Data Protection Act

Notes for guidance on complying with the Data Protection Act 1998

What does this note cover?

• It covers the main points in the Data Protection Act which need to be borne in mind in our day to day work.
• What to do if something goes wrong.
• It is not a comprehensive guide to the Act but it does contain links to other sources of information.

Who needs to read it?

Anyone who processes personal data and that means almost everyone.

What is meant by processing?

The definition of processing is very wide and includes:

• obtaining, recording and holding data
• performing any operation on the data, including the erasure or destruction of the data and its disclosure to third parties

What are personal data?

The Act defines personal data as information which relates to a living individual who can be identified:

• from the data or
• from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller (see definition below)

The information may be in either electronic or manual (ie paper) form.

Electronic data

Personal data are caught by the Act if the information is being processed, or is recorded with the intention that it should be processed, ‘by means of equipment operating automatically in response to instructions given for that purpose’.

For all practical purposes this means any data held in electronic form.

Emails

The Information Commissioner has advised that email messages may be caught by the Act if they identify living individuals and are held, in automated form, in live, archive or back-up systems, or have been deleted from the live system but are still capable of recovery. They may also be caught if, despite having been deleted from the electronic system they are stored in paper form, in relevant filing systems (see next paragraph).

Manual data (data recorded on paper only)

In relation to public bodies like the Department and its executive agencies the Data Protection Act covers all recorded personal data whether this is kept in paper or electronic form. Prior to November 2005 paper data had to be kept as part of ‘a relevant filing system’ to be within the scope of the Data Protection Act. That is no longer the case.

Understanding some of the terms used in the Act

What is a data controller?

A data controller is:

• a person who alone, jointly or in common with others determines the purposes for which and the manner in which any personal data are processed
• responsible for ensuring that the provisions of the Data Protection Act are complied with

The term ‘person’ includes legal entities, so in the eyes of the law, the Department (which includes its Executive Agencies for these purposes) is the data controller, but everyone who is employed by the Department (including its agencies) and who processes personal data has a duty to discharge the data controller’s responsibilities.

Accountability for information assets rests with the relevant Information Asset Owner (IAO).  Each information asset has a designated IAO, who reports to the Senior Information Risk Owner (SIRO).

What is a data processor?

In some cases external contractors process data on our behalf.  These are known under the Act as “data processors”.  But the Department, as the Data Controller, nevertheless remains responsible for their actions.

Who is a data subject?

The data subject is the individual who the personal data is about or, put another way, the subject of the data.

The Data Protection principles

The Data Protection principles form a central part of the Act and are the ‘golden rules’ for processing personal data. They must be observed and all staff who process data must be aware of these principles.

The eight principles, together with the conditions for fair and lawful processing mentioned in the first principle, are set out in full on the Information Commissioner's Office website.

In summary, however, they require that the data must be:

• fairly and lawfully processed and, in particular, shall not be processed unless certain conditions are met (more stringent conditions apply if the data being processed are classified as ‘sensitive’)
• obtained only for one or more specified and lawful purposes
• adequate, relevant and not excessive to the purpose for which the data are required
• accurate and, where necessary, kept up-to-date
• kept no longer than necessary
• processed in accordance with the rights of the data subject (which are specified in the Act)
• kept secure against unlawful or unauthorised processing, or accidental loss or erasure
• not transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection

Some other important points to bear in mind when processing personal data

• When personal data are being obtained, every effort must be made to ensure that the following information is made available to the data subject (ie the person whose data it is):
  • the identity of the data controller (see definition of data controller above)
  • the purposes(s) for which the data are to be processed
  • the likely consequences of the processing
  • to whom the data are likely to be disclosed
  • any other information which may be appropriate in the circumstances
• Where personal data are obtained from someone other than the data subject, the foregoing information should, so far as practicable, be made available to the data subject at the earliest opportunity.
• Persons whose data you are processing must not be misled or deceived as to the purposes for which you are processing their data, or as to whom you may disclose the data.
• Data subjects have a statutory right of access to their data, so whatever you commit to paper or to the computer – including your personal opinions - may have to be retrieved and disclosed to them if a formal enquiry is made.
• Paper and electronic documents must be properly filed, on either registered paper or electronic files. Such files will be subject to disposal agreements which will help to meet the requirement of the Act that personal data must be kept for no longer than necessary.
• The Department’s rules on security must be observed.

