Data Protection Quick Survival Guide

The Data Protection Act 1998 is a United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK.

Although the Act itself does not mention privacy, it was enacted to bring UK law into line with the European Directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves. Most of the Act does not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions.

The Act defines eight data protection principles, outlined below. It also requires companies and individuals to keep personal information to themselves. Please read the essential information contained in the paragraphs below.

What does the DPA cover?

The DPA covers personal data, which is defined as information relating to a living individual who can be identified from those data, or from those data together with other information which is in the possession of, or is likely to come into the possession of, the data controller.

Personal data includes expressions of opinion and indications of the intentions of the data controller or any other person in respect of the individual. There is a subcategory of personal data known as sensitive personal data; this includes information regarding racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexual life, the commission or alleged commission of any offence, and any related proceedings.

Does it apply to Falmouth?

Yes! Falmouth is not exempt from the Act. The Information Commissioner's Office (ICO) oversees the Data Protection Act and Falmouth is registered with the ICO and must annually renew this notification. This consists of declaring the purposes for which we hold data, who we collect/process data about, what type of data we hold and to whom we disclose that data. The Data Protection Act regulates how Falmouth can process personal information through the eight principles. These must be followed.

What are the eight principles?

The Data Protection Principles outline best practice with regards to processing personal data and must be complied with. The eight principles are:

1. Personal data shall be processed fairly and lawfully

  • Have legitimate grounds for collecting and using the personal data
  • Not use the data in ways that have unjustified adverse effects on the individuals concerned
  • Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data
  • Handle people's personal data only in ways they would reasonably expect
  • Make sure you do not do anything unlawful with the data

2. Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

In practice, the second data protection principle means that you must:

  • Be clear from the outset about why you are collecting personal data and what you intend to do with it
  • Comply with what the Act says about notifying the Information Commissioner
  • Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair

3. Personal data shall be adequate, relevant and not excessive

This is the third data protection principle. In practice, it means you should ensure that:

  • You hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual
  • You do not hold more information than you need for that purpose

So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as 'data minimisation'.

4. Personal data shall be accurate and where necessary, kept up to date

This is the fourth data protection principle. Although this principle sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.

To comply with these provisions you should:

  • Take reasonable steps to ensure the accuracy of any personal data you obtain
  • Ensure that the source of any personal data is clear
  • Carefully consider any challenges to the accuracy of information
  • Consider whether it is necessary to update the information

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary

This is the fifth data protection principle. In practice, it means that you will need to:

  • Review the length of time you keep personal data
  • Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
  • Securely delete information that is no longer needed for this purpose or these purposes
  • Update, archive or securely delete information if it goes out of date

6. Personal data shall be processed in accordance with the rights of data subjects under the Act

This is the sixth data protection principle, and the rights of individuals that it refers to are:

  • A right of access to a copy of the information comprised in their personal data
  • A right to object to processing that is likely to cause or is causing damage or distress
  • A right to prevent processing for direct marketing
  • A right to object to decisions being taken by automated means
  • A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • A right to claim compensation for damages caused by a breach of the Act

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

  • Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
  • Be clear about who in your organisation is responsible for ensuring information security
  • Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
  • Be ready to respond to any breach of security swiftly and effectively

8. Personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection

This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.

The Act also sets out the situations where the eighth principle does not apply. These situations are considered in more detail on the ICO website but you can also contact the data protection officer for further information.

If you are considering sending personal data outside the EEA, there is a checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer. For further information please contact the data protection officer.

What does this mean - can I just collect and process personal data anyway?

The short answer is "no ... however"! Whenever Falmouth collects and processes personal data it must use the eight principles as a framework to ensure that the data collection is compliant. This applies to paper-based information held in files and folders in a structured filing system, and also to computer systems, whether you are considering new ones or updating existing ones. In addition, the Act requires that specific conditions be met when processing personal data; the lists below are not exhaustive but contain the conditions that are likely to be relied upon by Falmouth.

When processing personal data at least one of the following conditions must be met:

  • The individual has given consent
  • The processing is necessary for the performance of a contract
  • The processing is necessary for a legal obligation
  • The processing is necessary for the protection of the data subject's vital interests
  • The processing is necessary for the exercise of any other functions of a public nature exercised in the public interest
  • The processing is necessary for the purposes of legitimate interests pursued by the data controller

When processing sensitive personal data not only must at least one of the above apply, but there are additional conditions, at least one of which must be met:

  • The data subject has given his explicit consent
  • The processing is necessary for compliance with legal obligations in connection with employment
  • The processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given by or on behalf of the data subject, and the data controller cannot reasonably be expected to obtain consent
  • The processing is necessary to protect the vital interests of another person, in a case where consent of the data subject has been unreasonably withheld
  • The personal data has been made public as a result of steps deliberately taken by the data subject
  • The processing is necessary for the purpose of, or in connection with, any legal proceedings or for the purpose of obtaining legal advice
  • The processing is of sensitive personal data consisting of information as to racial or ethnic origin, is for the purpose of identifying or reviewing the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects

What happens if there is a breach of the Data Protection Act?

