
DATA PROTECTION ACT

SUBMITTED BY: SHADAN NAZIR
ROLL NO.- 11evvcs052
GUIDED BY: NEELAM CHOUDHARY

Data Protection Act 1998

The Data Protection Act has two aspects:

Giving people the right to know what information organisations hold about them.

Providing a framework for organisations handling personal data.

The primary purpose of data protection legislation is to protect individuals against possible misuse of personal data (information about them) held by others.

The Act is underpinned by eight straightforward, common-sense principles.

Why was it introduced?

The Data Protection Act grew out of public concern about personal privacy in the face of rapidly developing computer technology.

It works in two ways, giving individuals certain rights whilst requiring those who record and use personal information on computer to be open about that use.

The aims of Data Protection Act

Anyone who processes personal information must comply with the eight principles.

It provides individuals with important rights, including the right to find out what personal information is held about them.

Data Protection Principles


The eight principles require that:
1. Data must be kept secure;
2. Data stored must be relevant;
3. Data stored must be kept no longer than necessary;
4. Data stored must be kept accurate and up-to-date;
5. Data must be obtained and processed lawfully;
6. Data must be processed within the data subject rights;
7. Data must be obtained and specified for lawful purposes;
8. Data must not be transferred to countries without adequate data protection laws.

Personal Data

HRIS stores personal and sensitive personal data on employees and job applicants.

Personal data is any information which identifies an individual, e.g. name, photograph, applicant or employee number.

Sensitive personal data is personal data relating to the individual, e.g. race or ethnic origin, political opinion, religious beliefs, physical or mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of sensitive personal data, including an obligation to obtain the explicit consent of the individual.

Handling Personal Data

The Data Protection Act covers personal data where specific information about a named employee may be readily found within:

Computer systems, such as HRIS.
Manual filing systems, where data is stored under topic headings or folders where data is stored within file dividers.
Documents which contain personal data but are not filed or referenced to a particular individual.

Particular care should be taken in handling sensitive personal data.

Other information which should be handled with care includes next of kin details, bank details or other financial information, and information collected for the purposes of staff recruitment.

Kept Secure

Fairly and lawfully processed

Data subjects must give permission for data to be sold or passed on.

Data is often sold. Companies must have your permission to do this.

Subject Access Requests

A Subject Access Request (SAR) is where an individual asks for the data the University holds on them. Requests must be processed within 40 calendar days.

The University can be asked to disclose all information held in electronic or paper form that identifies the individual making the SAR.

E.g. emails & letters; handwritten notes; comments made in HRIS; shortlisting forms; interview notes; references.

If you receive a request for information under either the Data Protection Act or the Freedom of Information Act, you must inform HRIS Support immediately and follow their instructions.

Subject Access Requests

Everything you write or email about an individual is potentially disclosable to them.

[Slide image: sample email to colleagues, with a subject line complaining about "This stupid data protection request", asking them to flick through an individual's personal file and remove anything they don't want him to see before it is sent on to the DPO.]

Subject Access Requests

Everything you write or email about an individual is potentially disclosable to them...even if it is marked confidential draft.

[Slide image: the same sample email, overlaid with the word "CONFIDENTIAL".]

Risk Of Non Compliance

Breaching the Data Protection Act represents a reputational and financial risk to the University.

The Information Commissioner's Office has the power to fine organisations up to £500,000 for breaches of the Data Protection Act.

Ealing Council and Hounslow Council fined £70,000 and £80,000 for losing password-protected but unencrypted laptops.

Hertfordshire County Council fined £100,000 for accidentally faxing sensitive personal information to the wrong recipient.

Company A4e fined £60,000 for losing an unencrypted laptop containing sensitive personal details about salaries, criminal activity and employment status.

CONCLUSION

The Data Protection Act is designed to prevent inappropriate use of data about individuals.

It is overseen by the Information Commissioner.

Data users store data about data subjects.

Data users must follow the eight Data Protection Principles.

There are some exemptions to the act, such as national security.
