If you are not sure about the meanings of any of the terms we use, have a look at our jargon buster.
We cannot give advice about individual cases. If you need individual help or advice, you should contact the Information Commissioner's Office.
1. What are my rights under data protection?
The Data Protection Act 1998 gives you the right to see the personal information held about you by businesses and organisations in the public and private sectors. This is known as the right of 'subject access'.
You also have a right to have inaccurate data corrected, destroyed, blocked or erased, and to seek compensation for any damage or distress caused to you by such inaccuracy. Inaccurate data means information which is incorrect, or misleading about any matter of fact. You can apply to a court for an order to enforce this right.
The Act also governs the way in which organisations may use the personal information you supply to them, and you have the right to require organisations to stop, or not to begin, using your personal information for direct marketing purposes. More on stopping direct marketing.
2. Who can I ask for information?
Almost all organisations which hold or use your personal information are required to supply your information on request. If you want to check whether a particular organisation is covered, you can check the register of data controllers maintained by the Information Commissioner.
3. How do I make a request?
You should write to the 'Data Controller' at the organisation holding your data. Your letter should include your name and contact details. The organisation may ask you for further information in order to confirm your identity, and to locate the information you require. They may also ask you to pay a small fee of up to £10 (including VAT).
4. What does it cost to make a request?
Most organisations can charge you a fee of up to £10 (including VAT). Credit Reference Agencies may only charge you up to £2 (including VAT) for providing your information. You may be charged up to £50 for health records which are not held in electronic form.
5. How long does it take?
Organisations have 40 calendar days to answer your request, counting from the date they receive the request.
6. What if my request is refused?
Organisations are allowed to refuse your request if:
Certain health, education or social work records are also exempt, as well as confidential references supplied by the organisation.
If you believe your request has been refused wrongly, you should contact the Information Commissioner's Office for further advice.
7. What if the information I am given is wrong?
If an organisation is holding incorrect information about you, you have a right to have that information corrected, erased, destroyed or blocked from further disclosure. If the inaccuracy of the data has caused you damage or distress, you have a right to seek compensation from the organisation. If the organisation refuses to correct or destroy the information, you can apply to a court for an order requiring them to do so. The court will only grant an order if the information is incorrect or misleading about any fact (not opinions). For further assistance in correcting inaccurate data or seeking compensation, you should contact the Information Commissioner's Office.
8. Can I get information about other people and can they get information about me?
You can only access other people's personal information if you are acting on their behalf, and if they have given their permission to the organisation for them to disclose information to you in that way. It is up to the organisation holding the information to ensure that they have proper evidence of that permission before disclosing any information.
Organisations must not assume that they have permission to discuss a person's business or personal affairs with their spouse, partner or friend, unless they have formally been notified that the individual is content for them to do so.
In the same way, other people can only access your information if they are acting on your behalf and you have given your permission to the organisation for the information to be disclosed to them.
The Freedom of Information Act does not override the Data Protection Act - Freedom of Information cannot be used to get personal information about people other than the applicant.
9. Can information about me be used, disclosed or sold without my consent?
Organisations may use information about you for purposes which are consistent with those for which they held the information in the first place.
It is not always necessary under the Data Protection Act for organisations to obtain your consent before disclosing information about you. Whether or not they need to do this will depend on the particular circumstances in which the information is being processed. Organisations should normally be open with you about how they intend to use your personal information. However, there are certain situations in which they are not required to do this, for example, where:
10. How do I stop organisations sending me marketing information?
You have the right to require organisations to cease, or not to start, sending you marketing information that you haven't asked for, or contacting you to sell you goods or services. There are two main ways to do this.
When you give personal information on a form, you should be given the opportunity to either "opt in" or "opt out" of receiving any marketing materials. This will usually mean ticking a box on the form. If you later change your mind, or forget to tick the box at the time you fill out the form, you can ask the organisation to change your preferences. You can write to the organisation at any time to require that they stop, or don't start, sending you these materials.
You may also wish to register your details with the Mail, Telephone or Fax Preference Services. Companies are legally obliged not to contact numbers registered with the Telephone or Fax Preference Services. The Mail Preference Service (MPS) is a voluntary service funded by the direct marketing industry. Registration with the MPS will remove your name from around 95% of postal direct marketing services.
11. Does the Act stop the police from getting access to personal information?
No. The Act is flexible, and has a number of exceptions from the general rules restricting the gathering and use of personal information to enable other important functions like preventing or detecting crime, and apprehending or prosecuting offenders. The police are generally well aware of these exceptions, and they use them regularly. The Act does not stop the disclosure of personal information to the police when they need that information for their law enforcement functions.
The Act also allows the disclosure of information when it is required by a court order, or it is for the purposes of (or in connection with) legal proceedings or obtaining legal advice. This may, for example, enable you to get basic personal information about other people for the purposes of considering or taking legal action against them.
12. Does the Act apply to overseas companies and call centres?
The Act prohibits the transfer of personal information from the UK to other countries unless those countries can ensure a similar level of data protection. However, you can consent to your personal information being transferred anywhere in the world. Organisations can also set up contracts with overseas organisations receiving personal information which impose higher standards of protection than there might be under the national law of the receiving country.
Organisations in the UK which have personal information processed overseas on their behalf remain responsible for the security of that information. The UK company is required to ensure that the overseas processing company complies with the UK Data Protection Act.
