The Data Protection Act 1998 differs from its 1984 older sister as it extends its powers to cover paper-based files, demands more care be taken over potentially sensitive information and could affect which details you publish on the internet.
Although the Act came into force over a year ago, the reason that you might have heard people panicking about it is that from October 2001 all data-handlers, whether exempt from notification or not, will have to comply with the Act’s restrictions on the use of personal data.
Do I need to notify?
Getting a straight answer to this one has been rather a trial for many people. Armed with the somewhat confusing leaflet from the Archbishops’ Council, a website address and a strong coffee, I set out to find a solution. The results of my quest are as follows:
Nearly all PCCs and incumbents are exempt from notification.
Those few that do need to notify will be the ones that hold sensitive pastoral information on computer.
Straightforward records of membership etc. are OK, so long as you apply common sense to how and why they are used (see Restrictions).
If in doubt, there is a handy self-assessment exercise on the Data Protection Commissioner’s website. You can notify direct on this website too. You can also phone them on 01625 545745.
Subject access rights
From 24 October 2001, you have to be prepared for subject access requests — as from this date, a person has the right to access all information held by an organisation about him or her. This means that you must be able to give anyone who requests it a copy of all information that you hold about them, including any correspondence or other papers held about them and a copy of anything held concerning them on the computer. You have forty days in which to do this and you may charge a fee of up to £10. You are able to withhold any references that you have given about the individual, but not any that you have received, and you must remove anything which would identify a third party. If in doubt, contact Church House.
Restrictions
Common sense really, but personal data may only be obtained, held or disclosed to others if:
its use is fair and lawful;
it is to be used only for specified purposes — individuals should be told what you intend to do with the information and given the opportunity to opt out if they so wish;
the information is adequate, relevant and not excessive in relation to the purpose for which it is to be used;
it is accurate and up to date;
the information is kept for no longer than strictly necessary;
individuals’ subject access rights are honoured;
it is kept securely — addresses and phone numbers should not be left where they are open to abuse and passwords or padlocks should be used where necessary;
it is not transferred to any country outside Europe without adequate data protection being in place.
What should I do now?
Don't panic! Just make sure that you have identified who holds what data about the parish. Nominate someone to be responsible for that data and compliance with the Act. Notify if necessary. Destroy all information that you cannot justify still holding, and let people know what sort of info is held about them, especially if it is to be published on a website.