
Data Protection


Data protection was created to ensure your “fundamental right to privacy is upheld”.

Consumers “can access and correct data” about themselves.


Holders of data about individuals must “comply with data protection principles”.

In relation to the best code of practice for organisations (a retailer, for example), there are eight principles that must be adhered to in order to meet the legal responsibilities of a data controller.

“Data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.”

The eight principles are:

Obtain and process the information fairly

“This is the fundamental principle of data protection.” Organisations that obtain personal information about people must collect the information fairly and use it fairly.

Individuals must be made aware of when their personal information is being collected.

Individuals must know the name of the persons collecting their information.

Individuals must know how the information will be used.

Individuals must know who will have access to the information.

If the personal information may be used for secondary or future purposes, individuals must be told so at the time of collection.

If a data controller wishes to use the information in a new way that was not disclosed at the time of collection, it must go back to the individuals and ask whether they consent to their personal information being used in that new way.

Keep it only for one or more specified and lawful purposes

Information about people should only be kept if there is a specific, lawful and clearly stated purpose for doing so.

It is against the law to routinely and indiscriminately collect information about people.

Data controllers have to register their “purpose for holding personal information”; if it comes to light that information is being held for other purposes, the company or organisation may be liable for prosecution.

Process it only in ways compatible with the purposes for which it was given to you initially

Personal information collected for one purpose must not be used for any other purpose. Information must not be given to any third party unless doing so is “compatible with the specified purpose.”

Keep it safe and secure

Keeping personal information secure is very important.

The confidentiality requirements and the sensitivity of the information dictate the level of security needed to protect it. Larger organisations will be expected to invest greater resources in protecting personal information than a smaller company would.

Keep it accurate and up to date

Personal information held by an organisation must be accurate and kept up to date.

If an organisation “fails to observe the duty of care provision in the act applying to the handling of personal data”, it “may be liable to an individual for damages.”

Ensure that it is adequate, relevant and not excessive

Personal information collected must not exceed what is required to achieve the purpose. Over-collection of personal information is not acceptable: for example, an organisation must not collect excess data on the basis that it may have a use for the information in the future.

Retain it no longer than is necessary for the specified purpose or purposes

Personal information collected must be held only for the length of time specified at the time of collection; as mentioned earlier, data must not be kept “just in case” a use for it is found at a later date.

Give a copy of his/her personal data to any individual, on request.

An individual may, by making a request, obtain whatever information an organisation holds about them.

The details given must include:

A copy of the data

Description of the purpose the information is being used for

Who has or had access to the information

The source of the data must be revealed “unless contrary to public interest”
