The Data Protection Act Flashcards
What does the DPA do?
It limits the data held by individual organisations to only that which they need. It stops them holding excessive quantities of data on individuals that they don’t need.
Describe personal data.
Any data which relates to a living, identifiable individual.
Describe data. (DPA)
Anything that is held which can be said to be part of a record. This covers both manual and computer data. If you store data on people, such as their health or educational records, whether it is on paper or on a computer, it is data.
Describe processing. (DPA)
Obtaining, recording or holding the information or data. It also covers any operation performed on it.
What are some operations when processing data? (DPA)
Operations include organising, changing, retrieving it or using it in some way. This also includes disclosing it or destroying it.
What is the data subject?
The data subject is the living identifiable human being about whom the data is being held.
What is the data controller?
This is the individual in the company who is responsible for making sure that all the provisions of the DPA are being complied with.
What is the data processor?
This is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Big companies hire third party companies to process their data for them.
Describe the recipient.
These are individuals who are given the data in order to do some form of processing on it. They are usually employees of the data controller or are data processors.
What is a third party?
This is the person who receives the data for processing. A company may need to pass on its data to certain people in order to do its job, for example schools give references and information to the government.
What is an information commissioner?
This is the individual who is responsible for ensuring that the DPA is being adhered to, by giving advice, running training sessions and investigating complaints.
What is the right to subject access?
You are allowed to see what information is being held on you by a company. You need to write to the data controller and request a copy (and pay an administrative charge). The company then have to provide the information within a reasonable amount of time from receiving the request.
What is the right to prevent processing likely to cause damage or distress?
If the processing of the data is going to cause you damage or distress, you can ask the company to stop. The level of it needs to be quite high; if the company doesn’t think it is causing damage or stress, it is up to the courts to decide.
What is the right to prevent processing for the purposes of direct marketing?
Direct marketing is mail that is sent to you advertising goods and services. You can request that it is stopped.
What are the rights in relation to automated decision making?
Some decisions are taken by a computer. Credit checks are an example. Points are awarded for things such as time in work and owning your own home, and based on the number of points you get, a decision is made as to whether you get a credit card. You can request for a person to make the decision instead of a computer.
What is the right to compensation if damage and distress is suffered by the act being contravened?
If you can prove that the data controller did not follow the requirements of the act, meaning you suffered both damage and distress, you are entitled to compensation.
What is the right to rectify, block or erase incorrect data?
If the held data is wrong, you can get it changed.
Here are some possible reasons for exemption from the DPA:
National security, crime and taxation (you can’t see your records), health, education and social work (if giving the subject access will cause them harm), domestic purposes (data held on your own computer, such as a mailing list for Christmas cards).
Personal data shall be processed fairly and lawfully:
This means that there should be consent for the processing to occur.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes:
When a company wants to collect and hold personal data, it must let the information commissioner know what it is going to hold and what it is going to do with it.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed:
They can’t hold more information than necessary. It must all be relevant.
Personal data shall be accurate and, where necessary, kept up to date:
The company must endeavour to ensure that it only has accurate information on you. This may entail them sending out the information they hold for you to check. If they find any inaccurate information, they must correct it.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes:
You can’t hold data forever. Eventually it will no longer meet the purpose.
Personal data shall be processed in accordance with the rights of data subjects under this act:
The data subject has certain rights. These include access to the data, the right to correct data if it is wrong, the right to compensation if the processing has caused damage and distress and the right to prevent processing from causing damage and distress.