Home Page > Data Protection Act: Guidance on Compliance

Data Protection Act: Guidance on compliance

Notes for guidance on the implementation of the Data Protection Act (DPA)1998

What does this note cover?

• It covers the main points in the Data Protection Act which need to be borne in mind in our day to day work.
• Explains what to do if something goes wrong

It is not a comprehensive guide to the Act but it does contain links to other sources of information.

Who needs to read it?

Anyone who processes personal data and that means almost everyone.

What is meant by processing?

The definition of processing is very wide and includes:

• obtaining, recording and holding data
• performing any operation on the data, including the erasure or destruction of the data

What are personal data?

The Act defines personal data as information which relates to a living individual who can be identified:

• from the data or
• from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller

The information may be in either electronic or manual (ie paper) form.

Electronic data

Personal data are caught by the Act if the information is being processed, or is recorded with the intention that it should be processed, 'by means of equipment operating automatically in response to instructions given for that purpose'.

For all practical purposes this means any data held in electronic form.

Emails

The Information Commissioner has advised that email messages may be caught by the Act if they identify living individuals and are held, in automated form, in live, archive or back-up systems, or have been deleted from the live system but are still capable of recovery. They may also be caught if, despite having been deleted from the electronic system they are stored in paper form, in relevant filing systems (see next paragraph).

Manual data (data recorded on paper only)

In relation to public bodies like the Department and its executive agencies the DPA covers all recorded personal data whether this is kept in paper or electronic form. Prior to November 2005 paper data had to be kept as part of 'a relevant filing system' to be within the scope of the DPA. That is no longer the case..

Terminology used in the DPA

Data Controller

A data controller is:

• a person who alone, jointly or in common with others determines the purposes for which and the manner in which any personal data are processed and
• responsible for ensuring that the provisions of the Data Protection Act are complied with

The term 'person' includes legal entities, so in the eyes of the law, the Department for Transport is the data controller (for VCA), but everyone who is employed by the Department and its agencies and who processes personal data has a duty to discharge the data controller's responsibilities.

Accountability for information assets rests with the relevant information asset owner (IAO). Each information asset has a designated IAO, who reports to the senior information risk owner (SIRO).

Data processor

In some cases external contractors process data on our behalf. These are known as data processors under the Act. But the Department, as the data controller, nevertheless remains responsible for the data processors.

Data subject

The data subject is the individual who the personal data is about, ie the subject of the data.

The Data Protection principles

The Data Protection principles form a central part of the Act and are the 'golden rules' for processing personal data. They must be observed and all staff who process data must be aware of these principles.

The eight principles, together with the conditions for fair and lawful processing mentioned in the first principle, are set out in full on Information Commissioner's Office web site.

In summary, however, they require that the data must be:

• fairly and lawfully processed and, in particular, shall not be processed unless certain conditions are met (more stringent conditions apply if the data being processed are classified as 'sensitive')
• obtained only for one or more specified and lawful purposes
• adequate, relevant and not excessive to the purpose for which the data are required
• accurate and, where necessary, kept up-to-date
• kept no longer than necessary
• processed in accordance with the rights of the data subject (which are specified in the Act)
• kept secure against unlawful or unauthorised processing, or accidental loss or erasure
• not transferred to a country outside the European Economic Area (EEA) unless that country ensures an adequate level of protection

Some other important points to bear in mind when processing personal data

• When personal data are being obtained, every effort must be made to ensure that the following information is made available to the data subject:
• • the identity of the data controller (see definition of data controller above)
  • the purposes(s) for which the data are to be processed
  • the likely consequences of the processing
  • to whom the data are likely to be disclosed
  • any other information which may be appropriate in the circumstances
• Where personal data are obtained from someone other than the data subject, the foregoing information must be made available to the data subject at the earliest opportunity.
• Persons whose data you are processing must not be misled or deceived as to the purposes for which you are processing their data, or as to whom you may disclose the data.
• Data subjects have a statutory right of access to their data, so whatever you commit to paper or to the computer - including your personal opinions - may have to be retrieved and disclosed to them if a formal enquiry is made.
• Paper and electronic documents must be properly filed, on either registered paper or electronic files. Such files will be subject to disposal agreements which will help to meet the requirement of the Act that personal data must be kept for no longer than necessary.
• The Agency's rules on security must be observed.

If something goes wrong?

If you discover that data has been lost, or if you believe there has a breach of the data protection principles in the way data is handled, you must immediately inform the relevant information asset owner (IAO) who must follow the Agency policy set out in Agency guidance on reporting unclassified breaches.

The first priority must always be to close or contain the breach and then to mitigate the risks to those individuals that may be affected by it. You should inform the agency data protection officer as soon as possible.

How should Data Protection affect the way I organise my work?

• It is even more important that documents, including emails, which contain personal data are:

· kept in an orderly fashion

· filed on registered electronic or paper files as soon as practicable if they are to be retained

· erased or destroyed when they are no longer required

• You should not keep random collections of odd papers or old emails. If they need to be retained, they should be properly filed, as mentioned above.
• You should observe the Agency's clear desk policy.
• You should satisfy yourself that, if required, you could retrieve personal data for which you are responsible to answer an enquiry from a data subject.

Rights of the individual under the DPA

The most commonly used is the right of an individual to request copies of any personal data being processed about them by the data controller. These requests are known as subject access requests.

In response to a valid request, the individual is entitled to be told:

• whether personal data about them are being processed and, if so, for what purpose(s)
• to whom the data may be disclosed
• the source of the data

The individual, or data subject, is entitled to receive, in an intelligible form, all the information, including email messages where appropriate, which forms the personal data. This may be by way of a transcript, a photocopy or a print-out.

