The Data Protection Act was implemented to protect the privacy of living individuals who could be identified from the data, or from a combination of data held by the data controller. This also includes any opinions expressed about the individual.
When collecting data, the data controller must tell the individual who they are and what the information is going to be used for, and must ensure that they do not collect more information than is necessary.
The data must be kept securely and not kept for longer than it’s needed. It must also be kept up to date and accurate. Individuals have the right to access their data at any time. Companies may charge a fee for this, but they must respond within the timeframe set out by their particular contract.
The act contains eight “Data Protection Principles”. These specify that personal data must be:
1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the “data subject’s” (the individual’s) rights.
7. Securely kept.
8. Not transferred to any other country without adequate protection in situ.
This has an impact on businesses because they must ensure anyone involved in collecting or accessing personal data is fully aware of the relevant laws and legislation, and those people must be monitored to ensure the Act is being followed. If the Data Protection Act is breached in any way, the Information Commissioner’s Office has the power to issue fines of up to £500,000 to small businesses. For many start-up companies this would be devastating.
There are certain circumstances where the Data Protection Act does not apply:
A business is only holding information which pertains to the internal workings of the company, such as payroll, advertising, marketing and other PR-related activities.
The organisation is not for profit.
The data is only processed for the purpose of personal, family or household affairs.
The data is only used to maintain a public register.
No computers are used to process the data.
If users do not give consent because they do not fully understand what cookies are for, the website can become unusable – for example, if you are required to log in to an account before making a purchase. If cookies are disabled you cannot stay logged in, which means you could not make any purchases. E-commerce businesses can lose money if users do not consent to cookies being used and as a result cannot log in to their accounts – they would have to go elsewhere for their purchase, to a website that does not have an account system.