Data protection and identity theft
What is the Data Protection Act?
The Data Protection Act 1998 (DPA) controls how organisations, businesses and the Government ('data controllers') handles personal information and gives legal rights to individuals who have information stored about them ('data subjects'). The DPA protects personal data stored in physical and electronic form.
How does the Data Protection Act work?
The DPA protects personal information in two ways:
- The DPA establishes rules, called 'data protection principles', which have to be followed by data controllers
- The DPA has an Information Commissioner (IC) to enforce the data protection principles.
What are the data protection principles?
The eight principles of data protection are as follows:
- personal data must be collected and used fairly and legally
- personal data must be used only for the reasons provided to the IC
- personal data can only be used for the registered purposes and disclosed to the people stated in the register entry
- personal data stored must be adequate, relevant and proportionate to the purpose recorded in the register
- personal data must be accurate and updated
- personal data must not be retained longer than necessary for the registered purpose
- personal data must be kept safe and secure
personal data files must not be transferred outside the European Economic Area unless the recipient country has adequate data protection laws. Stronger legal protection is afforded to more sensitive information such as ethnic, religious and political background.
Who is the Information Commissioner?
The IC is the individual (and their office) who has statutory powers to enforce the DPA. Prospective data controllers are obligated to make an application to register with the IC. In doing so, they must declare what information will be stored and how it will be used. This information is recorded in the register.
What rights do individuals have concerning their stored personal information?
Data subjects have the right to:
- access the personal information held. The data subject may incur a fee (usually £10) for access
- correct the personal information held if it contains errors
- prevent use of the personal information held if its use will cause them distress
- prevent Direct Marketing, such as receiving 'cold calls' or junk mail
- prevent automatic decisions, such as when a computer processes a loan application through points scoring
- complain to the IC if they object to the use of their personal information
- compensation for inaccurate, lost or disclosed personal information.
Is all personal information covered by the Data Protection Act?
The DPA has exceptions - some complete, others partial. Essentially, this means that data controllers are not always bound by data protection principles. An example of a 'complete exemption' is personal data held for national security purposes, such as MI5. A 'partial exemption' is, for instance, that HM Revenue and Customs does not have to disclose information held (or processed) to prevent tax fraud.
What is identity theft and its consequences?
Identity is an asset and, like all assets, it can easily become the target of criminals who want to steal it. Criminals use a variety of methods to find out and use stolen personal information to:
- open bank accounts
- obtain credit
- apply for State Benefits.
Identity theft may not only result in the identity owner losing money, but may also compromise their ability to secure credit facilities, such as credit cards, loans and a mortgage.
What are the signs of identity theft?
Classic signs of identity theft include:
- theft of important identity documents (for example, a passport or driver's licence)
- non-arrival of post from a bank or utility provider
- appearance of unrecognised items on a bank or credit card statement
- receipt of invoices for unrequested goods services
- denial of credit facilities despite having a good credit score
- receipt of debt collector or solicitor's letters
- an application for State Benefits is made yet notification of an existing claim is given.
What can victims of identity theft do to prevent being held responsible for any financial losses?
Victims of identity theft must act quickly to avoid being held liable for any financial losses incurred. This includes taking one or more of the following steps:
- report all lost or stolen documents to the issuing organisations
- report unusual or suspicious activity on bank or credit card statements
- request a copy of their credit file and look for any unidentified credit applications
- report theft of personal documents and unidentified credit applications to the police (and request a crime reference number)
- contact the Credit Industry Fraud Avoidance Service (CIFAS), the UK's Fraud Prevention Service, to apply for protective registration.