The Data Protection Act (DPA) 1998 (full text) gives living individuals the right to access personal information held and processed by the Service. The Act governs how the Service can use the personal information held, including how we acquire, store, share or dispose of it. It also allows you to challenge the accuracy, alter or destroy data held on file.
The DPA requires organisations processing personal information (data controllers) to register with the Information Commissioner's Office (ICO). It is illegal to process personal data without notifying the ICO or renewing the annual notification.
The Data Protection Public Register may be viewed on the ICO's website and includes the name and address of all registered organisations and describes the kind of processing they do.
Personal information can only be accessed by members of the Service who have a legitimate reason to do so, you (the Data Subject) or someone acting on your behalf with your permission.
The Service follows the eight Data Protection Principles, stating that data must be:
- Processed fairly and legally
- Processed for limited purposes and in an appropriate way
- Relevant and sufficient for the purpose
- Kept for as long as necessary and no longer
- Processed in line with individuals' rights
- Only transferred to other countries that have suitable data protection controls