What to do if something goes wrong?

If you discover that data has been lost or if you believe there has a breach of the data protection principles in the way data is handled, then you must immediately inform the relevant Information Asset Owner who must follow the Department’s policy on breach reporting.  The first priority must always be to close or contain the breach and then to mitigate the risks to those individuals that may be affected by it. The Agency or Departmental Data Protection Officer should be informed as soon as possible.

How should Data Protection affect the way I organise my work?

• It is even more important that documents, including emails, which contain personal data are: 
  • kept in an orderly fashion 
  • filed on registered electronic or paper files as soon as practicable if they are to be retained
  • erased or destroyed when they are no longer required
• You should not keep random collections of odd papers or old emails. If they need to be retained, they should be properly filed, as mentioned above.
• You should observe the Department’s clear desk policy.
• You should satisfy yourself that, if required, you could retrieve personal data in response to a subject access request (see next section).

What rights do individuals have under the DPA?

The one most commonly used is the right of an individual to request copies of any personal data being processed about them by the data controller.  These requests are known as “subject access requests”.  In response to a valid request, the individual is entitled to be told:

• whether personal data about them are being processed and, if so, for what purpose(s)
• to whom the data may be disclosed
• the source of the data

The individual, or data subject, is entitled to receive, in an intelligible form, all the information, including email messages where appropriate, which forms the personal data.  This may be by way of a transcript, a photocopy or a print-out. An explanation must be provided if the personal data are held in a form which means they are not immediately intelligible to the data subject. Information which identifies a third party may be withheld unless the individual concerned consents to its disclosure.

To release or not to release?

The Act specifies certain circumstances under which personal data can properly be withheld (see Exemptions below). However, it is the Department’s policy to be as open as possible in response to a subject access request. For example, personal data which are known to exist and are accessible, but which do not necessarily form part of a ‘relevant filing system’ as described in the Act should, as a matter of course, be released unless they are caught by one of the exemptions.

Other rights

In addition to subject access rights, the data subject can, in certain circumstances require the data controller to stop processing their personal data, or to order the rectification, blocking or erasure of inaccurate data and to claim compensation for damage or distress caused by a breach of the Act.

Where personal data are being processed automatically for the purpose of evaluating matters relating to the data subject, and the processing is likely to constitute the sole basis for a decision affecting the data subject, he/she is entitled to be given an explanation of the logic involved in the decision process.

What do I do if I receive a request for personal data (a ‘subject access request’)?

If you receive a request from a member of the public (or DfT colleague) asking to see their personal data refer it without delay to the Department’s Data Protection Officer (DPO) in Information Management Directorate.

How does the Data Protection Officer deal with the request?

The DPO will ensure that it is a valid enquiry. Subject access enquiries are not valid unless they:

• are made in writing by the data subject or his/her legal representative
• contain sufficient information to enable the required information to be located

Once the DPO is satisfied that the request is valid, divisions likely to be holding the personal data will be asked to interrogate their systems and to produce the necessary information. The DPO will check that the requirements of the Act have been met and then pass the information to the data subject.

The Department must answer a valid request within 40 calendar days of its receipt.

Your rights to access your own personal data held by the Department

You have the same rights under the DPA as any individual about whom the Department is processing personal data.  The below explains how to make a subject access request.  Although the DPA allows data controllers to charge a £10 fee for handling subject access requests, it is not the policy of the central Department to charge this fee.

How to make a request to see your personal data (not HR files)

To make a subject access request to see any personal data that the Department holds about you, other than on HR files, send your request to the Data Protection Officer  in the Information Rights Unit (IRU).  You will need to give enough information, as outlined below, to enable the data you are interested in to be located, and state the address you would like the reply sent to.  (You will need to provide proof of identity before copies of your personal data can be sent to your home address.)

