Data Protection Defined
What is the Data Protection Act?
The Data Protection Act is a British law, which was passed because it was required by the Data Protection Directive from the European Union. Before the European Union, there was a treaty and a convention of the Council of Europe. Now, the Council of Europe is larger and older than the European Union. It is legally looser, that is to say, it produces treaties, which may or may not be binding. When the United Kingdom signed and ratified the Council of Europe Convention on Data Protection, that meant it was required to adopt legislation, which it did in the first Data Protection Act which, ironically, was passed in 1984.
What does the Data Protection Act do?
The Data Protection Act, like laws in many other countries, sets standards for the processing of personal data, that is, information about individuals. It has basic standards about how the information is acquired, what it's used for, how long it's kept, along with rights such as the right of subject access to the information - that is, your right to see information about yourself - and rights of correction and clarification. And also the information is not to be kept for longer than is necessary, so there can be a right to have the information removed. Also there are some rights to compensation if the rules on data protection have been breached and if they've caused damage.
What is 'personal data'?
Personal data is information about an identifiable living person. That is to say, it's information that can be traced to a person, so that if the information is filed under a code, say, but the code can be broken by reference to another file, as it were, then that's personal data. It stops being personal data if it is completely anonymized. Also, it's significant that personal data is about natural living persons in this country; in some other countries it can be information about a legal person, that is to say a company, and some countries provide some form of legal protection to dead people.
What is a 'data controller'?
The data controller is the person who is responsible for the data processing. It used to be called the data user. It will be, in many cases, a company, an educational institution, or a government department. There may be circumstances in which the data controller may also, in some senses, be a data subject. That is, information about the person who is the controller may be controlled by someone else.
What is a 'data subject'?
The 'data subject' is a person: you, me or anyone; it's a natural person. Any living person is called a 'data subject' because, under the act, the 'data subject' is the person who has rights. The 'data controller', broadly speaking, is a person or institution or company that has duties.
What is 'processing'?
Processing is handling, and doing something with the data: whether it be filing it, passing it on, consulting it, collating it, or sorting it. The only handling of data that doesn't quite qualify as processing is the very transitory use of data, and it's interesting that Sweden, which was the first country to adopt a national data protection act, has recently amended its act so that data processing is more limited in its definition. This ensures that the transitory accessing of a person's information, as in over the Internet, will probably not count as processing. But essentially it's doing anything with the data.
What are my rights under the Data Protection Act?
Under the Data Protection Act you have a right to have information about yourself processed in accordance with the standards of the act. That is, it is obtained fairly and legally and used only for the purpose that you provided it for, it is not kept longer than is necessary, it is not excessive for the purpose, and you have a right to have it corrected or even deleted. The right of correction and deletion hinges on your right to exercise subject access - that is, a right to see data about yourself.
How does the Act protect my privacy?
It's only a partial protection because the right to privacy, and I'll use the North American pronunciation here, as a legal right emerged really in the 19th century, first of all as a right in private civil law, that is to say, your right to get compensation if another person had invaded your privacy. This was developed by legislation and by the courts so that eventually they came up with four general classifications of privacy rights. One is the right not to be intruded upon, the right to be left alone, the right of physical seclusion, if you will. The second is a right not to be placed in a false light, that is, not to have information communicated about you which is wrong. A third is a right to have confidential information treated confidentially, personal information. Finally, a right not to have your likeness appropriated without your consent, your likeness being how you appear or how you sound, for example. Data protection laws do not cover all of these rights of privacy. Data protection laws protect your right not to be placed in a false light in many circumstances. They also protect your right to have personal information which is provided in confidence treated confidentially. Data protection law does very little to protect your right to physical seclusion, and data protection law does very little to protect your right not to have your image or your likeness used without authorization.
How can I find out what information is held about me?
Data controllers are required to register, to notify the Information Commissioner's Office about what kind of personal data they process. That is, what kind of information they have, about what people, what they obtain it for, what they use it for, to what other institutions or people they will communicate it, and how long they hold it. All of that they provide, and the Information Commissioner's Office can tell you about it, or you can go straight to the data controller and simply say you want to know what information about yourself the data controller is processing and what the data controller is doing with it.
How can I stop my personal information being processed?
You can stop personal information being processed, but you can only do this with difficulty in many circumstances, because data protection law requires the informed consent of the data subject for data to be processed. However, in many circumstances the data controller, the university for example, or the company, will require you to provide information and to consent to its being processed in order to obtain a benefit such as study in a university. You frequently see on forms, in magazines or online, a little box at the bottom which you click to indicate if you do not want the information you have provided for purposes of the competition or the order to be used for any other purpose. So to that extent you can stop personal data being processed. There are also various statutory and non-statutory schemes by which you can opt out of direct mail, for example, and that's increasingly adopted in the electronic field. So in many circumstances you can stop personal data being processed, or at least you can stop it being processed further than is necessary for the purpose of your transaction, your purchase for example. But it's very difficult to stop it from being processed completely, because you have to provide information in many circumstances in order to obtain goods and services.
When am I allowed to claim compensation under the Data Protection Act?
Under the Data Protection Act, you can get compensation in the courts if there has been a breach of the Data Protection rules, such as if the information has been obtained unfairly or illegally or it's been used for a purpose other than that for which it was provided, or if it has been used without your consent. You can only get compensation through the courts if you can prove that this breach of the Data Protection rules has caused you damage in some way. You do have a right to compensation.
How can I claim compensation?
If there's been a breach and you've suffered damage, then you can go to court. For most purposes, if you think that the Data Protection Act is being breached, you go to the Information Commissioner. Now, the Information Commissioner used to be called the Data Protection Registrar and then he was called the Data Protection Commissioner, but now he's called the Information Commissioner because he has responsibilities under both the Data Protection Act and the Freedom of Information Act. The Information Commissioner has powers to order data controllers to do certain things and to issue enforcement notices, for example. He does not have the power to impose a fine like the French and Spanish Data Protection Authorities do. However, he can go to court to get the court to impose a fine. But for most purposes, if you think there has been a breach of the Data Protection Act, your first avenue would be to go to the Information Commissioner's Office.
When can I take a case to court?
When you think that there has been a breach of the Data Protection Act that has caused you damage, then you can go to court.
What duties do I have to perform under the Data Protection Act?
You only have duties under the Data Protection Act if you are a data controller. So if you are an employer, if you are a business, then you almost certainly will process personal data about your employees and your customers, and so you will have a duty to inform the Information Commissioner's Office of what you are doing in processing those personal data. And then you have a duty to give notice to the data subjects of your processing of their personal data and of their rights under the Data Protection Act.
How does the Act affect my business?
It depends on what your business is. If you are in the production of goods business, the Data Protection Act will mostly affect you as an employer; your duties as a data controller in processing the personal data of your employees. If you are selling the goods, as well as producing them, then you will have duties regarding the personal data of any customers that you have. Now, in many circumstances, you may be a producer, and you will be selling goods to companies. In which case, you don't have much in the way of responsibility towards your customers, because they're not natural persons, they're just companies. However, if you're in the retail business, or the mail-order business, then you will be collecting a lot of personal data about your customers. You will have duties to inform them of what data you're collecting, what you're using it for, and, for example, you will have a duty to get their informed consent, if you're going to use information about them for any other purpose, or pass it on to any other data controller.