Data Protection Basics and other useful information

  • Data Protection Basics and other useful information

    Mods,
    Feel free to move to a different forum.

    Been working quickly today finding out some critical information for a personal issue which I thought I'd share a small piece of for those who don't already know it:

    A. Data Protection Act 1998 is governed by eight fundamental enforceable principles:
    Personal data must be:
    1. fairly and lawfully processed
    2. obtained for specific purposes
    3. adequate, relevant and not excessive for the specified purposes
    4. accurate
    5. not be kept for longer than necessary
    6. processed in accordance with the data subject's rights
    7. held securely
    8. not transferred to countries outside the UK without adequate protection.

    In ALL institutions the handling and processing of ALL data is the responsibility of the Data Controller. They have to ensure any staff who process data abide by the above principles, and they are responsible personally if anything is done incorrectly.

    Where it applies to the DWP, look up Security Protocol No8 July 2006 for confirmation of the above. Also has to comply with Social Security Administration Act and the Human Rights Act.

    THIS HAS MASSIVE IMPLICATIONS.

    B. SAR's can often be avoided and £10.00 saved by making a request under the Freedom of Information Act (which is now part of the Human Rights Act 1998)

    C. DWP and Statute Barred: overpayments made to you by the DWP where they allege fraud - the DWP have 6 years to take you to court for this, after which they cannot take court action.

    The debt never becomes Statute Barred, but can only be collected from certain benefits after 6 years.

    If interviewed under caution by the DWP they have three choices:
    1. to drop the case
    2. to take you to court (within 6 years)
    3. Or, agree not to prosecute you IF YOU AGREE to admit the offence and accept either a penalty or formal caution. (No. 15 Section 115A under "Offences, Penalties and Overpayments") of the Social Security Administration (Fraud) Act SubSection 2a states you must be "invited to pay a penalty, which if agreed will result in no further proceedings taking place."

    Where they go back over 6 years they cannot take you to court, if you haven't agreed to admit the offence then they have only one course of action left.

    D. Subject Access Requests (SAR) We all know they have 40 calendar days in which to respond. This means they can post the stuff out to you on the 40th day NOT that you have to have received the reply in 40 days.



    Hope this may be of help to someone.

  • #2
    Re: Data Protection Basics and other useful information

    Sorry to split hairs, but could you point me in the direction where it states they can take over 40 days just so long as they posted it within the time-line? Also, 40 days is the MAXIMUM & should not be considered as reason for taking 40 days; if the information can be provided sooner it should be.

    Also it's worth noting that in some cases the company is the data controller & not just an individual.



    • #3
      Re: Data Protection Basics and other useful information

      What righty has said is correct.
      Here is some more info on DPA
      How to satisfy subject access requests | OUT-LAW.COM by Pinsent Masons LLP

      ------------------------------- merged -------------------------------
      The ICO website states this:

      "A reply must be received within 40 days as long as the necessary fee has been paid. A data controller should act promptly in requesting the fee or any further information necessary to fulfil the request. If a data controller is not processing personal information of which this individual is the data subject, the data controller must reply saying so."

      Glossary of terms - ICO
      Last edited by leclerc; 19th December 2010, 15:57:PM. Reason: Automerged Doublepost
      "Family means that no one gets forgotten or left behind"
      (quote from David Ogden Stiers)



      • #4
        Re: Data Protection Basics and other useful information

        Also I would add that with the consent or other power of attorney (such as a LPA) of the data subject a 3rd party may make a SAR on their behalf AND if the subject is deceased the DPA 98 does not apply.



        • #5
          Re: Data Protection Basics and other useful information

          Deleted as stated I was wrong, but need further clarification
          Last edited by Caspar; 19th December 2010, 20:27:PM. Reason: Clarification Needed



          • #6
            Re: Data Protection Basics and other useful information

            Deleted as clarification needed
            Last edited by Caspar; 19th December 2010, 20:28:PM. Reason: Clarification required



            • #7
              Re: Data Protection Basics and other useful information

              This is the site - it goes into great detail and was quoted by the DWP Data Processor to back up their case last Friday (recorded my end) after a lengthy disagreement between myself and their data processor (controller is the Secretary of State). The confusion as you can see is over the word "respond" and its definition. They take it to mean they have 40 days in which to respond -ie- they can send it on the 40th day. I took it to mean to respond to me (-ie- I should receive it within that time).

