The Data Protection Act

This course provides an overview of the Data Protection Act, the complementary legislation to the
GDPR in the UK.

What is the UK Data Protection Act?

The Data Protection Act controls how your personal data (or information) is used by organisations,
businesses or the government. Everyone responsible for using data has to follow strict rules called
‘data protection principles’.

This module will provide an overview of the key areas of the Data Protection Act and the UK ICO
(Information Commissioner's Office).

What is Personal Data?

The UK ICO defines personal data - or Personally Identifiable Information (PII) - as data which relates to
a living individual who can be identified:

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the
possession of, the data controller, and includes any expression of opinion about the individual and
any indication of the intentions of the data controller or any other person in respect of the individual.

What is sensitive personal data?

The UK ICO defines sensitive personal data - or Sensitive Personal Information (SPI) - as personal data
consisting of information as to:

(a) the racial or ethnic origin of the data subject

(b) their political opinions

(c) their religious beliefs or other beliefs of a similar nature

(d) whether they are a member of a trade union (within the meaning of the Trade Union and Labour
Relations (Consolidation) Act 1992)

(e) their physical or mental health or condition

(f) their sexual life

(g) the commission or alleged commission by them of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by them, the
disposal of such proceedings or the sentence of any court in such proceedings

What activities are regulated by the Data Protection Act?

The act regulates the “processing” of personal data. Processing, in relation to information or data,
means obtaining, recording or holding said information or data, or carrying out any operation or set
of operations on it, including:

(a) organisation, adaptation or alteration of the information or data

(b) retrieval, consultation or use of the information or data

(c) disclosure of the information or data by transmission, dissemination or otherwise making
available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data

Principle 1 – Fair and Lawful

This is the first data protection principle. In practice, it means that you must:

Have legitimate grounds for collecting and using the personal data

Not use the data in ways that have unjustified adverse effects on the individuals concerned

Be transparent about how you intend to use the data, and give individuals appropriate privacy
notices when collecting their personal data

Handle people’s personal data only in ways they would reasonably expect

Make sure you do not do anything unlawful with the data

Principle 2 – Purposes

The second data protection principle means that you must:

Be clear from the outset about why you are collecting personal data and what you intend to do with
it

Comply with the Act’s fair processing requirements – including the duty to give privacy notices to
individuals when collecting their personal data

Comply with what the Act says about notifying the ICO

Ensure that, if you wish to use or disclose the personal data for any purpose that is additional to, or
different from the originally specified purpose, the new use or disclosure is fair

Principle 3 – Adequacy

This is the third data protection principle. In practice, it means you should ensure that:

Any personal data held is adequate and relevant to the purpose for which it was processed

Unnecessary, excessive data is not held

Principle 4 – Accuracy

This is the fourth data protection principle. In practice, it means you should:

Take reasonable steps to ensure the accuracy of any personal data you obtain

Ensure that the source of any personal data is clear

Carefully consider any challenges to the accuracy of information

Consider whether it is necessary to update the information

Principle 5 – Retention

This is the fifth data protection principle. In practice, it means that you will need to:

Review the length of time you keep personal data

Consider the purpose or purposes you hold the information for in deciding whether, and for how
long, to retain it

Securely delete information that is no longer needed for this purpose or these purposes

Update, archive or securely delete information if it goes out of date

Principle 6 – Rights

This is the sixth data protection principle, and the rights of individuals that it refers to are:

A right of access to a copy of the information comprised in their personal data

A right to object to processing that is likely to cause, or is causing, damage or distress

A right to prevent processing for direct marketing

A right to object to decisions being taken by automated means

A right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or
destroyed

A right to claim compensation for damages caused by a breach of the Act

Principle 7 – Security

This is the seventh data protection principle. In practice, it means you must have appropriate security
to prevent the personal data you hold being accidentally or deliberately compromised. In particular,
you will need to:

Design and organise your security to fit the nature of the personal data you hold, and the harm that
may result from a security breach

Be clear about who in your organisation is responsible for ensuring information security

Make sure you have the right physical and technical security, backed up by robust policies and
procedures, and reliable, well-trained staff

Be ready to respond to any breach of security swiftly and effectively

Principle 8 – Sending personal data outside the European Economic Area

Personal data shall not be transferred to a country or territory outside the EEA unless that country or
territory ensures an adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data.

What can you do?

Understand your organisation's data protection policy and processes

Understand your obligations as an employee working for your organisation

Understand your rights as an individual/consumer

Further reading is available on the UK Information Commissioner's Office (ICO) website.