Sections:
Data Protection Act 1998 Summary Guidance
Introduction to the Data Protection Act 1998
1.1 What is the Act?
The Data Protection Act 1998 came into force on 1 March 2000 and replaces the previous 1984 Data Protection Act. However transitional arrangements mean that its full impact will not be felt until October 2001. The Act sets rules for processing personal information and applies to some paper records as well as those held on computer.
1.2 What type of data is covered?
The Act applies to "personal data", that is data about identifiable living individuals. This covers both:
automated personal data held electronically, and · manual or paper data held in structured files or easily accessible systems.
It includes both facts and opinions about the individual, and also any indication of the intentions of DFID or any other person in respect of the individual. Staff need to be mindful of the possibility of disclosure when writing anything down (on paper or in electronic form) about any individual.
1.3 How does it affect you?
The Data Protection Act works in two ways. It gives rights to individuals (known as "data subjects") about whom information is held. It also places obligations on those (known as "data controllers") who record and use "personal information" to do so in a way which follows the eight principles of good information handling.
In practice, most if not all Departments in DFID will record and use such personal data, whether it covers employees, contracted staff or individuals with whom we come into contact throughout everyday business. In principle, all such data comes within the provisions of the Act. We therefore need to be able to demonstrate that we are handling such data in accordance with the eight principles, and be aware that such data is, within the terms of the Act, accessible by the data subject.
The eight principles require that data must be:
- fairly and lawfully processed;
- processed for limited purposes and not in any manner incompatible with those purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept for longer than is necessary;
- processed in line with the data subject's rights;
- secure;
- not transferred to countries without adequate protection.
And that processing may only be carried out where one of the following conditions has been met:
- the individual has given his or her consent to the processing;
- the processing is necessary for the performance of a contract with the individual;
- the processing is required under a legal obligation;
- the processing is necessary to protect the vital interests of the individual;
- the processing is necessary to carry out public functions;
- the processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).
In addition, there are further provisions relating to the processing of sensitive data, which includes data on racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life, criminal proceedings or other convictions.
1.4 What DFID departments need to do
Overall responsibility to ensure that we fulfil our obligations as a data controller lies with Information Department. At the heart of meeting our obligations on good information handling is a proper system for managing records, and the records management procedures already in place help to ensure compliance with the Act. However, it is important that these procedures are properly followed; and the following issues also need highlighting:
- Notification, which replaced registration under the 1984 Act, is the process whereby Data Controllers are required to advise the Information Commissioner of all the purposes for which they process data, together with certain supplementary information about each purpose. DFID's Data Protection Officer o-ordinates our annual notification with the assistance of the Data Protection Liaison Officers in each department. It is, therefore, vital that you contact DFID's Data Protection Officer if you have a new purpose for holding or processing personal data so that our notification can be amended;
- All DFID contracts with processors of personal data (e.g. PPA Bath who process our payroll) need to be amended to include a suitable data protection clause. Our Legal Adviser has suggested a clause to be considered. Please contact DFID's Data Protection Officer for further information;
- You will need to inform new data subjects on whom you intend to hold or process personal information (e.g. consultants database or mailing lists): of the type of data which is held about them; from whom it was obtained; what it will be used for; and to whom it will be disclosed;
- You will need to be aware of the second principle of the Act, the requirement to process data only for purposes compatible with that for which they were collected. In other words, if you are asking for personal data for recruitment purposes you cannot use the data for any other purpose.
Wherever a Department is in doubt about its obligations, advice should be sought from Information Department. Each Department has a Data Protection Liaison Officer, who will act as a link with Information Department in ensuring compliance and dealing with requests for information.
Departments also need to be alert to any requests by data subjects for access to information (known as subject access requests). Any such requests should be referred immediately to DFID's Data Protection Officer, who will work with Departments to ensure that a reply is issued within the 40 day deadline.
1.5 What if DFID doesn't comply with the act?
The Information Commissioner, formerly known as the Data Protection Commissioner, is an independent body, which enforces the Data Protection Act (and the Freedom of Information Act). There is no internal complaints procedure under the Data Protection Act. If an applicant is dissatisfied with the Department's handling of a request they can make a complaint directly to the Information Commissioner, which could result in enforcement action being taken.
For further information please refer to the detailed guidance on the Act on
the Information Commissioner's website: 
www.dataprotection.gov.uk