Data Protection Act

It defines a legal basis for the handling in the UK of information relating to living people.

If your business or organisation requires that you store people's personal details, such as customer or employee records, then you must comply with the Act.

Compliance with the Act is overseen by an independent government authority, the Office of the Information Commissioner (OIC).

The Data Protection Act contains 8 principles of information-handling practice.

These state that all data must be:

  1. Processed fairly and lawfully
  2. Obtained and used only for the specific and lawful purposes for which it was collected
  3. Adequate, relevant and not excessive
  4. Accurate, and where necessary, kept up to date
  5. Kept for no longer than necessary
  6. Processed in accordance with the individual's rights (as defined)
  7. Kept secure (through technical and organisational measures)
  8. Transferred only to countries that offer adequate data protection

In October 2007 the regulations of the Data Protection Act will change.

The Data Protection Act was introduced in 1998 to give the public access to data held about them on organisations' files. It was introduced to help people see and understand the information which firms were using and holding about them. Through accessing this information the public has the opportunity to see if files are correct, relevant or incomplete and can advise the record holding organisation accordingly.

Currently, the DPA gives people the right to claim to view personal information held about themselves, whether it is on paper or held electronically. Requests must be made in writing to the company or individual who holds the data.

For any electronically held data, relating to updates after 1998, an organisation must supply all files within 40 days.

October 2007 Implications:

On 24th October 2007, the DPA will change, and firms will have to supply ALL data from 1998 onwards, not just that held on electronic files, within 40 days of the initial request.

New documents that will fall under the Act include manual data (health records, local authority, housing and social services records, for example) as well as records on active files which have not been put onto an electronic system.

Firms that cannot provide their records to an enquirer within the 40-day period will be liable under the law, most probably with a fine. There is a legal right of recourse through the courts for the public to challenge organisations that are late with information and also to enforce changes to data to ensure it is accurate.

It is therefore more important than ever that firms and organisations have quick access to accurately stored and retrievable information.

October 2008 Implications:

In October 2008 the final exception from the Act will end, so that records predating 1998, held in manual filing systems, will also fall under the Act's jurisdiction. These files will also need to be accessed and forwarded to the enquirer within 40 days.

For the full rundown of the Data Protection Act, visit the Government's Office of Public Sector Information website at: http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm

Failure to store email carries a potential jail term for directors under RIPA, which makes it a legal requirement for companies to keep all electronic communications for the life of the document. Directors must be able to supply law enforcers with email data on request, or risk facing charges of contempt or perverting the course of justice.

The Office of the Information Commissioner argues that this blanket saving of emails is in breach of the Data Protection Act. "Information on individuals should not be kept for longer than necessary and should not be of an excessive amount -- companies archiving emails in this way would need to justify their reason for doing so," said Iain Bourne, strategic policy manager for the Commissioner. "Companies keeping everything for the purposes of liability are taking a disproportionate approach -- it's corporate paranoia and there are data protection rules that they have to obey."