Freedom of Information and Data Protection
The Data Protection Act 1998
What is the Data Protection Act 1998?
The Data Protection Act 1998 (the DPA) came into force on 1 March 2000.
It sets rules for processing certain personal information and applies to some paper records as well as those held on computers.
In brief, the DPA:
- provides a general right of access to personal data (as defined in the DPA) held by a data controller. A data controller might or might not be a public authority, such as Ribble Valley Borough Council; and
- controls the processing of personal data by prescribing certain data protection principles (of "good information handling") and imposing a duty on those who control personal data to comply with these principles.
The DPA seeks to strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information.
Many people and organisations (data controllers) hold details about other people (data subjects) on computer or in paper files. This can rise to problems (e.g. if the information is entered wrongly, is out of date or is confused with that of someone else). The DPA therefore gives individuals certain rights in regard to the information held about them and places obligations on those who process such data.
What data is covered by the DPA ("personal data")?
The DPA applies where the request relates to personal data.
"Personal data" means data which relates to a living individual who can be identified:
- from the data; or
- from the data and any other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
What are the data protection principles?
The DPA contains 8 principles which, taken together, form the basic standard to which those processing personal data must operate. The following information is a summary of these principles.
The first principle is that the data must be fairly and lawfully processed.
At least one of the following conditions must be met for personal data to have been fairly processed:
- the data must be processed fairly and lawfully;
- the individual has consented to the processing;
- processing is necessary for the performance of a contract with the individual;
- processing is required under a legal obligation (other than one imposed by the contract);
- processing is necessary to protect the vital interests of the individual;
- processing is necessary to carry out public functions;
- processing is necessary in order to pursue the legitimate interest of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual).
There are also special provisions for dealing with sensitive personal data. This is defined in the DPA and includes things such as racial or ethnic origin, political opinions, religious or other beliefs, physical or mental health conditions and convictions.
Extra conditions have to be met for such information to be fairly processed.
The other 7 principles say that data must be:
- processed for limited purposes;
- relevant and not excessive;
- not kept for longer than is necessary;
- processed in line with individual's rights;
- secure; and
- not transferred to countries without adequate protection.
What rights do I have under the DPA?
You have various rights under the DPA. One of the most important is the right of subject access. This allows you to find out what information is held about you by a data processor on computer and within some manual records. The paragraphs below explain more above how you can exercise this right in respect of information that we hold about you, by making a subject access request (SAR) to Ribble Valley Borough Council.
Other rights provided by the DPA include the right to:
- prevent processing where this causes substantial unwarranted damage or distress to you or anyone else;
- prevent processing for direct marketing purposes;
- object to decisions made only by automatic (i.e. non-human) means;
- compensation from a data controller for damage and distress caused by any breach of the DPA;
- rectification, blocking, erasure and destruction of personal details if they are inaccurate or contain expressions of opinion based on inaccurate data;
- ask the Information Commissioner to assess whether the DPA has been contravened.
How do I request copies of my personal data held by Ribble Valley Borough Council?
Information under the DPA (e.g. subject access requests or SAR) can be obtained by:
- emailing Stuart Haworth at email@example.com or
- by writing to: The Data Protection Officer (Computer Department), Ribble Valley Borough Council, Council Offices, Church Walk, Clitheroe, Lancashire, BB7 2RA.
A fee for responding to a SAR may be required (up to a maximum of £10) and, where this is the case, we will advise you of this. Our "Fees Policy", contains further information on this.
When we receive a SAR, it is important for us to be confident that we are supplying your data to you (and not to somebody else who you might not be happy for us to share your data with).
We will therefore usually ask you to provide us with some evidence as to your identity.
When will I hear back from Ribble Valley Borough Council?
Ribble Valley Borough Council will respond to an subject request quickly and, in any event, within forty days. Where we cannot comply with your request we will advise you as soon as possible and explain the reasons for our refusal.
When will Ribble Valley Borough Council not provide me with a copy of my personal data?
As explained above, Ribble Valley Borough Council, as data controller, needs to be confident that we are supplying your data to you (and not to somebody else who you might not be happy for us to share your data with). Where we reasonably require you to provide further information in order to satisfy us of your identity and you do not supply us with that information, we will not be obliged to comply with your request.
The DPA also provides that we are not obliged to supply you with your personal data unless you have:
- made a request to us in writing, and
- paid the fee that we require (which will be a maximum of £10).
There are some other circumstances in which we may be unable to supply you with a copy of your personal data (such as where we could not comply with your request without disclosing information relating to another individual who could be identified from that information). Where this is the case, we will, wherever possible, explain to you why we cannot meet your request.
In so far as possible the Ribble Valley Borough Council will endeavour to comply with all subject access requests.
What if I am unhappy with the Council's response to my request?
If you, as an applicant, are dissatisfied with our initial response you can seek an internal review of that decision. A member of staff who was not involved with the original request will undertake the review.
If you remain dissatisfied, you can seek an independent review from the Information Commissioner.
Requests for a review by the Information Commissioner should be made in writing directly to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.