Personal Data: The Act Begins to Bite

Pages: 11-14
DOI: https://doi.org/10.1108/02635579010000156
Date: 01 January 1990
Published date: 01 January 1990
Author: Peter Tarrant
Subject Matter: Economics, Information & knowledge management, Management science & operations

The implications and obligations for any organisation holding personal data on computer files.

Any manager who is responsible for personal data being held on computer in the UK should already be aware of the Data Protection Act but some have ignored the requirements and even failed to register. The result has been that some who did not register have been fined up to £1,000 plus costs. Fines in the lower courts can go as high as £2,000 while in the upper courts there is no limit. With the fee for registration for three years currently standing at £56, failing to register is a costly oversight.

Some managers have only a hazy idea of their other obligations under the Act (although details are given in the published guidelines, see Figure 1). Here, too, ignorance could prove expensive in other ways.

The Principles

Registration is the first obligation under the Act, but in addition there is the requirement to conform to eight data protection principles, which are basically guidelines for good practice in relation to the personal data held. Broadly they state that personal data shall be:

collected and processed fairly and lawfully,
held only for lawful purposes described in the register entry,
used only for those purposes and only be disclosed to those people described in the register entry,
adequate, relevant and not excessive in relation to the purposes for which they are held,
accurate and, where necessary, kept up-to-date,
held no longer than is necessary for the registered purpose,
protected by proper security.

The Act also provides for individuals to have access to data held about themselves, and, where appropriate, to have the data corrected or deleted.

Already some organisations have run foul of these principles and the Registrar has served Enforcement Notices for a number of breaches such as failure to stop unsolicited mail when requested to do so and failure to give information in response to a subject access request.

Enforcement

There are five ways in which formal action may be taken to enforce the provisions of the Data Protection Act. The first is prosecution in the courts. This usually arises through failure to register or where a data user processes personal data outside the terms of his/her register entry.

The second is through enforcement notices, issued by the Registrar where there has been a contravention of the Data Protection Principles. These will require a data user to take whatever action is necessary to comply with the Principles. Failure to do this could then lead to de-registration. A de-registration notice is a third means of enforcement and can require the removal of part or all of a register entry, thus preventing the user from processing this data.

A fourth measure is refusal of an application to register or amend a register entry. Finally, there is the transfer prohibition notice to prevent the transfer of personal data outside the United Kingdom.

If the Registrar proposes to serve an enforcement notice or, for example, refuse an application to register, the data user can appeal to the Data Protection Tribunal. In the case of a prosecution in the lower courts, the data user can appeal to a higher court.

Tougher Line

Today the Registrar, Eric Howe, takes a tougher line with those who fail to register or renew their registration because the Act has been on the statute book long enough for data users to know what their obligations entail. Both prosecutions and enforcement notices are beginning to rise in number.
