Data Protection Compliance in the UK

Data Protection Compliance in the UK: A Pocket Guide

ROSEMARY JAY
JENNA CLARKE
Copyright Date: 2010
Edition: 2
Published by: IT Governance Publishing
Pages: 54
https://www.jstor.org/stable/j.ctt5hh4g3
    Book Description:

    Data Protection Compliance in the UK has been published as an easy-to-read introduction for any employee required to support compliance with the DPA. This concise book covers:
      • UK and EU data protection regulations
      • The rights of individuals
      • The security obligations of organisations
      • Key definitions, terms and requirements
      • Practical compliance checklists, covering the steps you must take to reach DPA compliance
      • Additional topics including IT monitoring and interception, enforcement provisions and penalties for non-compliance

    eISBN: 978-1-84928-048-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. FOREWORD
    (pp. 5-6)
    Alan Calder

    Secure management of personal digital information has become a key organisational challenge for both the public and private sectors in the 21st century’s information age.

    While headlines and news stories have been able to focus on a number of reported organisational failures to protect either personal or credit card data (or both), the reality is that there are many more organisations exposed to the sort of brand and market damage that prolonged negative headlines can have.

    Regulators, of course, have their own view about the steps that organisations should be taking and, for all organisations operating in the United Kingdom;...

  3. PREFACE
    (pp. 7-8)
  4. ABOUT THE AUTHORS
    (pp. 8-8)
  5. Table of Contents
    (pp. 9-9)
  6. CHAPTER 1: INTRODUCTION AND EU REGULATIONS
    (pp. 10-12)

    The Data Protection Act 1998¹ (DPA) came into force on 1 March 2000. It applies throughout England, Wales, Scotland and Northern Ireland. It is based on the EU Data Protection Directive of 1995² (DPD). Special rules cover the use of telecommunications data and the use of e-mail, telephone and fax for direct marketing. These are based on the EU Privacy and Electronic Communications Directive of 2002.³ In the UK, this was implemented by the Privacy and Electronic Communications Regulations 2003⁴ (PECR).

    The DPA, like other legislation, has to be interpreted in the light of the Human Rights Act 1998.⁵ This...

  7. CHAPTER 2: UNDERSTANDING THE DEFINITIONS
    (pp. 13-15)

    The DPA uses several specific terms and it helps to understand these. The DPA covers personal data. This means information which is held on a computer or in a relevant filing system and which relates to a living individual who can be identified from that information, or that and other information in the possession of the data controller (see below). It does not matter that the other information is held by a different department. Where public authorities are concerned, an even wider range of information is covered when it comes to dealing with rights of access to the information. If...

  8. CHAPTER 3: NOTIFYING PROCESSING WITH THE INFORMATION COMMISSIONER
    (pp. 16-17)

    Ever since the first Data Protection Act in 1984, those who process personal data have had an obligation to register on a public register. This is now called notification. There are some exemptions from this obligation. These are quite narrow; however, organisations will not need to notify if the only reasons they process personal data are for what are called the core business purposes. These cover marketing, staff administration and accounting, but care should be taken when relying on these and reference should be made to the Information Commissioner’s website⁹ and the guidance available. Notification lasts for a year.

    From...

  9. CHAPTER 4: WHAT ARE THE RIGHTS OF INDIVIDUALS?
    (pp. 18-24)

    The DPA provides individuals with some important rights. These are:

      • the right of subject access;
      • the right to object to direct marketing;
      • the right to object to processing in some circumstances;
      • the right to object to automated decision making;
      • the right to rectification of inaccurate data; and
      • the right to compensation.

    In addition, under the PECR, data subjects can decide to register on the Telephone Preference Service (TPS).¹¹

    If a data subject makes a written application to a data controller, he or she is entitled to be told whether the controller has any personal data about that individual; and if...

  10. CHAPTER 5: UNDERSTANDING AND APPLYING DATA PROTECTION PRINCIPLES 1 TO 6
    (pp. 25-30)

    The rules for how personal data must be processed are found in the eight data protection principles. One of the principles deals with security and another with overseas transfer; these are dealt with in separate chapters. In this chapter, we look at principles 1 to 6:

      • Principles 1 and 2 deal with the basic rules for allowing processing of personal data to take place and the restrictions on what data controllers can do with the data.
      • Principles 3, 4 and 5 deal with data quality.
      • Principle 6 deals with the rights of data subjects.

    Principle 1 requires a data controller...