13. Where can I get advice/help with my own case?
The Information Commissioner's Office can offer individual advice about your own circumstances. You can contact them at:
The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 01625 545745 (General Enquiries)
14. How do I complain if I think an organisation is not complying with the Act?
In the first instance, you should write to the organisation and explain your concerns. If you cannot resolve the problem in this way, you should contact the Information Commissioner's Office, who have the powers to investigate the complaint, and may take legal action against organisations which are in breach of the Act.
15. What if I'm not happy with the way the Information Commissioner handles my complaint?
The Parliamentary Ombudsman can investigate complaints about the Commissioner. See the Ombudsman's website for more details.
The Commissioner is independent of government, and reports directly to Parliament. Ministers and government departments (including DCA) cannot investigate the Commissioner's handling of complaints, nor comment more generally on the advice or standards of service provided by his office.
1. How do I know whether the Data Protection Act applies to my business/organisation?
In general, the Data Protection Act applies to all organisations (including individuals, such as self-employed financial advisors and accountants) which hold or use personal data (that is, information about individuals). Personal data will include information about your staff, your customers or clients or anyone else with whom you have dealings in the course of your business or professional activities. Even if you simply hold membership lists for social or other clubs or charities, you also have to comply with at least some of the provisions of the DPA.
The only exception is where, as an individual, you hold personal information only for domestic reasons (eg an address book or Christmas card list) in which case the DPA does not apply at all.
One of the requirements of the DPA is that individuals and organisations that are processing personal data need to “notify” the Information Commissioner that they are doing so, and the purpose of that processing. There are exceptions to this rule where you are an organisation holding personal information only for:
The Information Commissioner's website will give further guidance on whether the Act applies to you, and whether you need to notify. Alternatively, you may call the Commissioner's Notification Helpline on 01625 545740.
2. What responsibilities do I have under the Act?
If you are subject to the Data Protection Act, you have a number of legal responsibilities:
3. What does it cost to notify?
Notification costs an annual fee of £35, on which no VAT is charged. This fee is payable to the Information Commissioner.
A number of private companies have been approaching businesses demanding up to £95 plus VAT for notification under the Data Protection Act. You should not be misled by these businesses (who frequently style themselves as official-sounding "agencies"): they have no official standing or powers and there is no connection between them and the Information Commissioner's Office. Organisations who wish to complain about correspondence received from these businesses should contact their local Trading Standards Department.
4. How am I allowed to use the personal information I hold?
The way you may use the personal information you hold is governed first by the eight Data Protection Principles. These require that information is:
As part of complying with the principles, you must:
The terms of your notification with the Information Commissioner will also affect the way in which you may use the personal information you hold. If you want to use the information for new purposes for which you have not notified, you must update your notification before you begin using the information in a new way.
5. Where can I get individual advice/help about my responsibilities under the Act?
The Information Commissioner's Office can offer individual advice about your own circumstances. You can contact them at:
The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 01625 545745 (General Enquiries)
Telephone 01625 545 (Notification Helpline)
6. I have been contacted by an "agency" informing me that I must register/notify under the Data Protection Act and pay them a large fee. How can I be sure this agency is genuine?
If you are a business or organisation who processes personal information on computer you may need to be on the register of data controllers maintained by the Information Commissioner. The annual notification fee is £35, on which no VAT is payable. However, a number of private companies have been approaching businesses demanding up to £95 plus VAT for notification under the Data Protection Act. You should not be misled by these businesses (who frequently style themselves as official-sounding "agencies"): they have no official standing or powers and there is no connection between them and the Information Commissioner's Office. Organisations who wish to complain about correspondence received from these businesses should contact their local Trading Standards Department.
To find out whether you need to notify under the Data Protection Act, you should telephone the Notification Department at the Information Commissioner's Office or consult the Information Commissioner's website. See answer to the previous question for contact details.
Data controller
The person who decides the purposes for which, and the manner in which personal information is to be processed. This may be an individual or an organisation.
Data subject
The person whose personal information is held by a data controller.
Enforcement notice
A legal document which the Information Commissioner can issue to a data controller, requiring him or her to take certain steps to comply with the Data Protection or Freedom of Information Act.
Information Commissioner
An independent office-holder appointed by the Crown to administer and enforce the Data Protection Act, the Freedom of Information Act 2000 and other legislation governing the use of, and access to, information. The Information Commissioner is independent of government and reports directly to Parliament. The present Information Commissioner is Richard Thomas.
The Commissioner also promotes good practice in compliance with the Data Protection and Freedom of Information Acts.
Information Notice
A legal document which the Information Commissioner can issue to a data controller, requiring him or her to supply information to the Commissioner so that he can assess whether or not the data controller is complying with the Data Protection or Freedom of Information Act.
Information Tribunal
A data controller on whom an information or enforcement notice has been served may appeal against the notice to the Information Tribunal.
Notification
The process by which data controllers register their details on the statutory register maintained by the Information Commissioner. They must register the types of information they hold, and the purposes for which they hold it.
Personal data/information
Information relating to a living individual, from which that individual can be identified, or which can be used to identify a living individual in conjunction with other information held (or likely to be held) by a data controller. Personal data/information includes expressions of opinions about that person, or indications of intent towards them.
Principles
The Data Protection Act 1998 requires that data controllers process personal data in accordance with eight Principles. These require that personal data are:
Processing
The processing of personal data includes obtaining, recording, holding or carrying out any operation on the data.
Subject Access
The right of data subjects to receive a copy of the information held about them, a description of why their information is being processed, and details of anyone who may see a copy of their data, to whom it may be transferred, and the logic involved in any automated decisions taken on the basis of that data.