Data Protection Quick Survival Guide

The Data Protection Act 1998 is a United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. From 25 May 2018 the Data Protection Act will be replaced by the General Data Protection Regulation.

Although the Act itself does not mention privacy, it was enacted to bring UK law into line with the European Directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves. Most of the Act does not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions.

What does the DPA cover?

The DPA covers personal data, which is defined as information relating to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

Personal data includes expressions of opinion and indications of the intentions of the data controller or any other person in respect of the individual. There is a subset of personal data known as sensitive personal data; this includes information regarding racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexual life, the commission or alleged commission of any offence, and any related proceedings.

Does it apply to Falmouth?

Yes! Falmouth is not exempt from the Act. The Information Commissioner's Office (ICO) oversees the Data Protection Act and Falmouth is registered with the ICO and must annually renew this notification. This consists of declaring the purposes for which we hold data, who we collect/process data about, what type of data we hold and to whom we disclose that data. The Data Protection Act regulates how Falmouth can process personal information through the eight principles. These must be followed.

The Act also sets out the situations where the eighth principle (which governs transfers of personal data outside the EEA) does not apply. These situations are considered in more detail on the ICO website, but you can also contact the data protection officer for further information.

If you are considering sending personal data outside the EEA, there is a checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer. For further information please contact the data protection officer.

What does this mean - can I just collect and process personal data anyway?

The short answer is "no ... however"! Whenever Falmouth collects and processes personal data it must use the eight principles as a framework to ensure that the data collection is compliant. This applies to paper-based information held in files and folders in a structured filing system, and also to computer systems, whether you are considering new ones or updating existing ones. In addition, the Act requires that specific conditions be met when processing personal data; the lists below are not exhaustive, but they contain the conditions that Falmouth is likely to rely upon.

When processing personal data at least one of the following conditions must be met:

  • The individual has given consent
  • The processing is necessary for the performance of a contract
  • The processing is necessary for a legal obligation
  • The processing is necessary for the protection of the data subject's vital interests
  • The processing is necessary for the exercise of any other functions of a public nature exercised in the public interest
  • The processing is necessary for the purposes of legitimate interests pursued by the data controller

When processing sensitive personal data not only must at least one of the above apply, but there are additional conditions, at least one of which must be met:

  • The data subject has given his explicit consent
  • The processing is necessary for compliance with legal obligations in connection with employment
  • The processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given by or on behalf of the data subject, and the data controller cannot reasonably be expected to obtain consent
  • The processing is necessary to protect the vital interests of another person, in a case where consent of the data subject has been unreasonably withheld
  • The personal data has been made public as a result of steps deliberately taken by the data subject
  • The processing is necessary for the purpose of, or in connection with, any legal proceedings or for the purpose of obtaining legal advice
  • The processing is of sensitive personal data consisting of information as to racial or ethnic origin, is for the purpose of identifying or reviewing the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects

What happens if there is a breach of the Data Protection Act?

The Information Commissioner has the authority to carry out assessments of any data controller about whom complaints have been received. If the controller is found to be in breach of the DPA, enforcement notices will be issued to force compliance. Breaches can also be tried in court. The ICO also has the power to impose fines for significant breaches, up to a current limit of £500,000.

The Act provides for separate personal liability for any of the offences in the Act. If a member of staff consents to an offence committed by Falmouth, or that offence is attributable to any neglect on his/her part, that member of staff can be proceeded against and fined accordingly. Additionally, a data subject has the right to sue for compensation if he/she has suffered damage and/or distress as a result of Falmouth's breach of the data protection regulations. Offences under the Act include:

  • Processing without notification
  • Failure to notify the Commissioner of changes to the notification register entry
  • Failure to comply with an enforcement notice/information notice/special information notice
  • Knowingly or recklessly obtaining or disclosing personal data or the information contained in personal data without the consent of the data subject

Are there any exemptions from the Data Protection Act?

