Carlisle City Council
The Data
Protection Act 1998 (external link) carries forward the
elements from the legislation introduced in 1984, and imposes
stringent requirements that any organisation holding personal data
must comply with. The legislation states that all processing
undertaken must be fair and lawful, accurate and up-to-date, and
that the data is adequate, relevant, not excessive and is held for
no longer than is necessary.
It also becomes mandatory that appropriate technical measures
are taken to prevent unauthorised or unlawful processing or
disclosure of data. This includes accidental loss or destruction
of, or damage to, personal data.
Personal data can only be processed if one of the following
applies:
- an individual has given consent;
- that it is part of a contract;
- it is a legal obligation;
- it is necessary to protect the individual.
The rules also introduce "sensitive personal data", which
includes any that are racial or ethnic in origin, political
affiliations, religious or other beliefs. This data demands greater
protection and one of the following must be true: an individual's
explicit consent is required; is a legal requirement; to protect
the vital interests of the individual. Where consent is obtained,
the individual must be made fully aware of the purposes for which
the data is to be used and of any recipients.
Data held in manual or paper form is subject to the Act. So any
personal details stored in a paper format must be registered and
the above conditions apply.
Individuals' rights are enshrined in provisions to enable anyone
to see a full description of the data held about him, on payment of
a fee. This information has to be altered if it is inaccurate or
likely to cause damage or distress (subject to an
exemption).
Individuals can also request details of how automatic
decision-making processes operate. This can impact on the use of
data for direct marketing, either by mail or telephone.
Compensation can be claimed for damage caused by breach of the
Act.