Wake up call

Data Protection Act 1998

What is it?

The Data Protection Act 1998 came into force on 1 March 2000. It replaces the Data Protection Act 1984 in full and implements the EU Data Protection Directive (95/46/EC) in UK law.

The Act imposes obligations on "data controllers", who determine the purposes for which and the manner in which personal data are processed, and lesser obligations on "data processors", who process data on behalf of a data controller (a controller's own employees are not data processors). The Act also covers certain manual records, not just computerised data.

The Act sets out eight data protection principles with which data controllers must comply. These include:

  • Fair and lawful processing of personal data
  • A ban on transfers of personal data to countries outside the European Economic Area unless the data is "adequately protected" or a specified exemption applies
  • A security principle requiring "appropriate technical and organisational measures" to be taken "against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data"
  • A principle requiring that data is not kept for longer than is necessary for the purpose for which it was obtained

What is at stake?

Offences under the new Act carry fines (up to £5,000 in the Magistrates' Court and unlimited in the Crown Court), and directors and officers of businesses and organisations which do not comply can, in certain circumstances, be personally liable.

The Data Protection Commissioner has the power to bring enforcement action against a data controller who has breached any of the principles. Individuals who are, or believe they are, directly affected by any processing of personal data can ask the Commissioner to assess whether a data controller is complying with the provisions of the Act. The Commissioner is under an obligation to carry out such an assessment.

The Commissioner can also obtain a warrant to enter and search premises, to inspect papers and equipment used for processing data and to seize documents. In urgent circumstances, warrants can be issued without notice.

The Act also provides individuals with rights of access to their personal data, and introduces a new notification regime (previously called registration) for data controllers.

What do you need to do?

IT professionals will need to help assess compliance with the principles, particularly the security principle, where technical as well as organisational security measures are relevant. Organisations need to establish a security policy based on a risk audit of the personal data they hold. This would cover:

  • The use of passwords, how often they are changed and whether anyone other than the account holder has access to an individual's password
  • The level of access to personal data given to users. For example, employees should not be given full access to a database holding personal data when they only need access to part of it
  • Ensuring that when media holding personal data are disposed of, the data is securely erased. This also applies to the destruction of printouts containing personal data
  • Security of the media holding the personal data and of the premises where they are held. Backups should be kept in separate secure premises
  • Backup and data recovery systems, so that lost personal data can be retrieved
  • Reliability of staff who have access to the data, including training and awareness of the employer's security policy and of how personal data must be handled
  • Procedures for dealing with breaches of data security, and appropriate disciplinary procedures for staff

You must also be able to deal with requests for access to personal data within the Act's time limit of 40 days, for example by maintaining up-to-date records of database design so that all personal data held on an individual can be located.

Where a data controller has data processed on its behalf by a data processor, the processing must be carried out under a written contract. The data processor must agree in the contract to act only on the controller's instructions and to comply with the security principle. IT professionals should ensure that such a contract is always in place in these circumstances.

For further details contact Catherine Hamilton at Dibb Lupton Alsop on 020-7796 6105.
