Data Protection Essentials
24 August 2007
Please note : this guidance has been prepared by JISC Legal for information purposes only and is not, nor is intended to be, legal advice. This information is not intended to constitute, and receipt of it does not constitute, a contract for legal advice or the establishment of a solicitor-client relationship.
Table of Contents
- Introduction to Data Protection Law
- Key Terms in the Act
- Principles for Data Processing
- Rights of the Data Subject
- Exemptions Under the Act
- Enforcement
Introduction to Data Protection Law
(a) What is data protection law?
Data protection law assures individuals that the data about them held, processed and used by organisations is managed properly.
It places obligations on those who process personal information.
Data protection in the UK is provided for by the Data Protection Act 1998 (the 'Act').
(b) Why is data protection law relevant to further and higher education (FE and HE) institutions?
Data protection law is important to FE and HE institutions because they collect, process and use the data of individuals such as students, staff, alumni and enquirers for various purposes.
(c) What does the Act do?
- It places certain obligations upon organisations prior to, and during, their use of personal data.
- It grants individuals certain rights regarding the personal information held about them by organisations.
(d) What does the Act cover?
- The Act applies to all organisations that hold and process personal data relating to any identifiable living individual.
- It covers any data held in electronic formats (e.g. emails, word files, databases).
- It also applies to manual data if the data is structured in such a way that specific information regarding individuals is readily accessible.
- It applies to unstructured personal data held by public authorities, including FE and HE institutions, in certain circumstances.
(e) What are the types of data covered by the Act?
The Act covers 'personal data' and 'sensitive personal data'.
'Personal data' is any information about an identifiable living individual regardless of the format of information. This does not mean every document which has the data subject's name on it, but the overriding test is whether the information in question affects a person's privacy, or in other words, whether it is significant biographical information.
'Sensitive personal data' comprises information regarding an individual's race or ethnic origin, political opinion, religious beliefs, trade union membership, physical or mental health, sex life, criminal proceedings or convictions.
Key Terms in the Act
(a) What is meant by 'processing'?
'Processing' refers to anything done to the personal information by the people processing it, including the organisation, adaptation, alteration, retrieval, consultation or use, disclosure of the data by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of the information or data.
(b) Who are the key parties under the Act?
- Data controllers (e.g. an FE or HE institution): They determine the purposes for which, and the manner in which, any personal data are processed. They have the main responsibilities under the Act.
- Data subjects (e.g. students, members of staff in an FE or HE institution): The people whose data are subject to processing. They are granted rights under the Act.
- Data processors (e.g. market researchers): They process personal data on behalf of a data controller and, under the Act, the data controller is responsible for their activities.
Principles for Data Processing
(a) What are the principles with which a data controller must comply while processing personal data?
A data controller must ensure that the personal data is
- fairly and lawfully processed
- processed for limited, stated purposes
- adequate, relevant and not excessive
- accurate and up-to-date
- kept no longer than necessary
- processed in accordance with the individual's rights
- secure
- not transferred to a country outside the European Economic Area unless that country has adequate data protection itself.
(b) What is meant by 'fair and lawful processing' of data and how can it be done in FE and HE institutions?
Fair and lawful processing means that the data subject will have to be informed that their data is being collected, who will hold their data, what it will be used for and who will have access to it.
Fair and lawful processing in FE and HE institutions can be done by issuing to staff and students a data protection notice providing details regarding the purposes for which the collected data will be used.
To be considered fair and lawful processing, FE and HE institutions must also satisfy one of the following conditions:
- the individual has consented to the processing.
- the processing is necessary for the performance of a contract with the individual.
- the processing is required under a legal obligation (other than a contractual one).
- the processing is necessary to protect the vital interests of the individual.
- the processing is necessary to carry out public functions.
- the processing is necessary in order to pursue the legitimate interests of the data controller or third parties and is not unfair to the individual.
In addition, processing of sensitive personal data requires that one of the extra conditions below is satisfied.
- the data subject must have given his or her explicit consent.
- the data is required by law for employment purposes.
- the data is needed in order to protect the vital interests of the individual or other person.
- the data is needed to deal with the administration of justice or legal proceedings.
Rights of the Data Subject
What are the rights of a data subject?
A data subject has seven rights in respect of the information held about them by data controllers. They are:
- The right of subject access that allows a data subject to make a written request to the data controller concerned and to be supplied with any personal data held about them by the data controller whether in electronic or manual format.
- The right to prevent processing if it is likely to cause damage or distress to the data subject.
- The right to prevent processing for direct marketing purposes.
- The right to prevent automated decision making.
- The right to compensation if data protection is breached.
- The right to rectification and other remedies for inaccuracy.
- The right to ask the Commissioner to assess whether the Act has been contravened if the data subject feels that their data has not been processed in accordance with the Act.
Exemptions Under the Act
When can FE or HE institutions refuse to provide access to personal data?
FE or HE institutions can refuse to disclose information recorded by a data subject during an academic, professional or other examination or the examination marks of a data subject in advance of their general release.
FE or HE institutions are exempt from furnishing copies of any confidential references written about data subjects on behalf of the FE or HE institution.
Enforcement
Who is the Information Commissioner and what is the function of the Information Commissioner's Office (ICO)?
- The Information Commissioner is responsible for the administration and enforcement of the Act in the UK.
- The ICO provides guidance to organisations and individuals on ensuring effective compliance with the Act.
- All data controllers processing personal information must notify the ICO that they are doing so, unless their processing is exempt under the Act.
- The ICO can serve enforcement and information notices against data controllers who do not comply with the Act.
Mahesh Madhavan
24 August 2007
© JISC Legal