There are eight DPA Principles
There are eight principles of good information handling outlined in the act that state that data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
Personal data is becoming increasingly valuable and the collectors and users of data have responsibilities under the act, such as asking a subject’s permission to use the data.
The SVA only keeps sufficient information to allow us to register your business, the key contact and contact details such as email, telephone or mobile number. These details are never shared with anyone outside of the association; however, as an association member, it is important we network all members to each other and our Founder Partners. Once signed up, your business details will be displayed on the site and available to visitors to the site to see and access. The SVA will never knowingly share your contact information with outside third parties not linked to the SVA, and we will never sell or re-sell your information. By joining the SVA you agree to allow the platform to display your business and/or contact details to other members and visitors to the site.
There are three groups referred to in the act:
- Data Subjects
- Data Users
- Data Controller
"Data subject" is the term used to describe individuals about whom data is held, i.e. everyone. Under the act, data subjects have certain rights which include:
- To know if data is held about them on a computer system and be able to get a copy and description of that data
- To know the purpose(s) for which the data is being processed and who is going to receive the data
- To inspect such data and to have it changed if it is incorrect
- To ask for compensation if the data held is inaccurate or if unauthorised people have been given access to it
- To prevent the processing of data that is likely to cause damage or distress
- To make sure that decisions made against them are not made only on the basis of automatic processing
To apply for one or all of these rights, a data subject is required to pay a single administration fee. Once this payment is processed, the data subject can apply to the Data Protection Commissioner to prevent the processing of data, to correct it or even to delete it.
A data user is defined as a person who makes use of personal information for a certain purpose. When carrying out their work, a data user must abide by the DPA, and make sure that the data used is:
- Accurate and up-to-date
- Relevant and not excessive in relation to the specified purpose
- Held and used only for the specified purpose
- Used only with the data subject's consent and processed in line with the rights of the data subject
- Adequate for the specified purpose
- Protected by adequate security, e.g. passwords
- Only shared with countries that have appropriate DPA legislation
An example of a user would be a college lecturer.
A data controller is classified as the person or persons in an organisation in charge of the collection and use of personal data.
The act specifies that the data controller must do the following:
- Correctly and accurately complete the registry for the Data Protection Commissioner
- Apply to the Data Protection Commissioner for permission to keep the personal data
- Specify what data needs to be kept, the purpose it will be used for and who will have access to it
The DPA allows data subjects to find out the information held about them, whether this is held electronically or on paper. For information or to reach out to us:
Contact: Martyn Raybould MD ICO: ZA769071
DD: 01243 264056