The Data Protection Act is administered by the Information Commissioner, an independent officer who reports directly to Parliament. It is concerned with personal information which is automatically processed. It works in two ways, giving individuals certain rights whilst requiring those who record and use personal information to be open about that use and to follow sound and proper practices.

"Personal information" is information about living, identifiable individuals, but isn't necessarily particularly sensitive information, and can be as little as a name and address.

"Automatically processed" means, broadly speaking, information which is processed by computer, although it does not cover some information which is held and processed manually, i.e. paper files but they have to be organised using a particular method to be covered by the Act.

You have the right to apply to public sector organisations or private companies which keep information about individuals (children as well as adults). The Act requires all such organisations to abide by the Data Protection Principles.

Organisations must:

• obtain and process information fairly and lawfully;
  
• register the purposes for which they hold it, not use or disclose the information in a way contrary to those purposes;
  
• hold only information which is adequate, relevant and not excessive for the purposes;
  
• hold only accurate information, and, where necessary, keep it up to date;
  
• not hold the information any longer than necessary;
  
• when requested, give individuals copies of information about themselves, and;
  
• where appropriate, correct or erase the information;
  
• take appropriate steps to keep the information safe.
  

The Data Protection Act allows you to have access to information held about yourself on a computer and where appropriate to have it corrected or deleted. This is the 'subject access right' and it means that you are entitled, on making a written request to a data user, to be supplied with a copy of any personal data held about you. The data user may charge a fee of up to £10 for each register entry for supplying this information but in some cases it is supplied free. Usually your request must be responded to within 40 days. If not, you are entitled to complain to the Information Commissioner or to apply for a court order for access. If personal data is found to be inaccurate you may complain to the Information Commissioner or apply to the Courts for correction or deletion of the data.

The Public Register of Data Controllers is open to public inspection at the Information Commissioner's (ICO) Office in Wilmslow, or via the ICO's webite at www.informationcommissioner.gov.uk. Copies of individual register entries are available free of charge (a small fee is payable for certified copies). A register entry only shows what a data user is registered to do, it does not reveal whether or not that data user holds personal information about you.

If you consider there has been a breach of one of the Principles (or any other provision of the Act), you are entitled to complain to the Information Commissioner. If the Commissioner considers the complaint to be justified and cannot be resolved informally then he may decide to prosecute or to serve an enforcement notice or notice of refusal of registration on the data user in question.

You are entitled to seek compensation through the Courts if damage (not just distress) has been caused by the loss, or unauthorised destruction or disclosure of your personal data. 'Unauthorised' means without the authority of the data user or computer bureau concerned. If damage is proved, the Court may also order compensation for any associated distress. You may also seek compensation through the Courts for damage caused by inaccurate data.