Data Protection Act 1998
What is it?
The Data Protection Act 1998 became law on 1 March. It
completely replaces the Data Protection Act 1984 and implements the
EU data protection directive into UK law.
The Act imposes obligations on "data controllers" who determine
the manner and purposes of processing data, and lesser obligations
on "data processors" - those who process data on behalf of the data
controller (excluding employees). The Act also covers certain
manual data.
The Act sets out eight data protection principles which data
controllers must comply with. These include:
- A ban on data transfers to countries outside the European
Economic Area unless the data is "adequately protected" or meets a
specified exemption
- A security principle requiring "appropriate technical and
organisational measures" to be taken "against unauthorised or
unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data"
- A principle requiring that data is not kept for longer than is
necessary for the purpose for which it was obtained
What is at stake?
Offences under the new Act carry fines (up to £5,000 in the
Magistrates Court and unlimited in the Crown Court) and directors
and officers of businesses and organisations which do not comply
can, in certain circumstances, be personally liable.
The Data Protection Commissioner has the power to bring
enforcement action against a data controller who has breached any
of the principles. Individuals who are, or believe they are,
directly affected by any processing of personal data can ask the
commissioner to assess whether a data controller is complying with
the provisions of the Act. The commissioner is under an obligation to
carry out such an assessment.
The commissioner can also obtain a warrant to enter and search
premises, to inspect papers and equipment used for processing data
and to seize documents. In urgent circumstances, warrants can be
issued without notice.
The Act also provides rights of access to personal data and a
new notification regime (previously called registration) for data
controllers.
What do you need to do?
IT professionals will need to help assess compliance with the
principles, particularly the security principle where technical, as
well as organisational, security procedures are relevant.
Organisations need to establish a security policy based on a risk
audit of personal data. This would cover:
- The use of passwords, how often they are changed and whether others
have access to an individual's password
- The level of access to personal data given to users. For
example, employees should not be given full access to a database
holding personal data when they only need access to part of
it
- Ensuring that when media holding personal data are disposed of, the
data is properly erased. This also applies to the destruction of
printouts containing personal data
- Security of the media holding the personal data and of the
premises where they are held. Backups should be kept in separate
secure premises
- Backup and data recovery systems so that lost personal data
can be retrieved
- Reliability of staff who have access to the data, including
training in and awareness of the employer's security policy and how to
treat personal data
- Establishing procedures for breaches of data security and
appropriate disciplinary procedures for staff
You must also be able to deal with requests for access to the
personal data you hold within the Act's time limits, for example by
maintaining up-to-date records of database design.
Where a data controller has data processed on its behalf by a
data processor, the processing must be carried out under a written
contract. The data processor must agree in the contract to comply
with the security principle. IT professionals should ensure that a
contract is always used in these circumstances.
For further details contact Catherine
Hamilton at Dibb Lupton Alsop on 020-7796 6105.