How to comply with the Data Protection Act of 1998

What are the key things I have to do to comply with the Data Protection Act of 1998?

There are a number of basic requirements for the U.K. Data Protection Act of 1998 and some are extremely demanding. As a minimum, every organization that is going to process personal data (and this means any data relating to a living human being, not to an organization) must register with the Information Commissioner (www.ico.gov.uk) and describe, in the registration, what the purpose of processing this data is. It must be a permitted purpose. Registration is annually renewable and, once registered, you must comply with the purposes for which you've registered. That's the easy bit. The more complex bit is, in essence, that you must comply with the eight principles of the Data Protection Act. The eight principles are that personal information must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

The ICO has comprehensive information (http://www.ico.gov.uk/for_organisations.aspx) and the BSI Data Protection Guide provides comprehensive guidance.

    This was first published in January 2008