What does the Data Protection Act cover?
The purpose of the Data Protection Act (DPA) is to protect the personal information of data subjects, which is stored digitally or physically in a filing system by a data controller. The personal data which is at risk includes names, birth dates, addresses and locations. Moreover, the sensitive data of individuals includes genetic data and biometric data, and there is a stress to protect this information. Therefore, organisations and businesses will fall in the scope of the DPA if they process personal data and sensitive data and must be aware of the implications this will bring.
The DPA's protection principles:
The DPA 2018 effectively covers eight protection principles, governing the use of personal information. A data controller must abide by these principles, which state that:
-Personal data and sensitive data must be processed lawfully. This data must only be obtained for one or more compatible lawful purposes
-The personal data which is obtained by an organisation should not be excessive. Furthermore, this data should only be kept by the organisation for a necessary period of time. Once the data is no longer relevant to the organisation, it should be destroyed.
-The data obtained by an organisation must be accurate, and it should also be kept in accordance with an individual's rights of data.
-This data should not be transferred outside of the European Economic Area.
-If an organisation exploits or manipulates the data they have obtained from a data subject, then the Information Commissioner's Office (ICO) should use the appropriate organisational measures to punish this unlawful processing of data.
Most businesses will require the personal data of their employees and customers, therefore the business should have a sound procedure in place to ensure this personal data is stored correctly. A breach of this personal data notably arises in the form of an unauthorised third party gaining access to this personal data, forwarding of this personal data to an unauthorised recipient and alteration of this personal data without any consent form the data subject. A data breach contaminates this personal and sensitive data, therefore recital 87 of the General Data Protection Regulations (GDPR) demands that the breach is reported to the ICO.
In 2014, cyber-criminals hacked up to 3 billion Yahoo! users' personal data, which was not adequately protected to resist this cyber-attack. During this breach, the names, birth dates, email addresses and passwords of Yahoo! users were compromised. In 2016, Yahoo! began negotiations to sell to Verizon, but following the revelations of the 2014 data breaches, $350 million was deducted from Yahoo!'s selling price. Furthermore, following the sale, a clause was incorporated to agree that Yahoo! and Verizon would share the legal liability of the data breach. This demonstrates how severely a data breach can tarnish an organisation's reputation, therefore emphasising the importance of avoiding a breach.
The distinction between personal data and sensitive data has been created deliberately, because the breach or inadequate protection of sensitive data has the potential to create far more threatening consequences. Sensitive data encompasses information regarding race and ethnicity, an individual's political affiliation, religious beliefs and data concerning health.
Equifax, a U.S credit monitoring company, experienced a data breach which compromised the sensitive data of 143 million customers in July 2017. The sensitive data which was exposed consisted of social security numbers and essential credit card information. This sensitive data, which was stored electronically in online files, was accessed by hackers using a website application. Equifax were not aware of this breach until 40 days had passed, at which point they reported the data breach. The lack of punishment or accountability issued to Equifax is a demonstration of how lax the data protection laws are in the U.S. Consequently, the updated DPA 2018 in the UK, is a legislative procedure which has been implemented to prevent data scandals such as this from occurring.
The DPA established eight protection principles which the UK government has deemed necessary to protect the personal data and sensitive data of data subjects. Therefore, organisations and businesses need to ensure they comply with these protection principles to avoid any data breaches which compromise the personal information of their employees and customers.