OPERATIONAL GUIDANCE
DATA PROTECTION ACT 1998
INTRODUCTION – DATA PROTECTION, FREEDOM OF INFORMATION AND HUMAN RIGHTS
OG 58 A1 - 19 January 2005
Purpose
This guidance gives a brief introduction to data protection and its relationship with the Human Rights Act 1998 and the Freedom of Information Act 2000. It contains the "golden rules" which, if followed, can help us achieve compliance with this legislation without having a detailed knowledge of each Act. However, it is not a substitute for reading the detailed guidance.

Functional responsibility
For action: All staff
For information: All staff

Contents
1. What is the purpose of data protection?
2. Terms used in connection with data protection
3. Openness v privacy
4. Freedom of Information Act 2000
5. Human Rights
6. The combined effect of data protection, freedom of information and human rights (The "Golden Rules")
Glossary of Terms used in this Guidance
Index to further related information

The Law
Refer to a lawyer
Refer to an accountant

1. What is the purpose of data protection?

The purpose of data protection is to protect individuals (data subjects) from the unauthorised and unreasonable use or disclosure of information about themselves (personal data).

The main aspects of data protection are privacy and respect for the individual. This means, for example, not prying into someone’s personal details without good reason (such as asking for personal information that is not necessary for the purpose for which it will be used), allowing the individual to have access to that information and treating the information with respect in terms of what it is used for and who else it is disclosed to.

The Data Protection Act 1998 ("the 1998 Act") introduced into UK law the provisions of the EC Data Protection Directive (95/46/EC) and made new provision for the regulation of processing of information relating to individuals.

2. Terms used in connection with data protection

In order to understand how the Data Protection legislation works, it is important to understand the particular language used in the legislation. There is a full glossary in OG 58 G1 but a few terms at the outset may help you to follow the guidance.

"Personal data": This means information from which it is possible to identify a living individual, either directly from that information or from additional information which is in the possession of, or is likely to (ie might conceivably) come into the possession of, anyone processing that data. This includes both factual information and expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

"Data subject": This means the individual who is the subject of personal data.

"Data controller": This means the person(s) (ie individual or organisation) who determine(s) the purposes and manner in which any personal data are, or are to be, processed. The Charity Commission is a data controller.

"Processing": This includes the obtaining, holding, use or disclosure of personal data. In other words, any activity involving personal data (even if that is just storing and reading that information) would fall within the definition of "processing".

"Data processor": This means any person (other than an employee of the data controller) who processes data on behalf of the data controller (eg a computer bureau).

"Information Commissioner": This is the independent officer, appointed by Her Majesty the Queen and reporting directly to Parliament, who is responsible for regulating the application of the 1998 Act.

"Departmental Record Officer (DRO)": This is the officer of the Charity Commission who has responsibility for the care of all records held in the Commission (in any format), from the time they are created or received until they are disposed of. The DRO must therefore be aware of and control all records created and received within the Commission. In order to meet our obligations under the 1998 Act, the DRO will maintain a record of the different types of data processing carried out in the Commission, notify to the Information Commissioner details of that processing (where it is appropriate to do so) and deal with requests for access to personal information made under the 1998 Act.

You will need to look at the glossary for a fuller list of definitions.

3. Openness v privacy

In the current climate of promoting greater openness in government, where there is now a presumption in favour of the disclosure of information, it is important to remember that there is a balance to be struck between encouraging openness and protecting the privacy of individuals, where it is appropriate to do so. A general rule of thumb, therefore, is that if information can be regarded as personal data, it is important to consider the effect of the 1998 Act before obtaining, storing, using or disclosing it.

OG 58 A3 sets out the provisions of the 1998 Act and OG 58 B4 sets out the Data Protection Principles which the 1998 Act is there to enforce.

4. Freedom of Information Act 2000

There is nothing in the Freedom of Information Act 2000 which contradicts the provisions of the 1998 Act. Indeed, the idea is that the two Acts will operate in tandem under the supervision of the Information Commissioner. This means that requests for access to personal information will be dealt with under the provisions of the 1998 Act and requests for access to other sorts of information will be dealt with under the Freedom of Information Act 2000. Guidance on the Freedom of Information Act can be found on the Department for Constitutional Affairs website, or the Office of the Information Commissioner’s website.

5. Human Rights

The principles of data protection are echoed in Article 8 of the European Convention on Human Rights. That Article declares that:

everyone has the right to respect for their private and family life, their home and their correspondence; and that

there shall be no interference by a public authority with the exercise of that right except such as is in accordance with the law and is necessary in a democratic society in the interests of:

- national security;
- public safety or the economic well-being of the country;
- for the prevention of disorder or crime;
- for the protection of health or morals; or
- for the protection of the rights and freedoms of others.

When considering the effects of the 1998 Act it is therefore as well to consider also the provisions of Article 8.

6. The combined effect of data protection, freedom of information and human rights (The "Golden Rules")

It can be difficult and confusing to try and consider all aspects of the Data Protection and Human Rights Acts together with the existing principles of Open Government and proposals for greater freedom of information at the same time and during the conduct of our daily work. However, there are some basic guiding principles which emerge from all of this legislation which, if followed, can help us achieve compliance without having a detailed knowledge of each Act.

These basic principles (or "golden rules") are set out below.

1. Treat everyone as you would wish to be treated: fairly, politely and without discrimination.

2. Be open in all your work, while respecting justifiable confidentiality. Only ask for personal information if you really need it and do not disclose it to others without good reason.

3. Make sure all decisions (especially those that deny someone something) can be seen to be fair and reasonable:
   - Ensure everyone involved has had an opportunity to state their case;
   - Explain clearly why the decision has been taken; and
   - Explain how the decision can be reviewed.

Never express opinions about people – orally or on paper, on computer or elsewhere – that cannot be substantiated by the facts.

Index to further related information