Data protection legislation
It is increasingly common for personal details to be stored on computers. The Data Protection Act (legislation passed by parliament that governs the protection of personal data in the UK) exists to protect personal details. This personal data includes items such as:
- name and address
- date of birth
- medical records
- school and employment records
- religion
Personal data is private and should be accessible only by users who have the appropriate authority.
Digital files stored on computers can be easy to access, copy and share. Protection is needed to make sure that personal data held by others is kept private and not altered or deleted. The Data Protection Act exists to ensure that data is properly looked after.
A person who has data stored about them is known as a data subject (anyone who has data stored about them that is outside their direct control). As a data subject, a person has the right to see what data is held about them by an organisation and to have that data amended if incorrect.
Every organisation that holds data must appoint a data controller (the person or persons in an organisation who determine what data the organisation collects, how it is collected and how it is processed and stored). This person is responsible for ensuring that the organisation stays within the principles stated by the Data Protection Act.
The Data Protection Act is built around eight principles (rules) which state how personal data should be treated:
- Personal data must be fairly and lawfully processed. This means that an organisation must be truthful about what personal data they wish to collect and what they want to use it for.
- Personal data must be obtained for specified and lawful purposes. This means that an organisation cannot use personal data for any purpose other than that stated when they collected the data. For example, if a company wanted your exam records to see if you were qualified for a job, it could not use those records to try to sell you revision guides that it thinks you might need. Also, the company cannot pass on your data to any other organisation without your permission.
- Personal data must be adequate, relevant and not excessive. This means that an organisation cannot ask for any data that is not needed. For example, when you apply for a bank account the bank cannot ask you where you went on holiday last year.
- Personal data must be accurate and up to date. If data held about you is wrong or out of date, you have the right to have it corrected or deleted. This is extremely important, as incorrect or out-of-date data might, for example, prevent you from getting a job or a loan, or being able to buy a house.
- Personal data must not be kept for longer than is necessary. As soon as an organisation no longer needs your data, they must delete it.
- Personal data must be processed in line with your rights. This includes the right to see any data held on you and the right to correct inaccurate data.
- Personal data must be held securely. This means that data must be kept safe from unauthorised access - for example, with usernames and passwords - but also safe from accidental loss - by making backups (a backup is a copy of important files that is kept separately in case the original files are lost or damaged).
- Personal data must not be transferred to other countries outside the European Economic Area unless those countries have similar data protection laws.
In the UK, the Data Protection Act is overseen by the Information Commissioner's Office (ICO). This is an independent regulatory authority whose responsibility is to see that organisations follow data protection legislation. The office has the authority to prosecute and fine any organisation found to be in breach of the Data Protection Act.
The General Data Protection Regulation 2018
In 2018, the law concerning how personal data is treated by an organisation was updated to take into account the huge amount of data that is now stored. This is known as the General Data Protection Regulation 2018 (GDPR) and is broadly similar to the principles in the Data Protection Act 1998/2018, with a few amendments.
GDPR specifies that personal data must be:
- processed lawfully, fairly and in a transparent manner - this means organisations need to tell people what data is being stored and what it will be used for, including cookies on websites, online forms and apps
- collected for specified, explicit and legitimate purposes - the data cannot be used for anything other than what it was originally collected for
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed - data cannot be collected that is not relevant to the organisation's needs
- accurate and, where necessary, kept up to date - individuals have the right to request that data is changed but it is also the responsibility of the organisation to make sure that the data is correct
- kept in a format which identifies individuals for no longer than is necessary - data can be kept for longer as long as anything that identifies the individual is removed
- processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures - in other words, an organisation must take adequate actions to ensure that the data is safe from accidental loss and cyberattacks
GDPR differs from the Data Protection Act of 1998/2018 by also including 'the right to be forgotten', which means that an individual can request that an organisation erases all their personal data. This right only applies in certain circumstances.
The Data Protection Act of 2018 includes specific content for the UK not covered in GDPR.