All businesses use data of some description, and the Data Protection Act 1998 (the “DPA”) was introduced to protect the individuals whose personal data is being held. The ever-increasing use of IT and technology in the commercial world means that personal information is easily stored and readily available at the push of a button. Whilst this is much more time efficient, it also means it is much easier for such information to be passed on, be misplaced or end up in the wrong hands. So, what does the DPA protect and who is subject to the Act?
What is Personal Data?
The DPA protects personal data which identifies or is capable of identifying an individual. This data is not just names, addresses and bank details, but also less obvious forms of data such as the job title, email address, telephone number or date of birth of a data subject.
What is a Data Subject?
The DPA protects data subjects who are defined as individuals who are the subject of personal data. Your data subjects could therefore be your customers, clients, employees or contractors; anyone whose personal data you process.
What is a Data Controller and why do you need to know?
The DPA applies to and regulates the activity of data controllers. The data controller is the entity (individual, company or other organisation) which decides what personal data is processed, and the purposes for which it is processed. If you collect or process any personal information from a client or employee, then you are a data controller. You may be the only data controller, or you may be a joint data controller depending on allocation of responsibilities…
What is Processing?
Processing is a widely defined term under the DPA and covers obtaining, recording or holding personal data or carrying out any operation or set of operations on the data. Processing can, therefore, cover any activity from simply storing the data through to adapting, transferring and disclosing it.
What is a Data Processor?
A data controller may appoint a data processor to process personal data on its behalf. For instance, you, as a data controller, may outsource your data processing in relation to a particular business function to a third party, perhaps an external HR company or a call centre. It is likely, in this case, that the third party will be regarded as your data processor for the purposes of the DPA. For the purposes of DPA compliance, you must ensure that you know how the third party is operating and processing the information on your behalf, and that you monitor and control the manner of processing by entering into suitable contractual terms with your data processor.
Data Protection Principles
Under the current DPA, anyone responsible for processing personal data must comply with the 8 principles of data protection, which we recap as part of this update.
If you require any clarification or if you are unsure about your obligations under the DPA, please do not hesitate to contact our data protection team at Harrison Clark Rickerbys.