The Data Protection Act 1998 – A Summary
Key Points to Note
- Personal data must be obtained fairly and lawfully. The data subject should
  be informed of who the data controller is (the institution); who the data
  controller’s representative is; the purpose or purposes for which the data
  are intended to be processed; and to whom the data will be disclosed. For
  students this is done by the University during registration. Personal data
  processing may only take place if specific conditions have been met; these
  include the subject having given consent or the processing being necessary
  for the legitimate interests of the data controller. Additional conditions
  must be satisfied for the processing of sensitive personal data, that is,
  data relating to the ethnicity, political opinion, religion, trade union
  membership, health, sexuality or criminal record of the data subject.
- The new Act covers personal data in both electronic form and manual form
  (e.g. paper files, card indices) if the data are held in a relevant,
  structured filing system.
- Personal data processing must be in accordance with the purposes notified by
  the University to the Data Protection Commissioner; if any ‘new processing’
  is to take place, the Data Protection Representative must be consulted.
- Personal data must be kept accurate and up to date and shall not be kept for
  longer than is necessary.
- Appropriate security measures must be taken against unlawful or unauthorised
  processing of personal data and against accidental loss of, or damage to,
  personal data. These include both technical measures, e.g. data encryption
  and the regular backing-up of data files, and organisational measures, e.g.
  staff data protection training.
- Personal data shall not be transferred to a country outside the European
  Economic Area unless specific exemptions apply (e.g. if the data subject has
  given consent); this includes the publication of personal data on the
  internet.
Data Subject Rights
The Act gives significant rights to individuals in respect of
personal data held about them by data controllers. These include the rights:
- To make a subject access request: an individual is entitled to be supplied
  with a copy of all personal data held.
- To require the data controller to ensure that no significant decisions
  that affect them are based solely upon an automated decision-taking process.
- To prevent processing likely to cause damage or distress.
- To prevent processing for the purposes of direct marketing.
- To take action for compensation if they suffer damage by any contravention
  of the Act by the data controller.
- To take action to rectify, block, erase or destroy inaccurate data, and
- To request the Data Protection Commissioner to make an assessment as to
  whether any provision of the Act has been contravened.
Details of the eight Principles on which the Act is based may
be viewed on the project website. Further
information is also available at the Data Protection Commissioner’s website (http://www.dataprotection.gov.uk).
A list of the guidelines relating to HE-specific effects of
the 1998 Data Protection Act, to be produced by the project, is available here.
M Mukerji
March 2001