Post on 22-Dec-2015
DATA PROTECTION ACT
SUBMITTED BY:-
SHADAN NAZIR
ROLL NO.- 11evvcs052
GUIDED BY :-
NEELAM CHOUDHARY
Data Protection Act 1998
The Data Protection Act has two aspects:
Giving people the ‘right to know’ what information organisations hold about them.
Providing a framework for organisations handling personal data.
The primary purpose of data protection legislation is to protect individuals against possible misuse of personal information about them that is held by others.
The Act is underpinned by eight straightforward, common-sense principles.
Why was it introduced?
The Data Protection Act grew out of public concern about personal privacy in the face of rapidly developing computer technology.
It works in two ways, giving individuals certain rights whilst requiring those who record and use personal information on computer to be open about that use.
The aims of Data Protection Act
Anyone who processes personal information must comply with the eight principles.
It provides individuals with important rights, including the right to find out what personal information is held about them.
Data Protection Principles
The eight principles, in the order the Act sets them out, require that personal data is:
1. Processed fairly and lawfully;
2. Obtained only for specified, lawful purposes and not further processed in any way incompatible with those purposes;
3. Adequate, relevant and not excessive for the purpose;
4. Accurate and, where necessary, kept up to date;
5. Kept no longer than necessary;
6. Processed in accordance with the rights of data subjects;
7. Kept secure against unauthorised or unlawful processing and against accidental loss, destruction or damage;
8. Not transferred to countries outside the European Economic Area that do not ensure an adequate level of data protection.
Personal Data
HRIS stores personal and sensitive personal data on employees and job applicants.
Personal data is any information relating to a living individual who can be identified from it, either on its own or together with other information the organisation holds, e.g. name, photograph, applicant or employee number.
Sensitive personal data is personal data about the individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, or the commission or alleged commission of any offence. Special conditions apply to the processing of sensitive personal data; in most cases this means obtaining the explicit consent of the individual.
Handling Personal Data
The Data Protection Act covers personal data where specific information about a named employee may be readily found within:
– Computer systems, such as HRIS.
– Manual filing systems, where data is stored under topic headings or in folders where data is stored within file dividers.
– Documents which contain personal data but are not filed or referenced to a particular individual.
Particular care should be taken in handling sensitive personal data
Other information which should be handled with care includes next of kin details, bank details or other financial information, and information collected for the purposes of staff recruitment
Kept Secure
Personal data must be protected against unauthorised access and against accidental loss, whether it is held on computer or on paper.
Fairly and lawfully processed
Data subjects must give their permission before their data is sold or passed on to others. Personal data is often sold; a company must have your permission to do this.
Subject Access Requests
A Subject Access Request (SAR) is where an individual asks for the data the University holds on them. Requests must be answered within 40 calendar days of receipt.
The University can be asked to disclose all information it holds, in electronic or paper form, that identifies the individual making the SAR.
E.g. emails & letters; handwritten notes; comments made in HRIS; shortlisting forms; interview notes; references.
If you receive a request for information under either the Data Protection Act or the Freedom of Information Act you must inform HRIS Support immediately and follow their instructions.
Subject Access Requests
Everything you write or email about an individual is potentially disclosable to them, even if it is marked confidential or draft. For example, the following email (marked CONFIDENTIAL) would itself be disclosable to the employee concerned:
From: Peter Headley (p.headley@ox.ac.uk)
To: Colleagues
Subject: This stupid data protection request (again!!!!)
Hi there….
The Data Protection Officer has demanded George Lambert’s personal file again……!!
Can you all have a flick through the file and remove anything you don’t want him to see, before I send it on to the DPO….
Ta. Pete
CONFIDENTIAL
Risk Of Non Compliance
Breaching the Data Protection Act represents a reputational and financial risk to the University
The Information Commissioner’s Office has the power to fine organisations up to £500,000 for breaches of the Data Protection Act
Ealing Council and Hounslow Council were fined £80,000 and £70,000 respectively for losing password-protected but unencrypted laptops; a password alone does not protect data on a lost device.
Hertfordshire County Council fined £100,000 for accidentally faxing sensitive personal information to the wrong recipient.
Company A4e fined £60,000 for losing an unencrypted laptop containing sensitive personal details about salaries, criminal activity and employment status.
CONCLUSION
The Data Protection Act is designed to prevent inappropriate use of data about individuals.
It is overseen by the Information Commissioner.
Data controllers (the Act's term for organisations that hold data about data subjects) must follow the eight Data Protection Principles.
There are some exemptions to the act, such as national security.