Data Protection Act 1998

The Data Protection Act 1998 sets out rules for processing personal information, and it applies to some paper records as well as those held on computer and some automatically processed data, for example, document image processing, audio/video, photographs and CCTV. The Act gives individuals certain rights, and imposes obligations on those who record and use personal information to be open about how information is used and to follow eight data protection principles:

Data Protection Principles
Personal data must be processed following these principles so that data are:

1. processed fairly and lawfully
2. obtained for specified and lawful purposes
3. adequate, relevant and not excessive
4. accurate and, where necessary, kept up-to-date
5. not kept for longer than necessary
6. processed in accordance with the subject's rights
7. kept secure
8. not transferred abroad without adequate protection

Rights of Data Subject (individuals) under the Act
The Data Protection Act 1998 came into force on March 1 2000. The Act gives legal rights to individuals in respect of personal data held about them by others.

Under the Act, personal data must be processed following the Data Protection Principles so that data are:

1. processed fairly and lawfully and only if certain conditions are met
2. obtained for specified and lawful purposes
3. adequate, relevant and not excessive
4. accurate and where necessary kept up-to-date
5. not be kept for longer than necessary
6. processed in accordance with the rights of data subjects
7. kept secure
8. not be transferred abroad unless to countries with adequate data protection laws

You are entitled to have access to information held about you, except where releasing that information would breach another person's privacy. You also have rights including rights to prevent processing likely to cause unwarrented damage or distress and to prevent processing for the purposes of direct marketing.