Data Protection Act 1998
What is it?
The Data Protection Act 1998 became law on 1 March. It completely replaces the Data Protection Act 1984 and implements the EU data protection directive into UK law.
The Act imposes obligations on "data controllers", who determine the manner and purposes of processing data, and lesser obligations on "data processors", those who process data on behalf of the data controller (excluding employees). The Act also covers certain manual data.
The Act sets out eight data protection principles which data controllers must comply with. These include:
What is at stake?
Offences under the new Act carry fines (up to £5,000 in the Magistrates' Court and unlimited in the Crown Court), and directors and officers of businesses and organisations that do not comply can, in certain circumstances, be personally liable.
The Data Protection Commissioner has the power to bring enforcement action against a data controller who has breached any of the principles. Individuals who are, or believe they are, directly affected by any processing of personal data can ask the commissioner to assess whether a data controller is complying with the provisions of the Act. The commissioner is under an obligation to carry out such an assessment.
The commissioner can also obtain a warrant to enter and search premises, to inspect papers and equipment used for processing data and to seize documents. In urgent circumstances, warrants can be issued without notice.
The Act also provides rights of access to personal data and a new notification regime (previously called registration) for data controllers.
What do you need to do?
IT professionals will need to help assess compliance with the principles, particularly the security principle where technical, as well as organisational, security procedures are relevant. Organisations need to establish a security policy based on a risk audit of personal data. This would cover:
You must also be able to deal with requests for access to the personal data you hold, within the Act's time limits, by, for example, maintaining up-to-date records of database design.
Where a data controller has data processed on its behalf by a data processor, the processing must be carried out under a written contract. The data processor must agree in the contract to comply with the security principle. IT professionals should ensure that a contract is always used in these circumstances.
For further details contact Catherine Hamilton at Dibb Lupton Alsop on 020-7796 6105.
