Data Protection Act
The purpose of the data protection legislation is to protect people's personal information from misuse by placing controls on organisations and people who handle personal information. The legislation is the Data Protection Act 1998 (DPA).
The DPA covers all processing of personal data which includes the collection, storage, use and disclosure of personal data. The council must comply with the DPA in respect of all the personal information that it holds about individuals.
The eight principles
The Data Protection Act states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
- fairly and lawfully processed
- processed for specified and lawful purposes
- adequate, relevant and not excessive
- accurate and up to date
- not kept for longer than is necessary
- processed in line with your rights
- not transferred to other countries without adequate protection.
The DPA contains a number of terms. The key ones are defined below.
Personal data is information about a living individual who can be identified from that data alone or from that data and any other data which the council holds or is likely to hold in the future.
Sensitive Personal Data - Personal data which contains information with regards to:
- racial or ethnic origin
- political opinions
- religious or similar beliefs
- membership to a trade union
- physical or mental health
- sexual life
- commission or alleged commission of an offence
- legal proceedings or sentencing for any offence.
Processing includes all actions in relation to personal data such as collecting, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing, storing, erasing, destroying, blocking and disseminating.
An individual who is the subject of the personal data.
The person or organisation that determines what personal data is used for and how it is processed. The council is a data controller.
A person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used.
How can the public access information held about them?
The act allows members of the public to find out what information we hold about them. This is known as the Right of Subject Access and can be exercised by submitting a Subject Access Request.
The act entitles the individual to receive:
- a description of the data
- an explanation of why the data is being held
- an explanation of who the data may be given to
- a copy of the data with any technical terms explained
- an explanation as to the source of the data
- an explanation as to how (if any) automated decisions taken about them have been made.
If you wish to make a Subject Access Request, you must:
- make your request in writing, preferably using the Subject Access Request Form. This will provide us with the necessary information to allow us to locate the information you require
- provide proof of your identify. Acceptable types of identification are detailed in the Request Form
- pay a fee of £10 (there is no charge for students, pensioners, staff, benefit claimants and those on income support). Please provide suitable evidence in support of this.
We will respond to your request within the statutory 40 calendar days, following receipt of the above items.