An explanation must be provided if the personal data are held in a form not immediately intelligible to the data subject.

Information which identifies a third party may be withheld unless the individual concerned consents to its disclosure.

To release or not to release?

The Act specifies certain circumstances under which personal data can properly be withheld. These are set out in Exemptions from the right of subject access to this guidance.

However, it is the Agency's policy to be as open as possible in response to a subject access enquiry. For example, personal data which are known to exist and are accessible, but which do not necessarily form part of a 'relevant filing system' as described in the Act should, as a matter of course, be released unless they are caught by one of the exemptions.

Other rights

In addition to subject access rights, the data subject can, in certain circumstances require the data controller to stop processing their personal data or to order the rectification, blocking or erasure of inaccurate data and to claim compensation for damage or distress caused by a breach of the Act.

Where personal data are being processed automatically for the purpose of evaluating matters relating to the data subject, and the processing is likely to constitute the sole basis for a decision affecting the data subject, he/she is entitled to be given an explanation of the logic involved in the decision process.

What do I do if I receive a request for personal data (a 'subject access enquiry')?

If you receive a request from a member of the public (or Agency colleague) asking to see their personal data, refer it without delay to VCA's data protection officer (DPO)

How is an enquiry handled?

The DPO will ensure that it is a valid enquiry. Subject access enquiries are not valid unless they:

• are made in writing by the data subject or his/her legal representative
• contain sufficient information to enable the required information to be located
• are accompanied by the appropriate fee (currently £10.00)

Once the DPO is satisfied that the request is valid, divisions likely to be holding the personal data will be asked to interrogate their systems and to produce the necessary information. The DPO will check that the requirements of the Act have been met and then pass the information to the data subject.

The Agency must answer a valid request within 40 calendar days of its receipt.

In certain circumstances the data subject has the right to prevent further processing or to order the rectification, blocking or erasure of inaccurate data and to claim compensation for damage or distress caused by a breach of the Act.

What information must I produce?

In response to a valid enquiry, the data subject is entitled to be told:

• whether personal data about the individual are being processed and, if so, for what purpose(s)
• to whom the data may be disclosed
• the source of the data

Where personal data are being processed automatically for the purpose of evaluating matters relating to the data subject, and the processing is likely to constitute the sole basis for a decision affecting the data subject, he/she is entitled to be given an explanation of the logic involved in the decision process.

The data subject is also entitled to receive, in an intelligible form, all the information, including email messages where appropriate*, which forms the personal data. This may be by way of a transcript, a photocopy or a print-out. An explanation must be provided if the personal data are held in a form which means they are not immediately intelligible to the data subject. Information which identifies a third party may be withheld unless the individual concerned consents to its disclosure.

(*Note: Advice about subject access to personal data contained in emails can be found on the Information Commissioner's Office web site.)

Notifying the Information Commissioner

Notification is the process by which a data controller informs the Information Commissioner about the processing of personal data within the controller's organisation.

The Commissioner uses these details to make an entry in a statutory register which is available to the public for inspection.

Each data controller is allowed only one entry in the register: for the Department (DfT), this covers both the core department and the executive agencies. The entry must be renewed every year.

Steps to take

Existing processing activities within VCA should already be covered by the Department's notification. The data protection officer (DPO) keeps the notification under review to ensure that it remains accurate and complete.

If a new activity is likely to involve processing personal data, the DPO should be contacted to enquire whether it is covered by the existing notification and, if not, to arrange to have it added.

Heads of Branches are responsible for ensuring that the DPO is contacted in accordance with this guidance in relation to possible new notifications or changes to existing notifications.

The DPO also advises on the appropriate form of notification to give to those whose data you will be processing so as to meet the fairness requirements of the First Data Principle.

You can look up the Department's notification on the Information Commissioner's Office web site - our notification number is Z7122992. You must not make a direct approach to the Information Commissioner about notification: all such enquiries must be made through the DPO.

As an employee of the Agency, what rights do I have under the Data Protection Act?

Subject to certain exemptions you are entitled to see personal data held by the Agency about you, such as your personnel records. No fee is charged for applications made under the Act by the Agency's employees or former employees for access to personal data about themselves as employees.

If you want to make an appointment to see your Personnel files or to make an application for access to your personal data in other records please contact the Agency DPO.

Where can I find more information about data protection?

From the Information Commissioner's Office web site or from the Agency's Data Protection Officer.

How does Data Protection differ from Freedom of Information?

The Data Protection Act 1998 relates only to personal data, ie data from which living individuals can be identified. The scope of the Freedom of Information Act 2000 is much wider and gives a general right of access to information - other than personal data - held by public authorities.

Information about the impact of FoI contact the Agency's FoI Officer.

Information about the Act generally, is on the Information Commissioner's Office web site.

More guidance about the implementation of the Freedom of Information Act will be issued in due course.

Exemptions from the right of subject access

Personal data held for the following purposes will generally be exempt from the right of subject access and should not therefore be disclosed in response to an enquiry from a data subject.

• National security
• Crime and taxation, including
• • the prevention or detection of crime
  • the apprehension or prosecution of offenders
  • the assessment or collection of any tax or duty
• Health, education and social work (this exemption is subject to orders being made by the Home Secretary to bring such exemptions into effect)
• Regulatory activity concerning the protection of members of the public, charities or fair competition in business
• 'Special purposes', namely:-
• • the purposes of journalism;
  • artistic purposes;
  • literary purposes
• Research, history and statistics
• Information made available to the public under any enactment
• Confidential references given by the data controller
• Judicial appointments and honours
• Crown employment and Crown or Ministerial appointments

If, in response to a subject access enquiry, you are asked to disclose personal data which you think may be covered by one of these exemptions, you should seek advice from the Agency's Data Protection Officer.