Data Protection Act (DPA)
The Data Protection Act (DPA) 1998 gives living individuals the right to access personal information held and processed by the Service. The Act governs how the Service can use the personal information held - including how we acquire, store, share or dispose of it. It also allows you to challenge the accuracy, alter or destroy data held on file.
The DPA requires that organisations processing personal information (data controllers) notify the Information Commissioner's Office (ICO). From 01 October 2009 notification for Public Authorities with more than 250 members of staff is £500 per year. It is illegal under DPA to process data without notifying the ICO and without renewing the annual notification.
The register includes the name and address of registered organisations and describes the kind of processing they do. You can search the register on the ICO’s website: Data Protection Registration.
Personal information can only be accessed by members of the Service who have a legitimate reason to do so, you (the Data Subject) or someone acting on your behalf with your permission.
The Service follows the 8 Data Protection Principles, stating that data must be:
- Processed fairly and legally
- Processed for limited purposes and in an appropriate way
- Relevant and sufficient for the purpose
- Kept for as long as necessary and no longer
- Processed in line with individuals' rights
- Only transferred to other countries that have suitable data protection controls
If you wish to make a request to access your personal information, please go the Requesting Personal Information page