Data Protection

Course contents

The Data Protection Essentials course is made up of four bite-sized sections:

Why Protect Data: Introduces what personal data is, why it's so important and the responsibilities placed on organisations and individuals by the Data Protection Act.

Personal Data: What is deemed as Personal Data and what we need to do at Brookson to comply with the Data Protection Act

The Eight Principles: Provides clear, comprehensive explanations of all eight principles of the Data Protection Act, with examples and case studies to illustrate the practical implications of each of them. Now updated to introduce the main provisions of the forthcoming GDPR.

Personal, Sensitive Data and Subject Access: To understand what is deemed as Personal Data and how we should represent the business should a subject access request be made.

The Data Protection Challenge: Tests your knowledge and understanding of data protection by asking you a series of questions on the key points covered in the course. Pass the challenge to earn a course completion certificate.

Data Protection Act 1998


Each UK citizen is thought to have over 4,000 pieces of personal information about them stored on databases!

Virtually everything we do with technology leaves some kind of data footprint, whether we are aware of this or not. More and more people have raised concerns about the amount of personal data being collected and how this is used. 

And what about at Brookson, Much of this information will be on record, as well as details of your employment, sickness history and job performance.

The Data Protection Act was passed in order to meet these growing concerns. It defines our rights in relation to our personal data, and sets clear rules which organisations and individuals must follow.

Learning Objectives

This course is designed to help you understand your obligations in relation to Data protection, as a Brookson employee.

Breaching Data Protection could have serious consequences for both the customer and the company.

These include:

  • Incurring a financial fine
  • Losing our licence to hold data
  • Loss of our reputation
  • Loss of business

As a result, all employees must be trained in Data Protection on an annual basis.

Click on the below link to view our Data Protection Policy

xxxxxxxxxxAdd Link xxxxxxxxx

The Need for Data Protection Laws

It's clear there is a need for tight controls on how personal data is processed. Above all else, people need to have confidence that their personal information is safe and secure.

This is one of the reasons the Data Protection Act was created.

Select each button opposite for more about the purpose and aims of the Data Protection Act.


Main Provisions of the DPA

The Data Protection Act 1998 defines everyone's information rights and sets out eight 'data principles' which all individuals and organisations must follow.

These principles state how data may be lawfully collected, stored and managed (more about these principles later in the course).

Select the button to learn more about the Data Protection Act.

Is Everyone's Data Safe?

Electronic technology is part of people's daily life and everyone would like to think their personal information is secure. But how safe is this personal data?

Select each button to reveal high-profile breaches of our data protection laws.


In this topic we explored:

  • How the Data Protection Act defines people's rights and sets rules that businesses must abide by
  • The various data protection roles and who they refer to
  • The penalties which can be enforced if an organisation breaches the Act
  • How companies intend on keeping our personal data secure


Personal Data

Personal Data - A

With computerisation and other advances in technology, it is much easier for Brookson to store personal data.

This information should be given willingly and used correctly.

The problems that could arise for a person if the information we hold is incorrect, or the information given for one purpose is used for another or given to another organisation, are extensive.

Personal Data - B

The purpose of the Data protection Act is to prevent these problems with data occurring.

The Act achieves this in 2 ways:

  • By placing obligations on people who hold data
  • By giving rights to people about whom the data is held

These obligations and rights are underpinned by the 'eight principles of good information handling'.

Before we move to look at the eight principles, let's have a look at some of the terminology used within the Act.

Personal Data - C

Firstly let's look at the term 'Personal Data'.

Firstly it must relate to a living person. This means once a person has died, the information held about them ceases to be covered by the Data Protection Act.

Secondly, the person must be identifiable either from the information itself or from the information plus the other information which the Data Controller possesses.

For example, a spreadsheet with partial information may not identify a person, but when put together with another spreadsheet located elsewhere in the office, it does. This is then classed as 'Personal Data'.

Personal Data - D

You should note that the definition of 'Personal Data' includes any expression of opinion about the Data Subject.

For example, a customers' Connect account application would be classed as personal data, but the advisors opinions about the customer on the notes section would also be classed as personal data.

Personal Data - E

The act applies whether the personal data is held on a computer system or is recorded in some other way with the intention of later holding it on such system.

It also applies if the information is held on 'a relevant filing system'. A relevant filing system is one that, whilst not computer controlled, is maintained in a structured way, an example would be an employee's staff file. This means that information about an individual can be readily accessed by referring to them either by name or by another criteria such as employee number.

There are specific conditions that apply to 'sensitive data' and we will look at these later on.

Question 1

Thinking about the following situation:

Brookson has a database that stores the details of the age, sex and salaries of it customers. However, it only uses this information for statistical purposes and the customers are NOT identified by name on the database, only by reference number.

Elsewhere in Brookson there is a manual file that links the reference numbers to the names and addresses,

  • Under the Act, is the information on the database classed as 'Personal Data'?

Processing Data & Data Protection Principles

Processing Data

The provisions of the Act refer to 'Processing Data'.

Under the Act, "processing data" means:

  • Obtaining Information
  • Recording Information
  • Holding Information on File
  • Disclosing Information to Someone
  • Retrieving, Consulting or Using Information 

In other words, just about anything you can think of will fall within the definition of 'processing data'!

Understanding this fact is important if you are trying to avoid contravening the eight data protection principles, and is particularly important if you are dealing with sensitive data that we will come to later.

Processing Data

The Data Protection Act refers to various data protection roles carried out at government and organisational level, right through to the individual whose personal data is being collected and processed.

