Using The Law To Protect Your Personal Data
One simple fact of modern life is that many people have information about us. Your personal data is stored in hundreds of places. In some instances, as with medical records, that might be a good thing. But it can also be worrying - if, say, the information is incorrect or out of date.
However, there are steps you can take to protect your information.
Using The Data Protection Act To Protect Personal DataWhen the Data Protection Act came into force in 2000, it laid down rules for processing personal data which apply both to records on computer and on paper. Under the Act, anyone handling personal data has to comply with "the rules of good information handling practice" - in other words, they need to be very careful.
The Information Commissioner is the person who has to enforce the Data Protection Act. However, his powers for data protection are extremely limited, since failure to comply with the Act, bizarrely, isn't a criminal offence. This means he can't award compensation. All he can do is decide whether compliance with the Data Protection Act is "likely or unlikely" - which doesn't help you much.If you end up taking someone to court regarding personal data on you, any decision the Commissioner has given isn't binding on the judge.
Your Rights Regarding Personal DataUnder the law, you have very definite rights of data protection regarding data stored about you. According to the statute, personal data must be processed in a "lawful manner" and only used "for limited purposes." Everything must be accurate and relevant, and it shouldn't be kept any longer than necessary. Additionally, personal data should be kept securely, and not transferred to countries where it can't be adequately protected.
You have the right to see data on yourself. If you believe an organisation is holding data on you, you can write to them and request it under the "right of subject access." In some cases, such as work performance or creditworthiness, where decisions are made about you by computers, and you have the right to be told about the logic behind this - quote section 7(1) [d] in your request.
To obtain your credit file, you need to contact the credit reference agencies. For a fee of £2, they'll supply it to you.
Always send your requests for information by recorded delivery, and keep a copy of your correspondence. You might be asked to give more details to confirm your identity, and you might have also to pay a fee, although this shouldn't be over £10.
Once you've made your request, the organisation has 40 days to reply. Normally, you'll be able see all the personal data the organisation has on you, although there are a few exceptions. If there's no response in 40 days, write once more, again using recorded delivery. If there's still no reply, contact the Data Protection Helpline.
Your personal data shouldn't be used to market you with "products, services or ideas." If the data about you is wrong, under the Data Protection Act you can demand it's changed or destroyed.
Stopping People Processing Your Personal DataThe tricky wording under the Data Protection Act means that you can only take steps to prevent your data being processed if it might cause you or someone else "substantial damage or distress which is unwarranted." That data protection excludes a number of legal situations, or if you've given your consent to the data processing (which you can withdraw at any time), or where it's necessary - if you're entering into a contract, for example.
If you believe the data processing falls outside these parameters, and will cause more than just annoyance, you can to send the organisation a "data subject notice," demanding they stop. You'll need to give proof of identity, explain what data you're referring to and how it's harming you. Use recorded delivery as proof that you sent it. Legally, the organisation has 21 days to respond in writing.
That reply must say they've either complied with your request, or intend to, and to what degree. If there's no answer, write again, and if there's still no reply, contact the Information Commissioner (www.ico.org.uk). You can also pursue the matter through the courts.