The law - Data protection

The Data Protection Act has two aims. First, it provides a framework for handling personal information. Second, it gives individuals the right to know what information is held about them.

1 - Handling personal information - 8 data protection principles

Anyone who processes personal information must make sure it is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with the individuals’ rights
  • Secure
  • Not transferred to other countries without adequate protection


2 - Individuals’ rights under the Act

  • Right to access. Individuals have the right to know if you, or someone on your behalf, hold information about them. This extends to knowing what information is processed, why, and who it may be disclosed to. Individuals can request a copy of this information, and are entitled to know about the source of the information.
  • Right to prevent direct marketing. Individuals can request that you don’t use their information for direct marketing. You must comply within a reasonable time period (in most cases, 28 days).
  • Right to have information corrected. Personal information that is factually incorrect or misleading must be changed upon request. If you don’t, the individual can seek a court order to have the information corrected or destroyed.
  • Right to compensation. Damage claims can be made if your breach of the Act has led to damage or distress (the latter can’t usually be claimed on its own).
  • Right to prevent automated decisions. Individuals can stop important decisions about them being made solely by automated means. For example, recruitment decisions resulting exclusively from automated computer tests may be unfair and subject to prevention.

How to comply

Although the principles of Data Protection legislation are relatively straightforward, implementation of processes to ensure compliance may require some planning.

The comprehensive Business Link guide ‘Comply with the Data Protection Act’ includes:

  • Background information about the 8 DP principles.
  • Information on how to fairly and lawfully use personal information.
  • Information on access rights.
  • Guidance about monitoring employees.
  • Information about the Information Commissioner’s Office (the independent body that enforces the Data Protection Act).
  • A case study entitled ‘How I complied with the Act’.

More info - Comply with the Data Protection Act