              Fortunately for us it doesn't matter now, but it is a point of law that needs a definitive answer. Where is the actual law quoted as we now have two genuine quotations of it (DWP use the latter) that are open to two different interpretations. DPA is not clear I think as I'm sure I went to that first.



              This was taken from How to satisfy subject access requests | OUT-LAW.COM by Pinsent Masons LLP


              There is no extension of the 40-day time period for obtaining consents. Failure to respond to a subject access request within the 40-day period gives rise to the ability of the individual to obtain a court order to require the data controller to comply with the request. In addition, failure to respond within 40 days will be a breach of the Sixth Data Protection Principle. Any person affected by the breach may bring an action for damages (provided they can prove loss, which may be difficult to do) and any associated distress.


              Further comments gratefully received.



              • #8
                Re: Data Protection Basics and other useful information

                Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

                Straight from the Act itself. Surely if a data controller responds on Day 40 THEY have complied, even though YOU haven't received it.



                • #9
                  Re: Data Protection Basics and other useful information

                  Originally posted by Caspar
                  Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

                  Straight from the Act itself. Surely if a data controller responds on Day 40 THEY have complied, even though YOU haven't received it.
                  To have complied the data controller MUST have supplied the data to the subject WITHIN 40 days & posting is NOT supplying



                  • #10
                    Re: Data Protection Basics and other useful information

                    Thanks Righty - much appreciated as stated in pm.

                    I'm happy to accept this as correct as I trust Righty, however I still think the actual wording is too open to interpretation.

                    Although in my case it is now irrelevant with the DWP as they've given up for other reasons, I'm still going to get in touch today to let them know I know they're wrong and haven't duped me as I think it's disgusting they lie to the public like me. I consider myself to have at least a modicum of intelligence, so your "average person" would be tied in knots by them which is simply unjust.

                    Maybe a complaint to the ICO as well with a copy of the telephone conversation?



                    • #11
                      Re: Data Protection Basics and other useful information

                      The 40 days begins when they have received a valid request for information. If they have exceeded the 40 days then you have the right to complain to the ICO on that basis.
                      "Family means that no one gets forgotten or left behind"
                      (quote from David Ogden Stiers)



                      • #12
                        Re: Data Protection Basics and other useful information

                        Just thought I would chuck this in. When trying to enter certain clubs in Croydon and Bromley my son has his passport scanned, which they then pass onto "interested parties". His passport is out of date and was refused entry because of this. Just hope they are "secure", passport information being passed around.



                        • #13
                          Re: Data Protection Basics and other useful information

                          Originally posted by Delboy01
                          Just thought I would chuck this in. When trying to enter certain clubs in Croydon and Bromley my son has his passport scanned, which they then pass onto "interested parties". His passport is out of date and was refused entry because of this. Just hope they are "secure", passport information being passed around.
                          I can see a club needing proof of age, but surely they can't insist on a passport. Where do they state they may pass the information on to "interested parties?" What information exactly are they passing on? I would be writing to the data controller of the club asking some awkward questions and removing my permission for him/her to process my data in any way whatsoever. They only need it as proof of age.



                          • #14
                            Re: Data Protection Basics and other useful information

                            Originally posted by Delboy01
                            Just thought I would chuck this in. When trying to enter certain clubs in Croydon and Bromley my son has his passport scanned, which they then pass onto "interested parties". His passport is out of date and was refused entry because of this. Just hope they are "secure", passport information being passed around.
                            Don't they accept Driver's licence?
                            Is he under the age of 18?
                            Can he opt out of his info being sent to "interested parties" since that is surely an unfair practice?
                            "Family means that no one gets forgotten or left behind"
                            (quote from David Ogden Stiers)



                            • #15
                              Re: Data Protection Basics and other useful information

                              Originally posted by leclerc
                              Don't they accept Driver's licence?
                              Is he under the age of 18?
                              Can he opt out of his info being sent to "interested parties" since that is surely an unfair practice?
                              He doesn't have one atm. Regarding opting out, I don't believe he ever opted in??
