Group Home

The Data Protection Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice. Data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject’s rights
  • secure
  • not transferred to other countries without adequate protection

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply.

Processing Personal Data

The definition of data processing is far wider than under the previous legislation. For example it incorporates the concepts of 'obtaining', 'holding' and 'disclosing' data or information. All are considered to be processing, which takes place when an operation or set of operations is carried out on personal data. The Act requires that personal data be processed fairly and lawfully Personal data will not be considered to be processed fairly unless certain conditions are met. A data subject must be told the identity of the data controller and why that information is to be processed.

  • Processing may only be carried out where one of the following conditions has been met:
  • the individual has given his or her consent to the processing
  • the processing is necessary for the performance of a contract with the individual
  • the processing is required under a legal obligation
  • the processing is necessary to protect the vital interests of the individual
  • the processing is necessary to carry out public functions
  • the processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual)

Processing Sensitive Data

The Data Protection Act makes specific provision for sensitive personal data. Sensitive data include:

  • racial or ethnic origin
  • political opinions
  • religious or other beliefs
  • trade union membership
  • health
  • sex life
  • criminal proceedings or convictions

Sensitive data can only be processed under strict conditions, which include:

  • having the explicit consent of the individual
  • being required by law to process the data for employment purposes
  • needing to process the information in order to protect the vital interests of the data subject or another
  • dealing with the administration of justice or legal proceedings

Relevant Filing Systems

The Act covers information which is recorded as part of a ‘relevant filing system’. This means a set of information in which the records are structured, either by reference to individuals or by reference to criteria relating to individuals, so that ‘specific information relating to a particular individual is readily accessible’. The definition means a significant amount of manual data falls under the scope of the Act, as does the extension of the definition of data to cover ‘accessible records’. Accessible records are, broadly: school pupil, housing, social services and health records to which access was previously available under other legislation.

Transitional arrangements exempt manual records held in a relevant filing system before 24 October 1998 from full compliance until 2007. However, the right of subject access to information held in paper files covered by the Act has been available since 24 October 2001, regardless of the date from which the information was held.

Subject Access Request

The Act allows individuals to find out what information is held about themselves on computer and some paper records. This is known as the right of subject access.

To make a subject access request under the Data Protection Act, complete a data subject access application form. This form can be obtained from the Data Protection Officer by using the contact information at the foot of the page.

mhs homes charge a fee of £10 for each subject access request. Information should be delivered within 40 days of payment being received.

The Data Protection Act contains a number of terms that have a specific meaning. A guide to the terminology is available on this website.

For further information on the rights of individuals to access their information, visit the Information Commissioner's website at www.informationcommissioner.gov.uk

< use the following link to go back to the main Data Protection page.