Just dug out these two titbits; I'm sure you could use some parts to suit your needs? Should make them think twice.
The Data Protection Act 1998
A Summary
Key Points to Note
Personal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. Personal data processing may only take place if specific conditions have been met: these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that is, data relating to the ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject.
The new Act covers personal data in both electronic form and manual form (e.g. paper files, card indices) if the data are held in a relevant, structured filing system.
Personal data processing must be in accordance with the purposes stated.
Appropriate security measures must be taken against unlawful or unauthorised processing of personal data and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organisational measures, e.g. staff data protection training.
Data Subject Rights
The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:
To make a subject access request: an individual is entitled to be supplied with a copy of all personal data held;
To require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process;
To prevent processing likely to cause damage or distress;
To prevent processing for the purposes of direct marketing;
To take action for compensation if they suffer damage by any contravention of the Act by the data controller;
To take action to rectify, block, erase or destroy inaccurate data; and
To request the Data Protection Commissioner to make an assessment as to whether any provision of the Act has been contravened.
European Communities (Data Protection) Regulations, 2001
A Summary of the New Data Protection Rules
The European Communities (Data Protection) Regulations, 2001 were signed by the Minister for Justice, Equality & Law Reform on 19 December 2001, and will bring into force some new data protection rules with effect from 1 April 2002. The Regulations give effect to some parts of the 1995 EU Data Protection Directive. The main points of the new rules are briefly summarised below.
o The new rules clarify the level of security measures that organisations must have in place to protect personal data. Generally speaking, organisations must take all necessary and reasonable steps, having regard to the state of current technology, and to the sensitivity of the personal data in question.
o If you retain the services of an agent to process personal data on your behalf – a ‘data processor’ – then you must use a contract in writing (or equivalent form) which deals adequately with issues of security, confidentiality and other data protection matters.
Comment: Organisations dealing with personal data of a private or sensitive nature – such as people’s medical files, personnel files, or private telecommunications – naturally need to have very robust standards of security in place. Organisations that hold personal data with a lower privacy value – such as name, address, or membership of a local drama group – do not need to go to such great lengths, but must still have reasonable security measures in place.
Comment: There is no point in preparing an elaborate security scheme, which works well in theory, if the measures are not applied in practice. The Regulations therefore require data controllers and data processors to take all reasonable steps (i) to develop an appropriate level of staff awareness, and (ii) to ensure compliance by staff with the security measures. This requirement applies for employees, and for other persons at the place of work.
The Regulations should be seen as underlining the importance of security measures, particularly in an environment where more and more personal data is being transmitted over the internet, and via telecommunications and other networks.