Data Protection Act 1998

I am not stupid you know!

But
1 in 3 people admit they throw away documents containing important personal information without shredding them Lancashire County Council left social work records in a filing cabinet that was sold at auction 62,000 Bank of Scotland mortgage customer details were put on a CD and put in the post but it never turned up ...

People are aware of their rights!

A senior academic at Lancaster University has received a written warning for making "illicit disclosures" after he responded to a mother's complaint about her son's tuition. The professor replied immediately, listing the student's modules, contact time etc. BUT When the student became aware of the exchange, he complained to the university that it had released the information without his consent.

How does the law protect personal data?

The Data Protection Act (DPA) is designed to protect personal data stored on computers or in an organised paper filing system.

The DPA
A number of concerns needed addressing: Who could access this information? How accurate is it? Could it be copied? Is it possible to store information without the individuals knowledge or permission? Was a record kept of any changes?

Exercise 1
You are on your own in the office one lunchtime, the phone ringswhat do you do?
You answer the phone Hello I am a lawyer with Grabbit and Runne acting in a criminal case. I need to know the address of one of your members of staff as they are key witnesses in a trial, please can you give me their contact details? Without them the defence will collapse and you may be prosecuted for obstruction

Exercise 1 Summary

How the DPA works

The 1998 Data Protection Act was passed by Parliament to control the way information is handled and to give legal rights to people who have information stored about them. Basically it works by: setting up rules that people have to follow having an Information Commissioner to enforce the rules
It does not stop organisations storing and using information about people. It just makes them follow rules.

The 3 Main Roles

Information Commissioner Data Controller Data subject

Types of data
There are distinct types of personal data 1. Personal data 2. Sensitive personal data

If someone who is not entitled to see these details can obtain access without permission it is unauthorised access.

Exercise 2
Its late, you want to go home, youre the last one in the office, the phone rings (why you again?)what do you do?
You pick up the phone Hello is that the University? I am phoning about my nephew, I want to know how well he is doing, his mother is so worried about him. I also want to know his address so I can send his birthday present

Exercise 2 Summary

The Eight Principles

For the personal data that Data Controllers store and process:
1. It must be collected and used fairly and inside the law. 2. It must only be held and used for the reasons given to the Information Commissioner. 3. It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. 4. The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. 5. It must be accurate and be kept up to date. 6. It must not be kept longer than is necessary for the registered purpose. 7. The information must be kept safe and secure. 8. The files may not be transferred outside of the European Economic Area unless the country that the data is being sent to has a suitable data protection law.

Data Subjects rights

1. 2. 3. 4. 5. 6. A Right of Subject Access A Right of Correction A Right to Prevent Distress A Right to Prevent Direct Marketing A Right to Prevent Automatic Decisions A Right of Complaint to the Information Commissioner

7.

A Right to Compensation

Exemptions
Complete exemptions 1. Any personal data that is held for a national security reason is not covered.

2. Personal data held for domestic purposes only at home, e.g. a list of your friends' names, birthdays and addresses does not have to keep to the rules.

Partial exemptions e.g. HMRC, school pupils, company planning documents, health notes, statistics, employer references

Yes OK Tim, but what does it all mean?

You can be prosecuted for unlawful action under the legislation if:
you use or disclose information about other people without consent or authorisation you give information to another employee or student who does not need the details to carry out their legitimate duties, even if it was accidental

Think!
Who can hear your phone call? Who are you really talking to? Do they really need to know? Who can see your pc screen? Where does waste paper end up? What information is on your desk or in-tray?

You should remember these points:

Do not leave people's information out on your desk. Lock filing cabinets. Do not leave data displayed on screen, (use a screensaver?). Do not leave your computer logged on and unattended. Do not choose a password that's easy to guess. Do not give your password to anyone, ever. Never send anything by fax or e-mail that you wouldn't put on the back of a postcard. Do not disclose any personal information without the data subjects consent or verifying the enquirer (e.g. phone the police officer back via the station switch board).

Exercise 3

Please see Case Study Lost Laptop in your notes.

Exercise 3 Summary

Social Networking

What social media tools are you using? Are they for work or social purposes? Or is the line a bit

Social Networking Social Media posts are subject to Data Protection legislation So, think before updating that Facebook status!

The Internet Doesnt Forget!

Email: data-protection@bradford.ac.uk with any queries you may have.

Exercise 4
What did you get from this session? Please write down 3 things that you are going to do when you get back to the office regarding the DPA issues raised here today.

Thank You!
Please email: data-protection@bradford.ac.uk with any queries you may have. www.bradford.ac.uk/data-protection