
“Having Fun with the Data Protection Act”

Trevor Ellis - June 2009

Trevor Ellis

Trainee Programmer
(1981 – 28 years ago)

Contractor
(since 1992 – for 17 years)

…. and Master of None !


European Directive 95/46/EC


– Protection of Individuals with Regard to the
Processing of Personal Data and on the Free
Movement of Such Data

Data Protection Act 1998

Information Commissioner’s Office


• Data Protection Act
• Freedom of Information Act
• plus……


• Not Legal Advice!
• Non-Expert
• I deny saying everything
• I wasn’t even here today

Information Commissioner’s Office


www.ico.gov.uk


Data Protection Act


• Includes
– rights for individuals re personal data
– processors register (notify) with the ICO
– processing must comply with 8 Principles
• Applies to
– computer, CCTV, some photographic, and
many paper records

Only time for a couple….


– What rights do individuals have?
– What is Personal Data?
– What are the Eight Principles?
– Who has to Register?
– Who is the responsible ‘Data Controller’?
– What is the effect on system testing?
– What is the impact of other legislation?
• Freedom of Information Act


What is Personal Data?

Data that relates to an identifiable living individual

(whether in personal or family life, business or profession)


Identifiable

Can a living individual be identified from the data itself

or from that data plus other available information reasonably likely to be available


Context is Everything
An individual is 'identified' if you have distinguished
that individual from other members of a group.

• Trevor Ellis 
• Trevor Ellis + EX15 3XX 

• .Net Dev Net member + EX15 3XX 


Context is Everything
The ‘data’ may enable you to
identify an individual whose name
you do not know and may never
intend to discover

Photo of UWE that includes someone standing outside 


Photo of shifty looking person standing outside UWE 

Eight Principles
that processing must comply with…

1. Processed Fairly
2. Only for specified reasons
3. Adequate and not excessive
4. Accurate and up to date
5. Not held longer than necessary
6. In accordance with subject’s rights
7. Kept safe
8. Not transferred outside EU

www.ico.gov.uk

Principle 1
Personal data shall be processed fairly, lawfully and only as necessary*

* except with the explicit consent of the subject


Principle 2
Personal data shall be obtained only for
the specified purpose, and shall not be
further processed in any manner
incompatible with those purposes


Principle 3
Personal data shall be adequate,
relevant and not excessive in relation to
the purposes for which they are
processed


Principle 4
Personal data shall be accurate and,
where necessary, kept up to date


Principle 5
Personal data processed for any purpose
or purposes shall not be kept for longer
than is necessary for that purpose or
those purposes


Principle 6
Personal data shall be processed in
accordance with the rights of data
subjects under this Act


Principle 7 (pt1)

Appropriate technical measures shall be taken to protect personal data*

* against unauthorised or unlawful processing, accidental loss or destruction, and damage


Principle 7 (pt2)
Appropriate organisational measures
shall be taken to protect personal data*

* against unauthorised processing, accidental loss or destruction, and damage


Principle 8
Personal data shall not be transferred outside the European Economic Area*

* unless that country ensures the same level of protection


Summary – www.ico.gov.uk

Eight Principles
1. Processed Fairly
2. Only for specified reasons
3. Adequate and not excessive
4. Accurate and up to date
5. Not longer than necessary
6. In accordance with subject’s rights
7. Kept safe
8. Not transferred outside EU
