Data protection act

What is the Data Protection Act 1998?

Data Protection is about protecting us as individuals by using the law to protect our information, it is also about recognising data as a valuable asset and safeguarding that asset.

The Data Protection Act 1998 regulates the processing of information relating to individuals. This includes obtaining, holding, using or disclosing such information. It covers manual filing systems and records as well as computerised ones, card indexes and microfiche.

Bristol City Council employees, members and agents may find themselves, at times, in possession of personal information about colleagues, members of the public, suppliers and clients.  All such information whether held on manual or automated systems is confidential and must be treated with care.

Bristol City Council has established a Data Protection Policy, which reflects the requirements of the Data Protection Act.  All employees must comply fully with this policy, the Act and other relevant legislation.

Requirements of the Act

Notification
Before you set up a new filing system or computer database that will contain personal data (eg. name and address) you should check that it will be legal to do so and then contact your Data Protection Officer who will amend the current Data Protection Register entry. The completed alteration forms are sent to the Information Commissioner who has 42 days in which to decide if your application is acceptable.

The notification process to gain an entry on the Data Protection Register for Bristol City Council is managed by Heléna Ashton, Data Protection Officer, foi@bristol.gov.uk

Subject Access
The ‘right of subject access' allows an individual to have access to information held on computer or manual files and to be supplied with a copy of any personal data held and where appropriate to have it corrected or deleted.

Subject access requests should be referred to the Council’s Data Protection Officer immediately to ensure they are dealt with appropriately.

Compensation An individual who suffers damage or distress as the result of any contravention of the requirements of the Act can seek compensation through the Courts

Direct Marketing An individual has the right to prevent personal data being used for direct marketing.

Disclosure of Personal Data
Disclosure is the passing of personal information to another individual or organisation.

The Council recognises that personal information is confidential and that unauthorised disclosure is a criminal offence under the Act.

Disclosures may only be made in accordance with the Principles when:

• the permission of the data subject has been given.
• the disclosure is by order of a Court, or a statutory duty.
• the disclosure, within the organisation , is for the registered purposes of that organisation.
• the persons to whom the disclosure is made is described in the disclosure section of the data user's register entry.

It is an offence to use deception to obtain personal information to which you are not entitled.

Security
In accordance with the Act, data must be kept secure.

All employees must comply with the standards specified in the Council's Information Security Policy.

Bristol City Council collects, holds and uses information that is both confidential and valuable to the Council in the carrying out of its business. Such information and the computer systems that store, process and transmit it must be adequately protected against any activity that could affect authorised and lawful use.

The standards of information security to be applied throughout the Council irrespective of the differing computer systems in use, are defined in this Information Security Policy. Current legislation relating to the use of information systems is listed in Appendix A.

All forms of electronic information exchange are covered by this policy.

The Principles

Data users must comply with the eight Data Protection Principles of good practice, which underpin the Act.

1. Personal data shall be processed fairly and lawfully and shall not be processed unless specific conditions are met.
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For further information about Data Protection, please contact:

The Office of the Information Commissioner
Wycliffe House, Water Lane. Wilmslow,
Cheshire, SK9 5AF

Telephone : 01625-545 745