  11. CHAPTER 6: SECURITY OBLIGATIONS AND DATA PROCESSORS
    (pp. 31-33)

    Principle 7 is an important provision of the DPA. It states that data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. The DPA explains what should be weighed in deciding whether security measures are appropriate. The data controller has to consider the harm that might result from the unauthorised or unlawful processing or accidental loss or destruction or damage to data and the nature of the data to be protected, and must ensure an appropriate level of security taking into...

  12. CHAPTER 7: TRANSFERRING DATA OVERSEAS
    (pp. 34-38)

    Principle 8 is another important provision. It limits the transfer of personal data to countries outside the EEA unless the data controller can bring themselves within one of the exceptions to this prohibition, or they can be sure that equivalent protection is provided for the personal data in the country to which it is being sent.

    Simply putting information on a website hosted within the EEA does not amount to a transfer of personal data, but if information is deliberately pushed onto a website outside the EEA or is transferred, whether electronically or by disc or other mechanism outside the...

  13. CHAPTER 8: APPLYING EXEMPTIONS
    (pp. 39-39)

    The DPA imposes a regime which controls the processing of personal data and imposes obligations on the data controller to provide information to individuals. In Chapter 4, the exemptions to the obligation to provide subject access were noted. The data controller may also be relieved from the obligation to provide notice to individuals in certain circumstances. The exemptions only apply on a case by case basis. A data controller who plans to rely on these should make a proper record of the justification for doing so. In other circumstances, restrictions on disclosure are lifted so that a disclosure may be...

  14. CHAPTER 9: MARKETING USING ELECTRONIC METHODS
    (pp. 40-41)

    PECR includes special rules for marketing by fax, e-mail and telephone. Faxes for marketing purposes must not be sent to individual subscribers unless those subscribers have agreed to receive them. Corporate subscribers may opt out by registering with the Fax Preference Service.¹⁸ They also have the right to notify the marketer that the organisation does not wish to receive marketing faxes.

    Telephone marketing must not be carried out to any subscriber, whether a corporate subscriber or an individual subscriber, who has either told the caller that they do not want to receive such calls, or that they have registered with...

  15. CHAPTER 10: IT MONITORING AND INTERCEPTION
    (pp. 42-43)

    The monitoring of electronic communications and the interception of the content of calls is a serious issue for most businesses. Monitoring is the activity of listening to calls while they are taking place but not keeping an electronic record; interception is both listening and keeping a record, that is, taking a copy or retaining a copy of the call. Communications data is the information generated as a result of calls showing the numbers called, time spent on the call and other information about the call.

    An organisation’s IT policy should make clear that monitoring will take place, if this is...

  16. CHAPTER 11: ENFORCEMENT PROVISIONS
    (pp. 44-45)

    The DPA is enforced by the Information Commissioner, who is also responsible for the FOIA. Among other roles, the Commissioner issues codes of practice. Most recently, the Commissioner has revised the code of practice for the use of CCTV, and issued a draft code covering data protection online. The Commissioner’s website also provides useful guidance on a whole range of topics. The Information Commissioner has an obligation to maintain the register and to provide advice on the DPA.

    An individual, who is aggrieved because they believe there has been a breach of the DPA or of the PECR, may...

  17. CHAPTER 12: PENALTIES FOR NON-COMPLIANCE
    (pp. 46-47)

    Some actions give rise to criminal proceedings under the DPA. The most serious of these is the offence under Section 55 of obtaining or disclosing personal data, or procuring the disclosure of personal data without the consent of the data controller. In order to commit the offence, the accused must know or be reckless that they do not have such consent. There are various defences, including the possibility that, in the particular circumstances, the activity was justified in the public interest. The Information Commissioner has recommended that this offence should carry a custodial sentence, and it is likely that the...

  18. CHAPTER 13: COMPLIANCE CHECKLIST FOR STAFF
    (pp. 48-50)

    This checklist is intended as a good practice guide for staff (particularly those in the IT section). It is not a general checklist for the organisation as a whole.

      • Know who the data protection officer is in your organisation, so that queries can be raised with the appropriate person.
      • Check that your registration with the Information Commissioner covers everything for which your section is responsible and, if there are any gaps, ensure your data protection officer is alerted to this.
      • Be aware of those circumstances in which personal data may be collected by your section or your business unit, and...

  19. APPENDIX: ABBREVIATIONS
    (pp. 51-51)
  20. ITG RESOURCES
    (pp. 52-54)