We are trying to do a security audit in our company and everyone is concerned about the HR department. Could we use the DPA 1998 in order to enforce some changes? I read it from top to bottom but it seems this act is to regulate credit agencies and such, but which regulations could I use regarding data protection within an organisation?

The Data Protection Act
The Data Protection Act regulates how your personal information is used and protects you from misuse of your personal details.
It provides a common-sense set of rules which prohibit the misuse of your personal information without stopping it being used for legitimate or beneficial purposes.
The details of the Data Protection Act are quite complex, but at the heart of it are eight common-sense rules known as the Data Protection Principles.
These require personal information to be:
fairly and lawfully processed;
processed for limited purposes;
adequate, relevant and not excessive;
accurate;
not kept longer than necessary;
processed in accordance with your rights;
kept secure;
not transferred abroad without adequate protection.
Organisations using personal information ('data controllers') must comply with these Principles.
The Act provides stronger protection for sensitive information about your ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and any criminal history.
Credit Reference Agency Records
When you apply for a loan, credit card, bank account or mortgage, the chances are that the company involved will run a check on you with a credit reference agency. These agencies check the electoral register to confirm that people live where they say they do, and report on bad debts, bankruptcies and perhaps on how well people keep up repayments of existing loans. If any of the information about you is wrong, it could be extremely damaging. The Data Protection Act allows you to see this information.
If you are about to apply for a mortgage or other major loan it may be worth checking in advance to see what information credit reference agencies hold on you. Correcting any errors in advance could help you avoid problems at a later stage, when you may not be able to get things put right in time.
When you apply, you should state that your request is limited to personal information relating to your financial standing. The data controller then has to reply within seven working days. The maximum fee it can charge you is £2 and you should enclose this with your application.
Under the Consumer Credit Act 1974 you are entitled to have incorrect information corrected. If the file contains mistakes, the agency must correct them and tell you what it has done within 28 days. If it refuses, or you are not satisfied with the amendment, you can send it a note of correction of up to 200 words, which it must add to your file and send out whenever information about you is supplied in the future.
If you are having problems obtaining credit as a result of the credit records of, for example, other family members living at the same address as you, you can apply to have your credit records 'disassociated' from theirs. You need only make such an application to one of the main credit reference agencies. That agency will also notify the others.
If you have problems obtaining credit, it may be useful for you to read the information leaflet 'Credit Explained' published by the Information Commissioner (www.ico.gov.uk)
The three main credit reference agencies in Britain are:
Call Credit plc
One Park Lane
Leeds
West Yorkshire
LS3 1EP
Tel: 0113 244 1555
Fax: 0113 234 0050
http://www.callcredit.co.uk/
Equifax plc
Credit File Advice Service
PO Box 1140
BRADFORD
BD1 5US
http://www.equifax.co.uk/
Experian Ltd
PO BOX 9000
Nottingham
NG80 7WP
Tel: 0870 241 6212
http://www.experian.co.uk/

The Data Protection Act is not there to regulate any industry.
As the name suggests, it is there to protect people's private data from other people who have no need for it.
If you are doing a security audit and you are finding it easy to access confidential data in the HR department, then you have both a legal and moral obligation to do something about it.
The HR people there should know better.
Kick their asses.

It covers any organisation that keeps personal data on people: medical records, employee records, whatever. So if you are not meeting the standards, you had best change the things that are required.
'The Data Protection Act requires anyone who handles personal information to comply with a number of important principles. It also gives individuals rights over their personal information.' These links may help.
http://www.lsbu.ac.uk/foi/documents/data...
http://www.bbk.ac.uk/hr/policies_service...