Areas of Advice

  • No categories

The Advice Archive

Data Protection Act 1998

The Data Protection Act (DPA) is a British Act of Parliament that provides a legal basis and allowing for the privacy and protection of data of individuals in the UK. The act places restrictions on organisations which collect or hold data which can identify a living person. The Act does not apply to domestic use (Data Protection Act 1998, Part IV (exemptions), Section 36), for example keeping a personal address book.

Data collected by any person or organisation may only be used for the specific purposes for which they were collected. Personal data may only be kept for an appropriate length of time and must not be disclosed to other parties without the consent of the data owner. Schools, for example, may decide to keep information on former pupils for no longer than ten years.

The act is overseen by an independent government authority, the Office of the Information Commissioner. Persons and organisations which store personal data must register with the Data Protection Commissioner – now known as the Information Commissioner.

The UK Data Protection Act is a large Act, and has a reputation for complexity. Whilst the basic principles are honoured for protecting privacy, interpreting the act is not always simple.


The Data Protection Act 1984 was an implementation of the 1981 European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. It provided for a regulatory authority, the Data Protection Registrar, to oversee the implementation of and adherence to the Act.

The Data Protection Act 1998 expanded on the 1984 Act, and was an implementation of European Union Directive 95/46/EC which, amongst other measures, expanded the remit of the Data Protection Registrar and renamed the position to the Data Protection Commissioner. The 1984 Act was repealed by the Data Protection Act 1998. See link

Paper-based health, education and social work records which were created before 24 October 1998 are subject to slightly different provisions in the Act which will apply until 23 October 2007.

Most recently, the Freedom of Information Act 2000 further expanded the role to include freedom of information; the job title of the DPR/DPC was changed once again, this time to Office of the Information Commissioner.

Personal data

The Act covers any data which can be used to identify a living person. This including names, birthday and anniversary dates, addresses, telephone numbers, e-mail, Fax numbers, etc. It only applied to that data which is held, or intended to be held, on computers (‘equipment operating automatically in response to instructions given for that purpose’), or held in a ‘relevant filing system’.

Data protection principles

The data protection act creates rights for those who have their data stored, and responsibilities for those who store or collect personal data.

The responsibilities of those holding or collecting the data are that:

  • Personal data should only be processed fairly and lawfully. In order for data to be classed as ‘fairly processed’, at least one of these six conditions must be applicable to that data.
    1. The data subject (the person whose data is stored) has consented (“given their permission”) to the processing;
    2. Processing is necessary for ‘the performance of’ (to speed up the completion of) a contract;
    3. Processing is required under a legal obligation (other than one stated in the contract);
    4. Processing is necessary to protect the vital interests of the data subject’s rights;
    5. Processing is necessary to carry out any public functions;
    6. Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).
  • Personal data must be obtained only for specified and lawful purposes.
  • The data collected must be adequate, relevant and not excessive.
  • Personal data must be accurate and up to date.
  • The data should not be kept any longer than necessary. Data collected for research or historical reasons may be kept indefinitely
  • Personal data should only be processed in accordance with the “data subject’s” (the individual’s) rights.
  • Personal data should be securely kept, and not transferred to any other country without adequate protection.

The person who has their data held has the right to Your rights, ICO

  • View the data an organisation holds on them, for a small fee – As of 2006, the maximum fee is £10 per item, FAQs, ICO
  • Request that incorrect information is corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded. Correcting information, ICO
  • Request not to receive direct marketing. Data Protection Act 1998, Section 11

8 principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
    1. at least one of the conditions in Schedule 2 is met, and
    2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

See also

External links

Article written by Jennifer Kirk based on information from OPSI and Wikipedia.