Tuesday, April 2, 2019
Data Protection Act 1998
Abstract

The focus of this report is to rationalise the requirements imposed by the Data Protection Act 1998. The 1998 Act applies to everyone who uses or processes personal data about individuals in a business. The DPA 1998 covers personal data from its initial collection through to its final deletion or destruction. The main term used in the IT industry is "data processing", which is extremely wide: it can be any use of data, the alteration of data, retrieval, data transmission or the destruction of data.

Introduction

The Data Protection Act 1998 is a United Kingdom Act of Parliament [1] which came into force early in 1999 and replaced the Data Protection Act 1984. The Act defines the law on the processing of data about living people. It is one of the main pieces of legislation that governs the protection of personal data. Under this Act, those who manage or use personal information have to comply with the rules and principles defined in the DPA. It also gives rights to individuals over their personal information. Some of the individual rights under the DPA include access, compensation and the prevention of processing.

The basic principle of the DPA is protecting privacy and providing a way in which each individual can control information about them. It also defines a way in which governments should carry out their marketing strategy through each communication medium. Most of the Act does not apply to domestic use, for example keeping a personal address book. However, if anyone uses personal information for any other purpose he should follow this Act. The DPA also ensures that the data controller or the computer authority will be liable for processing that goes against the DPA principles.

The History

The Data Protection Act 1984 was introduced into UK legislation to provide special protection to individuals. The Act was adopted by the European Parliament after lengthy discussion sessions. They adopted a proposal for a directive on the processing of personal information and on the transfer of such information. Certain protections were given in scenarios where personal information relating to individuals was handled, such as in large business organisations and in emerging information technology. Data given by one party to another party may only be used for the specific purpose for which it was disclosed. The data should only be kept for a limited period of time and must not be disclosed to another party without the authorisation of the data owner. The terms "processing" and "personal data" were greatly transformed in the DPA 1984. Personal data covers data in both electronic and manual form, and the term "processing" became so wide that nothing could be carried out in relation to personal data without falling under this definition.

The Data Protection Registrar was the regulatory authority who oversaw the implementation and functionality of the Act. It was later followed by the Data Protection Act 1998, which is an implementation of European Union Directive 95/46/EC. The DPA 1998 renamed the Data Protection Registrar to the Data Protection Commissioner. The function of the Data Protection Commissioner is to ensure compliance by the public by taking the necessary steps. The current Information Commissioner is Richard Thomas; he has the authority to inform Parliament directly. The other function of the Commissioner is to provide guidance and promote good practice which falls under the Act. The office also provides helpline services by phone or written request. The Commissioner also acts like a legal adviser to data controllers and has developed and issued many documents to help data controllers implement and interpret their duties. Some of the documents include:

- Code of Practice for CCTV users
- Code of Practice on Employment Practices, which includes codes on Recruitment and Selection, Records Management, Monitoring at Work and Medical Information about employees
- Code of Practice on Telecommunications Directory Information and Fair Processing

The Principles of DPA 1998

The DPA 1998 contains eight data protection principles in relation to the processing of personal data. They are:

1. Personal data should be processed fairly and lawfully.
2. Personal data should only be obtained for one or more specified and lawful purposes, and should not be further processed in any manner incompatible with those purposes.
3. Personal data should be adequate, relevant and not excessive in relation to the purposes for which they were collected or processed.
4. Personal data should be accurate and, where necessary, kept up to date.
5. Personal data should not be kept longer than is necessary for its intended purpose.
6. Personal data should be processed in accordance with the rights of the individual whom the data concerns.
7. Appropriate technical measures should be taken against unauthorised or unlawful processing or destruction of personal data, and against accidental loss or destruction of, or damage to, personal data.
8. Personal data should not be transferred outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The First Data Protection Principle

The first data protection principle says that "Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, and, in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

In the first principle, "fairly and lawfully" means that any processing of personal data must be allowed by common law. Fair processing states that all processing must be fair and without any dishonesty; the processing should be carried out without any deception. The important point of the first principle is obtaining and disclosing personal data, which covers the whole life cycle of personal data used by the data controller. The data controller should have legitimate reasons for collecting and processing the personal data and should not use the data in a way that has unjustified adverse effects on the individual concerned.

