Advice on Security Issues

Data Protection Act 1998 - a brief guide

The new data protection legislation, the Data Protection Act 1998, came into force on 1st March 2000, yet research by the Stationery Office indicates that over half of all company directors are unaware of its provisions, despite warnings of possible imprisonment and fines for failure to comply.

The legislation affects all businesses and organisations holding information on living persons and embraces eight principles, which state that personal data shall:

  • be obtained and processed fairly and lawfully
  • be held for lawful purposes only
  • be used or disclosed for those purposes only
  • be relevant and not excessive in relation to its purpose
  • be accurate and up to date
  • be held no longer than necessary
  • be accessible to, and correctable by, the individuals to whom it relates
  • be secure

The 1998 Act replaces the registration requirement of the Data Protection Act 1994 with a notification procedure. Another main difference is that the Data Protection Registrar can now enforce the above principles against those who are exempt from notification. Those who control data should therefore ensure that they comply with the new Act even if they do not have to notify, e.g. because they only process manual data.

Security

The Act specifies that measures must be taken to ensure that data is secure. Furthermore, where a third party processes data on behalf of the controller, there should be a written contract between the parties to ensure compliance with the Act. The security principle becomes especially important if the data is "sensitive" (e.g. relates to sex, ethnicity, trade union affiliation, etc.) or is transferred abroad.

Recipient countries must be able to ensure an adequate level of protection for the rights and freedoms of data subjects.

"Data Subjects"

The new Act states that the subject of the data is entitled (on payment of a fee) to a description of the data being processed, its purpose, its potential recipients and its source. There are also some new rights, such as the right to prevent the data being used for direct marketing, for purposes likely to cause damage or stress, or for automatic decision making.

Manual Records / CCTV Recordings, etc.

Unlike the 1994 Act, which applied only to automatically processable data, the new Act relates to "relevant filing systems" and "accessible records", which include some types of manual data system, video tapes, CDs, etc.

This has obvious implications for areas such as CCTV recordings, among other applications. Remember that the ultimate destruction of video tapes, CDs and other storage media can only be considered truly safe if the data has been rendered unreadable prior to disposal. This will usually involve the destruction of magnetically stored data by degaussing or shredding, and the shredding of hard-copy data (e.g. paper).

Please contact us at Insight if you would like details of suitable degaussing or shredding equipment.

Transitional provisions

There are some transitional provisions which delay the full impact of the 1998 Act until 2001 or 2007. Data controllers should check whether they are affected; however, even if they are, early compliance would probably be good business practice. Remember that much of the new legislation is simply an extension of existing principles and directives, and failure to conform in these areas is unlikely to be looked on in a

A key factor in avoiding prosecution for failing to conform to the new areas encompassed by the legislation will be a demonstrable commitment to the introduction of appropriate measures, so, as always, ignorance will be no excuse.

Summary:

To ensure compliance with the new Act, companies and organisations should:

  • check whether they should notify under the new Act
  • audit the personal information held by the organisation, how it was obtained and to whom it is disclosed, and decide whether or not it is sensitive
  • decide whether permission is held for the processing of the data
  • appoint a data protection compliance officer to control this aspect of the organisation's activities
  • ensure that the data is secure and that staff are aware of the policies relating to it
  • implement procedures and training to ensure personal data is properly dealt with
  • ensure that third parties processing the data are secure

The 1998 Data Protection Act will affect many organisations (including, in some cases, areas of an organisation's business not previously affected).

Non-compliance penalties could include fines of up to £5,000 and/or imprisonment.

Further information is available from the Data Protection website: www.dataprotection.gov.uk