What is the Data Protection Act?
The Data Protection Act (DPA) is an act passed by the Parliament of the United Kingdom in 1988. The act was created to control the use of personal or customer information by government bodies or business organizations.
It protects people and lays down rules about how their data can be used.
The Data Protection Act also applies to data or information about people stored on a computer or in any organized document filing system. There are many examples of Data Protection Act breaches where organizations did not adhere to the rules and faced prosecution by the Information Commissioner’s Office (ICO).
In such cases, fines can be up to £500,000 and can also lead to imprisonment.
In May 2018, the UK Data Protection Act was replaced by the General Data Protection Regulations (GDPR), also known as the Data Protection Act 2018.
Data Protection Act Principles
To enable organizations to firm up their data protection policies to a reasonable level, the UK created eight Data Protection Act principles.
The primary aim of these principles is to clearly outline the mandatory steps required to adhere to the Data Protection Act 2018. These principles exist to protect the data of people that organizations process.
Therefore, it’s essential that everyone understands them.
1. Fair and lawful
The Data Protection Act 2018 establishes the rule that people’s data must be processed fairly, lawfully and in a transparent manner. This means that all organizations must only process data for the purpose for which they collected it and must consider the rights of the data subject.
Organizations must provide full transparency about the use of the data, and ensure that their data is used only in ways expected by people.
2. Purpose of use
One of the Data Protection Act principles is purpose limitation, which states that organizations must collect data only for legitimate, specified and explicit purposes and must not process it further in a manner that goes against those stated purposes.
Organizations should only use people’s data for the purpose they originally stated. This implies that an organization must not use the data collected to market to other companies or their customers unless the person has consented to it.
Biometric and genetic information is also considered sensitive data, and organizations may only collect such information if it is meant for a relevant purpose. CCTV operators must likewise adhere to the Data Protection Act when they collect, store and share CCTV images of people.
3. Adequate and relevant
Another important Data Protection Act principle is data minimization. This principle refers to the importance of holding only as much data about an individual as is necessary.
Data being collected must be relevant, adequate and limited to what is necessary for the original purpose for which it is collected and processed. The best practice here is to determine exactly what information an organization needs to achieve its goals, and collect no more than that.
4. Accuracy and up-to-datedness
The UK Data Protection Act requires organizations to take reasonable steps to keep all information and data up to date.
They are also required to correct it if any inaccuracy is found. Whenever a person updates the data an organization holds about them, the organization must stop contacting the person through the previously provided details.
Also, organizations should avoid simply waiting for individuals to contact them to change or update their information. Instead, they should actively ensure that they have accurate information about an individual.
5. Retention period
This principle of the Data Protection Act requires organizations to regularly review how long they hold people’s data. Holding data only for the required amount of time makes it easier to manage.
Also, data that is outdated or no longer relevant must be properly deleted or destroyed. For instance, a customer tells a store that they no longer wish to get any advertisements or marketing information and asks the store to remove their details from their database.
The store should hold enough information on the person to remove them from their marketing lists.
6. Rights of people
This principle of the Data Protection Act gives people the right to access their personal data. It also grants them the right to prevent it from being used for direct marketing, or to stop processing that is causing them distress.
The principle allows people to have any inaccurate data altered and claim compensation for damages due to data breaches. In some cases, people can request specific data to be destroyed or deleted.
Owing to this principle, people have a say in how companies holding their data use it for specified purposes.
7. Security
The UK Data Protection Act requires the setting up of proper physical security systems to store personal information safely. The goal is to ensure that no sensitive information is exposed to security risks.
Organizations are advised to provide adequate training on data protection and cybersecurity to their staff. Furthermore, their data security measures should be appropriate to the nature of their business and the information they hold about their customers.
8. Transfer of data
Lastly, the Data Protection Act 2018 requires that personal data must not be transferred outside the European Union unless the country it is being transferred to can guarantee adequate security of the data so that people’s rights are maintained.
This principle requires data controllers to inform the person about their objective behind transferring their data abroad and to ensure that the country receiving their data can adequately protect it under their own data security laws.