The centrepiece of UK data protection law is the Data Protection Act 1998 (the “DPA”). This legislation was enacted pursuant to a European Directive. Data protection law governs the “processing” of “personal data”.
“Processing” is defined in the Act to mean: “… obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.“
In other words, almost anything you do with data will constitute “processing”.
“Personal data” is broadly defined to mean: “… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.“
So, for example, a list of names and addresses of customers will be personal data, as will an email address containing a person’s name.
Most of the key obligations in the DPA are placed upon “data controllers”. A data controller is defined as: “… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.” In respect of personal data collected and processed through your website, you (or the company or other person who operates the website) will be the data controller.
The main consequences of this status are as follows. First, the DPA requires “notification” from data controllers, unless an exemption is available. You can find out more about notification (which costs £35 per year) on the Information Commissioner’s website. Second, individuals have certain rights under the DPA in relation to their personal data – for example, the well known subject access right – with which data controllers must comply. Third, in the processing of personal data, data controllers must comply with the data protection principles.
In practice, a large number of UK websites operate in breach of data protection laws. Nonetheless, it is important that data protection compliance issues be addressed. Breaches of data protection legislation can lead to criminal as well as civil liability.
I am opening a small childrens clothes shop.
Do I have to legally install CCTV in my shop?
I’m not aware of any legal requirement for CCTV in shops and would be amazed if was such a requirement in English law (although note that I’m no expert in the laws relating to the operation of a high street store).
As a Merchant Navy officer I am often put in the position where some party wishes to contact me, or talk to me on a matter when I am at sea. I have tried setting up a power of attorney, account passwords, and letters of authorisation to allow my partner to discuss my affairs; however we keep getting the quoted Data Protection Act. I have reviewed the S.I. and the Act and can find no provision to allow a person to give permission for another party to access or discuss information with another. Is it even possible?
I’ve never looked specifically at this question, so please don’t treat this reply as considered advice, but I would have thought that the provision of evidence of consent (in the case of non-sensitive personal data) and express consent (in the case of sensitive personal data) would be formally sufficient to overcome any objection to discussing your affairs based on the DPA 1998. See Schedule 1, Part 1, para 1; Schedule 2, para 1 and Schedule 3, para 1. Of course that doesn’t mean that relevant organisations have to agree to deal with your partner, and there may be evidential issues. How do your colleagues deal with this problem?
When looking into whether we needed to notify last year, I was led to beleive by the DPA that if the data collected was only to be used to contact those people for marketing purposes by your own company, and never to be disclosed to a third party (unless requested by a legal authority for criminal purposes etc) then it would not be necessary. Please can you clarify? As we do collect e-mail addresses etc (opted-in) form our customers for the purpose of contacting them with marketing offers.
One of the general exceptions covers “1st party” advertising, marketing and PR. Accordingly, such activity does not in itself give rise to a notification obligation. See:
http://www.ico.gov.uk/for_organisations/data_protection/notification/need_to_notify.aspx
Can local authorities scan letters from residents and publish on their website? This is being done in respect of objections to planning applications. Phone numbers and emails are being redacted but names and addresses are being left free to view.
I’ve never had cause to look at the position of local authorities under the DPA, and I’m afraid I know nothing about planning law. However, if they have a statutory obligation to publish the relevant material on their websites, then it won’t be a breach of the DPA. See: http://www.legislation.gov.uk/ukpga/1998/29/section/34