The Act gives 'data subjects' certain rights. It also requires 'data controllers' to be open about how 'personal information' about data subjects is used, and to follow 8 principles of good information handling.
The Act is applicable to any data controller who is established in the UK, and is processing personal data in either manual or computerised systems within the context of his/her organisation.
For example, museums hold personal data relating to donors in their Accession and Cataloguing records, and this means that they are required to comply with the Act. Under the Act a data controller is not allowed to hold or process data unless they have 'notified' the Data Protection Commissioner. Failure to notify is a criminal offence.
Anyone processing personal data must comply with the eight principles of good practice. The 8 Principles say that data must:
1. Be fairly and lawfully processed. Processing covers obtaining, recording, retrieving, consultation, holding, disclosing and use of data. Data controllers must not process personal data unless at least one of the following conditions is met:
   The individual has given his or her consent to the processing;
   Processing is necessary for the performance of a contract with the individual;
   Processing is required under a legal obligation;
   Processing is necessary to protect the vital interests of the individual;
   Processing is necessary to carry out public functions;
   Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).
   The Data Protection Act imposes further restrictions on the processing of sensitive personal data, which includes information about racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; health; sex life; and criminal allegations, proceedings or convictions.
2. Be obtained for specified lawful purposes and shall not be processed for any other purpose;
3. Be adequate, relevant and not excessive in relation to the purpose for which it is held;
4. Be accurate and where necessary up to date;
5. Not be kept longer than necessary for the purpose for which it was originally processed;
6. Be processed in accordance with the data subject's rights;
7. Be kept secure against unauthorised or unlawful processing, or accidental loss, destruction or damage;
8. Not be transferred to countries outside the European Economic Area unless that country has an adequate protection for the rights of data subjects.
You must notify the Office of the Data Protection Commissioner and keep your notification up to date;
You must comply with the 8 principles of good data protection practice set out in the Act;
You have a duty towards the people about whom you hold data under the DPA and you must ensure that you comply with that duty;
You should make sure that the policies of your organisation reflect the DPA principles. You should have a written Data Protection Policy.
Every organisation processing personal data must complete a standard application form, and pay a notification fee of £35.00.
The form is available from:
Office of the Data Protection Commissioner
PO Box 66
Wilmslow
Cheshire SK9 5AF
Telephone 01625 545740
The form is also available online at: http://www.dataprotection.gov.uk
The following alterations have been made to the old Act:
1. The word 'data' now covers data held in manual records as well as data in computer records;
2. The processing of data must now be justified by satisfying at least one of a set of conditions;
3. Precautions must be taken when processing 'sensitive personal data';
4. Some rights of the data subject are strengthened;
5. The present system of Data Protection 'registration' has been replaced by a 'notification' system;
6. There are new regulations covering the transfer of personal data outside the European Economic Area.
Some kinds of data do not have to be notified under the Act, for example if an organisation keeps personal information about appointments, pay, discipline, pensions or work management.
If you think you only hold these kinds of data about individuals, then you may not have to notify under the Act; however, this is unlikely to apply to heritage organisations.
Specific consent is required if an organisation is holding sensitive information. However, much of the information held by a museum will not be of this nature. This question arises most often when museums believe donors or lenders have to give permission in writing for their name and address to be held in museum documentation systems. This is not the case, as the recording of the individual's name and address is necessary as part of the contract between the individual and the museum (see Principle 1).
It is however good practice to inform the public that you comply with the DPA in your publicity literature.
You will have to ensure that everyone at all levels within your organisation understands the DPA and their obligations under it, and that Data Protection is an integral part of all of your working procedures and recording systems. In a small museum this might involve giving out information about the DPA at staff meetings, and ensuring that all new employees and volunteers are aware of the Act. A larger museum will have a written DP policy, a DP Compliance Officer, and a DPA handbook. DPA training should also be a part of the induction of a new employee or volunteer.
The aim of Museum Accreditation is to raise standards in museums. Particularly it aims:
1. To encourage all museums and galleries to achieve agreed minimum standards in museum management, user services, visitor facilities and collection management.
2. To foster confidence in museums as bodies which (a) hold collections in trust for society and (b) manage public resources appropriately.
3. To reinforce a shared ethical basis for all bodies which meet the definition of a 'museum'.
So, although the DPA is not mentioned specifically in the Accreditation Standard, it is clearly an underpinning legal standard for all museums.
Individuals have the right of access to data held on them by a data controller. An enquiry for access to personal data should be made in writing to the person responsible for DP within the organisation.
Replies to requests must be made within 40 days, and the data processor is able to charge a small fee for dealing with access requests. Failure to comply with requests for access is grounds for a complaint to the Commissioner. Data subjects have the right to apply to a court to ensure that inaccurate data is rectified, erased or destroyed, or to stop processing of data that is causing damage or distress to the individual, or is unnecessary.
data
Information which is processed either manually or on computer as part of an information system.
data controller
This replaces the data user in the 1984 Act and refers to the person who decides the purpose for which data is recorded and the way in which this is done.
data processor
Any person who processes data on behalf of the data controller.
data subject
The individual who is the subject of the personal data.
notification
The Information Commissioner maintains a public register of data controllers. Notification is the process by which a data controller's details are added to the register. The Data Protection Act 1998 requires every data controller who is processing personal data to notify unless they are exempt.
personal data
Data relating to a living individual, and which identifies that individual.
processing
Obtaining, recording or holding and processing information or data.
More information can be found at:
Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Information Line: 01625 545745
Switchboard: 01625 545700
Fax: 01625 524510
Website: www.dataprotection.gov.uk
e-mail: mail@dataprotection.gov.uk