The DPA (Data Protection Act) in the UK is a law that controls how the personal information of any UK citizen should be used by businesses, organisations or the government. Every person or entity responsible for using the personal information or data of any UK citizen must follow the data protection principles, which are, simply put, strict rules on the proper use of data. The individual or entity must ensure the personal information is used lawfully and fairly, used for the intended purpose, and used adequately in a relevant manner that is not excessive. The individual or entity must also make sure the data is handled according to data protection rights and is kept in a safe and secure manner. Stronger legal protection applies to more sensitive data such as a person’s overall health, sexual health, criminal records, political opinions, religious beliefs and ethnic background.
Data subject rights: Finding out the type of data an organisation/company has about you
Under the DPA, as a UK citizen you have the right to see the type of information a company or the government stores about you. The DPA allows you to ask about personal information in writing through an enquiry referred to as a subject access request. When writing to an organisation to get a copy of the information they have about you, you should address the letter to the organisation’s company secretary. The organisation has a legal mandate to share such information with you as long as you make a formal request.
What it means for customers submitting their information to companies
Customers don’t have to guess or remember the exact kind of information they submit to companies. If you aren’t sure about the information a certain organisation has about you, just write a formal request.
It is, however, worth noting that information can still be withheld even after you make a formal request. For instance, if the information is about the armed forces or national security, organisations reserve the right to withhold the information. Organisations can also withhold information if it is about the detection, investigation or prevention of a crime. Information about the assessment/collection of tax as well as judicial/ministerial appointments is also supposed to be withheld, and organisations aren’t obligated by law to disclose why they are withholding information.
In a nutshell, if you are a regular UK citizen who just wants to know the kind of information an organisation has about you, there is no reason why you shouldn’t get access to such information.
Although you can get this information for free, some organisations charge to provide such information. Most organisations charge £10 or less, although the cost can increase depending on the amount and type of information. For instance, it will cost you more to get numerous paper records held by a public authority in an unstructured way. Health and education records also cost more.
Launching a complaint
If you suspect your data has been stored insecurely or misused by any organisation/company in the UK, you should contact them immediately and share your concerns in writing. If you are not happy with the response you get, you can contact the ICO (Information Commissioner’s Office). The ICO is also available if you need any advice on data-related issues or concerns. The ICO has a telephone helpline: 0303 123 1113. The ICO also has an online chat feature that allows you to talk to an adviser.
The ICO has the mandate to investigate claims as well as take the necessary action against individuals or entities that misuse personal data.
What it means for the company taking the information
The ICO takes its data protection mandate very seriously. Just recently, the ICO fined UK telecommunications provider TalkTalk £400,000 after finding the company guilty of maintaining poor data protection measures. TalkTalk failed to prevent a data breach which compromised personal data belonging to approximately 157,000 of its customers back in 2015. Payday loan lender Wonga is set to face the same fate after facing the worst customer data breach in history. In April 2017, the lender suffered a data breach that saw the theft of sensitive data belonging to 270,000 customers. If Wonga is found guilty, the payday loan giant could pay a hefty fine amounting to millions of pounds.
Companies which receive sensitive personal information from their clients have no choice but to invest heavily in data protection security measures or face disgruntled customers and the ICO.