What is the Data Protection Act 1998?
Designed to ensure that organisations use and store the personal data of their customers in a responsible manner, the Data Protection Act 1998 is a piece of UK legislation that sets out specific rules governing how any organisation may obtain, process and disclose information relating to an identifiable living individual. Because of this scope, the Act affects the overwhelming majority of public-facing organisations. Unfortunately, it is also widely regarded as one of the most complicated and opaque Acts of Parliament in the UK and, as a result of its wording, is often misinterpreted by organisations and consumers alike.
Before the 1998 Act replaced the earlier Data Protection Act 1984, the rules governing how companies had to protect sensitive information about their customers were much less clearly defined. An individual's details could be stored insecurely, sold on to third-party companies for profit, or withheld from the individual in question unless a company-defined processing charge was paid.
Now, however, the handling of personal data is regulated: processing must satisfy a lawful basis (of which the subject's consent is one, though not the only one), organisations are responsible for protecting the data they hold against theft and accidental loss, a set of defined rights belonging to the individual whose data is held must be respected, and a number of offences have been defined so that organisations that fail to comply with the Act can be fined.
If you’re working for a customer-facing organisation, or an organisation that stores personal information, you’ll need to stay abreast of the specifics, and take steps to ensure that you remain compliant with the Data Protection Act 1998.
You can find more information on compliance with the Act by taking the Virtual College Data Protection at Work course.
The Scope of the Data Protection Act
The Data Protection Act covers personal data: any information relating to a living individual who can be identified from it, either on its own or together with other information the organisation holds. That includes the obvious records containing a name, postal address or email address, but also details such as medical conditions, employment history or marital status when they relate to an identifiable person. Some categories, such as health, ethnic origin, religion and criminal record, are classed as sensitive personal data and attract stricter conditions.
For most businesses, this means their customer data, gathered every time somebody places an order or signs up for a service. However, the Act also covers data obtained from a third-party source and data gathered via email sign-up forms. A great many organisations do not fully understand this scope and do not always know which information they should be protecting, which means that they struggle to comply with the stricter parts of the legislation and often unwittingly breach its requirements.
The Principles and Responsibilities of Data Protection
Information that is covered by the Data Protection Act has to be obtained, stored, processed and disclosed in accordance with eight principles:
- Personal data must be processed fairly and lawfully, and only where one of the Act's conditions for processing is met
- Personal data must be obtained only for one or more specified and lawful purposes, and must not be processed in any manner incompatible with those purposes; it should not be collected 'just in case'
- Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed
- Personal data must be accurate and, where necessary, kept up to date, so that out-of-date addresses or phone numbers are not associated with the wrong individual
- Personal data must not be kept for longer than is necessary for the purpose for which it was obtained
- Personal data must be processed in accordance with the rights of data subjects under the Act, including the right of access to their own data
- Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Personal data must not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the rights of data subjects
The Act also requires that processing rest on a lawful basis. Consent from the subject is the most familiar of these, and it is mandatory in more circumstances for sensitive personal data, but other conditions exist, such as processing needed to perform a contract with the individual. In practice this means that you, as a business or organisation collecting records covered by the Act, have a responsibility to tell people what data you are collecting and why, and to honour their rights to access it, to have inaccurate data corrected and to object to its use for direct marketing.
If you would like to know more about the specific requirements of the Data Protection Act, you might be interested in taking the Virtual College Data Protection at Work course.