Online Mind Mapping and Brainstorming

Create your own awesome maps

Online Mind Mapping and Brainstorming

Even on the go

with our free apps for iPhone, iPad and Android

Get Started

Already have an account? Log In

Data Protection by Mind Map: Data Protection
0.0 stars - 0 reviews range from 0 to 5

Data Protection


What's is about?

Personal data

Standards for handling that data

How to meeting those standards

Where did it come from?

Euro Convention on Human Rights in 1950s

Concerns about restricting trade within Europe

Reflection of importance of Euro issues, Untitled, Free movement, Free trade

Early UK developments, Untitled, Sex Discrimination Act 1971, Race Relations Act 1968, Younger Report 1972, Untitled, "Committee on Privacy", Younger Principles, Untitled, Hold data for specified purpose, Authorised access only to data, Minimum holding of data for specified purposes, No individual info in statistical data, Subject access, Security precautions, Hold data for limited time, Up-to-date and accurate data, Value judgements should be coded, White Papers, Untitled, Computers & Privacy, Computers: Safeguards for Privacy, Lindop Report 1978, Untitled, Recommended legislation, Public & private sector, Independent regulator, Proposed principles, Untitled, Similar to Younger, For data subjects, For users, For community

Early international developments, Untitled, OECD guidelines in 1980, Untitled, Protection of Privacy, International data transfers, Set out 7 governing principles, Council of Europe Treaty in 1981, Untitled, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Set out 8 Governing Principles

The UK Laws

Data Protection Act 1984

Data Protection Act 1998, Untitled, Data Protection Directive 95/46/EC

Human Rights Act 1998



Untitled, Key concepts, Personal data, Personal, Untitled, Identifiable, Directly or indirectly, By reference to, ID number, Physical identity, Physiological identity, Mental identity, Economic identity, Social identity, Living, Doesn't apply to the dead, Individual, People not companies, Data, Untitled, If you can identify from the data, If you can identify from other stuff you have, Includes, Opinions about individual, Intentions about individual, Examples, Untitled, Name & address, Email, CCTV (to some extent), Types of systems, Computer, Manual systems, Durrant -v- FSA, Untitled, Court of Appeal, 2 Aspects, Untitled, Identification from the data, Data relates to the individual, Person must be the focus, Mere mention in passing not enough, Processing, Untitled, Obtaining, Recording, Holding, Disclosing, Erasing, Data Protection Principles, 1. Personal data shall be processed fairly and lawfully, Consent, Necessary to perform a contract, Necessary to comply with a legal obligation, Necessary to protect the vital interests of the individual, Necessary for the administration of justice, Necessary for the legitimate interests of the data controller or a third party to whom the data are disclosed, except where it is unwarranted because it is prejudicial to the individual., 2. Personal data shall be obtained only for one or more specified and lawful purposes, 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed, 4. Personal data shall be accurate and, where necessary, kept up to date, 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes, 6. Personal data shall be processed in accordance with the rights of data subjects under this Act, 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, State of technological development at any time, Cost of implementing any measures, Level of security appropriate to the harm that might result from a breach of security, Nature of the data to be protected, Reliability of staff having access to the personal data, 8. Personal data shall not be transferred to a country or territory outside the EEA…, Notification, What, Untitled, Nature of nofication, Name & address, Represenative's information, Personal data being processed, Purposes of processing, Recipients, Countries, Security Measures, Group companies, No group notification, To Who, Information Commissioner, Untitled, UK data protection responsibility, FOIA responsibility, England, Wales, Northern Ireland, Duties, Promotion of good practice, Development of some codes of practice, Approval of publication schemes, Register of Data Controllers under Data Protection legislation, Enforcement, Status, Appointed by the Crown, Independent of Government, Reports to Parliament, Holds office for 2 year terms, Cannot hold for 3+ terms unless special circumstances, Cannot hold for more than 15 years, When, Before processing, Annual renewal, If you don't, Untitled, Processing without notification is a criminal offence, Failing to update is a criminal offence, Data Subject, Individual about whom personal data are processed, Subject access right, Include, Untitled, Customers (including those dealing with companies via the internet), Individuals on contact lists or marketing databases, Employees, Contractors, Suppliers, Consultants, Data Controllers, Untitled, Person who controls processing, Person, Either alone or jointly or in common with other persons, Controls processing, Purposes of processing, Manner of processing, Examples, A company will be the controller of the data processed relating to its employees or customers, An entity may be a data controller even if the information concerned is held by a third party, Where payroll administration is outsourced to a third party, More than one data controller of the same data, Companies in the same group which use the same data for different purposes, Data Processors, Untitled, Choose a data processor who gives guarantees about security measure, Take reasonable steps to ensure compliance with those measures, Have a contract with data processor, Untitled, Must be in writing or evidenced in writing, Data processor only to take instructions from data controller, Data processor must comply with obligations upon the data controller, Jurisdiction, Established in the UK, Untitled, UK registered companies, An office, branch or agency in the UK, Individuals who are ordinarily resident in the UK, Outside the UK, Untitled, Use equipment in the UK for the processing of data, Not for transit via UK, Risks, Untitled, Civil Proceedings, Action for breach of contract, Claims for compensation under s13 DPA 1998, S13(1), An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage, S13(2), Compensation for distress needs:, Financial damage; or, Special purposes (journalism, artistic or literary purposes), S13(3), Reasonableness defence, People do sue for compensation but it is difficult to succeed, Criminal Penalties, Criminal prosecutions do happen, Fine up to £5000

Statutory Instruments

Guidance notes


Awareness is low, but rising

You cannot ignore DPA issues

Strong contract position is always better than trying to sort out later