The Data Protection Act 1984 was originally set up to safeguard personal data held on file. It applies to any facts, opinions or information relating to an individual (including customer and employee files) and may consist of manual data stored in an appropriate filing system, although not necessarily electronically recorded.

Any readily accessible personal data processed by data controllers must comply with the Data Protection Act, the latest revision of which came into force on 1 March 2000.

Personal Data

Personal data must be processed fairly and lawfully and it must not be processed unless:

• The individual has given their consent OR

• The process is necessary for a contract OR

• The process is necessary for legal reasons OR

• The process is necessary to protect the interests of the individual

Additional consent must be granted if the data is of a sensitive nature, such as race, ethnic origin, political stance, religious beliefs, physical and mental health, offences committed etc.

The processing of personal data must be:

• Used for specified and lawful purposes

• Relevant to the intended purpose

• Accurate and kept up to date

• Not kept for longer than necessary

• Processed in accordance with the rights of the individual

• Protected against unauthorised or unlawful processing

• Not transferred to a country without adequate protection

Subject Rights

Individuals have rights to the personal data that is held about them; these include being able to:

• Have access to their information

• Withdraw consent to processing

• Prevent processing for direct marketing purposes

• Give notice to automated decision-making

• Gain compensation if they suffer damage and distress due to the circumstances of processing

• Destroy or amend inaccurate data

• Request an assessment of the procedure used

Exceptions to Rights

Some personal data is exempt from the above subject rights, although notification will still need to be made.

Exemptions may include data for the purposes of:

• National Security

• Crime Prevention

• Health

• Education

• Research

• Armed Forces

• Examination scripts and marks

• Disclosures required by law

• Legal services

• Pastoral care

Offences

It is an offence to process personal data without notification (unless exemptions apply).

Other offences include:

• Processing outside of time limits

• Obtaining or disclosing personal data unlawfully

• Illegally selling personal data

• Enforcing access to subject data

Consent & Notification

The data controller must ascertain consent from the individual. The controller cannot infer consent from non-response or obtain consent using duress.

The data controller must notify the individual of entry into the Data Protection Register and must provide the following information:

• Name and address of data controller

• Name and address of representative

• Description of data being processed and its purpose

• List of any recipients to which data may be disclosed

• Names of any countries to which data may be transferred

• Notification if the data falls into any of the exemption categories

You do not have to notify the individual if the only processing you carry out is for one or more of these purposes:

• Staff administration

• Advertising, marketing and public relations for your own goods and services

• Accounts and records carried out by you

Please note: This guide is intended to provide basic information only. Where specific advice is required, we recommend that you seek proper professional help; either from this firm or other suitably qualified person or practice.