Data Protection for Organisations
Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of it must be done within the terms of the Data Protection Act (DPA). The DPA and other information rights laws set out your rights regarding your personal information, how organisations should carry out direct marketing and how you can access information from public authorities.
- Personal Information Request
- Accessing public body information
- Raising a concern
- Claiming compensation
- Query Information held on you
Can I access my personal information?
What can I request?
The Freedom of Information Act, Environmental Information Regulations and INSPIRE Regulations give you rights to access official information. Under the Freedom of Information Act and the Environmental Information Regulations you have a right to request any recorded information held by a public authority, such as a government department, local council or state school. Environmental information requests can also be made to certain non-public bodies carrying out a public function.
- You can ask for any information you think a public authority may hold. The right only covers recorded information which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.
- You should identify the information you want as clearly as possible.
- Your request can be in the form of a question, rather than a request for specific documents, but the authority does not have to answer your question if this would mean creating new information or giving an opinion or judgment that is not already recorded.
- Some information may not be given to you because it is exempt, for example because it would unfairly reveal personal details about somebody else.
The INSPIRE Regulations require public authorities that hold spatial or geographic information to make it available so that you can search it in particular ways.
What should I do before I make a request?
-
Is the information you want already available, for example, on the authority’s website?
-
Authorities must make certain information routinely available. You can find out what information is available by checking the authority’s publication scheme or guide to information. Do this by looking at its website or by contacting the authority.
You have the right to be confident that organisations handle your personal information responsibly and in line with good practice. If you have a concern about the way an organisation is handling your information; if it:
- is not keeping your information secure;
- holds inaccurate information about you;
- has disclosed information about you;
- is keeping information about you for longer than is necessary; or
- has collected information for one reason and is using it for something else;
we believe that the organisation responsible should deal with it. We expect them to take your concern seriously and work with you to try to resolve it.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address] [Name and address of the organisation] Dear [Sir or Madam / name of the person you have been in contact with] Information rights concern I am concerned that you have not handled my personal information properly. [Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.] I understand that before reporting my concern to the Information Commissioner’s Office (DPC) I should give you the chance to deal with it. If, when I receive your response, I would still like to report my concern to the DPC, I will give them a copy of it to consider. You can find guidance on your obligations under information rights legislation on the Commission’s website (www.dataprotection.org.gh) as well as information on their regulatory powers and the action they can take. Please send a full response within 28 calendar days. If you cannot respond within that timescale, please tell me when you will be able to respond. If there is anything you would like to discuss, please contact me on the following number [telephone number]. Yours faithfully |
The Commissioner cannot award compensation.
As an individual you may go to court to claim compensation for damage or distress caused by any organisation if they have breached the Data Protection Act.
When can I claim compensation under the Data Protection Act?
How do I make a claim for compensation?
What do I need to do before I make a claim to the court?
Will it help me in court to involve the Information Commissioner’s Office?
How much will the court award me if my claim is successful?
Can an organisation record a telephone call without telling me?
Yes. In our view, individuals should generally expect that an organisation will keep a record of the call. This could be by recording the call itself or by making notes.
How long can an organisation hold data about me?
The Data Protection Act states that organisations should only keep personal data for as long as it is necessary. Organisations should also have a retention policy for the information they hold.
Can an organisation use my information or pass it on without my consent?
How do I get information held about me corrected?
How do I get an organisation to stop using my data?
How do I get information held about me deleted?
You do not have an automatic right to have personal data deleted. However, you may ask an organisation to stop using your information. For further information, read our guidance on preventing processing of personal information.
I think a decision has been made about me by a computer. What can I do?
The Data Protection Act gives you a limited right to prevent significant decisions being taken about you solely by automatic processing. You can write to an organisation telling it not to make decisions about you on this basis. You should consider sending your letter by recorded delivery and keeping a copy. The organisation has 21 days to respond. It can either reconsider any decision it has made or make a fresh decision not just using a computer. If you are not satisfied with the response, you can go to court and the court can order the organisation to reconsider the decision it has made or take a new decision on a different basis.
What is a privacy notice?
When organisations collect your information, they should usually be open about why they are collecting it, only use it in a reasonable way that you would expect, and shouldn't use it in way that is unfair to you. When your data is collected you should be given a fair processing notice or privacy notice that tells you what will be done with your data and why, unless it's already obvious who has collected your details and what they are going to be used for.
Are organisations allowed to transfer my data to foreign call centres?
Yes, providing the organisation keeps your data secure.