
Data Protection Act

Summary

  • The fundamental aim of the Data Protection Act (DPA) is to ensure that use of personal data is fair, and that no harm is caused to individuals through careless or irresponsible use of their data.
  • There are eight principles in the DPA. They are based on good practice and common sense, and following them means that you hold accurate and current information about the people who access your services.
  • If your organisation holds personal data about individuals you may need to notify the Information Commissioner on an annual basis.
  • There are various steps you can take to ensure that you comply with the DPA.

About the Data Protection Act

The Data Protection Act (DPA) 1998 is based on eight principles and gives legal rights to individuals in respect of personal information about them processed by others.

One of the main functions of the Information Commissioner and his staff is to ensure that organisations that are processing data are doing so in line with the obligations that are placed upon them by the DPA and other related legislation.

There are eight principles in place to make sure that your information is handled properly.

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept for longer than is necessary
  6. Processed in line with individual rights
  7. Secure and
  8. Not transferred to countries without adequate protection.

Notification

The Information Commissioner maintains a public register of Data Controllers. Individuals can consult the register to find out what processing of personal data is being carried out by a particular Data Controller.

Notification is the process by which a Data Controller's details are added to the register, and the cost is £35 a year. Many Data Controllers are exempt from Notification, and it is important not to be taken in by scam letters threatening legal action unless substantial fees are paid at short notice.

There is a useful guide for self assessment on the Information Commissioner's website. Notification can be done online or by post; forms are available on the Information Commissioner's website or on request by calling 01625 545 740.

Exemptions include:

  • Some not for profit organisations.
  • Processing of personal data for personal, family or household affairs (including recreational purposes).
  • Data Controllers who only process personal data for the maintenance of a public register.
  • Data Controllers who only process personal data for any or all of the following purposes for their own business:
    • Staff administration
    • Advertising, marketing and public relations
    • Accounts and records.

Data Protection Compliance

It is important to ensure that you comply with the DPA. Some of the main questions you need to be able to answer include:

  • Are we sure that our data is accurate and secure, so that no one is harmed by mistakes or by information falling into the wrong hands?
  • Is our use of personal data fair?
  • Does everyone know what sort of information we hold about them, and what we use it for?
  • Are we clear about when we need consent to use people's information?
  • Have we checked our information-collection processes to make sure that the information we hold is adequate, relevant and not excessive?
  • Do we keep information longer than necessary?
  • Do we have clear procedures if people don't want to receive marketing or fundraising material?
  • Do we get consent for putting information (including photographs) about people on our web site?
  • Are we up to speed on the Criminal Records Bureau?
  • Is our information secure against unauthorised access when sent by e-mail?

Action Points

  • Ensure that anyone you hold information about knows that you hold it, what you use it for, and who you might pass it on to. Often a short statement on your forms and leaflets, or a notice in your waiting room, is all that you will need.
  • Get consent for holding people's information wherever possible, and get explicit consent, in writing if possible, for any 'sensitive' information you want to hold, unless you have checked that you don't need consent.
  • Make sure that you offer people the chance to opt out of any direct marketing.
  • Modify your systems to record, where necessary, consent, direct marketing and opt-outs.
  • Design or modify your systems so that you can easily comply with any request by a Data Subject to see the records you hold on them.
  • Make appropriate security arrangements, both for manual and computer systems, depending on how sensitive the information is.
  • Draw up a policy (perhaps linked to your confidentiality policy) and train or brief your staff in what they are allowed to do with people's information, what they are not allowed to do, and whom they have to ask if they are unsure.
  • 'Notify' the Information Commissioner about any data processing activities which are not exempt.
  • Appoint a member of staff as Data Protection Compliance Officer, so that they know it is part of their job to find out about data protection in more detail and to keep the organisation within current law.
  • Implement a system to regularly review your database and files in order to ensure that information is current and accurate.


Further Resources

Glossary

  • Information Commissioner
    The Information Commissioner's Office is a UK independent supervisory authority reporting directly to the UK Parliament. It oversees and enforces compliance with both the Data Protection Act 1998 and the Freedom of Information Act 2000.
  • Data Controller
    The person who determines the purposes for which, and the manner in which, personal data is processed. This may be an individual or an organisation, and the processing may be carried out jointly or in common with other persons.
  • Data Subject
    This is the data subject (individual) who is the subject of the personal

Community Safety
Advisory Service
London Action Trust
88 Clapham Road
London, SW9 0JR

Tel     020 7793 3730
Fax    020 7820 3577
Email csas@lat.org.uk
Registered Office : 88 Clapham Road London, SW9 0JR
Registered in England No. 2897056 Charity No. 1039534
site last updated 22 June 2010