The Data Protection Act
- Date of births
- Contact information
- Credit History
Data controllers are the people that determine how the personal data is proccessed
Data controllers must declare what information will be stored and how it will be used in advance. This is recorded in the register.
All data controllers must obey the eight principles of data protection, these are:
- It must be collected and used fairly and inside the law.
- It must only be held and used for the reasons given to the Information commissioners
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
- The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data.
- It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move.
- It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most.
- The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone.
- The files may not be transferred outside of the European Economic Area (that's the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law.
People who have personal data stored about them are called Data Subjects. The DPA have set up rights for these people
- A Right of Subject Access
A data subject has a right to be supplied by a data controller with the personal data held about him or her. The data controller can charge for this (usually around £10 pounds).
- A Right of Correction
A data subject may force a data controller to correct any mistakes in the data held about them.
- A Right to Prevent Distress
A data subject may prevent the use of information if it would be likely to cause them distress.
- A Right to Prevent Direct Marketing
A data subject may stop their data being used in attempts to sell them things (eg by junk mail or cold calling.)
- A Right to Prevent Automatic Decisions
A data subject may specify that they do not want a data user to make "automated" decisions about them where, through points scoring, a computer decides on, for example, a loan application.
- A Right of Complaint to the Information Commissioner
A data subject can ask for the use of their personal data to be reviewed by the Information Commissioner who can enforce a ruling using the DPA. The Commissioner may inspect a controller's computers to help in the investigation.
- A Right to Compensation
The data subject is entitled to use the law to get compensation if personal data about them is inaccurate, lost, or disclosed.