The Information Commissioner has the authority to carry out assessments of any data controller about whom complaints have been received. If a data controller is found to be breaching the DPA, enforcement notices will be issued to force compliance. Breaches can also be tried in court. The ICO also has the power to impose fines for significant breaches, up to a current limit of £500,000.

The Act provides for separate personal liability for any of the offences in the Act. If a member of staff consents to an offence committed by Falmouth, or that offence is attributable to any neglect on his/her part, that member of staff can be proceeded against and fined accordingly. Additionally, a data subject has the right to sue for compensation if he/she has suffered damage and/or distress as a result of Falmouth's breach of the data protection regulations. Offences under the Act include:

  • Processing without notification
  • Failure to notify the commissioner of changes to notification register entry
  • Failure to comply with an enforcement notice/information notice/special information notice
  • Knowingly or recklessly obtaining or disclosing personal data or the information contained in personal data without the consent of the data subject

Are there any exemptions from the Data Protection Act?

The rights and duties set out in the Data Protection Act are designed to apply generally, but there are some exemptions from the Act to accommodate special circumstances.

If an exemption applies, then (depending on the circumstances) you will be exempt from the requirement:

  • To notify the Information Commissioner; and/or
  • To grant subject access to personal data; and/or
  • To give privacy notices; and/or
  • Not to disclose personal data to third parties

Entitlement to an exemption depends in part on your purpose for processing the personal data in question: for example, there is an exemption from some of the Act's requirements about disclosure and non-disclosure that applies to processing personal data for purposes relating to criminal justice and taxation. However, you must consider each exemption on a case-by-case basis because the exemptions only permit you to depart from the Act's general requirements to the minimum extent necessary to protect the particular functions or activities the exemptions concern.

For more information please contact the Information Office or visit the ICO website.

Key definitions

If you have only a very basic understanding of the Data Protection Act you will have come across various terms and expressions relating to the Act. For example: personal data, sensitive personal data, data controller and so on. What do they mean?

Below is a link to the Data Protection Act Glossary of Terms, which should help de-mystify these definitions:

Your rights under the Data Protection Act

As an individual you have certain rights under the Act. You have a legal right to access information held about you. To find out what Falmouth holds about you, please go to the Accessing Information heading below. You can also ask Falmouth to stop sharing information about you, but we only have to do so where the sharing causes you unjustified damage or distress. As Falmouth is also subject to the Freedom of Information Act, you can make a request under that Act for the details of our information sharing, e.g. in our policies and procedures.

If you have concerns about information sharing, the first thing to do is contact the Information Office, who should be able to tell you whether information is being shared and, if so, what the information is, who it is being shared with and why. It is important that this information is accurate and up to date. If you have any concerns at all you should contact the Information Office. Please read the essential information contained in the paragraphs below.

The right to subject access

You have the right to be told by Falmouth whether it, or someone else on its behalf, is processing your personal data and, if so, to be given a description of the personal data, the purposes for which they are being processed and the likely recipients and sources of that personal data. Any request must be made in writing (this includes email). This is known as a subject access request. We can charge up to £10 for providing this.

The right to prevent processing

An individual has the right to serve a written notice on us requiring us to cease, or not to begin, processing information that is likely to cause unwarranted substantial damage or distress.

The right to prevent processing for direct marketing

You have the right to make a written request to Falmouth or any organisation holding your data not to use it for direct marketing.

Rights in relation to automatic decision making

An individual is entitled, by written notice, to ensure that no decision which significantly affects them is based solely on the processing of data by automatic means. For example: job performance measured solely by computer.

The right to compensation

If any individual suffers damage by contravention of the Act by the data controller, they can apply for compensation. This applies if we fail to take reasonable care. Damage means financial loss or physical injury. In limited circumstances it is also possible to claim compensation for distress alone.

The right to rectification, blocking, erasure and destruction

You may apply to the court for an order requiring Falmouth to rectify, block, erase or destroy data relating to you if it is inaccurate. This covers factual information and also covers expressions of opinion based on inaccurate data. Please let us know if you believe we hold information that is not correct.

The right to ask the ICO to assess whether the Act has been contravened

This gives you the right to ask the Information Commissioner to investigate and assess whether Falmouth or any organisation has breached the Act.

Accessing information under the Data Protection Act

The Data Protection Act 1998 (DPA) entitles individuals to request access to any personal data that an organisation may hold about them, which of course includes Falmouth. This is known as a Subject Access Request or SAR. The process that should be followed when requesting personal information from Falmouth is explained in our Subject Access Request procedure (which can be downloaded from the link below) and is applicable to staff and students. Under the DPA a fee can be charged for each request received, depending on the type of request. A brief description of the types of request applicable to Falmouth is given below:

  • Requesting personal information from an organisation: usually a maximum of £10.
  • Requesting personal information including your education records: a sliding scale ranging from £1 to £50, depending on the number of pages to be provided.

Contact us

For more information or specific enquiries, please contact the Information Office: