Data Protection Laws

Established in 1984 and updated in 1998, the Data Protection Act sets out the various rights of the people designated as data controllers, data users and data subjects, as well as general rules for dealing with data. It aims to prevent exploitation of the data subject's data.

NB:The laws mentioned here apply to Britain, although similar ones probably exist in many other countries.

Rights

The act specifies seven rights given to data subjects:

1. Data subjects must be given a copy of any data held about them, and the reason it is being held, upon request. The individual must also be told how the data was obtained and to whom it may be passed.
2. If the processing of the data has not previously been authorised by the data subject, and the processing is not necessary for a legal reason or to protect the data subject, then the data subject may ask that the processing stops if he deems that it will cause damage or distress.
3. A data subject may ask that the processing stops if the processing is for the purpose of direct marketing.
4. A data subject may ask that automated decisions made using the data are not used as the sole source of data for decision-making processes relating to him. He may also demand to be told when such decisions are made.
5. If a data subject incurs losses or damage due to the illegal processing of the data, he may claim compensation. A bit of a no-brainer, this one...
6. A data subject can use a court to order the data controller to correct or erase any inaccurate data pertaining to him.
7. A data subject can request an inquiry into the processing of data pertaining to him to see that it is legal (as defined by the Act itself).

Principles

In addition to the rights, there are eight principles which everyone must obey:

1. Personal data may be processed only when one of more of the following conditions are met:
   • The data subject has given permission;
   • The processing is necessary to protect the data subject;
   • The processing is necessary for legal reasons, or to carry out the work of the government or the justice system;
   • The processing is necessary in the normal work of the data controller and the processing does not contradict the rights of the data subject;
   • The data is defined as sensitive and one or more of these extra conditions are met:
     • The data subject has given permission;
     • The data subject cannot give consent and the processing is necessary to protect him;
     • The processing is done by a political, religious or trade union organisation;
     • The data subject deliberately made the data public;
     • The processing is necessary for legal reasons;
     • The processing is necessary to determine that the data subject obtains an equal opportunity (for example, in a job application)
2. Personal data may only be obtained for a specified, lawful purpose and cannot be used in other way;
3. The data must be relevant to the purpose specified;
4. The data must be be accurate and (if applicable) up to date;
5. The data must be kept for no longer than necessary;
6. The data must be processed giving due attention to the rights of the Data Subject;
7. Steps must be taken to ensure the safety of the data against illegal processing, theft and other loss or damage to the data.
8. The data must not be transferred outside of the European Union unless the destination country has adequate laws detailing the safety of the data;

Exemptions

• National Security
• Crime Prevention/Detection
• Taxes
• Health
• Education
• Social Work
• Regulatory Activity
• Journalism
• Artistic/Literary purposes
• Research/Historical purposes
• Publicly available information
• Legally required disclosures

Back to Computers, the Law and You