Commercial Angles' Newsletter - October 2001

Data Protection Act 1998

Data controllers, businesses and individuals in the UK who hold personal data in electronic form must notify the Information Commissioner's office and add their details to the public access Data Protection Register by 24 October 2001. Registration costs £35 and failure to notify is a criminal offence. Notification can be given to the Information Commissioner online at http://www.dpr.gov.uk. The web site also contains a downloadable self-assessment page which gives guidance on the exemptions from the need for registration which are applicable to data controllers in various cases.

The principal exemptions are for businesses which only process data for:
and which only disclose information to third parties necessary for business administration.

The Data Protection Act 1998, which replaced and greatly extended the 1984 Data Protection Act, came into force on 1 March 2000. However, businesses established after 24 October 1998 must comply with the Act from their start-up date. Not all provisions of the Act come into force immediately - for example, the provisions relating to paper-based personnel records must be observed from 24 October 2007. However, many businesses will need this length of time to sift through their paper-based files and put them in a form which allows them to be made available in a timely fashion to data subjects on request. The full text of the Act, whilst not being a rattling good read, is available online.

The principal problem areas for UK businesses are:
The last item is of particular importance to international businesses, since an e-mail to a US company containing the name and address of a customer in the European Economic Area might be construed as breaching the requirements of the DPA.

The eight principles of Data Protection laid out in DPA Schedule 1 are reproduced below.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
   (a) at least one of the conditions in Schedule 2 is met, and
   (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Copyright © 2001 Commercial Angles