways:

1. It gives people rights about the way in which their personal information is used

2. It ensures that data controllers are open about how the information is used, and that they
follow the eight rules cited below.
Sensitive Data
Your Rights
Right to subject access

Right to rectify, block or remove incorrect data

Right to compensation if damage and distress is suffered by the Act being contravened

Right to prevent processing likely to cause damage or distress

Right to prevent processing for the purposes of direct marketing

Rights in relation to automated decision making


Exemptions
References
https://www.teach-ict.com/gcse_new/legal/dpa/miniweb/index.htm
