The Act introduces new rules to protect personal privacy, the eight data protection 'principles', which restrict how information identifying a living person, such as their name and address or a photograph, can be processed.
The new rules restrict the use of information collected for one purpose for another purpose without the consent of the individual concerned (unfair processing); oblige organisations to take measures to ensure data quality; and put in place tough new regulations to safeguard data from security lapses or unauthorised disclosure.
Individuals also have the right to a copy of their information; and the transfer of data outside the European Economic Area is restricted unless suitable safeguards have been put in place. (The EEA consists of the 15 member states of the European Union, plus Norway, Iceland and Liechtenstein).
The principles have implications not just for the users of systems that process personal information, but also for those designing and building them.
Organisations can spend millions training staff and establishing processes for compliance, but inadequate computer systems can still leave them in breach of the law.
Some simple procedures, however, can help avoid potentially expensive corrective work in the future.
These requirements are likely to include:
Existing systems can present greater difficulties, as attempting to make the sort of changes detailed above to legacy systems could prove both difficult and costly.
BSI-DISC, in conjunction with the Data Protection Commissioner, has published Practical Guidance on Managing Databases. BSI-DISC also provides a data protection update service.
For more information about the guide or update service contact BSI on 020 8996 9000.
Further information is also available from Nicola Mckilligan of the data protection consultancy Virtual Privacy. Mckilligan can be contacted at [email protected]
The eight data protection principles
Personal information must be: