One of the key provisions of the Data Protection Act 1998 is that personal information must be used fairly and lawfully. You should tell individuals what you will use their personal information for, and make sure that your use of personal information does not break any other laws. When you obtain personal information, you must tell individuals:
» the name of your business or organisation
» what you use their information for
» any other information needed to make your use of their personal information fair.
You should also tell the individual that they have a right to access their information and have it corrected if it is factually inaccurate. You should explain any ways you may use the information that they might not expect. For example, you should tell them if you may pass the information to other organisations, or if it might be put on file at credit reference agencies.
Similarly, you should not use personal information for a reason an individual would not expect. This means that if you told an individual you would only send them direct marketing about your own products and services, you could not then pass that individual's details to another organisation. However, if - for example - someone booked a holiday through your business, it would be acceptable to send them a brochure about similar holidays the following year - unless they had asked you not to send them future marketing material.
Authorised information disclosures
Generally, you cannot pass information about an individual to another business or organisation unless you have asked for - and they have given - their consent. However, there are exceptions to this. If the police ask you for information about someone, you can give it without telling the individual, provided that telling them would be likely to obstruct the investigation or prevent a crime from being stopped. Disclosures can also be made if they are necessary for a court case or to obtain legal advice, for example, in connection with an employment tribunal.
Individuals' rights under the Data Protection Act 1998
The Data Protection Act 1998 gives individuals certain rights in relation to the use of their personal data. These rights are as follows:
» The right of subject access - gives people the right to obtain information held about themselves. See the page in this guide on personal information access rights.
» The right to prevent direct marketing - individuals can ask you at any time not to use their personal information for direct marketing purposes. They need to make their request in writing and you must act on it in a reasonable period of time. In most cases, this should be within 28 days.
» The right to have personal information corrected - an individual has the right to have incorrect or misleading personal information held about them corrected. If you don't do this, they could obtain a court order directing you to correct, delete, block or destroy the information. If this happens, it will be up to the court to decide if the information is inaccurate and what (if anything) to do about it. The individual may also ask the court for compensation and costs.
» The right to prevent automated decisions - this allows individuals to stop important decisions about them being made by solely automated means - for example, decisions made only by a computer. This can include recruitment decisions made solely on the basis of psychometric testing. There are some automated decisions which, under certain circumstances, are exempt from this right. A sensible course of action is to allow the individual the right to appeal a decision taken in this way.
Personal information access rights
The Data Protection Act 1998 gives individuals the right to access the personal information you process about them. Individuals have the right to:
» know whether you, or someone else on your behalf, is processing personal information about them
» know what information is being processed, why it is being processed and who it may be disclosed to
» receive a copy of the personal information about them
» know about the sources of the information.
To obtain access to personal information held about them, an individual must send either a written or electronic request - known as a subject access request (SAR). The SAR doesn't have to refer to the Act but should make it clear that it is a formal request from the individual and not just an everyday enquiry. You can charge a fee of up to £10 to provide the information requested.
If you are not sure about the identity of an individual requesting information, you can ask for proof. This could be an official document - eg a council tax bill, driving licence or passport. You can request additional information that you might need to respond to the SAR. For example, if an individual has requested emails you could ask when the emails were sent, or for the senders or recipients of the emails.
Conditions for responding to a SAR
You must respond to a SAR no later than 40 days after receiving it. The 40-day period does not start until you receive any additional information you need. You don't need to supply the information until after you receive any fee payable. You must provide the information requested in a permanent format - such as a computer printout, letter or form - unless:
» the individual agrees otherwise
» it is not possible to supply such a copy
» it will involve 'disproportionate effort'
If this is the case, you must still provide access to the information in another way. You must also ensure that the information can be understood. For example, if there are any codes used, you should explain what they mean.