Data Protection Act 1998
18 July 2009
The Data Protection Act controls how your personal information is used by corporations and the Government. It requires everyone who collects data to follow strict rules and to keep your information safe.
The particular points to note in the 1998 Data Protection Act are:
- a broad definition of “data”, including information held both electronically (whether on computer or other electronic means) and in manual or paper-based filing systems regardless of location
- a broad definition of “processing”
- extension of the rights of “data subjects” (workers in this case) to have access to details of data held about them, to know for what purpose information is held, and its relevance to their working life.
There are eight principles governing the processing of personal data. Anyone collecting personal information must:
- process it fairly and lawfully
- obtain it only for specified and lawful purposes, and not process it in any manner incompatible with those purposes
- use it in a way that is adequate, relevant and not excessive in relation to the purposes for which it is processed
- ensure it is accurate and, where necessary, kept up to date
- keep it for no longer than is necessary for the purposes for which it is processed
- process it in accordance with the rights of data subjects under the Act
- protect it against unauthorised or unlawful processing and accidental loss, destruction or damage
- not transfer it to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection.
The 1998 Act introduced new restrictions on the holding and processing of what is termed “sensitive personal data”, such as racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual life, and any court record, or allegations of such. Processing of such data is subject to the eight principles above and, in addition, at least one of the following conditions must be complied with. There are others, but the most relevant in the context of employment are:
- the worker has given his or her explicit consent to the processing
- the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the employer in connection with employment
- the processing is necessary in connection with any legal proceedings or for the purpose of obtaining legal advice
- the processing is necessary for the administration of justice, for the exercise of functions conferred by statute, or for the exercise of any function of the Crown
- where the processing relates to sensitive data as to racial or ethnic origin, it is necessary for the purpose of monitoring equality of opportunity or treatment between persons of different racial or ethnic origins with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects.
The Act also covers the use of computerised decision-making packages, such as those used in recruitment and sifting of applications. The use of such packages to complement, not replace, human judgement is not in contravention of the Act; it is when they are in sole use that restrictions apply.
Employers are expected to think carefully about what kind of information they ask of their workers. They must consider what the purpose of such information is, who is to have access to it, and under what conditions. Unauthorised access to workers’ records should be a disciplinary matter, and may be a criminal offence under Section 55 of the Act.
Since October 2001 individuals have been able to see all manual files held on them, and to make complaints, seek correction or claim recompense.