Privacy & Data Protection
The Ultimate Guide to the Data Protection Act 1998

Part I


The first in a series of articles of progressive complexity will examine the basics of the Act.

Driven largely by an aspiration of Europe-wide privacy rights for individuals, various European legal measures culminated in a 1995 European Directive under which all member states of the European Union, including the UK, were obliged to create new law on the 'processing of personal data'.

The Data Protection Act 1998, the statutory provision under which the UK implemented the Directive, came into force on 1st March 2000.  More significantly, the transitional exemptions in the Act (which allow some companies to delay the implementation of their compliance procedures) expired on 31st October 2001 - meaning that the Act came fully into force on that date.


What is Data Protection?

Data protection is essentially that area of the law that governs what may, and what may not, be done with personal information.  Such personal information may be in electronic (e.g. stored on a computer hard drive) or manual (e.g. hand-written) form.


Terminology

In order to ascertain the scope of the legislation, it is necessary to consider four basic terms that will be used throughout this article.  The exact definitions of these terms in the Act are complex, but it is sufficient here to deal with the generality.

  • Personal Data - electronic or manual information which identifies a living individual, e.g. a person's name, address, email address, DNA sample, CCTV image, etc.

  • Processing - any activity that can be carried out concerning personal data, e.g. obtaining, storing, copying or transferring such data.

  • Data Controller - any person who controls the processing of personal data, e.g. banks, insurance companies, stockbrokers, law firms, supermarkets and government departments.  In fact virtually all UK businesses (and non-businesses) are data controllers.

  • Data Subject - the individual person who is the subject of any relevant personal data.

The Data Protection Act applies only to the processing of personal data by data controllers.


What does the Act do?

Essentially the Act does three things:

1.  It requires every data controller to inform the relevant national authority of its processing operations ('Notification');

2.  It obliges data controllers to comply with a code of conduct on data processing (the 'Data Protection Principles'); and

3.  It creates a set of enforceable expectations for individuals concerning the processing of their personal data (the 'Individuals' Rights').


Notification

Data Controllers must inform the Office of the Information Commissioner of the types of processing that they undertake.  Notification can be done online at www.dataprotection.gov.uk and is subject to an annual fee of £35.  The register of data controllers, maintained by the Information Commissioner, is a public document and can be searched online - it contains a list of all the registered purposes of processing for each registered data controller.  The Office of the Information Commissioner is unable to refuse to register a data controller's processing following a notification.

There are a few exemptions from the need to notify processing such as that undertaken purely for the purpose of maintaining employee records or of a membership or customer list.

Processing without notification, and processing of a type not reflected in the notification, are both criminal offences.


The Data Protection Principles

There are eight principles of data processing.  All data controllers must generally comply with all eight, even if they are exempt from notification.

The principles, which will be looked at in detail in future editions, are enforceable by the Information Commissioner by virtue of her powers to issue Enforcement Notices.  Failure to comply with such an enforcement notice constitutes a criminal offence.

There are various exemptions from the need to comply with the principles.  Examples include processing for national security, the prevention or detection of crime, the assessment or collection of tax, the determination of examination results and for the purposes of management forecasting.


Fair & Lawful Processing

The first data protection principle requires personal data to be processed fairly and lawfully.  As part of that requirement, it is necessary that all personal data processing must comply with at least one of six threshold processing conditions.

The most common condition is that the consent of the data subject has been obtained to the processing.  Consent may be implied except where the data to be processed is sensitive (see the box for the definition of sensitive data), when it must be 'explicit'.


Security

The seventh data protection principle requires that all data processing be undertaken in a secure environment.  This requires appropriate measures to be adopted to ensure that unauthorised processing does not occur and that data are not accidentally lost, stolen or destroyed.


Export Ban

The eighth principle outlaws the sending of personal data to destinations that are not within the European Economic Area.  The exceptions to this rule include those countries that have adequate data protection legislation (so far only Switzerland and Hungary comply) and where consent to the export has been obtained from the data subject.

A further exception, known as 'safe harbor', has been created by the US and the EU to allow transfers of personal data to companies within the US.  To qualify, such companies must agree to comply with a set of data protection rules not unlike those contained in the Data Protection Act.


Individuals' Rights

Individuals are entitled to the following rights in respect of data processing:

  • To be informed by any data controller whether it is processing data concerning him, and to be given a copy of such data;

  • To prevent processing likely to cause him damage or distress;

  • To prevent direct marketing to him;

  • To prevent the taking of automated decisions concerning him;

  • To have inaccurate data corrected or erased;

  • To compensation for damage or distress caused by unlawful data processing; and

  • To ask the Information Commissioner to investigate the activities of any data controller.

In further articles the following topics will be considered:

  • The exemptions from the requirement to notify;

  • The right of individuals to gain access to their data;

  • The remaining rights of individuals;

  • The fair and lawful processing requirement in the first data protection principle;

  • The security requirement in the seventh data protection principle;

  • The personal data export ban;

  • The exemptions from various of the Act's obligations; and

  • The criminal offences.

© Privacy & Data Protection Limited, 2002