The DPA is the implementation of the EU's Data Protection Directive and is designed to protect people from abuse of their information by forcing organisations to treat personal information in certain ways.
They must treat personal data fairly and lawfully, must only use it for whatever purpose it was gathered for and must keep it secure.
The demands of the DPA only apply, though, to information which qualifies as 'personal data'. The ICO has now published guidance to help organisations decide if the information they hold is controlled by the DPA.
The guidance outlines the demands of the Directive, on which the UK law is based.
"The Directive … considers first whether the information relates to an identifiable individual and then describes the two different types of processing (processing by automatic means and manual processing within a ‘filing system’) which will bring information within the scope of the Directive," says the guidance.
The guidance says that in most circumstances organisations will find it relatively straightforward to determine whether the data relates to an identifiable person.
Whether it counts as 'data' in the first place might be more complex.
The guidance says: "the Directive and the DPA cover two common categories of information:
Generally, information lodged in computer systems will qualify as 'data', the guidance says.
"[For example:] A tennis coach types up a report on his computer of an individual tennis player’s performance in a tennis tournament. The information in question has been recorded in a form in which it can be readily manipulated, retrieved and disseminated electronically," says the guidance. "The information in the report is clearly processed automatically and is ‘data’ for the purposes of the DPA."
Information held on paper or other media but in a structured way will also count as data, it said. "It is important to appreciate that information stored in a systematic way, but not held in traditional manila files in a conventional filing cabinet or wall-mounted file hangers, may still be held in a ‘filing system’ if the system is structured to allow easy access to specific information about individuals," it says.
"It is inevitable that manual records systems cannot be searched for specific information as quickly and easily as electronic systems. However if, when necessary, specific information about a particular individual may be retrieved from the system then the information can generally be described as readily accessible," it says.
Organisations should not assume that information is not in a filing system just because it is hard to find, the guidance says.
"Some manual records systems will be organised in such a way that the process of locating, retrieving and printing the specific information about a particular individual will be resource intensive. However, the key consideration is not the time and effort involved but whether there is a system in place that allows the organisation to find information, applying a standard search procedure, without searching through every item in a set of information," it says.
The guidance is organised into a flowchart to help organisations decide if their records are regulated by the DPA.
