1 / 18

Understanding the Data Protection Act 1998

Learn about the main provisions and principles of the Data Protection Act 1998 and its application to different stakeholders. Discover the importance of fair data collection, adequate processing, and rights to know and secure personal data.

mulcahy
Download Presentation

Understanding the Data Protection Act 1998

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 7 – 21st March, 2002 The Data Protection Act [1998] CT218 Professional Issues

  2. European Union Data Protection • Directive 95/46/EC of the European Parliament • Set out principles and required member states’ DP legislation to conform within 3 years • Available from European Union Information Society Website: http://europa.eu.int/comm/internal_market/en/ media/index.htm Professional Issues / Lecture

  3. The Data Protection Act The Data Protection Act [1998](repealed earlier DPA of 1984) Entered into force on 24th October 2001(End of Transitional Period) All computer professionals should know its main provisions Information on the DPA can be found on the website of the Office of the Information Commission (OIC) http://www.dataprotection.gov.uk Professional Issues / Lecture

  4. 8 Principles of Data Protection Data must be: 1 fairly and lawfully processed 2 processed for limited purposes 3 adequate, relevant and not excessive 4 accurate 5 not kept longer than necessary 6 processed in accordance with the data subject's rights 7 secure 8 not transferred to countries without adequate protection Professional Issues / Lecture

  5. Data Protection Act 1998 cont’d Computer professionals should also know • the main definitions of the act e.g. • data subject, • data controller, • personal data • sensitive personal data • the main obligations of any holder of personal data • how the act applies to different stakeholders(e.g. customers, employees) Professional Issues / Lecture

  6. FARSTARS  1st Principle of DPA  3rd Principle of DPA  6th Principle of DPA  2nd Principle of DPA  8th Principle of DPA  4th Principle of DPA  5th Principle of DPA  7th Principle of DPA • Fair • Adequate • Rights to know • Specific purpose • Transfer • Accuracy • Retention • Security Professional Issues / Lecture

  7. Fair collection Personal Data must be obtained Fairly and Lawfully • Subject has given consent and/or • Processing is necessary • For the performance of a contract to which the DS is a party • For taking steps at request of DS • To protect vital interests of DS • Special conditions apply to Sensitive Personal Data • See Conditions in Schedule 2 of the Act Professional Issues / Lecture

  8. Adequate collection • Collect enough personal data for the purpose • Don’t collect more than necessary for the purpose Professional Issues / Lecture

  9. Rights to know • Data subjects can request to see ALL the information you hold on them (system must be able to meet this obligation) • Data subjects who have given permission for the Processing or retention of Personal Data may change their mind later (system must be able to meet this obligation) Professional Issues / Lecture

  10. Specific purpose • Personal Data may only be collected for a lawful purpose(e.g. a Sale) • Personal Data must not become dissociated from that purpose and used for another purpose (e.g. Direct Marketing) without the consent of the Data Subject (Opt In or Opt Out?) Professional Issues / Lecture

  11. Transfer of personal data • Transfer of Personal Data to a country outside the EEA* is only permitted if the country in question offers adequate protection • At present only Switzerland meets this requirement • Up to date list at www.dataprotection.org.uk ----------------------- *EEA = 15 countries of the European Union + Liechtenstein, Norway, Iceland Professional Issues / Lecture

  12. Accuracy of personal data • Personal Data must be kept up to date • Accuracy is the responsibility of the Data Controller, NOT the Data Subject • Data Subjects should be contacted periodically and asked to check that the Personal Data held on them is still valid • Data subjects must have a way of correcting incorrect data Professional Issues / Lecture

  13. Retention of personal data • Personal Data may only be retained for a limited period • Retention period depends on the purpose for which the Personal Data was collected (e.g. Personal Data relating to a Sale might have to be kept for up to 7 years for Tax or VAT purposes whereas Personal Data collected for a competition only needs to be kept as long as necessary for the running of the competition) Professional Issues / Lecture

  14. Security of personal data • Duty of care towards Data Subjects • Data in the system must be kept safe + secure • Data must not be corrupted or lost (protected against viruses, hackers, theft, accidental or malicious damage, etc.) • Data must not be available to non authorised people (including in transit) • Inside the organisation • Outside the organisation See Amazon case http://www.junkbusters.com/ht/en/amazon.html#last Professional Issues / Lecture

  15. Case Study - Amazon Background documents • US case against Amazon http://www.junkbusters.com/ht/en/amazon.html#last • Request from Privacy International to the Information Commissioner to investigate Amazon.co.uk • http://www.privacyinternational.org/issues/compliance/amazon/pi-dpc-complaint-041200.html Professional Issues / Lecture

  16. Privacy International’s complaint against Amazon.co.uk Extract* from a letter of 4/12/2000 from Simon Davies, Director of Privacy International, to the Information Commissioner Quote: “On 14 September I wrote to the Managing Director of Amazon.co.uk 1) requesting access to all information relating to me that Amazon holds,2) declaring my intention to then demand that Amazon then delete that information, and 3) objecting to the transfer of the data to the US His office acknowledged receipt of the letter on 27 October, but I have to date received no further reply. “ ------------------ *The full text of the letter + the whole exchange of correspondence can be found at http://www.junkbusters.com/amazon.html#last Professional Issues / Lecture

  17. Data Protection Issues • What are the Data Protection Issues involved? • How should a company respond to a similar request (in order to comply with its obligations under the DPA) Professional Issues / Lecture

  18. Revising for Exams • Lecture Notes andother Materialdiscussed in the Lectures (as distributed and/or available on I: drive) • Text book: “Professional Issues in Software Engineering” by Frank Bott et al.(available in the Library).More specifically, concentrate on Chapters 1,2, 5, 6, 10 and 11, which deal with the material covered (or to be covered) in the Lectures. • FARSTARS and the Data Protection Act (www.dataprotection.gov.uk) • Material available on the web mentioned in the lectures (e.g. in relation to Case Studies) Professional Issues / Lecture

More Related