To help us to help you, please specify the data you requir -

For example

• a date range (such as January 2007 onwards, or 12 December 2006 to end of August 2007)
• a list of staff who you think might have dealt with the data in question (such as names of line mangers, names of HR staff)
• brief details of the subject matter (such as my personal data relating to matters concerning my last year’s PMR report)

When the IRU have received this information from you they will answer your request within the 40 days statutory time limit, or if this is not possible, will explain why and say when a full response should be expected. 

How to make a request to see your HR file

It is the Department’s policy to allow members of staff to view their HR files. If you wish to view your HR file you should contact the Information Rights Unit (IRU) to make an appointment.  If you prefer, you can arrange for your union representative to see your file on your behalf, in which case we would first need your written authority.

On receiving your request, the IRU will ask HR to send your file to them, and first check that it does not contain information about other individuals (e.g. a letter outlining performance bonuses received by you and other individuals) or other information that is exempt under the Data Protection Act. The IRU will then contact you to make an appointment for the viewing, which can take place either at Southside, Victoria Street (for London based staff) or at Ashdown House, Hastings (for Hastings based staff).

If you would like copies of papers from the file, please let IRU know at the viewing and they will send them on to you.

Alternatively, if you only want a small amount of information from the file we can photocopy and send it to you, if you would find this more convenient than viewing the file yourself.

Our Notification with the Information Commissioner

Notification is the process by which a data controller informs the Information Commissioner about the processing of personal data within the controller’s organisation. Those details are used by the Commissioner to make an entry in a statutory register which is available to the public for inspection. Each data controller is allowed only one entry in the register: for the Department this will cover both the core department and the executive agencies. The entry must be renewed every year.

Notification – what steps must I take?

Existing processing activities within the Department should already be covered by the Department’s notification. The Data Protection Officer keeps the notification under review to ensure that it remains accurate and complete.

If a new activity is commenced that is likely to involve processing personal data then the Data Protection Officer should be contacted to enquire whether it is covered by the existing notification and, if not, to arrange to have it added.

Divisional Managers are responsible for ensuring that the DPO is contacted in accordance with this guidance in relation to possible new notifications or changes to existing notifications.

The DPO will also advise on the appropriate form of notification to give to those whose data you will be processing so as to meet the fairness requirements of the First Data Principle.

You can look up the Department’s notification by going to the Information Commissioner's Office website – our notification number is Z7122992.   You must not make a direct approach to the Information Commissioner about notification – all such enquiries must be made through the DPO.

What about the agencies and NDPBs?

With the exception of Notification arrangements (for which see above) Agency chief executives will administer their own arrangements for ensuring compliance with the Data Protection Act 1998, including the handling of subject access enquiries.

Divisions sponsoring non-departmental public bodies should ensure that those bodies are aware of the requirements of the Act and that they have arrangements in place to ensure compliance, including Notification to the Information Commissioner and the handling of subject access requests.

Where can I find more information about data protection?

From the Information Commissioner’s Office website or from the Department’s Data Protection Officer.

How does Data Protection differ from Freedom of Information?

The Data Protection Act 1998 relates only to personal data, ie data from which living individuals can be identified. The scope of the Freedom of Information Act 2000 is much wider and gives a general right of access to information – other than personal data – held by public authorities.

For information about the impact of FoI within the Department, contact DfT's FoI Advice Team.

Information about the Act generally, is on the Information Commissioner's Office website.  

Exemptions from the right of subject access

Personal data held for the following purposes will generally be exempt from the right of subject access and would therefore not be disclosed by the DPO in response to a subject access request.

• National security
• Crime and taxation, including
  • the prevention or detection of crime
  • the apprehension or prosecution of offenders
  • the assessment or collection of any tax or duty
• Health, education and social work (this exemption is subject to orders being made by the Home Secretary to bring such exemptions into effect)
• Regulatory activity concerning the protection of members of the public, charities or fair competition in business
• ‘Special purposes’, namely:
  • the purposes of journalism
  • artistic purposes
  • literary purposes
• Research, history and statistics
• Information made available to the public under any enactment
• Confidential references given by the data controller
• Judicial appointments and honours
• Crown employment and Crown or Ministerial appointments

As stated above, however, all subject access requests received by the central Department are dealt with by the DPO.  You should not attempt to handle one of these requests yourself or attempt to apply the above exemptions.