global insurance management

Data Protection

Apr 09 2014

Data Protection

Reason for issue:         Update and reminder.

Action required:           Read and ensure your CPD record in your Training Log is updated.

Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business.

Legislation concerning Data Protection

The main current and relevant legislation in the UK is The Data Protection Act 1998 (DPA) but there is also the Freedom of Information Act 2000 (FOIA), covering public sector bodies.  The DPA is what was used in the UK to implement the European Data Protection Directive.

The DPA is based around eight principles of ‘good information handling’. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

If a firm holds information about individuals either on computer or in certain types of filing system it may be holding ‘personal data’.  Broadly speaking the DPA covers four types of information (referred to as ‘data’ in the Act):

i)    information processed, or intended to be processed, wholly or partly by automatic means;

  • information in electronic form usually on computer;

ii)    information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’;

  • usually paper records in a filing system

iii)   information that forms part of an ‘accessible record’;

  • certain health records, educational records and certain local authority housing or social services records, regardless of whether the information is processed automatically or is held in a relevant filing system; and

iv)   information held by a public authority.

Data Protection Principles

The 8 principles state that personal information must be:

1)     fairly and lawfully processed;

2)     processed for specified purposes;

3)     adequate, relevant and not excessive;

4)     accurate and, where necessary, kept up to date;

5)     not kept for longer than is necessary;

6)     processed in line with the rights of the individual;

7)     kept secure; and

8)     not transferred to countries outside the European Economic Area (EEA) unless the information is adequately protected.

What is Personal Data?

The DPA defines personal data as;

"Data which relate to a living individual who can be identified;

a)     from those data, or

b)    from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."

What is Sensitive Personal Data?

The DPA makes special reference to information defined as "sensitive personal data" which refers specifically to information such as;

a)     the racial or ethnic origin of the data subject,

b)    their political opinions,

c)     their religious beliefs or other beliefs of a similar nature,

d)    whether they are a member of a trade union,

e)     their physical or mental health or condition,

f)     their sexual life,

g)    the commission or alleged commission by them of any offence, or

h)     any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

What is a Data Subject?

This is an individual who is the subject of personal data.  In other words, the data subject is the individual whom particular personal data is about. The DPA does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.

What is a Data Controller?

This means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

A data controller must be a “person” recognised in law, that is to say:

  • individuals;
  • organisations; and
  • other corporate and unincorporated bodies of persons.

Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.  Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller.

Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act.  Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.

Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor.

What is a Data Processor?

In relation to personal data, it means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data processors are not directly subject to the Act.  However, most data processors, if not all, will be data controllers in their own right for the processing they do for their own administrative purposes, such as employee administration or sales.

What is a Subject Access Request?

Subject access is one of the main rights of the DPA. It gives people the right to access their personal information.

An individual can ask a firm to tell them about any personal information they hold about them, and to provide them with a copy of that information.  In most cases the firm must respond to such a request within 40 calendar days of receiving it.  A fee can be charged for dealing with the request and need not be answered until the fee is received. The maximum fee chargeable is currently £10.

The Information Commissioner’s Office (ICO)

An Information Commissioner is appointed by the Queen and is responsible for administering the provisions of both the DPA and the FOIA.

The Information Commissioner’s Office is the UK’s independent authority set up to:

  • uphold information rights in the public interest;
  • promote openness by public bodies; and
  • ensure data privacy for individuals.

The ICO will rule on eligible complaints, give guidance to individuals and organisations and take appropriate action when the law is broken.

The Public Register

Under the DPA every organisation (the data controller) that processes personal information (personal data) must notify the ICO, unless they are exempt.  Failure to notify is a criminal offence.

Data controllers are required to inform the ICO of certain details about their processing of personal information and the ICO then uses these details to make an entry describing the processing in a register, which is available to the public for inspection (i.e. on the ICO website

The main purpose of notification and the public register is to promote openness in the use of personal information.

What are the consequences of non-compliance?

The Commissioner has been given extensive powers of enforcement:

  • The ICO can serve a data controller with an 'information notice' requiring the data controller to provide certain information within set time limits. Failure to comply with such notice, or providing deliberately false information, is a criminal offence.
  • If the ICO concludes that there has been a breach of the Act, a data controller may be served with an 'enforcement notice'. This could force a data controller to cease processing personal data, or cease processing data in a particular way. Failure to comply with an enforcement notice is a criminal offence.

Criminal liability does not lie just with the data controller:

  • It is possible for officers of a company, such as its directors or managers, to be personally criminally liable if the offence has been committed with their consent, connivance or neglect.
  • Employees may also incur criminal liability in certain limited circumstances if they disclose or obtain personal data without authority of the data subject controller.


The increasing use of information technology and the internet ensures that data protection remains one of the most important and relevant laws that businesses are required to comply with.  All organisations must keep under regular review how they collect, store and use personal data and ask themselves whether they comply with the DPA.

Back to news

Global News Archive

We are now part of the AXA Group Click here

Generation 3 Ceramic  Click here

Cutting edge, Market Leading Software from our Solutions company. Click here