Information Sheet For The Data Protection Act 1998
What is the Data Protection Act all about?
This note highlights the principal features of UK data protection law, which is governed primarily by the Data Protection Act 1998.
In the UK, the collection and use of personal data is primarily governed by the Data Protection Act 1998 (DPA), which (together with accompanying secondary legislation) came into force on 1 March 2000. The DPA implemented the EC Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46/EEC) (the Directive), and replaced the UK's Data Protection Act 1984 in its entirety.
The Directive introduces an extensive data protection regime by imposing broad obligations on those who collect personal data, as well as conferring broad rights on individuals about whom data is collected. The Directive is also intended to harmonise national data protection laws throughout the EU. Differences between national implementing laws have arisen, however, not simply because the Directive gives member states a fair degree of discretion in implementing its provisions, specifically allowing them to introduce or retain more stringent rules, but also because the provisions of the Directive are in some respects less than clear, and it is left to member states to interpret and clarify them.
The DPA aims to promote high standards in the handling of personal information and so protect the individual's right to privacy. The DPA applies to firms holding information about living individuals in electronic format and, in some cases, on paper.
What sort of personal information is covered by the DPA?
Broadly, the DPA covers any information that relates to living individuals which is held on computer. For example, this may include information such as name, address, date of birth and opinions about the individual or any other information from which the individual can be identified.
What sort of processing is covered by the DPA?
Broadly, the processing of personal information includes obtaining, disclosing, recording, holding, using, erasing or destroying personal information.
Which organisation oversees the procedures under the DPA?
The Information Commissioner's Office (ICO) is the UK's independent public body set up to promote access to official information and to protect personal information. The DPA requires the ICO to maintain a register of certain 'data controllers' and the purposes for which they use personal information.
What are data controllers and data processors?
Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. It is important to establish whether or not someone is a data controller because it is data controllers who are required to comply with the eight data protection principles (see further below). A data controller must be a "person", i.e. a legal person. This term comprises not only individuals but also organisations such as companies and other corporate and unincorporated bodies of persons.
A data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Who should register as a data controller?
If a data controller holds and processes information about individuals who are customers, employees, suppliers, clients or other members of the public, they may need to join the register. This is called 'notification'.
Does everyone have to register?
Not everyone has to notify – for example, a firm may not need to notify if it only processes personal information for its own core business purposes such as marketing, staff administration and accounting. However, notification may be required if the firm processes personal information for purposes such as auditing, crime prevention, pensions administration or the prosecution of offenders. The standard fee for notification is £35. Failure to notify is a criminal offence, punishable by a fine of up to £5000.
How can I find out if I am exempt from registering?
There is a self assessment guide to notification exemptions available on the ICO's website (www.ico.gov.uk).
What if someone asks me for their information?
Individuals have a right under the DPA to obtain, from the data controller, a copy of the information held about them. This is known as the 'right of subject access'. If a firm receives a subject access request, they must deal with it within 40 days of receiving it and should promptly send the individual a copy of the personal information held. A fee of £10 may be charged for responding to such a request.
How do data controllers register?
There are 3 ways for data controllers to register (i.e. notify):
- On the internet (www.ico.gov.uk) – by completing the notification form online, printing it off and sending it (with notification fee or direct debit instruction) to Notification Department, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- By completing the 'Request for a notification form' (this can be downloaded from above website). It should then be faxed or posted to the above address or alternatively emailed. Notification forms will then be sent to the data controller for further completion
- By telephone – by dialing the Notification Helpline on 01625 545740. Data controllers will be asked to provide their name, address and contact details and will be asked to specify the nature of their business.
A data controller is obliged to follow the eight data protection principles of good information handling.
These state that personal information must be:
- fairly and lawfully processed
- processed for specified purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- not kept for longer than is necessary
- processed in line with the rights of the individual
- kept secure; and
- not transferred to countries outside the European Economic Area unless the information is adequately protected
Is some personal information 'sensitive'?
Some personal information is classed as sensitive personal information. This type of information is subject to further regulations under the DPA and can only be processed under certain circumstances. Personal information becomes sensitive if it includes any of the following types of information about an identifiable, living individual:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health
- sexual life
- commission of offences or alleged offences
To ensure compliance, what would be best practice for my business?
Make a current member of staff responsible for compliance with the DPA and for keeping the data safe as the designated keyholder. This staff member can then train the rest of the staff to process data confidentially and accurately. A handbook may also be compiled so every staff member is clear on all DPA limits and requirements.
Formulating a privacy policy
If the collecting entity is established in an EU member state, or uses equipment (for example, a website hosting server) within an EU member state, the data protection regime of the relevant member state will be based on the EC Data Protection Directive, and will broadly require:
- Notification or registration with the national data protection authority before processing the data, subject to exceptions in the case of certain countries.
- Justification for processing the data.
- The provision of information regarding the processing of the data at the time of its collection.
In practice, the best way to comply with the second and third of these requirements may be to incorporate a privacy policy on the company's website (and generally make it available as part of the corporation's rules), which enables individuals to proactively consent to the proposed processing.
There must be a clear notice at the point at which users of the site submit their data, which invites users to view the privacy policy before agreeing to send their personal data to the website. The notice should also state that by submitting the data, the user consents to the data being dealt with in accordance with the terms of the privacy policy.
The privacy policy itself should be in a position where it can be seen or at least accessed before the user is asked to transmit his personal data to the website owner. At the very least, there should be a hyperlink to the separate page on the site which contains the privacy policy immediately before the user is asked to transmit his personal data to the website.
The policy should contain at least the following information:
- The identity of the entity collecting the data (the data controller).
- How the data is collected.
- The purposes for which the data is collected (in other words, what the company will use the data for, such as order fulfilment, administration and so on). It should be noted that:
  - if the data controller intends to use the data for the purpose of electronic direct marketing, the data controller must usually obtain the user's prior "opt-in" to his data being used for that purpose; and
  - the data controller may not process "sensitive" data about the individual without his "explicit consent".
- Who will have access to the data (both within and outside the company), to whom the data will or may be disclosed (whether the data could be transferred to other organisations, even if part of the same corporate group of companies) and, if it is disclosed, what those organisations will use the data for (for example, group administration).
- Whether the data will be transferred outside the EEA and, if so, those countries to which the information would be transferred. Personal data may not, as a rule, be transferred outside the EEA to any jurisdiction which does not have an "adequate level of protection" for such data unless consent has been obtained from the user that is freely given, specific, informed and unambiguous (in the case of "ordinary" personal data) or "explicit".
- A description of the steps implemented by the data controller to ensure that the personal data is kept confidential, is not disclosed accidentally and is not processed for any purposes other than those notified to the user in the privacy policy.
- An indication of the company's policy on record retention, including details of the period(s) for which data is kept and the steps taken to ensure that it is accurate and kept up to date.
- Contact details which an individual can use if he has a query regarding the data held by the company in relation to him.
- An individual's rights to have access to and require rectification of data held about that person.
For more information on this or related issues please contact Richard Hastings on 01293 742746 or richard.hastings@thomaseggar.com