The Data Protection Act - Essay Example

The Data Protection Act, Private Security and the Rights of Individuals The Data Protection Act aims to accord greater protection to the rights of the individual, in respect of whom information is collected, accumulated, processed or supplied; in comparison to the rights organizations that utilize and control such data. Not only data in electronic form but also data in hard copies or paper records comes under the purview of this Act. This piece of legislation makes it necessary to implement relevant security measures to prevent unauthorized access to, modification, revelation or destruction of such information. The Data Protection Act 1988 created a new category of sensitive personal data with respect to individuals, which cannot be processed. It had provided a list of requirements that had to be met, in order to process this category of individual data. It prohibits sharing and transferring of personal data to countries outside of the European Union. Several security standards have been established to process personal data. Therefore accessing and processing individual data has been subjected to more stringent controls. The Data Protection Act 1988 had also provided substantial rights to individuals that permitted them to claim compensation for damage or distress caused by unlawful access and processing of their personal information. The sophistication of technology has widened the scope of processing data. Policy decisions are entirely dependent on technological parameters such as aptitude tests, psychometric analyses, and drug and genetic testing, scanning of application forms and Curriculum Vitae. Moreover, new software has been developed, which allows the user to interrupt and decode e-mails of individuals. In addition, there has been a widespread use of CCTV surveillance of individuals (Warren, 2002. Pg 446). The fundamental question that arises is whether the Data Protection Act 1998 provides positive measures for the regulation of private security and the protection of individuals’ rights. It is also an assumption that the Data Protection Act 1988 provides negative limitation for the effectiveness of security professionals, while protecting the assets and rights of individuals for whom they work. Although these assumptions seem to be correct, in practice the Act effectively provides adequate protection to individual’s rights and controls private security. The Act attempts to balance the interests of individuals and private security professionals’ work (The Data Protection Act 1998). The Data Protection Act 1998 integrates the European Data Protection Directive with the domestic legislation of the United Kingdom. This Act covers several areas of personal data and it recognises certain types of personal data as sensitive and intimate. The holders of personal information must obtain the clear and unambiguous consent of the individuals, while procuring such information from them. They are also required to obtain the consent of the individuals, prior to processing and sharing sensitive and intimate information (Janson-Smith, 2003). One of the most affected sectors by the Data Protection Act 1998 is the field of medical research. Medical research by its very nature collects sensitive information about patients, so as to provide adequate treatment. Medical research in the epidemiology of cancer requires vast amounts of vital information regarding the patients. This information is generally collected without obtaining the explicit consent of patients. The restrictions of the Act, in this field, would make it well nigh impossible to collect such crucial information (Janson-Smith, 2003). The Data Protection Act 1998 stipulates that all processing of personal and sensitive information must comply with the requirements of the Act. Appendix 1 of the Data Protection Act 1998 provides certain key principles of the Act. The salient rules of the Act require transparency, under which the individuals are expected to have clear and unambiguous knowledge with regard to the collection of the information from them; and the purpose for which such information is to be employed (Social Research Association, 2005). Under the principles of the Data Protection Act 1998, there should be fair and lawful processing of personal information. Such data processing must fulfil the conditions laid down in Schedule 24 of the Data Protection Act 1998. If the information is sensitive and intimate, its processing must fulfil one of the conditions as laid down in Schedule 35. The collection of personal information must be adequate and relevant for the purposes for which it is collected. There should not be any excessive collection of personal information (Social Research Association, 2005). The processed personal information must not be retained longer than the time required for processing and utilizing that data. The processing of personal data must be done in accordance with the rights provided by the Act to individuals. Safeguarding personal information is very important under this Act. These measures must protect the information from accidental loss, destruction or damage. Another significant feature of this Act is that the holders of personal information must not share this information with anyone outside the European Economic Area (Social Research Association, 2005). The Data Protection Act 1998 provides rights to individuals to access their medical records and claim compensation, in the event of any damage or misuse of their information. The Data Protection Act 1998 rescinded some parts of the Access to Health Records Act 1990, which dealt with the rights of individuals. Patients or solicitors on behalf of their patients, can now access their records (What the Data Protection Act really means for you, 2000). Data holding organisations have to take reasonable and appropriate measures in order to prevent data loss, unauthorised use of data or the unlawful processing of data. Those who store data are not permitted to disclose data for unauthorised purposes. Safeguarding measures are also to be aimed at preventing accidental data losses and wilful destruction or damage to data (Johnston, February 29, 2000). The Data Protection Act 1998 makes it mandatory for multinational corporations and other online companies to prevent data sharing with countries and territories that fall outside of the European Economic Area. It also requires companies