Lancaster University Data Protection
Project 2000-01

 

 

Home
About the Project
Summary of the Act
DP  Principles
Project Guidelines
Conferences
Search
Contacts
Project Closure

The Data Protection Act 1998 – A Summary

 

Key Points to Note

bulletPersonal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration. Personal data processing may only take place if specific conditions have been met- these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that relating to ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject
bulletThe new Act covers personal data in both electronic form and manual form (e.g. paper files, card indices) if the data are held in a relevant, structured filing system
bulletPersonal data processing must be in accordance with the purposes notified by the University to the data protection commissioner- if any ‘new processing’ is to take place the Data Protection Representative, must be consulted
bulletPersonal data must be kept accurate and up to date and shall not be kept for longer than is necessary
bulletAppropriate security measures must be taken against unlawful or unauthorised processing of personal data and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files and organisational measures, e.g. staff data protection training
bulletPersonal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent) this includes the publication of personal data on the internet

 

Data Subject Rights

The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:

bullet

To make a subject access request- an individual is entitled to be supplied with a copy of all personal data held.

bullet

To require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process

bullet

To prevent processing likely to cause damage or distress

bullet

To prevent processing for the purposes of direct marketing

bullet

To take action for compensation if they suffer damage by any contravention of the Act by the data controller

bullet

To take action to rectify, block, erase or destroy inaccurate data, and

bullet

To request the Data Protection Commissioner to make an assessment as to whether any provision of the Act has been contravened

 

Details of the eight Principles on which the Act is based may be viewed on the project website. Further information is also available at the Data Protection Commissioner’s website (http://www.dataprotection.gov.uk).

A list of the guidelines relating to HE-specific effects of the 1998 Data Protection Act, to be produced by the project, is available here.

 

 

M Mukerji

March  2001

 

 

 

'The material contained on this site is intended as a guide to Higher Education Institutions (HEIs) in the UK in complying with the Data Protection Act 1998. As such, it may be reproduced or adapted for use by HEIs. It is not intended and should not be treated as legal advice. The University of Lancaster can accept no liability in negligence or otherwise to those who rely directly or indirectly on any statements contained on this site.'
Webmaster:  Malcolm Baldwin
Revised: 05 Nov 2003 10:42 .