Some Information on the UK Data Protection Act, 1998

As with most Acts, Data Protection is complicated due to interpretation, exceptions and caveats.

Envocare is not expert in the Data Protection Act and we do not offer these notes as a definitive source of information. They are our interpretation of what we have read from a reputable source. You may find the summary draws attention to some interesting points, but if you decide that you need to be better informed or protected, please consult an appropriate adviser or the Information Commissioner's Office (see the ICO link near the bottom of this page).
The Data Protection Act 1998 came into force on 1 March 2000 in the UK to bring it into line with a European Community Human Rights directive and to achieve a common standard of protection across the Community.
The purpose of the new act is to protect the individual rights and freedoms of persons, especially their right to privacy with respect to the processing of personal data.
You should be concerned about the act and the obligations it imposes if you handle personal data as part of your job. Failure to comply can mean that an employee is personally liable and may incur a large fine and receive a criminal record. If individuals are caused damage and distress by a breach of the act, they have rights to compensation.
The act applies to personal data (information that applies to a living person) whether it is held on a computer system or a piece of paper and there are particularly stringent rules surrounding certain sensitive data. These include matters relating to health, sexual life, religious beliefs, political opinions, racial background, trade union membership and criminal offences. Information about a company is not covered by this law.

The act requires that data are processed in accordance with certain principles and conditions.
Special care must be exercised with respect to Personal Data and especially if it is Sensitive Data, and the principle of Consent by the individual must be observed.
Personal data can only be processed if: an individual has given consent; it is part of a contract; it is a legal obligation; it is necessary to protect the individual; it is in the legitimate interests of the data controller.
For processing sensitive data, explicit consent must be obtained, or there must be a legal requirement, or it is necessary to protect the vital interests of the individual.
Where consent has to be obtained, the individual must be made fully aware of the purposes for which the data are to be used and of any recipients.

Every item of personal data that is held or processed must be accurate and up to date, and held for no longer than necessary. When data is no longer relevant to the purpose for which it was originally obtained, and/or has reached the end of the period for which it must legally be retained, it must be destroyed.
The security of personal information must be maintained and any disclosure of personal data must be properly authorised. There are also requirements in respect of data transferred overseas to countries outside of the European Community.
Individuals have the right to know what data are held about them (but see temporary exemptions, below) including the purposes for which the data is processed and a description of those to whom it may be disclosed. By making application, by letter or e-mail, the individual can request details and these must be made available promptly; a fee of up to £10 may be charged. Individual rights are further extended to enable an individual to prevent processing of data for the purposes of direct marketing.
There are some temporary exemptions but this area is quite complex and there are only a few areas where total confidentiality can be maintained. For example, there are limited exemptions in relation to manual data which was being processed prior to 24 October 1998, which would in many cases cover personnel records. It also appears that the right to view paper records would not come into force until October 2001. Reviewing the situation in Q1 2006, it seems that, in practice, very few manual files are covered by the DPA.
The general principle is that you should not record anything about individuals that you are not prepared to justify or to say to them directly.

On the other hand, if you are a victim of data misuse, consumer organisations are arguing that the legislation is weak. The Data Protection Commission cannot enforce the act, only request compliance (except where fraudulent abuse is evident), and action may depend on the victims seeking redress through the courts.

A cautionary note: this article is a very brief and simplified summary and does not cover all aspects of the new legislation, which is very complex. If you are responsible for paper or computerised records of individuals and feel that you may be vulnerable, you should consult an appropriate adviser. Further information may be sought at the web sites given below.

The Information Commissioner's Office (ICO) is an independent supervisory authority reporting directly to the UK parliament. The ICO regulates and enforces the Data Protection Act, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004.

Copyright 2001-2013, Envocare Ltd.
ENVOCARE is a registered trade mark of Envocare Ltd.
For legal matters see the section "About Us & Contact Us".
Originated: Early 2001, Updated: 7 March, 2013