Using the Law to Protect Your Information

One simple fact of modern life is that many people have information about us. Your personal data is stored in hundreds of places. In some instances, as with medical records, that might be a good thing. But it can also be worrying - if, say, the information is incorrect or out of date.

However, there are steps you can take to protect your information.

Data Protection Act

When the Data Protection Act came into force in 2000, it laid down rules for processing personal data which apply both to records on computer and on paper. Under the Act, anyone handling data has to comply with "the rules of good information handling practice" - in other words, they need to be very careful.

The Information Commissioner is the person who has to enforce the act. However, his powers are extremely limited, since failure to comply with the Act, bizarrely, isn't a criminal offence. This means he can't award compensation. All he can do is decide whether compliance with the Act is "likely or unlikely" - which doesn't help you much. If you end up taking someone to court regarding information on you, any decision the Commissioner has given isn't binding on the judge.

Your Rights

Under the law, you have very definite rights regarding information stored about you. According to the statute, it must be processed in a "lawful manner" and only used "for limited purposes." Everything must be accurate and relevant, and it shouldn't be kept any longer than necessary. Additionally, it should be kept securely, and not transferred to countries where it can't be adequately protected.

You have the right to see information on yourself. If you believe an organisation is holding information on you, you can write to them and request it under the "right of subject access." In some cases, such as work performance or creditworthiness, decisions are made about you by computers, and you have the right to be told about the logic behind this - quote section 7(1) [d] in your request.

To obtain your credit file, you need to contact the credit reference agencies. For a fee of £2, they'll supply it to you.

Always send your requests for information by recorded delivery, and keep a copy of your correspondence. You might be asked to give more details to confirm your identity, and you might have also to pay a fee, although this shouldn't be over £10.

Once you've made your request, the organisation has 40 days to reply. Normally, you'll be able see all the information the organisation has on you, although there are a few exceptions. If there's no response in 40 days, write once more, again using recorded delivery. If there's still no reply, contact the Data Protection Helpline.

Your data shouldn't be used to market you with "products, services or ideas." If the information about you is wrong, you can demand it's changed or destroyed.

Stopping People Processing Your Information

The tricky wording under the Act means that you can only take steps to prevent your information being processed if it might cause you or someone else "substantial damage or distress which is unwarranted." That excludes a number of legal situations, or if you've given your consent to the information processing (which you can withdraw at any time), or where it's necessary - if you're entering into a contract, for example.

If you believe the processing falls outside these parameters, and will cause more than just annoyance, you can to send the organisation a "data subject notice," demanding they stop. You'll need to give proof of identity, explain what data you're referring to and how it's harming you. Use recorded delivery as proof that you sent it. Legally, the organisation has 21 days to respond in writing.

That reply must say they've either complied with your request, or intend to, and to what degree. If there's no answer, write again, and if there's still no reply, contact the Information Commissioner (www.informationcommissioner.gov.uk). You can also pursue the matter through the courts.