UK Data Protection Act (DPA)
The Data Protection Act governs the way in which personal information can be used by organizations or government. It is an attempt to safeguard the personal data that organizations collect and store.
The UK Data Protection Act is a law passed by the UK Parliament. It sets out the law on processing identifiable information about a person. Here, identifiable information means any information that can help establish the identity of a person, like the Aadhaar card number in India. This act was formed to match the 1995 EU Data Protection Directive. The act does not apply to domestic use of data, nor does it apply to how an individual uses information he or she has saved, for example information saved in an individual's address book. The act creates rights for the individual whose data is stored (known as the Data Subject) and responsibilities for those who store the data. The Act has defined ten Principles; they are as follows:
1. Fair and lawful processing of personal data:
Information processing means collecting or saving the information, altering the data, using the data or information for business purposes, destroying the data, or disclosing it to a third party. As per the act, data should be processed only when the data subject has requested the processing or when the processing is required to carry out a certain contract. For example, if a bank changes the personal information of its customer at the customer's request, that is lawful processing; otherwise, changing even the smallest part of the information without a requirement is illegal or unlawful.
2. Personal data should be obtained for lawful purposes only and should be processed only for that specified purpose:
If an organization has stored data for a specific purpose, it should process the data for that purpose only. Even if the data is processed for another purpose, that purpose should be compatible with the specified purpose. For example, if an educational institute has saved data for administrative purposes, it cannot use the data for targeted marketing. If the data is to be shared, this should be done according to the rules.
3. Personal data should be adequate and not excessive:
The organization should collect the right amount of data, i.e. neither less nor more than what is required. For example, if a person is opening an account at a bank, the bank should not ask for more personal details than are required for verification. Nationality can be asked for, but not belief or religion.
4. Personal data should be accurate and kept up to date whenever required.
Personal data collected by the organization must be accurate. The organization should update the data at regular intervals. For example, if a customer has changed his contact number, it should be updated in the bank's records immediately.
5. Personal data should be processed for the specified purpose and should not be kept for longer than required.
Personal data should be processed for the specified reason only, and when it is no longer required it should be disposed of securely. For example, if a customer has closed his account, his personal data should be disposed of, provided it is not mandatory for the bank to keep it.
6. Personal data should be processed in line with the data subject's rights.
The other rights provided under common law, the "right to confidentiality", and the "right to private family life and correspondence" under the Human Rights Act, are also provided to the Data Subject so that his information is not misused.
7. Personal data security
The organization should take all the required organizational and technical measures to ensure the security of personal data. Nowadays BPOs have access to a great deal of sensitive personal data; they should ensure that their employees do not misuse the data and that unauthorized persons do not have any access to it.
8. Personal information should not be shared with any other country without appropriate security.
The act states that without proper security and consent from the data subject, the information should not be shared with any country outside the EEA (European Economic Area). For example, without consent from the data subject, even a photograph should not be displayed on a website that has high reach.