Principle 4
Ensure data you hold is accurate
What the Act says
Personal data shall be accurate and, where necessary, kept up to date.
What this means
In practical terms, this principle means that you need to make sure that you accurately record any information you get from a Data Subject or a third party. It doesn’t mean that you have to perform extensive checks on information the Data Subject gave to you, but that you accurately record what they gave you. You would be expected to make simple checks, such as verifying a postcode or that a date given was a valid date, and this would be true whether the Data Subject entered the information into a web form or you did the data entry internally.
The requirement to keep data up to date is not intended to be onerous. You wouldn’t be expected to contact a person to check that the information you hold is up to date (except in a few special circumstances). However, you would be expected to have the systems in place to be able to update a person’s information when they told you of a change.
For example, if a customer told you they had moved, you would need to make sure you recorded this information.
From a security perspective you should make sure that any systems you have that make automatic updates to information do this correctly. Good practice would be to make sure that you have evidence that you have tested such systems.
Finally, the requirement to be accurate only extends to facts, and not to opinions (although you should always be careful about recording opinions, as they can be disclosed under a Section 7 Subject Access Request).
How to test
Remember, to comply with the Act you should test every bit of processing of each bit of data against all eight principles.
The fourth principle gives these tests:
- How can you be sure that the information given to you by a Data Subject is recorded correctly (what simple validation could you do, what about sample audits or automated tests)?
- What processes do you have in place to record corrections to inaccuracies that the Data Subject brings to your attention?
- Whenever a person or an automated process changes personal information, what systems do you have in place to make sure this is accurate?
Technology Matters
- It should be part of your general IT behaviour to try to maintain accurate data, as inaccurate data will generally have more serious effects on the business than a breach of the DPA.
- A good place to start is to make sure that any data entry screens have great error checking and a user interface that helps people eliminate errors – whether this is a member of your staff entering data, or the Data Subject is filling in an electronic form.
- This is an area where you need to be very careful about using ‘real’ data in a test environment. If you export data from a live environment to a test or development environment and then make test changes or test transactions on that data, it will become inaccurate pretty quickly.
- You need to have change control procedures so that when you upgrade software that can change personal data, you can ensure and demonstrate that the software has been fully tested.
- If you link or import data sources which both contain personal information, can you be sure that you’ve correctly added the right data to the right person?
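One way to approach the linking question in the last point, shown as an added example that is not part of the original page: an import that only applies a change when the incoming row matches exactly one existing person and a second attribute agrees, and quarantines everything else for manual review. The field names, the sample records and the use of date of birth as the cross-check are assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample data. Field names and the choice of date of birth as the
# cross-check attribute are assumptions made for this example.
MASTER = {
    "C001": {"dob": "1980-03-14", "postcode": "AB1 2CD"},
    "C002": {"dob": "1975-11-02", "postcode": "EF3 4GH"},
    "C003": {"dob": "1990-07-21", "postcode": "IJ5 6KL"},
}
INCOMING = [
    {"customer_id": "C001", "dob": "1980-03-14", "postcode": "MN7 8OP"},  # clean match
    {"customer_id": "C002", "dob": "1957-11-02", "postcode": "QR9 0ST"},  # dob differs
    {"customer_id": "C003", "dob": "1990-07-21", "postcode": "UV1 2WX"},  # id repeated
    {"customer_id": "C003", "dob": "1990-07-21", "postcode": "YZ3 4AB"},  # id repeated
    {"customer_id": "C009", "dob": "2001-01-01", "postcode": "CD5 6EF"},  # unknown id
]

def reject_reason(row, master, id_counts):
    """Return why a row must not be applied, or None if it is safe to apply."""
    cid = row["customer_id"]
    if cid not in master:
        return "no matching person"
    if id_counts[cid] > 1:
        return "conflicting rows for one person"
    try:
        date.fromisoformat(row["dob"])  # simple validity check on the date itself
    except ValueError:
        return "invalid date"
    if row["dob"] != master[cid]["dob"]:
        return "date of birth mismatch"
    return None

def import_updates(master, incoming):
    """Apply postcode updates to a copy of master; quarantine anything doubtful."""
    updated = {cid: dict(rec) for cid, rec in master.items()}  # never edit in place
    id_counts = Counter(row["customer_id"] for row in incoming)
    audit, quarantine = [], []
    for row in incoming:
        cid = row["customer_id"]
        reason = reject_reason(row, master, id_counts)
        if reason:
            quarantine.append((cid, reason))
            continue
        audit.append((cid, updated[cid]["postcode"], row["postcode"]))  # old, new
        updated[cid]["postcode"] = row["postcode"]
    return updated, audit, quarantine

if __name__ == "__main__":
    for item in import_updates(MASTER, INCOMING)[1:]:
        print(item)
```

The audit list of old and new values is the kind of evidence that lets you demonstrate the import recorded changes against the right person, and the quarantine list is what a member of staff would review by hand.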
Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t legal advice and it isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.

