data protection

DATA PROTECTION ACT SUBMITTED BY:- SHADAN NAZIR ROLL NO.- 11evvcs052 GUIDED BY :- NEELAM CHOUDHARY

Upload: ramnarayanam01462

Post on 22-Dec-2015


TRANSCRIPT


Page 2: data Protection

Data Protection Act 1998

The Data Protection Act has two aspects:

Giving people the ‘right to know’ what information organisations hold about them.

Providing a framework for organisations handling personal data.

The primary purpose of data protection legislation is to protect individuals against possible misuse of personal information about them that is held by others.

The Act is underpinned by eight straightforward, common-sense principles.

Page 3: data Protection

Why was it introduced?

The Data Protection Act grew out of public concern about personal privacy in the face of rapidly developing computer technology.

It works in two ways, giving individuals certain rights whilst requiring those who record and use personal information on computer to be open about that use.

Page 4: data Protection

The aims of Data Protection Act

Anyone who processes personal information must comply with the eight principles.

It provides individuals with important rights, including the right to find out what personal information is held about them.

Page 5: data Protection

Data Protection Principles

The eight principles require that:

1. Data must be kept secure;

2. Data stored must be relevant;

3. Data stored must be kept no longer than necessary;

4. Data stored must be kept accurate and up-to-date;

5. Data must be obtained and processed lawfully;

6. Data must be processed within the data subject rights;

7. Data must be obtained and specified for lawful purposes;

8. Data must not be transferred to countries without adequate data protection laws.

Page 6: data Protection

Personal Data

HRIS stores personal and sensitive personal data on employees and job applicants.

Personal data is any information which identifies an individual, e.g. name, photograph, applicant or employee number.

Sensitive personal data is personal data about matters such as the individual's race or ethnic origin, political opinion, religious beliefs, physical or mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of sensitive personal data, including an obligation to obtain the explicit consent of the individual.

Page 7: data Protection

Handling Personal Data

The Data Protection Act covers personal data where specific information about a named employee may be readily found within:

– Computer systems, such as HRIS.

– Manual filing systems, where data is stored under topic headings or folders where data is stored within file dividers.

– Documents which contain personal data but are not filed or referenced to a particular individual.

Particular care should be taken in handling sensitive personal data.

Other information which should be handled with care includes next of kin details, bank details or other financial information, and information collected for the purposes of staff recruitment.

Page 8: data Protection

Kept Secure

Page 9: data Protection

Fairly and lawfully processed

Data subjects must give permission for data to be sold or passed on.

Data is often sold. Companies must have your permission to do this.

Page 10: data Protection

Subject Access Requests

A Subject Access Request is where an individual asks for the data the University holds on them. Requests must be processed within 40 calendar days.

The University can be asked to disclose all information held in electronic or paper form that identifies the individual making the SAR.

E.g. emails & letters; handwritten notes; comments made in HRIS; shortlisting forms; interview notes; references.

If you receive a request for information under either the Data Protection Act or the Freedom of Information Act you must inform HRIS Support immediately and follow their instructions.

Page 11: data Protection

Subject Access Requests

Everything you write or email about an individual is potentially disclosable to them...

From: Peter Headley ([email protected])

To: Colleagues

Subject: This stupid data protection request (again!!!!)

Hi there….

The Data Protection Officer has demanded George Lambert’s personal file again……!!

Can you all have a flick through the file and remove anything you don’t want him to see, before I send it on to the DPO….

Ta. Pete

Page 12: data Protection

Subject Access Requests

Everything you write or email about an individual is potentially disclosable to them...even if it is marked confidential or draft.

From: Peter Headley ([email protected])

To: Colleagues

Subject: This stupid data protection request (again!!!!)

Hi there….

The Data Protection Officer has demanded George Lambert’s personal file again……!!

Can you all have a flick through the file and remove anything you don’t want him to see, before I send it on to the DPO….

Ta. Pete

CONFIDENTIAL

Page 13: data Protection

Risk Of Non Compliance

Breaching the Data Protection Act represents a reputational and financial risk to the University.

The Information Commissioner’s Office has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.

Ealing Council and Hounslow Council fined £70,000 and £80,000 for losing password-protected but unencrypted laptops.

Hertfordshire County Council fined £100,000 for accidentally faxing sensitive personal information to the wrong recipient.

Company A4e fined £60,000 for losing an unencrypted laptop containing sensitive personal details about salaries, criminal activity and employment status.

Page 14: data Protection

CONCLUSION

The Data Protection Act is designed to prevent inappropriate use of data about individuals.

It is overseen by the Information Commissioner.

Data users store data about data subjects. Data users must follow the eight Data Protection Principles.

There are some exemptions to the Act, such as national security.
