Cheat Sheet: Data Protection Act 1998

Update: It's only just begun...

1998? That's a bit out of date isn't it?
Not really. The Data Protection Act 1998 only came into force in 2000 and businesses didn't have to be fully compliant until October 2001. It takes a while for some legislation to get warmed up, you know.

What's it there for?
The Act is based on a European directive which requires member states "to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data". It means that all companies have to be honest about how they use personal data.

Does it affect my company?
Very probably. All computer records and most manual records come within the terms of the law if they can be used to identify the individual the record refers to. They don't need to be filed by name but could, for example, be filed by amount of business transacted, geographical location or type of business.

So long as the personal information within these files can be used to identify the individuals concerned, they are covered by the Act as personal data. And it isn't just customers - it means partners, suppliers and your own employees as well.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

OK, it's a fair cop. I'm hoarding loads of personal data. What happens now?
The Act means so-called "data controllers" have to register with the information commissioner. It also means they have to obtain consent from individuals to process their personal data and to ensure it is processed fairly. People have to 'signify' their consent positively, which means failure to reply to a message does not mean that consent has been given.

Consent must also be 'specific' and 'informed'. This means it has to be relevant to all the uses registered, including the type of information held, the purposes of the processing, the type of people who may be given access to it and the length of time that it might be on file.

Blimey, they don't ask for much do they?
I'm not finished yet. Individuals can request a copy of all data relating to them, how it is used, where it came from and who has access to it (for a fee).

So who's in charge of this?
The information commissioner is Richard Thomas. He can issue enforcement notices forcing companies to stop activities that contravene the Act. The commissioner can initiate his own action or take action as the result of a complaint.

And he carries a big stick?
If there are reasonable grounds to suspect that an offence is being committed, the Information Commissioner's Office (ICO) can apply for a warrant to enter and search premises and seize documents as evidence. Offences can be taken to the magistrates' courts or to a crown court.

So who's fallen foul of the Data Protection Act so far?
Well, there have been a few recent high-profile cases. In March 2007, 12 banks were named and shamed by the ICO after it was discovered that paper copies of customer information had been discarded in bins outside various branches.

How seriously are companies taking data protection then?
Well, the 2006/07 ICO annual report warned that the number of banks, retailers and public bodies admitting to serious lapses in data security is "frankly horrifying".

Any data to back all this up?
During the 12 months prior to July 2007, the ICO received around 24,000 enquiries and complaints regarding personal information. It also prosecuted 16 individuals and organisations for DPA breaches.

There was also good news in terms of public awareness around data protection rights which rose to 82 per cent.

So has the DPA changed much since 2001?
Funny you should ask. Only a few weeks ago the ICO announced it wanted to shake up the way data is shared within and between organisations.

And back in May, the information commissioner demanded the ICO be given more power to check if companies are complying with the DPA. It currently needs permission from organisations to carry out an inspection but Thomas told a Home Office Select Committee this situation should change.

There have also been calls to strengthen the legislation further - such as silicon.com's Full Disclosure campaign, which is calling on the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors (see box above for more details).

Looks like the ICO is stepping up a gear...
It certainly looks that way. Just make sure you don't leave data in the dustbin.
