The random thoughts of a sceptical activist

Looking after personal data…or not? The UCA and the DPA.

A responsible organisation looks after the personal data it holds. That’s not just good practice, it’s a legal requirement under the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) is there to oversee the Act and ensure it is appropriately followed. In their own words:

The ICO enforces and oversees the Data Protection Act, the Freedom of Information Act, the Environmental Information Regulations, and the Privacy and Electronic Communications Regulations.

Our main functions are educating and influencing (we promote good practice and give information and advice), resolving problems (we resolve eligible complaints from people who think their rights have been breached) and enforcing (we use legal sanctions against those who ignore or refuse to accept their obligations).

and

All public and private organisations are legally obliged to protect any personal information they hold, and may be required to notify with the ICO.

Organisations processing personal data must, amongst other things, comply with the eight Data Protection Principles:

The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

* Fairly and lawfully processed
* Processed for limited purposes
* Adequate, relevant and not excessive
* Accurate and up to date
* Not kept for longer than is necessary
* Processed in line with your rights
* Secure
* Not transferred to other countries without adequate protection

The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

Should an individual or organisation feel they’re being denied access to personal information they’re entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner’s Office for help. Complaints are usually dealt with informally, but if this isn’t possible, enforcement action can be taken.

So, one of their main functions is to maintain the Register of Data Controllers, which is the statutory register that all Data Controllers (ie the person in each organisation responsible for the data) must register with, giving details of what data they hold, for what purposes and how it is processed.

Public bodies like the General Chiropractic Council (GCC) have additional duties placed on them by the Freedom of Information Act 2000 (FOI), but non-public bodies only have to comply with the DPA. Indeed, since the Register is a public document, anyone can look it up to see what kinds of personal information they declare they keep, for what purposes and how they process it. For example, the Register entry for the GCC can be seen by entering ‘general chiropractic council’ into the Register’s search facility. The GCC’s entry also tells you that they are a public authority under the FOI Act.

Similarly, private organisations like the British Chiropractic Association (BCA) are also registered. Enter ‘British Chiropractic Association’ into the search facility.

What about the McTimoney Chiropractic Association (MCA)? Yep! They are there as well. Of course, none of this tells us if they are, indeed, processing personal data properly, but at least they are registered.

That just leaves the United Chiropractic Association (UCA) and the Scottish Chiropractic Association (SCA). Are they registered and looking after their members’ personal data? Well, just try searching for ‘United Chiropractic Association’, or their address ‘45 North Hill, Plymouth’, or their postcode ‘PL4 8EZ’, or the postcode of their old address ‘PL21 9AB’. Nothing. Zilch. No entry. Same for the SCA.

Now, they may well follow the Data Protection principles, but it certainly appears as if they are not registered with the ICO. The Commissioner takes a dim view of anyone not complying.

I have complained to the Commissioner that I don’t believe the UCA and SCA are complying with the DPA. He will investigate and take appropriate action.

However, since my personal details seem to be spread far and wide as a result of my complaints against a few (OK, 523) chiropractors, I wondered what information the BCA, the MCA and the UCA have about me. So, I sent off Data Protection Act 1998 Subject Access Requests last week, each with a cheque for £10, which is the maximum they can charge for supplying me with:

* a copy of all the information they hold about you;
* details of:
  * why your information is processed; and
  * the types of organisations it may be passed on to.

So far, I’ve had acknowledgements from the BCA and the MCA. I received a registered letter from the UCA today, saying:

Thank you for your letter of 6th July 2009 and cheque for £10. Section 7 of the DPA entitles an individual to be informed by a data controller whether personal data of which that individual is the subject is being processed by the data controller.

The UCA can confirm that no personal data of which you are the subject has been processed by this association until we received your letter of 6th July 2009.

I find it surprising that there have been no letters, no emails or anything else with my name on it. Not ever been mentioned? Not even once? I’m saddened…

It remains to be seen what the BCA and MCA come up with.

And finally…

Woo gets everywhere, doesn’t it? It’s all pervasive — unless you actively watch out for it, it can creep in unnoticed.

The ICO has a health plan for its staff. Very commendable, looking after your staff. They claim they are:

committed to providing ways to enhance the health, wellbeing and quality of life for our staff

There’s that tricky word ‘wellbeing’ — causing confusion wherever it’s used. And, surprise, surprise, woo has leaked into the ICO — their Health cash plan funds:

osteopathy
chiropractic
acupuncture
homeopathy

And up to £1,200 per annum. They also seem to provide a dodgy-looking food intolerance test.

Good grief!

2 Responses to Looking after personal data…or not? The UCA and the DPA.

  • G'day Zero,
    Speaking from general IT knowledge (I'm in Australia, and don't know the UK's rules specifically), generally acts like the DPA cover data held in "information systems" which can be organised filing cabinets. The key is that the data is held in a way that it can be processed. Emails in someone's personal mail account, and references to you in letters filed under the sender's name should not count as data about you held by the organisation – otherwise it becomes an impossible burden.

  • DavidP

    The ICO produce a good guide on how to determine what is 'personal data' and therefore covered by the DPA. Although there are several criteria to be met, basically it is any data from which I can be identified as an individual and includes emails, whether live or on an archive or back-up system.
