The Data Protection Act 1998 (OCR A-Level Computer Science): Revision Notes
The Data Protection Act 1998
Overview
The Data Protection Act 1998 (DPA) is a UK law designed to regulate how personal data is used, stored, and protected by organisations. It aims to protect individuals' privacy and ensure their personal information is handled responsibly. Understanding the DPA is crucial for anyone working with data, as it impacts how companies store and use data on computer systems.
Purpose of the Data Protection Act
- The DPA was introduced to give individuals control over their personal data.
- It applies to organisations that collect, store, and process personal information.
- Personal data includes any information that can identify a person, such as name, address, or financial details.
Key Principles of the DPA
The DPA outlines eight principles that organisations must follow:
- Fair and lawful processing: Data must be processed lawfully and fairly.
- Purpose limitation: Data must only be used for specified, lawful purposes.
- Data minimisation: Only collect data that is relevant and necessary.
- Accuracy: Data must be accurate and kept up to date.
- Storage limitation: Data should not be kept longer than necessary.
- Rights of individuals: Individuals can access their data and request corrections.
- Security: Data must be protected against unauthorised access and loss.
- International transfer restriction: Data should not be transferred outside the European Economic Area (EEA) unless the receiving country provides adequate protection.
Rights of Data Subjects
- Access to data: Individuals can request a copy of their data.
- Correction of data: They can ask for inaccurate data to be corrected.
- Objection to processing: They may object to certain uses of their data, such as for marketing.
Responsibilities of Organisations
- Obtain consent: Organisations must get consent from individuals before collecting their data.
- Ensure data security: They must implement measures to prevent unauthorised access, such as encryption and firewalls.
- Notify breaches: Significant data breaches must be reported to the Information Commissioner's Office (ICO).
Penalties for Non-Compliance
- Organisations that fail to comply with the DPA can face fines and legal action.
- Reputation damage and loss of customer trust are also significant risks.
Examples
Example 1: Collecting Customer Data
- A company collects customer names and email addresses for marketing. Under the DPA:
  - The company must inform customers how their data will be used.
  - Data must be stored securely (e.g., in an encrypted database).
Example 2: Employee Records
- An organisation stores employee data such as salaries and contact information. Under the DPA:
  - Only authorised personnel should have access.
  - Data should be deleted when no longer necessary (e.g., after an employee leaves).
Note Summary
Key Takeaways
- The Data Protection Act 1998 ensures that personal data is used responsibly and protects individuals' privacy.
- Organisations must adhere to the eight key principles, ensuring data is collected, stored, and used lawfully and securely.
- Individuals (data subjects) have rights, including accessing their data and requesting corrections.
- Non-compliance can lead to fines, legal action, and reputational damage.