Data Protection Act [DPA] (1998) and General Data Protection Regulation [GDPR] (2018)

The act sets out the rules for helping others

They have to disclose what type of data they are collecting.

Exemptions

National Security

If required for the purpose of national security, the government does not have to disclose what data they are holding about individuals.

Crime

Data which is being held in order to prevent or detect a crime does not need to be disclosed.

Taxation

Any data collected for taxation purposes is exempt.

Eight Principles

Personal data should be obtained and processed fairly and lawfully

This means that you should be told about data which is being collected about you and should be asked for your permission to collect it.

You should also be made aware of the reason why the data is to be collected and for what it will be used.

Personal data can be held only for specified and lawful purposes

The data collector has to state why they want to collect and store information when they apply for permission to be able to do so.

If they use the data they have collected for other purposes, they are breaking the law.

Personal data should be adequate, relevant and not excessive for the required purpose

Organisations should only collect the data that they need and no more.

Your school needs to know your parents' phone number in case they need to contact them in an emergency. However, they do not need to know what your grandmother's name is, nor do they need to know your eye colour.

They should not ask, nor should they store such details, since this would be excessive and would not be required to help with your education.

Personal data should be accurate and kept up-to-date

Companies should do their best to make sure that they do not record the wrong facts about a data subject.

Your school probably asks your parents to check a form once a year to make sure that the phone number and address on the school system are still correct.

If a person asks for the information to be changed, the company should comply if it can be proved that the information is indeed incorrect.

Personal data should not be kept for longer than is necessary

Organisations should only keep personal data for a reasonable length of time.

Hospitals might need to keep patient records for 25 years or more; that is acceptable, since they may need that information to treat an illness later on.

However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.

Data must be processed in accordance with the rights of the data subject

People have the right to inspect the information held on them (except in certain circumstances - see Exemptions above).

If the data being held on them is incorrect, they have the right to have it changed.

Appropriate security measures must be taken against unauthorised access

This means information has to be kept safe from hackers and from employees who do not have rights to see it.

Data must also be safeguarded against accidental loss.

Personal data cannot be transferred outside the EU unless the country has similar regulation to the Data Protection Act

This means that if a company wishes to share data with an organisation in a different country, that country must have similar laws to our Data Protection Act in place.

GDPR

The right to be informed

If an organisation or web site is collecting information about you, then they need to explain what they are doing with the collected data and make it easily understood. This is often set out in their privacy policy.

Right of access

Each person has the right to see what personal information is being held by the organisation.

Right to remedy

If the personal information being held is inaccurate or incorrect, then each person has the right to insist that it is fixed.

Right to erasure

This is the right to 'be forgotten'. The main idea is that each person can insist that their personal data (including postings etc.) is deleted where there is no compelling reason for its continued retention.

Right to restrict processing

The individual has a right to 'block' further processing. For example, if the personal data was obtained for one reason, such as administration of an account, then it can be blocked from being re-sold to a third party for other uses.

Right to data portability

Each person has the right to obtain and re-use their personal data for their own purposes across different services.

For example, consumers can take advantage of apps and services to find them a better deal or help them understand their spending habits.

Right to object

Each person has the right to object to how their personal data is being processed, for example if it is being used for direct marketing or personal profiling.

Rights related to automated decision making, including profiling

There is a famous comedy sketch where an official drones to the customer 'The computer says no' without a care. This is an example of a decision being made by an algorithm based on your personal profile.

Individuals now have the right not to be subject to an automated decision; they can insist on human intervention and/or an explanation of the decision, and challenge it.
