The Data Protection Act 1998 (OCR A Level Computer Science)
Revision Note
Written by: Jennifer Page
Reviewed by: James Woodhouse
The Data Protection Act 1998
What is The Data Protection Act?
The Data Protection Act (DPA) is a law that protects personal data from being misused
Examples of personal data would include
Name
Address
Date of Birth
Race
Religion
Most people who store personal data have to follow the Data Protection Principles, although there are a few exemptions:
Domestic purposes – if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the DPA
Law enforcement – the Police investigating a crime are not subject to the DPA. E.g. if someone is suspected of a crime they can't request to see the evidence held about them
Intelligence services processing – personal data processed by the intelligence services (e.g. MI5) is not covered by the DPA
The Data Protection Principles
Principle | How does it affect a company? | Example |
---|---|---|
1. Personal data must be fairly and lawfully processed | A company has to be clear about what personal data they wish to collect and what they want to use it for. | A school can request personal data to be able to call guardians in an emergency. |
2. Personal data must be collected for specified and lawful purposes | A company cannot use personal data for any purpose other than what they stated originally. They also cannot pass this data on without permission. | A company asks for a phone number to call regarding delivery but then uses it to market new products. |
3. Personal data must be adequate, relevant and not excessive | A company cannot request personal data that they do not need right away. | A bank cannot ask for their customer's previous trips when opening an account. |
4. Personal data must be kept accurate and up to date | If a company holds personal data that is wrong or out of date then you have a right to have it corrected or deleted. | If a bank has a customer's old address then they will not be able to send up to date statements. |
5. Personal data will not be kept for longer than is necessary | A company must delete personal data once they no longer have a need for it. | If a customer closes their account the company must delete their data. |
6. Personal data must be processed in line with people's rights | If requested a company must provide a customer with all the personal data they hold on them. | A hospital has to give a patient’s full records if requested by the patient. |
7. Personal data must be held securely | A company is required to make sure that personal data they keep is secured (usernames and passwords) and is backed up to prevent accidental loss. | A company could make external backups on the cloud. |
8. Personal data must not be transferred to countries outside the European Economic Area unless those countries have similar data protection laws | A company cannot send personal data outside the European Economic Area unless the country in question has been deemed by the European Commission to provide a good level of protection of personal data. | A company cannot send its data to China because they are not deemed to have adequate Data Protection. |
Examiner Tips and Tricks
When you get a question asking you to explain the principles, make sure you explain them and not just state them.
Example: Personal data must be fairly and lawfully processed which means that companies must collect personal information with a lawful reason to have the data
OCR is also aware that the law is constantly changing, especially with regard to the DPA; therefore answers will be accepted that use an interpretation of the law based either on when the specification was set (2015) or on when the examination was sat.
E.g. you can include GDPR
Actions Companies Must Take
Companies can face extremely large fines if they are found to be in breach of the Data Protection Act
Companies must appoint a member of staff as their Data Controller. They will then be responsible for making sure that the principles of the Data Protection Act are not breached and for keeping in communication with the Information Commissioner
The company must put in place physical or digital security measures to prevent the data from being accessed without consent
The company should make sure that they train their staff to abide by the principles
Companies must send a copy of the subject's data if a Subject Access Request (SAR) is received. This copy must be sent securely after the company has verified the identity of the subject
Rights of an Individual Under the DPA
Under the Data Protection legislation, data subjects have the following rights with regards to their personal information:
To be informed about the collection and the use of their personal data
To access personal data and supplementary information
To have inaccurate personal data rectified, or completed if it is incomplete
To be forgotten in certain circumstances
To restrict processing in certain circumstances
To data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
To object to processing in certain circumstances
To be protected in relation to automated decision making and profiling
To withdraw consent at any time (where relevant)
To complain to the Information Commissioner
Case Study
British Airways fined £20m over GDPR Breach
“British Airways (BA) has been fined £20 million by the UK's data protection authority over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers.” – Pinsent Masons article
Things that British Airways could have done to prevent the breach:
Making sure that employees have multi-factor authentication on their logins
Using role-based access controls that allow different users to be assigned different permissions
Having a form of efficient and effective security monitoring
Regular penetration testing, and fixing any issues that are found promptly
These are all deemed good practice and would have likely either prevented the attack or enabled British Airways to spot the breach themselves as opposed to being told about it by a third party.