Principle 6

Respect people’s rights over personal data

What the act says

Personal data shall be processed in accordance with the rights of data subjects under this Act

What this means

Data Subjects (people whose data you process) have certain rights. This principle states that you have to respect those rights, which are:

The right of access
A Data Subject can ask you whether you are processing their personal data, and if so, request that you send them a copy of all the data you hold on them. This can also include:

  • Where you obtained their data
  • What you’re doing with their data (what processing)
  • Who, or the types of companies, you have disclosed it to

This is commonly known as a Subject Access Request, an SAR or a Section 7 Request.

The right to prevent processing causing damage or distress
They can request that you stop a particular type of processing if it is causing them damage or distress. This is detailed in Section 10 of the Act.

The right to prevent processing for the purpose of direct marketing
They can ask you to stop using their data for direct marketing. This is also known as a Section 11 Request.

Rights about the automatic processing of data
If you make decisions based on automatically processing data (the computer says no) then a Data Subject has a right to know that a decision was made automatically and to request that the decision is re-evaluated manually.

This is a pretty complicated principle to get right. There are a number of exemptions you need to be aware of, and you need to make sure that in disclosing information to a Data Subject you don’t inadvertently breach the privacy of another person (such as one of your employees). There are also particular time limits specified for you to respond to each type of request. It is wise to have an employee trained in how to respond to these requests — especially subject access requests — or to use your solicitor to help.

How to test

Unlike the other principles, this principle doesn’t suggest a test that you could use to evaluate each bit of processing. Instead I’d suggest the following two tests would measure your compliance.

  1. Is there someone nominated (and trained) to deal with Data Subject requests, and does everyone in the organisation know who that person is?
  2. Do you have a documented policy to follow for all four of the possible requests from Data Subjects you might receive?

Technology matters

This principle poses some real challenges for the IT team.

  1. Can you actually collate all the information relating to a Data Subject from many diverse systems? These could include your core line-of-business systems, any emails about the Data Subject, files from normal office applications, scanned documents and digital records of telephone conversations.
  2. If you use many Data Processors could you retrieve the information from them to respond to a subject access request?
  3. Do you always record the source of personal data alongside the data?
  4. Are you able to record a Data Subject’s request not to have their personal data used for direct marketing? (This is very different from deleting their record)
  5. Whenever you disclose or share data with another organisation, do you make a record of that on each Data Subject’s record? How would you be able to respond to a subject access request that asked for this information?
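As an added illustration of points 1, 3, 4 and 5 above (this is example code written for this page, not anything from the site's author), the sketch below models what a record needs to carry so that the IT team can answer each type of request: the source the data came from, a Section 11 marketing suppression flag that is kept rather than deleting the record, a per-subject disclosure log, and a subject access compilation that pulls from two constructed "systems" (a CRM table and a mailbox) while redacting the names of other known Data Subjects found in the same emails. The systems, names, sources and email text are all constructed sample data; the name-matching redaction is deliberately simplistic and stands in for a proper review step.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Disclosure:
    recipient: str   # organisation the data was shared with
    purpose: str
    when: str        # ISO date, kept as text for simplicity

@dataclass
class SubjectRecord:
    subject_id: str
    name: str
    email: str
    source: str                         # where the data was obtained (right of access)
    purposes: List[str]                 # what processing is done with it
    marketing_suppressed: bool = False  # Section 11 opt-out: a flag, NOT deletion
    disclosures: List[Disclosure] = field(default_factory=list)

# Constructed sample data: the "core line-of-business system"
CRM: Dict[str, SubjectRecord] = {
    "S001": SubjectRecord("S001", "Alice Example", "alice@example.invalid",
                          "web sign-up form, 2009-03-01",
                          ["order fulfilment", "direct marketing"]),
    "S002": SubjectRecord("S002", "Bob Sample", "bob@example.invalid",
                          "paper order form, 2008-11-20",
                          ["order fulfilment"]),
}

# Constructed sample data: the "mailbox" system; emails can mention several people
MAILBOX = [
    {"id": "m1", "text": "Alice Example called about delivery; "
                         "Bob Sample in accounts confirmed the refund."},
    {"id": "m2", "text": "Bob Sample asked for a copy of his invoice."},
]

def record_marketing_optout(subject_id: str) -> SubjectRecord:
    """Honour a Section 11 request by suppressing marketing, keeping the record."""
    rec = CRM[subject_id]
    rec.marketing_suppressed = True
    return rec

def may_send_marketing(subject_id: str) -> bool:
    """Marketing is allowed only if it is a stated purpose and not suppressed."""
    rec = CRM[subject_id]
    return "direct marketing" in rec.purposes and not rec.marketing_suppressed

def record_disclosure(subject_id: str, recipient: str, purpose: str, when: str) -> None:
    """Log every disclosure on the subject's own record (point 5 above)."""
    CRM[subject_id].disclosures.append(Disclosure(recipient, purpose, when))

def redact_third_parties(text: str, subject_id: str) -> str:
    """Replace other known subjects' names so the response does not leak their data.
    Simplistic name matching: a real process would also review the text by hand."""
    for sid, other in CRM.items():
        if sid != subject_id:
            text = text.replace(other.name, "[third party redacted]")
    return text

def compile_sar(subject_id: str) -> dict:
    """Collate everything held on one Data Subject across both systems."""
    rec = CRM[subject_id]
    emails = [
        {"id": m["id"], "text": redact_third_parties(m["text"], subject_id)}
        for m in MAILBOX if rec.name in m["text"]   # any email mentioning the subject
    ]
    return {
        "subject": {"name": rec.name, "email": rec.email},
        "source": rec.source,
        "purposes": list(rec.purposes),
        "marketing_suppressed": rec.marketing_suppressed,
        "disclosed_to": [{"recipient": d.recipient, "purpose": d.purpose, "date": d.when}
                         for d in rec.disclosures],
        "emails": emails,
    }

if __name__ == "__main__":
    record_marketing_optout("S001")
    record_disclosure("S001", "Courier Ltd", "delivery", "2010-02-01")
    import json
    print(json.dumps(compile_sar("S001"), indent=2))
```

The two things worth noticing are that the opt-out leaves `CRM["S001"]` in place (so the suppression survives, which deleting the record would not guarantee), and that the email search is by mention rather than by which record an email was filed under, which is why the third-party redaction step is needed before anything is sent out.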

Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t legal advice and it isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.