The Data Protection Act
In 1998, the United Kingdom Parliament passed the Data Protection Act to provide guidelines for using personal information. In general, the DPA establishes the rights and duties of organizations that process personal data, meaning information that could be used to identify a living individual. For example, names, addresses, telephone numbers, and email addresses all fall within the scope of the Act.
Who Needs to Comply?
As the Information Commissioner’s Office makes clear, the Act applies to an activity – processing personal information – not to specified entities or individuals. Therefore, any organization within the U.K. that collects, handles, uses, retains, discloses, or destroys this type of data must uphold the guidelines outlined by the DPA.
An important part of this legislation is the requirement to notify the Information Commissioner if personal information is going to be handled. Failure to do so is a criminal offense. Other cases of non-compliance might not be considered criminal offenses, but they could expose organizations to claims for compensation if people feel the company has acted contrary to the rights and duties established by the law.
Transparency and Openness for Personal Data
In an effort to make it clearer to individuals how and when their personal information is being used by entities, the DPA outlines eight basic principles governing data use. Personal data must be:
- Processed fairly and lawfully
- Obtained only for one or more specific, stated purposes, and processed only in ways compatible with those purposes
- Adequate, relevant, and not excessive for those purposes
- Accurate and up to date
- Kept only as long as necessary for the established purposes
- Processed according to the rights of data subjects as outlined by the DPA
- Protected by appropriate technical and organizational measures to guard against unauthorized or unlawful access as well as loss, destruction, or damage
- Kept within the European Economic Area unless the receiving country or territory can ensure an adequate level of protection
These measures are further developed by principles and conditions established in the Schedules of the Act, which dictate more specifically when certain types of data can be collected, how they should be processed, and the steps required of a data controller.
The Security Factor
In terms of information security and data management technology, the principle on technical protective measures is the most relevant. Although it doesn’t establish specific requirements for encryption, the DPA requires organizations to take into consideration the nature of the personal data they handle and the consequences that could result from a data breach.
Companies must also establish who is responsible for data security and put the right physical, technical, backup, and procedural measures in place to ensure a robust, reliable system. As the Information Commissioner’s Office emphasized, these steps must go beyond storage and transmission: they also need to address access controls, data recovery, and the permissions given to personnel in various roles.