• Home Page
• Corporate
  • BCRM Approach
  • BCRM FAQ
  • Case Studies
  • Certifications
  • Code Of Conduct
  • Company details
  • Customer satisfaction
  • Industry Endorsements
  • The Team
  • Why us?
• Policies
  • Business Continuity
  • Conflict of Interest
  • Corporate Social Responsibility
  • Data Protection
  • Disability Discrimination
  • Environment
  • Equal Opportunities
  • Health and Safety
  • Information Security
  • Personnel Screening
  • Quality
• Services
  • Health Checks
    • Business Continuity
    • Security Vetting
    • Data Protection Act
    • Software Asset Management
    • Service Management
    • Information Security
    • PCI DSS
    • Risk Management
  • Information Assurance
    • Disaster Recovery
    • Information Security
    • Physical Security
    • Employee Vetting
    • Software Asset Management
    • Risk Management
    • Identity Management;
    • Secure Disposal
  • Compliance
    • Governance Today;
    • GRC
    • FSA Compliance
    • Data Protection Act;
    • PCI DSS;
    • Sarbanes Oxley;
    • FSAP
    • Workflow and GRC;
    • Using XBRL for GRC;
    • Inspection of Records;
    • Litigation Support
    • Employment Law
    • FSA Support
    • Money Laundering
  • Management Systems Consultancy
    • ISO 9001
    • SO 14001;
    • ISO 17025
    • OHSAS 18001
    • ISO 20000
    • BS 25999;
    • ISO 27001;
    • Do you need us?
    • Auditing
    • Polices and Procedures
  • Continuous Improvement
    • ISO 9004;
    • Total Quality Management (TQM)
    • Six Sigma;
    • Capability Maturity Models;
    • ServQual / RATER;
    • EQF
    • Balanced Scorecards;
  • Certification Services
    • Standards Implemented
    • Management System Implementation Methodology
    • Consultancy to Support Certification
    • Certification Body Audit Markings
    • Certification Pre-Audit Services
    • Remediation
    • Certification FAQ
  • Digital Forensics
    • Forensic Evidence Recovery
    • Expert Witness Services
• Records Management
• Training
• Standards
  • Management Systems
    • BS 25999
    • ISO 14000
    • ISO 17025
    • ISO 20000
    • ISO 27000
    • ISO 9000
    • OHSAS 18000
    • PAS 99
  • Other Standards
    • BS 10008
    • BS 10012
    • ISO 25777
    • BS 7858
    • BS 8470
    • BS 7858
    • BS 8549;
    • ISO 15489
    • ISO 19770
    • ISO 24762
    • ISO 38500
• Legislation
  • Basel II
  • Data Protection Act
  • Financial Sector Assessment
  • Financial Services and Markets Act (UK);
  • Health Insurance Portability and Accountability Act US);
  • Markets in Financial Instruments Directive (EU);
  • Miscellaneous relevant EU Directives;
  • Payment Card Industry Data Security Standards (worldwide);
  • Sarbanes Oxley (US);
  • Single European Payments Area (EU);
• Legal
  • Copyright
  • Legal Disclaimer
  • Privacy
  • Security
  • Links to other sites
• Site Map
• Contact Us
•  

---

?

Data Protection Act (DPA) 1998

---

The Data Protection Act (DPA) is a United Kingdom Act of Parliament which defines UK law on the processing of data on a living and identifiable people. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified in a variety of ways, with one or more pieces of available information. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.

The DPA is the primary legislation in the UK that governs the protection of personal data in the UK, even though it does not actually mention 'privacy'.

It was enacted to bring UK law into line with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, that required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In theory, it provides a way for individuals to control information about themselves.

The Data Protection Act was enacted on 1 March 2000.

The Act defines eight data protection principles.

1. personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

• at least one of the conditions in Schedule 2 is met, and
• in the case of 'sensitive personal data', at least one of the conditions in Schedule 3 is also met.

1. personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
2. personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
3. personal data shall be accurate and, where necessary, kept up to date;
4. personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
5. personal data shall be processed in accordance with the rights of data subjects under this Act;
6. appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
7. personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Most of the DPA does not apply to domestic use (e.g. keeping a personal address book). Anyone holding personal data for other purposes is legally obliged to comply with the DPA, with a number of exceptions.

The DPA creates rights for those who have their data stored, and responsibilities for those who store, process or collect personal data. The person who has their data processed has the right to:

• view the data an organisation holds on them, for a small fee, known as 'subject access fee';
• request that incorrect information be corrected;
• if the organisation ignores the request, a court can order the data to be corrected or destroyed and, in some cases, compensation can be awarded;
• require that data is not used in any way that may potentially cause damage or distress;
• require that their data is not used for direct marketing.