This document was produced for internal BERR purposes. It has been published in accordance with the BERR publication scheme drawn up under the Freedom Of Information Act 2000.
Data Protection is concerned with respecting the rights of individuals (Data Subjects) when processing their personal information. This is achieved by being open and honest with Data Subjects about the use of information about them and by following good data handling procedures. In consequence, Data Protection is a task in which everyone has a part to play. The Departmental Data Protection Act Officer (DDPAO), Data Protection Officers (DPOs), Group Information Managers (GIMs), the Departmental Records Officer (DRO) or their Agency equivalents are available to assist in this task. However, they cannot achieve anything without the active help and support of all those involved.
This policy
Graham Rowlinson
Departmental Data Protection Act Officer
1.1 This is the Policy of the Department for Business, Enterprise & Regulatory Reform in relation to the Data Protection Act 1998. It states how the requirements of the Act are to be met by identifying the procedures, duties and responsibilities to be carried out. BERR guidance booklets 'Security You Can Handle It' and 'Security You Can Manage It' issued by the Corporate and Security Policy and Compliance Unit in IWS are also relevant. Where Personal Data are processed using IT equipment, refer to the Department for Business, Enterprise & Regulatory Reform IT Security Policy documents at BERR net.
1.2 Definitions of several terms used are included at ANNEX A to this Policy.
2.1 The Data Protection Act is concerned with the rights and freedoms of living individuals (Data Subjects) and in particular their right to privacy when processing their personal information. For the purposes of the Act, the term "processing" applies to a comprehensive range of activities. It includes the initial obtaining of personal data, their keeping and use, accessing and disclosing them, through to their final destruction. It is best to assume that if you are processing information relating to living individuals then your actions are covered by the Act.
2.2 The term "personal data" is defined in the Data Protection Act, as amended by the Freedom of Information Act. "Personal data" is information about a living individual from which that individual can be identified. It may take any of the following forms:
• Computer input documents;
• Information processed by computer or other equipment (e.g. CCTV);
• Information in medical, social work, local authority housing or school pupil records;
• Information in some sorts of structured manual records;
• Unstructured personal information held in manual form by a public authority.
2.3. The last of these categories was introduced into the Data Protection Act by FOI for certain purposes of the Act only. However, in the case of this last type, which is sometimes referred to as category e) data, there are some special rules designed to reduce the administrative burden which requests for information are likely to place on authorities.
2.4. All staff have responsibilities under the Act to ensure that their activities comply with the Data Protection Principles. Line managers have responsibility for the type of personal data they collect and how they use them. Staff should not disclose personal data outside BERR’s procedures, or use personal data held on others for their own purposes.
2.5. The Department is required by the Act to notify the Information Commissioner of the use it makes of personal data. Any member of staff who knowingly or recklessly uses, discloses or transfers personal information other than as prescribed in the Department’s notification could be prosecuted, unless there is some legal justification, for example under "whistle-blowing" legislation.
3.1. The aim of this Policy is to ensure that the Department fully complies with the requirements of the Act. A list of the Data Protection Act principles is at Annex B.
4.1. Responsibility for the Department's compliance with the Act is vested in the Departmental Data Protection Act Officer (DPAO) acting in conjunction with Group Information Managers (GIMs) and individual Data Holders.
4.2. Data Protection Policy relating to personal (and personnel file) information in respect of members of staff or ex-members of staff, and responsibility for this aspect of DPA within BERR, rests with HR & CM Directorate (specifically with HR Operations). BERR’s Data Protection Policy in relation to Personnel files and substantive guidance for Line Managers, individuals and Personnel Sections etc. is available here.
5.1. The Act specifies the conditions that must apply for the processing of personal data to be legal. If none of the conditions apply, the processing of personal data is unlawful and therefore not permitted.
5.2. All the Department’s existing, planned and developing information processing systems, manual or IT based, must take account of the requirements of this Act.
5.3. All the Department's IT systems should have a System Security Policy (SSP). For those systems where personal data are processed, the SSP must detail how the system complies with the eight principles of the Act. This includes ensuring that appropriate technical and organisational measures are in place in order to maintain security and thereby to guard against any unauthorised processing of personal data and against accidental loss or destruction of, or damage to, personal data.
5.4. The use the Department makes of personal data should be covered by the Department's notification, a copy of which is held by the Information Commissioner’s Office. Where any change to an IT or manual system would affect the Department's notification of personal data or the purposes for which they are held, the DPAO must be notified of the necessary changes.
5.5. All staff must be made aware of their responsibilities under the Act and as specifically detailed in this Policy. This is to be achieved by means of written guidance and awareness activities made available on an ongoing basis.
