The Data Protection Act 1998 seeks to strike a balance between (i) legitimate expectations of confidentiality and privacy and (ii) enabling legitimate uses of personal information for the greater good of society. This is no easy task, when one considers:
We each have our own views and expectations when it comes to our information: talking about how much you earn; discussing how you voted; your attitudes to CCTV and Streetview, your use (or not!) of social media. The law needs to cover all these different views.
Personal data gets everywhere – from the smallest company to the largest multi-national; public, private and third sectors; one person can now process millions of records; all departments might collect, use and store personal data. The law needs to cover all these different organisations and all their activities.
We all have some 'red lines' – for example, we expect our medical information to be kept private, or our financial details to be held securely. The law needs to ensure compliance and impose penalties for serious breaches in the right situations.
These provide the checks and balances on how personal information should be used; guidance on collecting, sharing and storing it; principles on maintaining the quality and security of it, and protection when personal information is sent overseas.
These seek to provide people with control over their personal information. The most used of these is the "right of access" – being able to see or have a copy of their information. Other rights include objecting to marketing and stopping processing that causes unjustified distress. Striking the right balance between openness and privacy can be difficult, but it is essential.
The Information Commissioner's Office (ICO) enforces the Data Protection Act. The ICO has the power to investigate organisations, take enforcement action, issue fines and prosecute offences. The ICO also has an advisory role, issuing advice, guidance and Codes of Practice.
First, there has to be a serious breach of a data protection principle. The majority of the fines have been in relation to breaches of Principle 7 – information security.
Next, the breach has to be likely to cause substantial financial damage or distress. The damage or distress does not have to be proven, and distress alone is sufficient.
Finally, you will be fined if you knew (or should have known) there was a risk of the breach occurring but failed to take reasonable steps to prevent it.
Most organisations handling personal information must notify the ICO. This is the process by which an organisation informs the ICO and the public about its processing of personal information; it ensures transparency about who is processing personal information and why.