The data protection act explained
Posted on 10 Feb 2011 at 14:37
Rik Ferguson, the senior security advisor at Trend Micro, knows a thing or two about the Data Protection Act, so we asked for a plain English explanation:
“The Data Protection Act is designed to protect people (oddly called data subjects rather than data owners) from having their data collected, processed or transmitted without their informed consent. It places an obligation on the data controller (whoever is doing the data collection) to ensure that data isn’t collected without a purpose, that it isn’t shared without permission, that it’s protected in storage. and that it isn’t retained for longer than is necessary. The DPA gives every data subject the right to see what data is held about them in electronic format, and in some cases on paper.
“Normally a maximum fee of £10 is permissible under law, but if the request is to a credit reference agency the fee is £2. The fee may exceed £10, particularly with reference to health or educational data. Any obstacles that may be put in the way beyond these fees are illegal and could be reported to the Information Commissioner.”
In order to request disclosure of the data held about you, a formal request is required – something along the following lines:
“This is a subject access request for disclosure of information under section 7 of the Data Protection Act 1998. Please send me the information which I am entitled to under section 7(1).
"In accordance with that section, please provide a statement confirming whether any personal data is being processed; describing the personal data processed; specifying the purposes for which data is processed for each category of data, and the recipients of any data disclosed; detailing any transfers of data outside the UK in whatever form or by whatever means.
"As required by the Data Protection Act 1998 section 8(2), please provide an explanation of the purpose, meaning, and context of the information. This includes geographical information for any location data that is retained.”
The DPA applies specifically to “data controllers” within the UK. That said, the DPA is actually an implementation, which is why, as such, all countries of the EU have broadly similar legislation.
This means your data is protected pretty much across Europe in a similar fashion.
Outside of Europe protective legislation varies wildly, so if you choose to surrender your details to a non-European-based organisation, you should be aware that you may have little or no protection in law.
Head back to the Reclaim your data main page here.
Author: Davey Winder
This is misleading in a couple of respects.
The DPA is not
"designed to protect people from having their data collected, processed or transmitted without their informed consent". That is a common misconception. Consent is one of the conditions for processing personal data; however, data controllers can rely instead on the processing being necessary for their legitimate interests and not unduly prejudicial to the data subject. Consent is required under the DPA only if the data is sensitive personal data (although again there are alternative, albeit more restrictive, conditions).
Secondly, I doubt many people involved in data protection in practice would agree that all EU countries have broadly similar data protection legislation. The national laws of all EU member states stem from the same Directive, but the ways in which member states have chosen to implement and enforce the Directive vary very significantly. The UK is at the more relaxed end of the scale; countries such as Austria and Slovakia have much more onerous regimes.
By Joel_H on 11 Feb 2011
For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on email@example.com
- Google I/O live stream and blog: how to watch 2014 Google I/O keynote speech live
- Google testing its own domain registration service
- Adobe announces first hardware: Adobe Ink and Slide
- Vote now in the PC Pro Excellence Awards 2014!
- What’s new in OS X 10.10? Apple Yosemite’s new features
- Samsung Z Tizen phone helps loosen ties with Android
- Microsoft rumoured to launch smartwatch this summer
- LG G3 launched: LG takes the wraps off smartphone that offers “more with less effort”
- LG G3 launch live video stream and blog: as it happened
- Apple fixes iMessage lock-in for Android switchers
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Windows Easy Transfer – not so "easy" in Windows 8.1
- Formula 1: what a difference virtualisation makes
- Office of the future: comfy chairs and tablets everywhere
- I went to Glastonbury and the only thing that got high was my smartphone
- Meet the robots helping teach children
- PaperLater: would you pay to print the internet?
- Amazon vs Kobo: how much to make the ebook switch?
- Phishing emails: how I nearly got caught out
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to write your company's IT security policy
- Raspberry Pi and Wolfram: a must-have for every child