Select each button to find out more about these roles.

The 8 Principles

It is important to remember these eight principles, since contravention of any of them could result in legal action against both the Company and you personally.

Contravention could also result in Disciplinary action being taken.

Sensitive Data & Subject Access

Overview - Sensitive Data

We mentioned earlier that some types of personal data are classed as sensitive.

Sensitive data includes matter relating to:

  • Race or Ethnic Origin
  • Political Opinions
  • Religious or Similar Beliefs
  • Trade Union Membership
  • Physical or Mental Health/Medical Records
  • Sexual Preference
  • Commission of offences or Alleged offences
  • Any Criminal Offences Committed by the Individual 

In these cases the Act generally requires explicit consent before the data can be processed.

Sensitive Data - Email

Look at the email below.

What parts of the email are disclosing Sharha's personal data?

Click next to answer the questions


Which of the following would be classed as 'sensitive data'?

  • Age
  • Nationality
  • Political Views
  • Employer
  • Medical History
  • Relationship with other named individuals

Processing Data

Processing Data

It is very important to remember that, when the Act talks about 'processing data' it is referring to much more than simply holding data somewhere.

Any use of information could be regarded as processing, particularly when it is included in an email.

You must be careful to ensure that personal data is only included in an email if it is for legitimate interests of the company, and never send sensitive data in an email.


  • Email can be traced
  • Email is not private
  • Email is not just idle chat
  • Security is not guaranteed on email

Personal Data

Personal Data

What does this mean for you?

All employees should understand their responsibilities under the Data Protection Act.

In particular, employees must not:

  • Disclose personal data, except in strict adherence with Company procedures
  • Use personal data held on others for their own purposes

Anyone who collects personal data in the course of their work, for example, customer information, must seek advice to ensure they are conforming with the Act, if it is not covered by Company Policies and Procedures.

Data Subjects - Rights

The Rights of Data Subjects

the Data Protection Act gives everybody important rights to access the information that we hold about them, and rights in respect of what should happen to that information.

these are known as the '7 Rights of Data Subjects'.

Let's now look at these Rights in more detail.

1. The Right to Subject Access

The first right is the right to subject access.

This rights allows people to find out what information is held about them on computer systems and some manual records.

When someone makes a request to a Company for details of the information held about them, it is known as a subject access data request. The Company must reply promptly, and no later than 40 days, after receiving a written request. 

On payment of a maximum fee (£10) the Data Controller must provide a copy of the personal data in a legible and intelligible form.

2. The Right to prevent processing likely to Cause damage or Distress

The second right is that of preventing the processing of data that is likely to cause substantial and unwarranted damage and distress.

You should note that there are certain circumstances in which this right does not apply including:

  • Where the Data Subject has given his or her consent to the data processing
  • Where the processing is necessary for the prevention or detection of crime or the assessment or collection of tax

3. The Right to Prevent Processing for Direct Marketing Purposes

The third right of Data Subjects is to prevent processing for direct marketing purposes.

This entitles a Data Subject to write to a Company requiring it to cease, or not to begin, processing their personal data for the purposes of direct marketing.

4. The Right in relation to Automated Decision Taking

The fourth right of Data Subjects to have a decision that was made by automatic means, for example by a computer, to be considered by a real person.

This usually applies when new credit applications are credit scored.

5. The Rights to Compensation

The fifth right of Data Subjects is to seek compensation through the High Court if he or she suffers damage or distress as a result of a Data Controller contravening any of the requirements of the Act.

6. The Right to Rectification, Blocking, Erasing and Destruction

The sixth right is that of being able to apply to the high court to have inaccurate personal data rectified, blocked or erased or destroyed, if an individual is unable to do this after a discussion with the Company holding their data.

7. The Right to Establish Whether the Act has been Contravened

The seventh and final right of Data Subjects is the right to establish whether the Data Protection Act has been contravened.

To do this the Data Subject must ask the Information Commissioner to make an assessment.

The Information Commissioner is an independent official appointed by the Crown to oversee the workings of the Data Protection Act and certain other legislation concerned with information and the public.


The fact that someone is of 'Catholic' religion would be classed as sensitive data under the aCT.

  • Type your statement here...

Penalties - Data protection Act

Penalties under the DPA

If an organisation or its employees breach the Data Protection Act, they could face a range of penalties.

The ICO has various powers it can use to enforce data protection laws, or impose penalties on individuals or organisations who fail to comply.

It will also 'name and shame' organisations who breach the Act by publishing details of actions against them. This can be an effective way of enforcing the law as most organisations are reluctant to risk damaging their reputation.

Select each box to learn about the penalties the ICO can impose.

Risks of Non-Compliance

  • Breaching the Data protection Act represents a reputational and financial risk to Brookson
  • The Information Commissioner's Office has the power to fine organisations up to £500,000 for breaches of the Data Protection Act
    • Ealing Council and Hounslow Council fined £70,000 and £80,000 for losing password-protected but unencrypted laptops.
    • Hertfordshire County Council fined £100,000 for accidentally faxing sensitive personal information to the wrong recipient
    • Company A4e fined £60,000 for losing unencrypted laptops containing sensitive information relating to customers (personal details) and staff (salaries, criminal activities).


In the next section you will be asked a number of questions.

You will need to score 90% on the assessment to PASS.

A certificate will be printed at the end of the assessment if you pass, if you do not achieve 90% you will need to review the training material and re-take the assessment, you will only be allowed 2 attempts before being locked out.

Best of Luck.........