Data Protection Act
Contents
- 9.1 Introduction
- 9.2 Data protection act principles
- 9.3 Definitions
- 9.4 Registration
9.1 Introduction
The Data Protection Act 1984 is:
"An Act to regulate the use of automatically processed information relating to
individuals and the provision of services in respect of such information"
It applies to all BT people and the information they handle in the normal course of
their duties which can identify a living individual and is stored or processed by the
means of automatic equipment.
9.2 Data protection act principles
The Act, primarily enforced by the Data Protection Registrar, contains eight Data
Protection Principles.
These Principles are:
- The information to be contained in personal data shall be obtained, and personal
data shall be processed, fairly and lawfully.
- Personal data shall be held only for one or more specified and lawful purposes.
- Personal data held for any purpose or purposes shall not be used or disclosed in
any manner incompatible with that purpose or those purposes.
- Personal data held for any purpose or purposes shall be adequate, relevant and not
excessive in relation to that purpose or those purposes.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data held for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
- An individual shall be entitled:
- at reasonable intervals and without undue delay or expense:
- to be informed by any data user whether he holds personal data of which that
individual is the subject; and
- to access to any such data held by a data user; and
- where appropriate, to have such data corrected or erased.
- Personal data held by data users or in respect of which services are provided by
persons carrying on computer bureaux
- Appropriate security measures shall be taken against unauthorised access to, or
alteration, disclosure or destruction of, personal data and against accidental loss or
destruction of personal data.
Data Protection Act 1984 Schedule 1 Part 1
POLICY 9.1: DATA PROTECTION ACT
All BT People are individually liable under the Data Protection Act 1984 and
shall abide by the eight Data Protection Principles, and shall observe the
guidance promulgated by the BT Group Data Protection Unit.
9.3 Definitions
- The following provisions shall have effect for the interpretation of this Act
- "Data" means information recorded in a form in which it can be processed by
equipment operating automatically in response to instructions given for that
purpose.
- "Personal data" means data consisting of information which relates to a living
individual who can be identified from that information (or from that and other
information in the possession of the data user), including any expression of
opinion about the individual but not any indication of the intentions of the data
user in respect of that individual.
- "Data subject" means an individual who is the subject of personal data.
- "Data user" means a person who holds data, and a person "holds" data if:
- the data form part of a collection of data processed or intended to be processed
by or on behalf of that person as mentioned in subsection (2) above; and
- that person (either alone or jointly or in common with other persons) controls
the contents and use of the data comprised in the collection; and
- the data are in the form in which they have been or are intended to be
processed as mentioned in paragraph (a) above or (though not for the time being
in that form) in a form into which they have been converted after being so
processed and with a view to being further so processed on a subsequent occasion.
- A person carries on a "computer bureau" if he provides other persons with
services in respect of data, and a person provides such services if:
- as agent for other persons he causes data held by them to be processed as
mentioned in subsection (2) above; or
- he allows other persons the use of equipment in his possession for the
processing as mentioned in that subsection of data held by them.
- "Processing", in relation to data means amending, augmenting, deleting or
rearranging the data or extracting the information constituting the data and, in the
case of personal data, means performing any of those operations by reference to
the data subject.
- Subsection (7) above shall not be construed as applying to any operation
performed only for the purpose of preparing the text of documents.
- "Disclosing", in relation to data, includes disclosing information extracted from
the data; and where the identification of the individual who is the subject of
personal data depends partly on the information constituting the data and partly
on other information in the possession of the data user, the data shall not be
regarded as disclosed or transferred unless the other information is also disclosed
or transferred.
Data Protection Act 1984 Part I Section I
9.4 Registration
BT plc is registered both as a Data User and a Computer Bureau under "The Act".
Although registrations are effected and controlled centrally by the BT Group Data
Protection Unit, all BT plc people who control Personal Data, as defined in 9.3.3
above, are responsible for ensuring that such Personal Data is covered by those
registrations, by contacting the Data Protection Unit.
POLICY 9.2: REGISTRATION OF PERSONAL DATA
Any person who controls Personal Data is responsible for ensuring that such
Personal Data is covered by the BT plc registrations controlled by the Group
Data Protection Unit.