Lawful processing also requires that data subjects are provided with information, at the time the data is collected, on why and how their data are being processed. This information is provided in the Fair Processing Notice. The notice should include the basic information given below:

- The identity of the data controller who processes the personal data.
- The purposes for which the personal data are intended to be processed.
- To whom the personal data may be disclosed, for example a government department or agency.
- Any further information regarding the processing, to assure the data subject that the data controller does not do anything unlawful with the data.

Conditions to be satisfied for Fair Processing

In addition to the Fair Processing Notice, there are some more conditions that should be met. The conditions are listed in Schedule 2 of the Act. There are six conditions for processing personal data in Schedule 2; the personal data should not be processed unless one of the conditions is met.

Schedule 2 conditions:

1. The data subject has given his consent for processing.
2. It is for performing or entering into a contract with the data subject.
3. The data controller is under a legal obligation, other than under contract.
4. It is for the purpose of protecting the vital interests of the data subject.
5. It is for the administration of justice, exercising functions under an enactment, exercising government functions, or the exercise of any other functions of a public nature in the public interest.
6. It is for the pursuit of the legitimate interests of the data controller.

In the case of sensitive personal data, one of the conditions in Schedule 2 and one of the conditions in Schedule 3 must both be met for Fair Processing.

Schedule 3 conditions:

1. Explicit consent has been given by the data subject.
2. It is for the exercise of rights or obligations in connection with employment.
3. It is to protect the vital interests of the data subject or anyone else.
4. It is part of the legitimate activity of a not-for-profit organisation.
5. The personal data have already been made public by the data subject.
6. It forms part of legal proceedings, including obtaining legal advice, and exercising or defending legal rights.
7. It is for the administration of justice, or exercising functions under an enactment, or exercising government functions.
8. It is for medical purposes.
9. It is for the purpose of monitoring equality of opportunity.

The Second Data Protection Principle

The second principle, "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes", explains the requirement for specifying the purpose for which the organisation obtains the personal data. It also means that the organisation which obtains the personal data should clearly specify to the ICO why they are collecting it and what they intend to do with the personal data. The organisation should also notify the processing to the Information Commissioner.

The data controller can send privacy notices regarding the processing to make it more effective. Privacy notices are generally given at the time of collecting personal data. The data controller also needs to get prior consent before using or disclosing the personal data for a purpose other than the one for which it was originally obtained.

The Third Data Protection Principle

The third principle of the Data Protection Act states three conditions or requirements for the data controller. The data controller should not obtain any more personal data than they need for the processing, nor should they discard any personal data. The data must be adequate, relevant and not excessive. Also, the data controller is not authorised to process whatever information he likes about the individual.

The third principle also states that the data controller should identify the minimum information required on each individual to fulfil their purpose. But in certain cases he can hold additional information about certain individuals for the processing. A simple example of this is a surgeon: before performing a surgery he should know about the patient's medical condition, such as his medical history, his habits (like drinking, smoking etc.) and information from medical check-ups. If the patient has to undergo a major heart operation, the surgeon will also look at the medical history of the patient's family members, for example whether the parents have asthma, blood pressure problems, etc.

In an organisation the same process takes place in a different manner during the recruitment process. The employees are asked the same kind of in-depth questions regarding their personal information. The third principle is strongly linked to the first principle. Processing of personal data which is inadequate, irrelevant or excessive is unfair to the data subject. The first principle requires fairness in processing. Excessive information can be something that the organisation keeps for certain conditions; for example, a manufacturing factory will keep the blood group of every employee who works in a hazardous environment, and this information is needed only in case of accidents. Such information is likely to be irrelevant and excessive for the rest of the employees.

The Fourth Data Protection Principle

The Act says that "Personal data shall be accurate and, where necessary, kept up to date." Once the data controller satisfies the first and second principles of the DPA, the next main thing to consider is data quality, in which accuracy plays the main role. There are two obligations in the fourth principle that should be taken care of.

Firstly, the data should be accurate. The data controller should take the necessary steps to ensure the accuracy of the data in regard to the purpose for which it is collected and further processed. Incomplete information will be faulty if it misleads. Even if the actual data given happens to be true, it will be misleading if two data subjects appear identical. In such cases more information will be needed to keep the data accurate enough for the data controller to identify them. If the data controller makes a decision on the result of inaccurately processed data, then he will be breaking the first data protection principle, which indicates the strong link between accuracy and fairness in data processing.

Secondly, the data controller should also see that the personal data are kept up to date. This condition applies where personal data are subject to repeated use over a long period of time. In such cases the data controller has to carry out more checks on the personal data. If the data subject notifies the data controller that the data is inaccurate, then he should ensure that changes are made to the data to keep it up to date.

