The Data Protection Act provides various rights of a data subject that apply to both actual and potential customers and employees. These include the right to:
- be informed of the use to which their personal data is to be put;
- access their personal data in custody of any business/company;
- object to the processing of all or part of their personal data;
- correction of false or misleading data;
- deletion of false or misleading data about them; and
- The right not to be subject to a decision based solely on automated processing.
Automated individual decision making
Every business customer and employee has a right not to be subject to a decision based solely on automated processing such as profiling, which produces legal effects affecting them. Automated decision making may however be pursued with the consent of the affected customer/employee or pursuant to any written law to which a business is subject for example some types of profiling by credit reference bureaus and financial institutions.
Where a business takes a decision which produces legal effects or significantly affects a customer or employee based solely on automated processing:
- the business must, as soon as reasonably practicable, notify the affected customers in writing that a decision has been taken based solely on automated processing; and
- the customer may, after a reasonable period of receipt of the notification, request the business to— (i) reconsider the decision; or (ii) take a new decision that is not based solely on automated processing. This provides for human intervention at all levels of decision making within a business.
In the case of financial institutions this would apply to cases such as loan limits for mobile lending or access to credit.