Quick Guide through the Data Protection Act

What is Data Protection all about?
The Data Protection Act (DPA) aims to promote high standards in the handling of personal information, thereby protecting the individual's right to privacy. The DPA applies to anyone holding information about living individuals in electronic format and, in some cases, in physical/manual form. The holders/controllers of this type of data must follow the Data Protection Principles below. These Principles require that personal information must be:
- Fairly and lawfully processed;
- Processed in accordance with good practice;
- Collected for specific, explicitly stated and legitimate purposes;
- Not processed for any purpose that is incompatible with that for which the information is collected;
- Data processed is adequate, relevant and not excessive;
- The data processed is correct and, if necessary, up to date;
- No more personal data is processed than necessary having regard to the purpose of the processing;
- All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which it is processed; and
- Personal data is not kept for a longer period than is necessary, having regard to the purposes for which it is processed.

Why should one comply with the DPA?
First of all, one should comply with the DPA because it is a legal requirement. However, it also makes organisational and business sense. For example:
- Sending out mail to an address taken from incorrect or out-of-date records could not only annoy your recipients but also waste your time and money;
- Good information handling can enhance the organisation's reputation by increasing customer, donor and employee confidence;
- Good information handling should also reduce the risk of a complaint being made against the organisation.
Furthermore, if data is not processed in line with the data protection requirements, and an individual suffers damage as a result, then that individual may also seek compensation for the damage proved to have been suffered.

What happens if one does not comply?
Your organisation's reputation and finances may be affected. The Commissioner for Data Protection could also take enforcement action against you to bring your process into compliance with the principles. An individual may also seek compensation through the courts for any damage proved to have been suffered.

What does one actually have to do?
Essentially, one needs to ensure that all staff are aware of and comply with the data protection principles. These principles are central to the DPA and everyone who handles personal data is bound to abide by them.

What if someone asks for details of information held about them?
Individuals have a right under the DPA to have a copy of the information held about them. This is known as the right of subjects to access. If you receive a data subject access request then you must deal with it without excessive delay and at no cost to the individual requesting such information.

A quick "How to comply Check List"
This short check list will help achieve compliance with the DPA. Being able to answer "yes" to every question does not guarantee compliance, and you may need further advice in particular areas, but it indicates that, broadly speaking, you are heading in the right direction. Remember that the personal information you hold might belong to clients, customers or suppliers as well as employees, associates and/or collaborators. All types of personal information are covered by the DPA.
- Do I really need this information about an individual? Do I know what I am going to use it for?
- Do the people whose information I hold know that I have it, and are they likely to understand what it will be used for? Would any of them be surprised at what I am doing with their personal information?
- If I am asked to pass personal information on, am I sure that it is all right to do so under the DPA? Do my staff know when they can pass personal information on?
- Am I satisfied that personal information is being held securely, whether it is manually and/or electronically stored? And what about my website? Is it secure?
- Am I sure that personal information is accurate and up to date?
- Do I delete/destroy personal information as soon as I have no more need for it?
- Is access to personal information limited only to those with a strict need to know? Have I thought about who's actually going to be able to see the personal information, especially if I am planning to put it on the website?
- If I use CCTV, is it covered by the DPA? If so, have I got notices up telling people why I have CCTV? Are the cameras in the right place, or do they intrude on anyone's privacy?
- If I need to monitor staff, for example use of email, internet and telephone, have I told them about this and given them the reason why?
- Have I trained my staff in their duties and responsibilities under the DPA, and are they putting them into practice?
- Have I got a policy for dealing with data protection issues?
- Do I need to notify the Commissioner for Data Protection?
- If I have already notified, is my notification up to date or does it need removing or amending?

Disclaimer
This guide is intended to make you think about the direction your organisation must be heading in terms of Data Protection. One should not rely solely on this guide to ensure that one's organisation is in compliance with the Data Protection Act. We would recommend you take advice on the matter, especially if you might have particular circumstances.

The information contained in this document is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. The information is provided with the understanding that the authors and publishers are not herein engaged in rendering any professional advice or services. As such, it should not be used as a substitute for advice. While Erremme Options Limited makes every reasonable attempt to ensure that the information contained in this document has been obtained from reliable sources and to maintain the accuracy of the information, Erremme Options Limited cannot accept responsibility for any prejudice, loss or damage which may occur from use of the information. All information in this document is provided with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to, warranties of performance and fitness for a particular purpose. Nothing herein shall to any extent substitute for the independent investigations and the sound judgment of the reader. Laws and regulations are continually changing, and can be interpreted only in light of particular factual situations.