The rules of good information handling - the principles
Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
| Principle | Explanation |
| 1. Fair | Personal data is to be processed fairly and lawfully and, in particular, shall not be processed unless at least one of these conditions is met. The data subject has given consent (this requires active communication). The processing is necessary with a view to a contract at the request of the data subject. The processing is for legitimate interests, balanced so as not to prejudice the data subject. |
| 2. Specific | Personal data shall be obtained for one or more specified purposes and must not be further processed in any manner incompatible with the original purpose(s). This means: giving notice to the data subject (e.g. consent clauses); notification to the Commissioner under the notification provisions. |
| 3. Adequate | Personal data shall be adequate, relevant, and not excessive in relation to the purpose(s) for which they are processed. |
| 4. Accurate | Personal data shall be accurate, and where necessary, kept up to date. |
| 5. Retention | Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose(s). |
| 6. Rights | Personal data shall be processed in accordance with the rights of the data subject(s) under this Act. |
| 7. Security | Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data AND against accidental loss or destruction of, or damage to, personal data. |
| 8. Transfer | Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) or Norway, Iceland and Liechtenstein, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. |
Processing personal data
'Processing' is broadly defined and takes place when any operation or set of operations is carried out on personal data. The Act requires that personal data be processed "fairly and lawfully". Personal data will not be considered to be processed fairly unless certain conditions are met. A data subject must be told the identity of the data controller and why that information is or is to be processed.
Processing may only be carried out where one of the following conditions has been met:
- The individual has given his or her consent to the processing;
- The processing is necessary for the performance of a contract with the individual;
- The processing is required under a legal obligation;
- The processing is necessary to protect the vital interests of the individual;
- The processing is necessary to carry out public functions;
- The processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).
Processing sensitive data
The Data Protection Act makes specific provision for sensitive personal data. Sensitive data includes racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; health; sex life; criminal proceedings or convictions.
Sensitive data can only be processed under strict conditions, which include:
- Having the explicit consent of the individual;
- Being required by law to process the data for employment purposes;
- Needing to process the information in order to protect the vital interests of the data subject or another;
- Dealing with the administration of justice or legal proceedings.
What does all this mean to you as a Gateway user?
- YOU MUST HAVE ACTIVE CONSENT before you perform a search.
- You must enter the title, a first name and date of birth (and middle initial if the applicant has one) to ensure that the correct person's information is returned.
- Once you have gained consent for a specific purpose, you must obtain further consent if you want to process the data further. Please remember that processing covers a vast range of activities to do with the data.
- Be aware of the implications of the DPA: non-compliance could result in your business losing its DPA licence and, therefore, its ability to trade.
For further information please visit:
www.dataprotection.gov.uk
The Data Protection Act applies to 'personal data', that is, data about identifiable living individuals. Wyse Assist supplies personal data, so as a user of Gateway you must be aware of your responsibilities.
Those who decide how and why personal data are processed, known as data controllers (credit reference agencies, information providers), must comply with the rules of good information handling, known as the Data Protection Principles, and the other requirements of the Data Protection Act.