The increasing trend to store vast quantities of such data has worried many people. Some of their concerns are:
Who will be able to access this data? Will information about me be available over the Internet, and therefore vulnerable to hackers? Can my records be sold on to someone else?
Is the data accurate? If it is stored, processed and transmitted by computer, who will check that it is accurate? People often think it must be true if 'it says so on the computer'.
Will the data be sold on to another company? For example, could my health records be sold to a company where I have applied for a job? Could my personal details, collected by my employer, be used by a commercial company for targeting junk mail?
Will data about me be stored even if it is not needed?
In order to address these concerns, the Data Protection Act (1998) was passed.
There are certain terms that you must know for your exam. You may be asked to explain what they mean. They are:
Data Subject
Data User
Data Controller
Data Commissioner
Data Subject
This is the person that the data is being collected from or stored about. This could be you!
Data User
This is any person who needs to access or use the data as part of their job. This could be a secretary who needs to look up your address so that they can send a letter home, it could be a personnel officer who needs to know the medical history of an employee who regularly takes time off sick.
Data Controller
This is often the person in charge of the organisation - but it doesn't necessarily have to be. This person decides what data the organisation needs to collect and what it will be used for. This is the person who must apply for permission to collect and store data in the first place.
Data Commissioner
This is the person who enforces the Data Protection Act. This is the person that organisations need to apply to in order to gain permission to collect and store personal data.
Personal Data
Personal data covers both facts and opinions about a living individual. Facts would include name, address, date of birth, marital status or current bank balance. Results in examinations, details of driving offences, record of medications prescribed and financial credit rating are further examples of facts that could relate to an individual. Personal opinions such as political or religious views are also deemed to be personal data.
Data Controllers must ensure that their organisation follows the eight principles of the Data Protection Act when dealing with personal data.
It is unlikely that you will be asked to know all 8 principles by heart, but you must have an understanding of them and be able to discuss at least three of four of them.
1 Personal data should be obtained and processed fairly and lawfully.
This means that you should be told that data is being collected about you, and you should know what the data will be used for.
2 Personal data can be held only for specified and lawful purposes.
The Data Controller has to state why they want to collect and store information when they apply for permission to be able to do so. If they use the data they have collected for other purposes, they are breaking the law.
3 Personal data should be adequate, relevant and not excessive for the required purpose.
Organisations should only collect the data that they need and no more. Your school needs to know your parent's phone number in case they need to contact them in an emergency. However, they do not need to know what your grandmother's name is, nor do they need to know your eye co lour. They should not ask, nor should they store such details since this would be excessive and would not be required to help with your education.
4 The personal data should be accurate and kept up-to-date.
Companies should do their best to make sure that they do not record the wrong facts about a data subject. Your school probably asks your parents to check a form once a year to make sure that the phone number and address on the school system is still correct.
If a person asks for the information to be changed, the company should comply if it can be proved that the information is indeed incorrect.
5 The personal data should not be kept for longer than is necessary for the purpose for which it is collected.
Organisations should only keep personal data for a reasonable length of time. Hospitals might need to keep patient records for 25 years or more, that is acceptable since they may need that information to treat an illness later on. However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.
6 Data must be processed in accordance with the rights of the data subjects.
People have the right to inspect the information held on them (except in certain circumstance - see later). If the data being held on them is incorrect, they have the right to have it changed.
7 Appropriate security measures must be taken against unauthorised access.
This means information has to be kept safe from hackers and employees who don't have rights to see it. Data must also be safeguarded against accidental loss.
8 Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection.
This means that if a company wishes to share data with an organisation in a different country, that country must have similar laws to our Data Protection Act in place.
No comments:
Post a Comment