Data Protection and Data Protection Act (DPA) Compliance
As more information is stored and processed electronically, the risk of hacking, information security breaches and data loss grows with it. It has never been more important for businesses to protect their critical information assets.
In the UK, all organisations that hold or process personal data must comply with the requirements of the Data Protection Act 1998 (DPA). This page provides information about data protection and compliance with the DPA, and provides links to information on global data protection legislation.
Video: the relationship between data protection law and information systems
This video features IT Governance’s CEO Alan Calder speaking at the Privacy Laws & Business 23rd Annual International Conference about the relationship between data protection law and information systems.
The Data Protection Act 1998 (DPA) applies to all organisations in the UK that handle personal data. It mandates certain rights for people who have their personal data processed, stored, or transmitted, and sets out responsibilities for organisations that process, store or transmit personal data.
Schedule 1 of the Act sets out eight data protection principles with which organisations must comply. These state that personal data must be:
Processed fairly and lawfully.
Obtained only for specified and lawful purposes, and not further processed in any manner incompatible with those purposes.
Adequate, relevant and not excessive.
Accurate and, where necessary, kept up to date.
Not kept for longer than is necessary.
Processed in accordance with the rights of data subjects.
Protected by appropriate technical and organisational security measures.
Not transferred outside the European Economic Area (EEA) unless the destination ensures an adequate level of protection.
Organisations that hold or process personal data must notify the Information Commissioner’s Office (ICO), and if found to be in breach of the Act can be fined up to £500,000 by the ICO.
This may at first seem a stringent set of demands to make of every organisation, especially those operating on a small scale, but a rigorous approach to data protection often benefits data controllers as much as data subjects. Procedural changes brought in to comply with the DPA can also bring other efficiencies to an organisation. So where should you start?
The ICO has published guidance on privacy impact assessments (PIAs), which you can use to determine the extent of your organisation’s impact on privacy. The DPA does not specify a particular standard to help your organisation achieve compliance with its requirements, but you may find that a best-practice approach provides the easiest route to compliance. Several relevant standards are available:
BS 10012:2009 is the British standard that specifies the requirements for a personal information management system (PIMS), which provides an infrastructure for, inter alia, maintaining and improving compliance with the DPA.
ISO 27001 is the international standard that specifies the requirements for an information security management system (ISMS), which is designed to protect the confidentiality, integrity and availability of the information you hold.
ISO 22301 is the international standard for business continuity management systems (BCMS); certification to it demonstrates that your organisation is prepared for unplanned disruption of whatever kind, including data breaches.
In the UK, the Data Protection Act, the Human Rights Act, the Regulation of Investigatory Powers Act and various telecommunications, distance selling and anti-spam measures combine to make compliance a significant challenge for all organisations. In addition to the DPA, public authorities are also obliged to comply with the Freedom of Information Act 2000.
Around the world, data protection and privacy legislation is an increasingly important part of overall IT governance. It is in this field in particular that new laws emerge on a regular basis. Many of them overlap with, or contradict, existing laws, and they rarely come with detailed regulatory implementation guidance or meaningful case law.
The British standard BS 10012 for personal information management systems (PIMS) provides guidance on tackling this problem. Because it takes a best-practice approach to the management of personal information, a PIMS built to BS 10012 allows an organisation to comply quickly with existing Acts (including the DPA) and to adapt as new laws appear.