If a data subject suspects that the information held about him is inaccurate, he will need to see the personal data which the data controller holds. The data subject can make an access request under section 7 to obtain a copy of his personal data held by the data controller. If the court is satisfied with the data subject's claim, then the court may order the data controller to rectify, block, erase or destroy the personal data. If the processing has caused distress to the data subject then the court will order compensation.

The Fifth Data Protection Principle

The fifth principle says that "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes." The data controller should review for how long the personal data is retained. He shall also retain the data for performing purposes other than the original purpose for which it was obtained. The main element of the fifth principle is to show the reason for which the personal data is held. If the data controller fails to show a sufficient reason for holding the data, then he should get rid of the data.

If personal data is kept for a long time there is a chance that the information will go out of date and cause errors. It also becomes difficult to ensure that the information is accurate. Even if the information is no longer needed, the data controller should make sure that it is held securely. Reviewing personal data regularly and deleting data that is no longer needed is good practice. Data that must be retained should be archived or put offline.

Personal data are retained only in certain scenarios, depending upon the current and future scope of the information. The major concerns in retaining data are the cost, liability and risks of retaining the personal information.

The Sixth Data Protection Principle

The sixth DPA principle says that "Personal data shall be processed in accordance with the rights of data subjects under this Act" [9]. The sixth principle gives rights to the individual in respect of the personal data the organisation holds about them. Under this principle certain rights for the individual are mentioned. They are:

- Access to personal data.
- Preventing processing likely to cause damage or distress.
- Preventing direct marketing.
- Automated decision making.
- Correcting inaccurate personal data.
- Compensation.

Access to personal data is commonly referred to as subject access. It is created by section 7 of the DPA. This is mostly used by data subjects who want to see a copy of the personal data which the organisation holds about them. Data subjects are entitled only to their own data. By giving a written request an individual is entitled to know whether any personal data about them is being processed. The organisation should also inform him of the reasons it is being processed and whether it will be given to any other organisation.

The second right says that the data subject can demand that the organisation stop the processing if it causes damage or distress to the data subject. The individual can write an objection to the data controller stating the damage or distress they face. This is called an objection to processing. The objection should clearly specify the effect of the processing. For example, consider the scenario where a person is refused a job in a manufacturing company because the company came to know from a third party that the man is unsuitable for the job because he was one of the trade union activists. The third party holds a blacklist containing the names of people who are unsuitable to be employed in a manufacturing company. The suffering person can write to the data controller who maintains the blacklist and ask him to remove his name from the list. He can show that he is suffering damage and distress because of this processing. In this case the data controller should cease processing the person's information and respond to his request within 21 days.

Data subjects also have the right to prevent their data being processed for direct marketing. They can give an objection to processing to halt the use of their data for direct marketing. Direct marketing includes junk mail that is not addressed to a particular person but to the occupier, for example mail posted through every letter box in a street, such as leaflets, shop advertisements, etc. Direct marketing does not just refer to selling items to customers but also includes promotions and campaigns. The data subject may ask the organisation to delete these details from its database, but it is preferable to suppress the personal data. Suppressing involves retaining just enough information about the customer. It ensures that the organisation does not send marketing to people who have asked not to receive it, and it helps to retain the individual's information in the database.

Data subjects also have the right to inform the data controller not to make automated decisions using their personal data, and can ask for a decision taken by automated means to be reconsidered. The data controller should inform the data subject when such a decision is taken. These types of decision are taken without any human intervention. For example, consider a person who transfers cash from one account to another and the transfer gets declined automatically. This might have happened because the individual's information did not match the pre-defined criteria in the automated system. He may then request a manual process to do the transfer.

According to the fourth principle the data should be accurate. If the data is inaccurate, the data subject has the right to apply to the court for an order to block, rectify, erase or destroy the inaccurate information. The court may look into whether this claim is true or not. If the individual has suffered damage or distress then he will be awarded compensation.

The Seventh Data Protection Principle

The seventh DPA principle ensures the security of personal data undergoing processing. The principle says that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." This principle is often called the security principle. The data controller should take proper care of the data which he holds and not carelessly or deliberately compromise it. He also needs to design and organise the security to fit the processing, and make sure there is a person in his organisation who is responsible for information security. The data controller should adopt appropriate measures against:

- Unauthorised processing of personal data.
- Unlawful processing of personal data.
- Accidental destruction, damage or loss of personal data.

