
An Introduction to Data Protection

Welcome to your EduCare module on data protection. This module gives an introduction to the Data Protection Act 1998 and who it applies to, as well as a guide to its overarching principles and what organisations must do to comply with it. When the Act was made law, many myths abounded about what organisations could or could not do for fear of infringing it and incurring sizeable penalties. When you have completed this module, we hope that you will see that most of it is common sense and that, typically, most organisations will already have systems in place that comply.

Why was the Act introduced?

The Act was introduced in response to organisations' increasing use of computers in the second half of the twentieth century. Prior to this, most records were typed on an old-fashioned typewriter or handwritten and stored in a paper filing system, which made access to them much more difficult. Computers allowed organisations of all descriptions to easily access, search and edit files on electronic databases. As technology developed, computers were then networked, so potentially everyone in an organisation could access database information, some of it potentially very sensitive. As the number of organisations using computers to store and process personal information grew, people became more aware that information could be misused or fall into the wrong hands.

The Data Protection Act 1998 updated previous data protection law. It was introduced to control the way information is handled and it also gave legal rights to people who have information stored about them. Similar legislation has been passed to protect people in other European countries too, because computers, combined with the internet, know no geographic boundaries.

The purpose of the Act

The primary purpose of the Act is to promote high standards in the handling of personal information and therefore protect an individual's right to privacy. The Act is enforced by the Information Commissioner, whose role is to:

- Promote the Act
- Give advice and guidance
- Keep a register of organisations that are required to notify them about their information processing activities (details of the types of organisations who must notify can be found at www.ico.gov.uk)
- Help to resolve disputes involving the processing of personal data.

The Information Commissioner also enforces compliance and can prosecute those who commit criminal offences under the Act. For example, if an organisation fails to notify or renew a notification, they can be fined up to £5,000, and if their information processing is not in line with the principles of the Act, they can also be fined £5,000. However, if the Information Commissioner deems that the Act has been seriously breached, they can serve notices requiring organisations to pay up to £500,000.

Who is covered by the Act?

All of us - the Act covers any information that relates to living people and is held on computer and, in some cases, on paper. This could be an individual's name, address, telephone or mobile number, date of birth and so on. It also covers any opinions about the individual or any other information from which they could be identified.

The main eight requirements of the Act

There are eight data protection principles that together constitute what the Information Commissioner (IC) regards as good information handling. These are that all personal information about individuals should be:

1. Fairly and lawfully processed (the IC describes processing as obtaining, disclosing, recording, holding, using, erasing or destroying personal information. They also state that "the definition is very wide and will cover virtually any action which is carried out on a computer")
2. Processed for a specified purpose (this means that information can only be used for those purposes the organisation has registered with the IC. It cannot be given away or sold unless an individual has given permission)
3. Adequate, relevant and not excessive (when compared with the purpose stated in the register; for example, you must not collect more data than you need to fulfil the task stated in the IC's register)
4. Accurate and, where necessary, kept up-to-date (for example, updating people's names when they marry or their addresses when they move house)
5. Not kept for longer than is necessary (information can only be held for specified periods, not indefinitely)
6. Processed in line with the rights of the individual (people have a right to know what information is held about them by organisations and they can ask to see it. Individuals also have a right to prevent organisations from using their personal details for marketing purposes)
7. Kept secure (meaning backed up and protected from unauthorised access)
8. Not transferred to countries outside the European Economic Area unless the information is adequately protected.

Extra rules for organisations that hold sensitive information

Everyone must follow the previous eight requirements of the Data Protection Act, but many organisations also hold sensitive information about individuals, for example, details of their healthcare, criminal records or sexual life. There are stricter rules for these organisations, which concern any information held about an individual's:

- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health condition
- Sexual life
- Offences or alleged offences committed
- Proceedings relating to those offences or alleged offences.

Can I process personal information?

Organisations who wish to process an individual's personal information should consider whether the act of processing it is fair and lawful. This means that they should have a legitimate purpose for processing it. They should also fulfil at least one of six standard conditions, as follows:

1. The individual who the personal data is about has consented to the processing
2. The processing is necessary:
   - In relation to a contract which the individual has entered into; or
   - Because the individual has asked for something to be done so they can enter into a contract
3. The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract)
4. The processing is necessary to protect the individual's vital interests. This condition only applies in cases of life and death, such as where a person's medical history is disclosed to a hospital A&E department treating them after a serious road accident
5. The processing is necessary for administering justice, or for exercising statutory, governmental or other public functions
6. The processing is in accordance with the legitimate interests condition. The IC cites the following example of legitimate interests:

A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer's personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company's legitimate interests, i.e. to recover the debt.

Extra conditions for sensitive information

Organisations can only process sensitive personal information if they meet one of the six standard conditions previously mentioned, plus at least one of a much narrower set of six conditions. These are intended to provide further protection to those who have sensitive information stored about them, and they can be found on the Information Commissioner's website at www.ico.gov.uk

Information requests

When someone asks to see personal information an organisation holds about them, it is called a Subject Access Request.

The rules are that:

- People have a right to make a request in writing for a copy of the information you hold about them. They are also entitled to be given a description of the information, what you use it for, who you might pass it on to and any information you have about the source of the information
- People also have a right to ask that information about them is updated or corrected if it is inaccurate
- They can prevent the use of their data for sales and marketing purposes
- They have a right to ask that automated decisions are not made about them, for example where a computer might add up the scores to determine whether someone should have their application for credit passed
- People also have a right to make a complaint to the Information Commissioner, who can investigate an organisation's records and make a ruling under the Data Protection Act.
- Organisations cannot respond to a third party's request for someone else's personal information without the consent of the person in question (unless it is reasonable in all the circumstances and the organisation's duty to uphold the person's confidentiality has been fully considered).

Charges

In order to fulfil a Subject Access Request, organisations can charge a fee. However, it is set at a minimum of £10 (unless medical or education records are involved; more detail about this can be found on the IC website). The information must be provided within 40 calendar days from when the fee and all necessary information needed to locate the record is received.

Some organisations have a complete or partial exemption from having to disclose information, and these include those organisations concerned with national security, law enforcement, examinations etc. A full list can be found at www.ico.gov.uk

Best practice

Complying with the Data Protection Act is a matter of best practice that can have unexpected benefits. For example, customers and clients will feel assured that you are protecting their personal information from getting into the wrong hands; it can actually save money by ensuring that records are up-to-date so that postage and stationery are not wasted; and it can also protect you against complaints and claims for damages.

In Summary

In this module, we have covered the principles of the Data Protection Act 1998 and what you need to consider when holding and processing personal information. As technology gets ever more sophisticated and widespread, this Act protects our rights as individuals. Should you have any queries about any aspect of the Act, the Information Commissioner has a very informative website at www.ico.gov.uk and they run a helpline on 0303 123 1113, which is open from 9am to 5pm, Monday to Friday.

We hope that you have found this taster module informative and that you can apply what you have learned to your own circumstances. EduCare offers an extensive range of other subjects in its Business Skills series, as well as other longer programmes that may be of interest to you. Please visit www.educare.co.uk to view the full range of programmes.

No part of this material may be reproduced or utilised in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage and retrieval system without permission in writing by de Brus Marketing Services Ltd (trading as EduCare).

de Brus Marketing Services Ltd (trading as EduCare)
DTP10M01 02/11
