Data protection act: what you need to know

The Data Protection Act 1998 is a British act enforced by the parliament of Great Britain and Northern Ireland.  It was developed to bring British law in line with the European Union’s data protection directive of 1995 which required member states to protect the individual’s fundamental rights and freedoms, explicitly the right to privacy regarding the processing of personal data.

There are 8 main principles that the Data Protection Act focuses on and it is important that business owners are not only familiar with these principles but also implement them in their businesses.

What activities are regulated by the Data Protection Act?

The activity regulated by the Data protection act is processing of data. Processing has a very wide definition which includes: obtaining, recording, holding or carrying out any operation or set of operations on the information or data.

Non-compliance with the act could result in a heavy fine and possibly arrest.

Who has rights and obligations under the Data Protection Act?

The act protects the rights of individuals whom the data is about (data subjects), by placing duties on those who decide how and why such data is processed (data controllers). The act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.

Data controllers must be a person as recognised in law. So a data controller may be:

• individuals
• organisations
• other corporate and unincorporated bodies of persons

Data controllers are responsible for ensuring that any processing of personal data conforms to the act. Failure to comply can result in prosecution and compensation claims from individuals.

How long do data protection rights and duties last?

The act is applicable throughout the period when a data controller is processing personal data – as do the rights of individuals in respect of that personal data. Companies must comply with the act from the moment the data is obtained until the time when the data has been returned, deleted or destroyed.

The data controller’s responsibilities extend to the way that personal data is disposed of when it is no longer needed. Data must be disposed of securely and in a way which does not compromise the wellbeing of the individuals concerned.

Changes in a business’s circumstances does not alter the individual’s rights under the act. Even if a company closes, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles. However, accountability for guaranteeing this happens may change, subject to the situation.

Data Protection Act principles

The Data Protection Act lists the data protection principles as follows:

• Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  • at least one of the conditions in Schedule 2 is met, and
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
• Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
• Personal data shall be processed in accordance with the rights of data subjects under this Act.
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data protection act USA

In the United States Data privacy is not highly legislated or regulated. While there is not one sole act that governs the use, acquisition or storage of private data there are partial regulations. In the U.S., whoever captures the data, is deemed to own the right to store and use it, even if the data were collected without permission.

California is the only state that recognizes an individual’s right to privacy, and notes this in its constitution and has enacted several pieces of legislation aimed at protecting the right to privacy. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial websites or online services that collect personal information on California residents to visibly post a privacy policy on the site and to comply with its policy.

In order to facilitate the operation of US companies in Europe or trading with Europe, the Safe Harbor Arrangement was development by United States Department of Commerce to help US companies comply with stringent European privacy legislation. Companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive sufficient levels of protection.

The protection can either be at a country level, if the country’s laws are considered to offer equal protection, or at a company level, where a multinational organization produces and documents its internal controls on personal data.

The Safe Harbor Privacy Principles allows US companies to register their certification if they meet the European Union requirements.

Some US data protection acts include:

• The Health Insurance Portability and Accountability Act (HIPAA) which ensures individuals privacy regarding information discussed with health care providers.
• The Fair Credit Reporting Act (FCRA) allows individuals to opt out of unwanted credit offer.
• The Fair and Accurate Credit Transactions Act, each person can obtain a free and accurate annual credit report.
• The Fair Debt Collection Practices Act limits dissemination of information about a consumer’s financial transactions
• The Electronic Communications Privacy Act (ECPA) establishes criminal sanctions for the interception of electronic communication.

Data protection act 1998 summary

A quick summary if the data protection act 1998 is that companies are legally responsible for keeping information that can identify their customers secure and private. The act is part of the United Kingdom’s bid towards bringing British law into line with the European Union’s data protection directive of 1995. The law required member states to protect individual’s fundamental rights and freedoms,  specifically the right to privacy regarding the handling of personal data.

You can download a data protection act 1998 pdf here.

Data protection act software

Cibecs is a data backup and protection software that can assist companies in complying with the data protection act easily from one centrally managed location.

Cibecs offers enforced and secure data backup guaranteeing Corporate Governance Compliance, this is achieved by:

• Archiving all previous versions of data and ensuring that they are easily recoverable through an easy-to-use restore wizard.
• Preventing unauthorised access to data through encryption of backed up data.
• Intuitive business and technical reporting, including protection rating

You will also get complete endpoint protection guarding against data loss through:

• Automatically encrypting all business files on a user’s computer.
• Remotely wiping data or revoking user access from a control centre in the event of a lost or stolen machine.
• Data Theft Prevention automatically revokes access to files based on a time period.
• Powerful multi-layered protection against data theft and unauthorized access to business files.