Technical security measures include the use of passwords and other authentication techniques, encryption, and anti-virus software to detect malware. The data controller should also keep up to date with developments in security technologies, and make sure that well-trained and reliable staff, together with robust physical and technical security, are used. As part of the notification process the data controller should describe to the Information Commissioner the security arrangements made in the organisation to protect the personal data.

The Eighth Data Protection Principle

The eighth DPA principle says that "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." The data controller is required to inform individuals about the disclosure of their personal data to overseas parties. Before making a data transfer to a third party, the data controller should consider whether he can achieve his aims without processing the original data, and there should be some substantive processing conducted on the personal data in the third country. The condition does not apply where it is not possible to identify individuals from the information. In such cases the data controller is free to transfer the information outside the EEA.

A transfer is said to have occurred when the personal data is sent to another country. If the data controller puts personal data on a website, this will often result in a data transfer to countries outside the EEA: the transfer occurs when someone outside the EEA accesses the website. The data controller should therefore consider the fact that a transfer occurs when putting personal data on websites, and see whether it is fair to the data subject concerned. Currently, there are no restrictions on personal data transfer to EEA countries. They are Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, and Slovenia.

The European Commission will also undertake a case-by-case assessment of the level of protection afforded by the third country. All the circumstances surrounding the data transfer are assessed. In addition, consideration must also be given to:

- The nature of the personal data.
- How long the proposed processing will last.
- The country of origin of the personal data and the destination to which it will be transferred.
- The security measures and professional rules in the destination country.

Certain countries have been considered by the European Commission as having adequate protection. They are Argentina, Canada, Guernsey, Isle of Man, Switzerland, and Jersey.

Conclusion

I hope this report has given a brief idea about the Data Protection Act 1998. This report also describes the different principles of the DPA and the way a data controller should follow for lawful and fair processing. Proper care should be taken while handling personal data; still, cyber threats are carried out by collecting the mobile numbers of individuals and pinpointing them by identifying the co-ordinates of the SIM location. So firms and organisations should ensure that they pay more attention to the DPA for the safety and privacy of people.

Abbreviations

DPA: Data Protection Act 1998
ICO: Information Commissioner's Office
EEA: European Economic Area
SIM: Subscriber Identification Module Card

References

1. Stewart Room, 2007, Data Protection Compliance in Context, published by CAPDM.
2. City of London, Data Protection Act. Available at http://www.cityoflondon.gov.uk/Corporation/LGNL_Services/Council_and_democracy/Data_protection_and_freedom_of_information/Data_protection_act.htm. Accessed on Jan 10, 2010.
3. Wikipedia, Data Protection Act 1998. Available at http://en.wikipedia.org/wiki/Data_Protection_Act_1998. Accessed on Jan 15, 2010.
4. Piers Leigh-Pollitt and James Mullock, 1999, The Data Protection Act Explained, Second Edition 2000, published by Osborne Clarke.
5. Lancaster University Data Protection Project, 2001, The Data Protection Principles. Available at http://www.dpa.lancs.ac.uk/principles.htm. Accessed on Jan 16, 2010.
6. ICO, Processing personal data for specified purposes (Principle 2). Available at http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_2_processing_personal_data_for_specified_purposes.aspx. Accessed on Jan 24, 2010.
7. ICO, Keeping personal data accurate and up to date (Principle 4). Available at http://www.ico.gov.uk/for_organisations/data_protection_guide/principles_3_to_5_information_standards/keeping_personal_information_accurate_and_up_to_date.aspx. Accessed on Jan 24, 2010.
8. ICO, Retaining personal data (Principle 5). Available at http://www.ico.gov.uk/for_organisations/data_protection_guide/principles_3_to_5_information_standards/retaining_personal_data.aspx. Accessed on Jan 24, 2010.
9. ICO, The rights of individuals (Principle 6). Available at http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_6_the_rights_of_individuals.aspx. Accessed on Jan 26, 2010.
10. ICO, Information security (Principle 7). Available at http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_7_information_security.aspx. Accessed on Jan 26, 2010.
11. ICO, Sending personal data outside the European Economic Area (Principle 8). Available at http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_8_sending_personal_data_outside_the_eea.aspx. Accessed on Jan 26, 2010.
12. Peter Carey, 2004, Data Protection Handbook, published by Law Society.