ICT Management. > Legal Issues

Introduction to the Data Protection Act

By Paul Ticher

The Data Protection Act 1998 regulates the collection, storage, use and disclosure of information about individuals by organisations. Any organisation that keeps information about individuals must comply with the act. This article gives a brief introduction to the act and issues related to it.

N.B. this article is aimed at voluntary sector agencies - some special rules apply to Local Authorities.

The Data Protection Act 1998 finally came into force fully on 24th October 2001. The Act applies to personal data - information about identifiable living individuals that is:

• Held on computer or any other automated system
• Held in a relevant filing system (a paper system such as client records system, or a set of files on service users that is organized alphabetically by the name of the person or some other identifier such as case number)
• Intended to go onto computer or into a relevant filing system

The Data Protection Act applies mainly to the Data Controller - the person who decides why and how personal data is processed. This "person" doesn't have to be an individual and in most cases will be an organization. Individual members of staff or volunteers will merely be agents of the data controller.

The Act has eight Data Protection Principles that cover issues including the processing, accuracy, security and lawfulness of data collection as well as the rights of the Data Subject.

At the same time as the Data Protection Act came into force, another little known set of regulations also took effect, to implement the EU Telecommunications Data Protection and Privacy Directive. Much of this concerns privacy issues around telephone directories and caller line identification (where you can find out who called by dialling 1471). However, there is also a section restricting junk faxes and giving individuals the right to refuse tele-marketing.

Anyone wanting to call people at home for any kind of marketing, including charity fundraising, must check that the person has not registered to block such calls. The Regulations are enforced by the Information Commissioner (formerly the Data Protection Registrar and then the Data Protection Commissioner).

Before the Data Protection Act came into force, the Data Protection Registrar hosted a meeting where representatives of FIAC (now Advice UK), NACAB (now Citizens Advice), the National Consumer Council and similar organisations were able to raise matters of concern. One point that emerged was the balance which will sometimes have to be drawn between the interests of the Data Subject and the interests of others. For example, an advice agency which was giving housing advice might well collect information about poor landlords. If this was put on computer, the landlords would become Data Subjects, and therefore be entitled to know that their information was being processed - but of course this would cut right across client confidentiality and would be against the interests of the client, if not actually dangerous to them. There is no intention for the Data Protection Act to make people behave unreasonably, and there is provision in the Act for personal data to be withheld in certain circumstances for example if:

• in that particular case it might prejudice the prevention and detection of crime, the prosecution or apprehension of offenders or the assessment or collection of any tax or duty to provide a copy;
• the data identify other people who have not consented to the disclosure of their data and where, on balance, it appears wrong to provide it.

The Lasa Computanews Guide on Data Protection outlines the compliance issues that voluntary sector organisations need to be aware of (209 kb PDF document - requires Adobe Reader. Download free from Adobe). The legal guidance and other publications are available from the website of the Information Commissioner or by telephoning 01625 545 700.