Data Protection Act – Why it’s important
We all have to give information about ourselves to others for many different reasons, from a credit card purchase to applying for a job. We also choose to put personal information online, for example on social media. But whether you are concerned about how others are using your own data or working in a career that involves handling other people’s data, it’s important for you to be aware of the legal framework.
Why do we need to protect data?
When you pay for something with a credit or debit card, you don’t expect your bank details to be made available to all and sundry. But there are other occasions when you might want data to remain private. For example, if you join a sports club, you wouldn’t want the club to give out your address without your permission.
What is the Data Protection Act?
The Data Protection Act (DPA) is a UK law designed to control how organisations, businesses and the government can use your personal data.
It covers information kept on paper and electronically, from details such as your email address and phone number to your job history and more personal information, for example about your health or beliefs. The DPA was brought into law in 1994 and updated in 1998.
What are ‘data protection principles’?
These are the principles under which your personal information is used and held. Anyone responsible for the data of others must follow these rules: for example, if you work in a shop and take a card payment, or if you collect email addresses for a club that you run.
The principles state that personal information must be used fairly and lawfully, and for limited, specifically stated purposes. Data must be accurate, kept safe and secure, and kept for no longer than is absolutely necessary. It must also be used in a way that is adequate, relevant and not excessive – for example, if data is collected for one reason, it should not be used for a different reason. Finally, it shouldn’t be transferred outside the UK without adequate protection.
What about sensitive information?
Some data is considered more sensitive than others and has an even stronger framework of legal protection. This includes:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal record
What about information given to an employer?
When you are given a job offer, an employer is permitted to ask for certain information about you. This will range from the basics, such as name, contact details and National Insurance number, to information about your qualifications and work history. During the course of your employment, they may also keep further records on you relating to pay and conditions, training, accidents in the workplace and disciplinary action.
Some of this information is confidential, and employees have a right to know what records are kept and how they are subsequently used. An employer must be aware of and follow DPA rules and has 40 days to respond to a request by an employee to see the data kept on them.
Employers are not permitted to discriminate against potential candidates for interview on certain grounds (see our blog A Guide to Equality and Diversity). However, if a previous employer told them confidential information that led to them deciding not to grant an interview to a candidate, the previous employer could be in breach of the DPA.
How do I know what data an organisation holds about me?
Under the DPA, you have the right to know what information is held about you by organisations, whether a business, the government, a hospital or a school. You can do this by writing to the organisation and they will be legally required to inform you. There are a few exceptions; examples include when the information relates to tax, national security or crime. There may be a cost but it shouldn’t usually be more than £10.
If you find out that the information held on you is incorrect, you have the legal right to ask for it to be changed.
What if my data hasn’t been kept safely?
If you think that an organisation hasn’t kept information about you securely, or has misused it in some way, you are permitted to make a complaint.
First, contact the organisation in question, but if you are not happy with their response or want further advice, you can also contact the Information Commissioner’s Office (ICO) via their helpline: 0303 123 1113.
Anyone responsible for collecting data about others should ensure that it is handled in keeping with the legislation set out in the Data Protection Act. If you have any queries about your responsibility for other people’s data, you should ask a more senior person in your workplace or organisation. Equally, if you have concerns about how you think your own data is being used, it’s worth investigating further for your own peace of mind – the law is in place to protect you.