Data Protection Defined

What is the Data Protection Act?

The Data Protection Act is a British law, which was passed because it was required by the Data Protection Directive from the European Union. Before the European Union, there was a treaty and a convention of the Council of Europe. Now, the Council of Europe is larger and older than the European Union. It is legally looser, that is to say, it produces treaties, which may or may not be binding. When the United Kingdom signed and ratified the Council of Europe Convention on Data Protection, that meant it was required to adopt legislation, which it did in the first Data Protection Act which, ironically, was passed in 1984.

What does the Data Protection Act do?

The Data Protection Act, like laws in many other countries, sets standards for the processing of personal data that is information about individuals. It has basic standards about how the information is acquired, what it's used for, how long it's kept, along with rights such as the right of subject access to the information - that is your right to see information about yourself - and rights of correction and clarification. And also the information is not to be kept for longer than is necessary, so there can be a right to have the information removed. Also there are some rights to compensation if the rules on data protection have been breached and if they've caused damage.

What is 'personal data'?

Personal data is information about an identifiable living person. That is to say it's information is that can be traced to a person so that if the information is filed under a code safe say but the code can be broken by reference to another file as it were, then that's personal data. It stops being personal data if it is completely anonymized. Also it's significant that personal data is about natural living persons in this country, in some other countries it can be information about a legal person, that is to say a company, and some countries provides some form of legal protection to dead people.

What is a 'data controller'?

The data controller is the person who is responsible for the data processing. It used to be called the data user. It will be, in many cases, a company, an educational institution, or a government department. There may be circumstances in which the data controller may also, in some senses, be a data subject. That is, information about the person who is the controller may be controlled by someone else.

What is a 'data subject'?

The 'data subject' is a person you, me or anyone; it's a natural person. Any living person is called ‘data subject' because under the act the 'data subject' it is the person who has rights under the act. The ‘data controller', broadly speaking, is a person or institution or company that has duties.

What is 'processing'?

Processing is handling, and doing something with the data: whether it be filing it, passing it on, consulting it, collating it, or sorting it. The only handling of data that doesn't quite qualify as processing is the very transitory use of data, and it's interesting that Sweden, which was the first country to adopt the National Data Protection Act, has recently amended its act so that data processing is more limited in its definition. This ensures that the transitory accessing a person's information, as in over the Internet, will not probably count as processing. But essentially it's doing anything with the data.

What are my rights under the Data Protection Act?

Under the Data Protection Act you have a right to have information about yourself processed in accordance with the standards of the act. That is obtained fairly and legally and used only for the purpose that you provided for. It is not kept longer than is necessary, is not excessive for the purpose, and a right to have it corrected or even deleted. The right of correction and deletion hinges on your right to exercise subject access - that is a right to see data about yourself.

How does the Act protect my privacy?

It's only a partial protection because the right to privacy, and I'll use the North American pronunciation here, as a legal right emerged really in the 19th century, first of all as a right in private civil law, that is to say, your right to get compensation if another person had invaded your privacy. This was developed by legislation and by the courts so that eventually they came up with four general classifications of privacy rights. One is the right not to be intruded upon, the right to be left alone, the right of physical seclusion, if you will. The second is a right not to be placed in a false light, that is, not to have information communicated about you which is wrong. A third is a right to have confidential information treated confidentially, personal information. Finally, a right not to have your likeness appropriated without your consent, your likeness being how you appear or how you sound, for example. Data protection laws do not cover all of these rights of privacy. Data protection laws protect your right not to be placed in a false light in many circumstances. They also protect your right to have personal information which is provided in confidence treated confidentially. Data protection law does very little to protect your right to physical seclusion, and data protection law does very little to protect your right not to have your image or your likeness used without authorization.

When am I allowed to claim compensation under the Data Protection Act?

Under the Data Protection Act, you can get compensation in the courts if there has been a breach of the Data Protection rules, such as if the information has been obtained unfairly or illegally or it's been used for a purpose other than that for which it was provided, or if it has been used without your consent. You can only get compensation through the courts if you can prove that this breach of the Data Protection rules has caused you damage in some way. You do have a right to compensation.

When can I take a case to court?

When you think that there has been a breach in the Protection Act that has caused you damage, then you can go to court.

What duties do I have to perform under the Data Protection Act?

You only have duties under the Data Protection Act if you are a data controller. So that if you are an employer, if you are a business, then you almost certainly will process personal data about your employees and you customers, and so you will have a duty to inform the Information Commissioners Office of what you are doing in processing those personal data. And then you have a duty to give notice to the data subjects of your processing to their personal data and of their rights under the Data Protection Act.

How does the Act affect my business?

It depends on what your business is. If you are in the production of goods business, the Data Protection Act will mostly affect you as an employer; your duties as a data controller in processing the personal data of your employees. If you are selling the goods, as well as producing them, then you will have duties regarding the personal data of any customers that you have. Now, in many circumstances, you may be a producer, and you will be selling goods to companies. In which case, you don't have much in the way of responsibility towards your customers, because they're not natural persons, they're just companies. However, if you're in the retail business, or the mail-order business, then you will be collecting a lot of personal data about your customers. You will have duties to inform them of what data you're collecting, what you're using it for, and, for example, you will have a duty to get their informed consent, if you're going to use information about them for any other purpose, or pass it on to any other data controller.