to provide adequate security measures to data that is sent to other countries. The basic reason for this requirement is that information holding companies must consider the implications of the Act and act accordingly. Companies may require professional advice in this regard (Johnston, February 29, 2000). Data holding companies must consolidate the data and submit reports whenever required. Companies that deal with the direct marketing of information must obtain prior consent from the owners of such information, in order to utilize their personal details. Marketing databases must be periodically screened for compatibility with Mail Preference Service and Telephone Preference Service. The GB Information Management conducted a survey with two hundred large business organisations with regard to the DPA 1998. This study’s results revealed that a majority of these companies did not have adequate knowledge about the requirements of the Act. Most of the directors of these companies were unaware of the fact that they would be held personally liable for the maintenance of databases containing personal information (Johnston, February 29, 2000). The Information Commissioner imposed penalties on banks and construction societies for having disseminated the vital personal information of their customers; such as names, addresses, dates of birth and PIN’s. In one instance, a bank had shredded debit cards and credit cards and disposed them by placing them in unsecured dust bins, located outside their premises (Compliance Monitor, 1 October 2007). Although, the Financial Services Authority has not imposed any penal action on these organisations, the Information Commissioner’s Office had imposed such penalties. The ICO had awarded damages to the tune of £1.4 million to the Nationwide Building Society, for the loss of a laptop by their bankers, which had contained information regarding its customers. The society successfully claimed that this information had been highly protected and could be used for fraudulent purposes like identity theft. The ICO reduced the fine to £980,000. The FSA had established that the training arrangements of the Nationwide Building Society had been inadequate (Compliance Monitor, 1 October 2007). Data protection had been undermined by the Markets in Financial Instruments Directive of the EU. Mere data loss cannot be tantamount to a breach of the rules of the Data Protection Act and the Financial Services Authority. A majority of the victims of serious crimes are being deprived of help due to the stringent rules of the Data Protection Act (DATA LAW 'CUTS HELP TO VICTIMS OF CRIME', August 19, 2001. Pg. 14). The chief objective of this Act is to legalize data collection and processing. It does not promote data protection. It supports the interests of data handlers and data controllers. These information databases can be accessed by anyone by paying a fee. This could result in a number of crimes such as identity theft, economic fraud and benefit abuse. The DPA permits data controllers to collect and process irrelevant information and minute details of individuals (Lenoir, 2007). Individual privacy has been greatly influenced by the enactment and implementation of the Data Protection Act 1998 and the Human Rights Act 1998. While the Human Rights Act 1998 provided individuals with a legal right to individual privacy, through the right to privacy; the Data Protection Act 1998 had imposed several obligations on employees and employers, as well as individuals to be monitored and to comply with the provisions of the act (Warren, 2002. Pg 446). The holders of information have to maintain a filing system, in which they have to file their manual files. In this filing system they file only the relevant information regarding individuals. They have to realise that the filing system is a form of collection of information, and that while accessing the filing system, they are actually accessing the information of individuals and not the physical form of the filing system (Data Protection Act 1998: Legal Guidance). The Data Protection Act 1998 covers several aspects relating to the system of CCTV and the applicability of the Code of Practice. The provisions of the Act are identified as relevant to the various issues regarding the use of CCTV systems. The operators of CCTV systems and their representatives had developed some standards regarding the use and access to footage. The British Standards Institute had also established some standards in this area (Home Office). The British Security Industry Association or BSIA had submitted a report to the House of Lords select committee, in which it required the security industry to initiate measures to ensure proper protection of the privacy of the public. It maintained that the Close Circuit Television or CCTV could be an essential tool to prevent and detect crime. The use of CCTV instilled a sense of security among individuals; and the BSIA argued that the existing legislation should be reviewed, in order to determine, whether it properly addressed the protection of individuals’ privacy (Cadman, 2007). The role of CCTV had been widely discussed, in several debates across the nation. It is the primary duty of the security agencies to promote, on a widespread basis, the benefits provided by the use of CCTV surveillance; and the public has to be informed about the reduction in crime and related activities. These security agencies have also to appraise the public about the various measures, in place, which ensure the safeguarding of their privacy. The Chairman of the Constitution Committee, Lord Holme opined that the very nature and scope of surveillance and information collection had undergone a drastic change. There were nearly 4.2 million CCTV cameras installed in the United Kingdom (Cadman, 2007). The government introduced the NHS Spine and the ID card database, which enable the government to collect and process quite a bit of information relating to individuals. However, the effects of the newly introduced programmes on the constitutional principles have not been thoroughly examined by the government. The relation between the citizens and the State has been seriously affected and there is public apathy regarding the implementation of measures that affect the privacy of individuals (Cadman, 2007). Surveillance through closed circuit television has become an integral part of British life. The effectiveness of the