Guide to Data Protection Act for Data Controllers

Data Protection Principles

Sixth Data Protection Principle – Respect for the individual’s rights

At a glance

  • The DPA grants certain rights to individuals in relation to their personal data and how it is processed.
  • You must process all personal data in accordance with the rights of individuals.
  • You should plan ahead in order to prepare for responding to each of the likely requests and notices you may receive and meet the statutory timelines.
  • In order to respond in a timely fashion to requests and notices from individuals, you should have certain information readily available. This includes what personal data you have, where you keep it, the legal basis for all your processing, where you obtained the data, who you share it with, how long you keep it, and how you intend to delete it once required.

Checklist

  • We respect the right to be informed by notifying each individual about our identity and the purpose(s) of processing as soon as possible.
  • We know what personal data we have on each individual, and are ready to respond to requests for access within the 30-day timeline.
  • We have procedures in place to respond to individuals’ requests to have inaccurate data rectified, and we act on those requests where substantiated.
  • We are ready to respond to notices from individuals who require that we stop processing their data in whole or in relation to certain purposes or in certain manners.
  • We are ready to stop direct marketing in respect of individuals who notify us.
  • We notify individuals when we take decisions that affect them based solely on automatic means, and we are ready to reconsider those decisions on a different basis.

In brief

What is the “respect for the individual’s rights” principle?

The sixth data protection principle says:

Personal data shall be processed in accordance with the rights of data subjects under this Act.

This principle underscores the importance of all the rights of individuals under the DPA:

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to stop/restrict processing;
  • The right to stop direct marketing;
  • The right in relation to automated decision making; and
  • The right to complain and seek compensation. 

What is the right to be informed?

The right to be informed follows from the first data protection principle (fair and lawful processing).

Processing will only be fair if personal data is handled in ways that people would reasonably expect. This includes being told the identity of the data controller and the purpose(s) for processing. This information is given in the privacy notice, which is provided to the individual as soon as practicable, usually when the data is being gathered.

Depending on the nature of the processing activity, although not explicitly required by the DPA, fairness may also require you to provide information on who you will share it with, any international data transfers, how long it will be kept for, and the technical and organisational measures taken to comply with the seventh data protection principle (security – integrity and confidentiality).

You will find more on the right to be informed here

What is the right of access?

Individuals have the right to access their own personal data and receive information about its use. There are some exemptions to this right.

You have one month to respond to a subject access request.

There is no fee, except in exceptional circumstances further explained below.

You will find more on the right of access here

What is the right to rectification?

Individuals have a right to have inaccurate personal data rectified, blocked, erased or destroyed.

The right to rectification operates slightly differently from other individual rights. The DPA does not expressly grant individuals the right to ask you to correct inaccuracies in their personal data, but individuals have a right to complain about inaccurate personal data, and where such a complaint is upheld, you can be compelled to correct the inaccuracy or delete the inaccurate personal data.

Notwithstanding this, the Ombudsman would expect organisations to deal with reasonable requests for rectification directly as a matter of good practice, instead of waiting for a formal complaint to be made and upheld.

Having accurate information is to the benefit of the data controller as well as the individual.

You will find more on the right to rectification here

What is the right to stop/restrict processing?

The DPA introduces a right for individuals to demand that processing cease. However, this right is not absolute.

An individual may require that you:

  • cease processing their personal data;
  • not begin processing their personal data;
  • cease processing their personal data for a specified purpose; or
  • cease processing their personal data in a specified manner.

You must comply with this request unless the processing is done to meet the conditions of a contract (or is undertaken as a step towards engaging in a contract), is done under a legal obligation, or is done in order to protect the vital interest of the individual.

Certain exemptions also apply to the right to stop processing.

You will find more on the right to stop/restrict processing here

What is the right to stop direct marketing? 

The DPA introduces an absolute right for individuals to demand that direct marketing targeting the individual cease or not begin.

Direct marketing is defined as:

the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals.

You will find more on the right to stop direct marketing here

What are the rights in relation to automated decision making?

Where a decision is made solely by automated means (without human involvement), an individual has the right to require that it be reconsidered on a different basis.

You need to notify individuals when such decisions are made solely on an automated basis, and respond to written notifications from individuals within the legal timelines, outlining the steps taken to comply.

This right relates to automated decisions which affect the individual, for example for the purpose of evaluating the individual’s performance at work, creditworthiness, reliability, conduct or any other matters relating to the individual.

You do not need to comply with an individual’s notice if the decision is taken:

  • for the purpose of considering whether to enter into a contract with the individual; or
  • in the course of performing such a contract,

and:

  • the decision is to grant a request of the individual; or
  • the individual’s interests are safeguarded by allowing them to make representations.

You will find more on the rights in relation to automated decision making here

What is the right to complain and seek compensation? 

An individual has the right to complain to the Ombudsman about any perceived violation of the DPA, and to seek compensation for damages in the courts.

You will find more on the right to complain and seek compensation here

Relevant provisions

Data Protection Act (2021 Revision)

Schedule 1, part 1, paragraph 6: Sixth data protection principle – respect for the individual’s rights                

Schedule 1, part 2, paragraph 2: Specified information at the relevant time                

Sections 8-9: Fundamental right of access to personal data                                                        

Section 14: Rectification, blocking, erasure or destruction                                                               

Section 10: Right to stop processing                                                              

Section 11: Right to stop processing for direct marketing                                                               

Sections 8(3) and 12: Rights in relation to automated decision making
