Data Protection Act 1998
The Date Protection Act 1998 (DPA) gives an individual the right to obtain a copy of any personal information held about him/her (subject to access), and imposes responsibilities upon those who collect and process personal information. If someone requests information about himself, this should be handled as a subject access request under the DPA. The exemption in the Freedom of Information (or FOI) Act, which relates to information requested by the subject, simply means that the decision whether or not to release the information must be decided in accordance with the provisions of the DPA, and not the FOI Act.
The Data Protection Act sets out eight data protection principles which are key to achieving compliance with the legislation. They are:
- Personal data shall be processed fairly and lawfully. (Often this will require the consent of the data subject, but there are exceptions to this. In the case of "sensitive personal data", special rules apply and these are set out in Schedule 3 to the Act.);
- Personal data shall be obtained only for one or more specified and lawful purposes;
- Personal data processed shall be adequate, relevant and not excessive;
- Personal data shall be accurate and, where necessary, up to date;
- Personal data processed shall not be kept for longer than is necessary for the relevant purpose;
- Personal data shall be processed in accordance with the rights of data subjects under the Act;
Appropriate technical and organisation measures shall be taken against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data;
Personal data shall not be transferred to a country outside the European Economic area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Parish councils are "data controllers" as defined by the Data Protection Act 1998 and therefore have obligations for processing the data held in relation to any living individual.
Applications for personal information under the Data Protection Act 1998 should be addressed to the Clerk.