The Data Protection Act 1998
The Data Protection Act 1998 regulates the use of personal data and gives effect in UK law to the European Directive on Data Protection. Whereas the Freedom of Information Act 2000 seeks to make information public, the Data Protection Act seeks to control how information can be processed and used.
What does the Act cover?
The Act is concerned with “personal data”, that is, information about living, identifiable individuals. This need not be particularly sensitive information and can be as little as a name and address.
The Act gives individuals (data subjects) certain rights. It also requires those who record and use personal information (data controllers) to be open about their use of that information and to follow sound and proper practices (the Data Protection Principles).
Data controllers are those who control the purpose for which and the manner in which personal data is processed. The Council, as the corporate body, is the Data Controller and is responsible for compliance with the Act.
Data subjects are the individuals to whom the personal data relate.
The Information Commissioner is responsible for administering and enforcing the Data Protection Act.
The Council holds personal information about living individuals on paper or on computer (e.g. details of planning applications, grant applications etc.) and is required in law to notify and register with the ICO under the Data Protection Act 1998. Registration takes place annually.
The Data Protection Act controls how your personal information is used by organisations, businesses or the government.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
Do individual councillors also need to notify under the Data Protection Act?
If members have computers at home and those computers hold data to which the Data Protection Act applies, they may need to register individually with the ICO. Unless the computer belongs to the Council and it is controlled by the Council, the ICO is likely to argue that each member is a data controller and he or she will need to register and pay the fee. There is a self-assessment guide which members can complete online to check whether or not they need to do this.
The Data Protection Principles
The Council must still comply with the eight data protection principles. The principles are set out below.
- It must be collected and used fairly and inside the law.
- It must only be held and used for the reasons given to the Information Commissioner.
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry.
- The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register.
- It must be accurate and be kept up to date.
- It must not be kept longer than is necessary for the registered purpose.
- The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access.
- The files may not be transferred outside of the European Economic Area (that’s the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law.
- The council must have a legitimate reason for processing the data.
- Information should be ‘processed fairly’ i.e. when you collect the information from individuals you should be honest and open about why you want it.
- The Council should explain (in most cases in writing): who the data controller is (the name of your Council); the intended use of the information; and to whom the Council intends to give the personal data. This may be a specific third party, or may be a more general description such as “other Councils” etc.
- Data users should monitor the quantities of data held and ensure that they hold neither too much nor too little. Hold only the data which you actually need.
- Personal data should be accurate. If it is not, it must be corrected.
- Only in exceptional circumstances should data be kept indefinitely. In order to comply with the principle the Council has a Record Management System for the removal of different categories of data from your system after certain periods, once the data is no longer required for audit purposes.
- Individuals must be informed, upon request, of all the information held about them. They can prevent the processing of data for direct marketing purposes and are entitled to compensation if they have been caused damage by any contravention of the Act.
Dealing with subject access requests
In response to a subject access request individuals are entitled to a copy of the information held about them, both on computer and as part of a relevant filing system. They also have the right to receive a description of why their information is processed, anyone to whom it may be disclosed, and any information available to you about the source of the data.
On receipt of a written subject access request, the Council must deal with it promptly and in any case within 40 days from the date of receipt.
If the Council seeks clarification or further information, the 40 days will begin when you receive this further information from the requester.
The Council will ask for a fee of not more than £10 and the 40 days does not begin until this is received.
Description of processing at Penrith Town Council
The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
Nature of work – Town Council
Reasons/purposes for processing information
The Council process personal information to enable us to provide local services in accordance with our statutory powers and duties, to promote campaigns, public relations and fundraising, conduct research and to support and manage our staff.
Type/Classes of information processed
The Council process information relevant to the above reasons/purposes.
This may include:
- personal details
- family details
- lifestyle and social circumstances
- financial details
- education and training details
- information regarding goods or services provided
The Council also process sensitive classes of information.
Who the information is processed about
The Council process personal information about:
- elected representatives, other holders of public office and members of the town council
- residents of the town
- complainants and enquirers
- advisers, consultants and other professional experts
- business or other contacts, agents and contractors
Who the information may be shared with
The Council sometimes needs to share personal information. Where this is necessary the Council are required to comply with all aspects of the Data Protection Act (DPA).
Where necessary or required the Council shares information with:
- the residents of the town
- employees family, associates and representatives of the person whose personal data the Council are processing
- current, past or prospective employers
- suppliers, providers of goods or services
- education, training establishments and examining bodies
- financial organisations and advisers
- persons making an enquiry or complaint
- the media
- local government
Transferring information overseas
The Council do not transfer any personal information outside the European Economic Area (EEA).