surveillance by CCTVs is the subject matter of public debates across the UK. CCTV cameras have been installed in public areas, where the flow of public is heavy. Individuals are at risk of being caught on camera, while crossing a road, shopping or accessing bank services. Railways stations and airports have also been equipped with CCTV cameras. The legality of the CCTV surveillance in public areas is not a matter of control. Under this new Act, the Information Commissioner is empowered to issue Enforcement Notices in the event of any breach of the Data Protection provisions (Home Office). The Enforcement Notice provides for remedial action for violations, and ensures future compliance with the provisions of the Act, if so required by the Information Commissioner. The latter official will also ensure that the operators of the CCTV cameras and surveillance equipment act in accordance with the CCTV Code of Practice, guidelines. The Commissioner can initiate action against non – compliance with the legal obligations, set out in the Act, on the operators of the surveillance equipment. He can exercise his powers of imposing liability on the operators, in the event of any violation or infringement of the provisions of the Act (Home Office). There is public outcry against the use of CCTV surveillance in the UK, because many people argue that a significant number of the CCTV systems are illegal and infringe their privacy, without due cause. It has been contended that basic data protection is not followed by any business organisation in the UK. A mere five percent of the offices and buildings which were surveyed by Datpro had fulfilled the basic data protection requirements, laid down by the extant legislation. The Security Industry Authority or the SIA had begun licensing CCTV in Scotland, which would render a large number of CCTV surveillance systems illegal. Moreover, the evidence recorded by the non compliant CCTV monitoring systems would not be admitted in court (Vickers, 2007). The government of the United Kingdom is trying to install a large number of CCTV cameras, which could result in the largest number of CCTV’s per head in the world. This move could provoke human rights activists to protest against the government and its policies. These initiatives would repeal the constitutional spirit and the legal provisions of privacy in the UK. As such, the new laws do not respect basic rights; and the privacy of individuals could be seriously at stake. In addition to this, the operators of CCTV cameras are stating that individuals cannot obtain video recordings; and that only the police were authorized to request such footage. This is incorrect; and according to the Data Protection Act if the request of individuals is not properly handled, then such an act constitutes an offence (Vickers, 2007). The Information Commissioner can generate Codes of Practice and interpret the provisions of the Data Protection Act 1998, wherever necessary. It is believed that a code of practice is necessary for the widespread use of CCTV surveillance systems. Such a code will engender the smooth operation of video surveillance (Home Office). The irony is that the United Kingdom has the highest number of surveillance cameras than any other nation in the world. There had been widespread negotiations with biometric companies, with regard to the development of technology that could be used to search digital database to match images of suspected individuals with those of already known offenders (Bowcott, 2008). Nevertheless, it was established, on some occasions, that these entities had violated the requirements of the Act. In addition, data protection had been adversely affected by the European Union’s Markets in Financial Instruments Directive. Furthermore, this Act did not provide adequate protection to personal data, due to the failings of the data controllers. In conclusion it can be stated that the private security industry does not accord appreciable concern for the privacy of the citizens. On several occasions it was evident that the CCTV system was not following the norms set out in the Data Protection Act. In other words private security was negligibly affected by the Data protection Act. As such, the Data Protection Act 1998 neither protects the personal data of individuals, nor does it provide data controllers with adequate power to obtain crucial personal data, even if such data could prove helpful for other individuals’ medical needs. List of References Bowcott, O. (2008, May 06). CCTV boom failed to slash crime, say police. Retrieved May 11, 2008, from The Guardian: http://www.guardian.co.uk/uk/2008/may/06/ukcrime1 Cadman, E. (2007, December 12). BSIA: Security industry must reassure public on privacy. Retrieved May 11, 2008, from http://www.info4security.com/story.asp?sectioncode=16&storycode=4116486&c=1 Compliance Monitor. (1 October 2007). Double jeopardy - data protection. FINANCIAL SERVICES . DATA LAW 'CUTS HELP TO VICTIMS OF CRIME'. (August 19, 2001. Pg. 14). Sunday Mail . Data Protection Act 1998: Legal Guidance. (n.d.). Retrieved April 26, 2008, from http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf Home Office. (n.d.). Legal Compliance. Retrieved May 11, 2008, from http://www.crimereduction.homeoffice.gov.uk/cctv/cctvminisite30.htm Janson-Smith, D. (2003, May 12). The Data Protection Act 1998: Protecting people from the wrongful use of their personal information by others. Retrieved April 26, 2008, from http://genome.wellcome.ac.uk/doc_WTD021018.html Johnston, I. (February 29, 2000). Tough on fairness and accuracy. The Times (London) . Lenoir, A. (2007, November 17). Privacy and Data Protection Act 2007 (P&DPA07). Retrieved April 26, 2008, from http://www.bbc.co.uk/dna/actionnetwork/A4446038 Social Research Association. (2005, October). Data Protection Act 1998: Guidelines for social research. Retrieved April 26, 2008, from http://www.the-sra.org.uk/documents/pdfs/sra_data_protection.pdf The Data Protection Act 1998. (n.d.). Vickers, S. (2007, October 02). "Nearly all CCTV illegal”, expert claims. Retrieved May 11, 2008, from http://www.info4security.com/story.asp?sectioncode=9&storycode=4114943&c=1 Warren, A. (2002. Pg 446). Right to privacy? The protection of personal data in UK public organizations. New Library World. London , Vol 103, issues 11/12. What the Data Protection Act really means for you. (2000, September 23). Pulse , p. 29. Read More