and the General Data Protection Regulation
The relevant legislation is the Data Protection Act 1998 and (from May 2018) the General Data Protection Regulation. This area of law is administered by the Information Commissioner's Office (ICO).
The data held by any organisation must be:
- used fairly and lawfully;
- used for limited, specifically stated purposes;
- used in a way that is adequate, relevant and not excessive;
- kept for no longer than is absolutely necessary;
- handled according to people’s data protection rights;
- kept safe and secure;
- not transferred outside the European Economic Area without adequate protection.
There is an important distinction between Personal Data and Sensitive Personal Data. While the data rules above apply to all data held, sensitive data must be treated with greater care and the organisation holding it must get explicit consent from the individual to do so.
| Personal Data | Sensitive Personal Data |
|---|---|
You can ask to see the information an organisation holds about you, both on computer and on paper, using a Subject Access Request. You might have to pay up to £10 to do so (£2 for a credit reference agency, up to £50 for medical records, depending on the number of pages).
Organisations that do not process personal information on a computer are exempt from registration with the ICO but must still "adhere to the principles of the Data Protection Act".
So far as SAfE is concerned, there will be little practical difference. Client data is, in general, not stored online. Where information is gathered, it is held in anonymised form and used to analyse client statistics for reports to sponsors and to refine the services made available.
In the case of debt clients and other casework where we write letters on the clients' behalf, these letters and other necessary information will be stored on the case-worker's encrypted memory stick. An additional client consent form will be signed in these circumstances; there is an example here.