The rights and duties set out in the Data Protection Act are designed to apply generally, but there are some exemptions from the Act to accommodate special circumstances.

If an exemption applies, then (depending on the circumstances) you will be exempt from the requirement:

  • To notify the Information Commissioner; and/or
  • To grant subject access to personal data; and/or
  • To give privacy notices; and/or
  • Not to disclose personal data to third parties

Entitlement to an exemption depends in part on your purpose for processing the personal data in question: for example, there is an exemption from some of the Act's requirements about disclosure and non-disclosure that applies to processing personal data for purposes relating to criminal justice and taxation. However, you must consider each exemption on a case-by-case basis because the exemptions only permit you to depart from the Act's general requirements to the minimum extent necessary to protect the particular functions or activities the exemptions concern.

For more information please contact the Information Office or visit the ICO website.

Key definitions

Even with only a very basic understanding of the Data Protection Act, you will have come across various terms and expressions relating to the Act, for example: personal data, sensitive personal data, data controller and so on. What do they mean?

On this page is a link to the Data Protection Act Glossary of Terms.

Your rights under the Data Protection Act

As an individual you have certain rights under the Act. You have a legal right to access information held about you. To find out what Falmouth holds about you, please go to the Accessing Information heading below. You can also ask Falmouth to stop sharing information about you, but we only have to do so where the sharing causes you unjustified damage or distress. As Falmouth is also subject to the Freedom of Information Act, you can make a request under that Act for the details of our information sharing, e.g. in our policies and procedures.

If you have concerns about information sharing, the first thing to do is contact the Information Office, who should be able to tell you if information is being shared and, if so, what the information is, who it is being shared with and why. It is important that this information is accurate and up to date. If you have any concerns at all, you should contact the Information Office.

The right to subject access

You have the right to be told by Falmouth whether it, or someone else on its behalf, is processing your personal data and, if so, to be given a description of the personal data, the purposes for which they are being processed and the likely recipients and sources of that personal data. Any request must be made in writing (this includes email). This is known as a subject access request. We can charge up to £10 for providing this.

The right to prevent processing

An individual has the right to serve a written notice on us to either cease, or not begin, processing information likely to cause unwarranted substantial damage or distress.

The right to prevent processing for direct marketing

You have the right to make a written request to Falmouth or any organisation holding your data not to use it for direct marketing.

Rights in relation to automatic decision making

An individual is entitled, by written notice, to ensure that no decision which significantly affects them is based solely on the processing of data by automatic means. For example: job performance measured solely by computer.

The right to compensation

If any individual suffers damage by contravention of the Act by the data controller, they can apply for compensation. This applies if we fail to take reasonable care. Damage means financial loss or physical injury. In limited circumstances it is also possible to claim compensation for distress alone.

The right to rectification, blocking, erasure and destruction

You may apply to the court for an order requiring Falmouth to rectify, block, erase or destroy data relating to you if they are inaccurate. This covers factual information and also covers expressions of opinions based on inaccurate data. Please let us know if you believe we hold information that is not correct.

The right to ask the ICO to assess whether the Act has been contravened

This gives you the right to ask the Information Commissioner to investigate and assess whether Falmouth or any organisation has breached the Act.

Accessing information under the Data Protection Act

The Data Protection Act 1998 (DPA) entitles individuals to request access to any personal data that an organisation may hold about them, which of course includes Falmouth. This is known as a Subject Access Request or SAR. The process that should be followed when requesting personal information from Falmouth is explained in our Subject Access Request procedure (which can be downloaded from the link below) and is applicable to staff and students. Under the DPA a fee can be charged for each request received, depending on the type of request. A brief description of the types of request applicable to Falmouth is given below:

Personal information from an organisation will usually cost a maximum of £10.

Requesting personal information including your education records: a sliding scale ranging from £1 to £50, depending on the number of pages to be provided.

Contact us

For more information or specific enquiries, please contact the Information Office: