The Data Protection Act 1998 (DPA) is the principal piece of legislation in the UK governing personal data. It restricts the processing of data, gives data subjects certain rights, and creates eight legally enforceable 'data protection principles' with which organisations must comply.
It is vital that companies understand the DPA and how it applies to them, particularly in light of the Information Commissioner's power to fine organisations up to £500,000 for serious breaches, not to mention the business implications that stem from adverse publicity surrounding data protection breaches.
The DPA regulates the ‘processing’ of ‘personal data’ held on a computer, intended to be held on a computer, or held in paper form in a ‘relevant filing system’ by a ‘data controller’.
Anyone processing personal data as a data controller must comply with the eight data protection principles contained in the DPA. These say that data must:
- be fairly and lawfully obtained and processed;
- be processed for limited purposes and not in any manner incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate and where necessary kept up to date;
- not be kept for longer than necessary;
- be processed in line with the data subject’s rights;
- be secure; and
- not be transferred to countries outside the EEA without adequate protection.
Individuals who have had their personal data processed otherwise than in accordance with the DPA may claim compensation for any damage or distress caused, such as where a security breach puts sensitive personal data in the public domain. They may also obtain a court order for the rectification, blocking, erasure or destruction of inaccurate data.
Data protection eLearning is an introductory level eLearning course designed to introduce people who work with data to the key principles of the UK’s Data Protection Act 1998 (DPA), the practical steps that can be taken to ensure compliance and the basics of data protection in the workplace.