5.6. The Act provides for exemptions from notification, from the need to comply with the subject access rights in respect of personal data held, and from the non-disclosure provisions of the Act. The circumstances where an exemption applies are strictly limited. Therefore, advice must be sought from the DPAO if an exemption is considered to apply.
When processing Personal Data, one (or more) of the following conditions must apply; otherwise the processing is unlawful under the terms of the Data Protection Act 1998 and therefore is not permitted.
1. The Data Subject has given his / her consent to the processing.
2. The processing is necessary:-
a. for the performance of a contract to which the Data Subject is a party, or
b. for the taking of steps at the request of the Data Subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the Data Controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the Data Subject.
5. The processing is necessary:-
a. for the administration of justice,
b. for the exercise of any functions conferred on any persons by or under any enactment,
c. for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
d. for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. The processing is necessary (subject to variance by the Lord Chancellor) for the purposes of legitimate interests pursued by the Data Controller or by the third party (or parties) to whom the data are disclosed, except where in particular cases that processing would prejudice the rights and freedoms or legitimate interests of the Data Subject.
One of the conditions for processing is that the data subject has given his/her consent to the processing. There is a distinction in the Data Protection Act 1998 ("DPA") between the nature of the consent required to satisfy the condition for processing and that which is required in the case of the condition for processing sensitive data. The consent must be "explicit" in the case of sensitive data. The use of the word "explicit" and the fact that the condition requires explicit consent "to the processing of the personal data" suggest that the consent of the data subject should be absolutely clear. In appropriate cases it should cover the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purposes of the processing and any specific aspects of the processing which may affect the individual, for example, disclosures which are made of the data.
Sensitive Personal Data covers information concerning a person’s:
7.1. With a few exceptions the Act does not require the notification of manual processing of personal data. However, there are a number of benefits that result from registering the purposes of all processing of personal data held in relevant (manual) filing systems. Details of all relevant filing systems in the Department will be notified to the Information Commissioner.
7.2. The Department's registration is maintained by the Data Protection Officer in IWS/IRU with the assistance of the Group Information Managers (GIMs) and DPLOs in BERR’s Executive Agencies. It is a criminal offence to undertake processing of personal data without notifying the Commissioner of this processing or of any changes that have been made to the processing. If you would like to view the current registration, click here.
8.1. The second period of transitional relief from most of the requirements of the 1998 Act (including Subject Access requirements) is still in force and covers the period from 24 October 2001 – 23 October 2007. This concerns manual data only (other than in relation to the historical research exemptions) and applies to:-
• manual data (including accessible records and credit reference agency records) which were subject to processing already under way immediately before 24 October 1998 (i.e. eligible manual data) and held immediately before that date (therefore manual data added on or after 24 October 1998 will not qualify);
• data that form part of a non-automated accessible record, but are not recorded as part of (or with the intention that they should form part of) a relevant filing system, whether or not processing was already under way immediately before 24 October 1998 and whenever held.
8.2. Recording of additional information on the data subjects (such as new fields in a database) may result in loss of transitional relief depending upon the nature of the additional information being collected and its effect on the purpose for which the data are processed. Conversion of a manual system to an IT based one will lose any transitional relief that may have existed for the manual system.
The DPAO will review the Department’s notification in light of any changes to the use the Department makes of personal data.
This Policy will be reviewed annually.
Departmental Data Protection Act Officer
Department for Business, Enterprise & Regulatory Reform
Information and Workplace Services Directorate
2nd Floor,
Kingsgate House,
London SW1E 6SW
Tel. 020 7215 6452 (GTN. 215 6452)
Fax. 020 7215 5713
ANNEX A: Definitions
Data: Information which is recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose, which is recorded in a relevant filing system, or which constitutes an accessible record.
Data Controller: A person who either alone or jointly determines the purposes for which and the manner in which any personal data are processed.
Data Processor: A person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Data Subject: An individual who is the subject of personal data.
Personal Data: Data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the Data Controller), including any expression of opinion about the individual and any indication of the intentions of the Data Controller in respect of that individual.
Notification: The process whereby a Data Controller notifies the Office of the Information Commissioner of the use it makes of personal data.
Processing: Processing of personal information or data means obtaining, recording, or holding the information or data, or carrying out any operation or set of operations on the information or data, including:- organisation, adaptation or alteration of the information or data; retrieval, consultation or use of the information or data; disclosure of the information or data by transmission or otherwise making available; or alignment, combination, blocking, erasure, or destruction of the information or data.
Relevant Filing System: Any set of information relating to individuals to the extent that the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
Reference should be made to the Act for a complete list of definitions of terms used in the Data Protection Act 1998.
ANNEX B: The Data Protection Principles
1. Personal data shall be processed fairly and lawfully (see ANNEX A for the definition of lawful processing).
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of the data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.