Data Protection - A Summary
What does the Data Protection Act cover?
The DPA covers personal data which is defined as information relating to a living individual who can be identified from those data, or from those data and other information which is in the possession of or is likely to come into the possession of, the data controller. Personal data includes expression of opinion and indications of the intentions of the data controller or any other person in respect of the individual.
There is a subsection of personal data known as sensitive personal data, this includes information regarding racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexual life, the commission or alleged commission of any offence, and any related proceedings.
What does the Data Protection Act mean for the University?
The Information Commissioner’s Office (ICO) oversees the Data Protection Act; the University is registered with the ICO and must annually renew this notification. The Data Protection Act regulates how the University can process personal information and sets out 8 principles which must be followed.
What are the 8 Data Protection Principles?
The Data Protection Principles outline best practice with regards to processing Personal Data and must be complied with. The principles are:-
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive.
4. Personal data shall be accurate and where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection.
How does the Data Protection Act affect how the University uses personal data?
In addition to the Data Protection principles outlined above the DPA specifies conditions that must be met when processing personal data, the lists below are not exhaustive but contain the conditions that are likely to be relied upon by the University.When processing Personal Data one of the following conditions must be met:
- The individual has given consent.
- The processing is necessary for the performance of a contract.
- The processing is necessary for a legal obligation.
- The processing is necessary for the protection of the data subject’s vital interests.
- The processing in necessary for the exercise of any other functions of a public nature exercised in the public interest.
- The processing is necessary for the purposes of legitimate interests pursued by the data controller.
When processing Sensitive Personal Data not only must one of the above apply, but there are additional conditions, at least one of which must be met:
- The data subject has given his explicit consent.
- The processing is necessary for compliance with legal obligations in connection with employment.
- The processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given by or on behalf of the data subject, and the data controller cannot reasonably be expected to obtain consent
- The processing in necessary to protect the vital interests of another person, in a case where consent of the data subject has been unreasonably withheld.
- The personal data has been made public as a result of steps deliberately taken by the data subject.
- The processing is necessary for the purpose of, or in connection with, any legal proceedings or for the purpose of obtaining legal advice.
- The processing is of sensitive personal data consisting of information as to racial or ethnic origin, is for the purpose of identifying or reviewing the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects.
What happens if the DPA is breached?
The Information Commissioner has the authority to carry out Assessments of any Data Controllers against whom he has received complaints, if they are found to be breaching the DPA enforcement notices will be issued to force compliance. Breaches can also be tried in court.
The Act provides for separate personal liability for any of the offences in the Act. If a member of staff consents to an offence committed by the University, or that offence is attributable to any neglect on his/her part, that member of staff can be proceeded against and fined accordingly. Additionally, a data subject has the right to sue for compensation if he/she has suffered damage and/or distress as a result of the University’s breach of the data protection regulations.
Offences under the act include:
- Processing without notification
- Failure to notify the commissioner of changes to notification register entry
- Failure to comply with an enforcement notice/information notice/special information notice
Knowingly or recklessly obtaining or disclosing personal data or the information contained in personal data without the consent of the data subject.