Data Protection Act 1998

Data Protection Act 1998
Act of Parliament

Long title An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
Territorial extent United Kingdom of Great Britain and Northern Ireland
Royal assent 16 July 1998
Commencement March 2000
Other legislation
Replaces Data Protection Act 1984
Status: Current legislation
Text of the Data Protection Act 1998 as in force today (including any amendments) within the United Kingdom, from

The Data Protection Act 1998 (DPA) is a United Kingdom Act of Parliament which defines the law on the processing of data on identifiable living people and is the main piece of legislation that governs the data protection. Although the Act itself does not mention privacy, it was enacted to bring British law into line with the 1995 EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In practice it provides a way for individuals to control information about themselves. Most of the Act does not apply to domestic use,[1] for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions. The Act defines eight data protection principles. It also requires companies and individuals to keep personal information to themselves regardless of it's value or origins.


The 1998 Act replaced and consolidated earlier legislation such as the Data Protection Act 1984 and the Access to Personal Files Act 1987. At the same time it aimed to implement the European Data Protection Directive. In some aspects, notably electronic communication and marketing, it has been refined by subsequent legislation for legal reasons. The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to "positive consent" such as an opt in box. Exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be given permission on an opt out basis.

The Jersey data protection law was modelled on the UK law.[2]

Personal data

The Act's definition of "personal data" covers any data that can be used to identify a living individual. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or Email address. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.[3]

In some cases even a paper address book can be classified as a 'relevant filing system', for example diaries used to support commercial activities such as a salesperson's diary.

The Freedom of Information Act 2000 modified the act for public bodies and authorities, and the Durant case modified the interpretation of the act by providing case law and precedent.[4]

The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or transmit such data. The person who has their data processed has the right to:[5]

Data protection principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
    1. at least one of the conditions in Schedule 2 is met, and
    2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. About the rights of individuals e.g.[10] personal data shall be processed in accordance with the rights of data subjects (individuals).
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Conditions relevant to the first principle

Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).

  1. The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
  2. Processing is necessary for the performance of, or commencing, a contract;
  3. Processing is required under a legal obligation (other than one stated in the contract);
  4. Processing is necessary to protect the vital interests of the data subject;
  5. Processing is necessary to carry out any public functions;
  6. Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).[11]


Except under the below mentioned exceptions, the individual needs to consent to the collection of their personal information and its use in the purpose(s) in question. The European Data Protection Directive defines consent as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”, meaning the individual may signify agreement other than in writing. However, non-communication should not be interpreted as consent.

Additionally, consent should be appropriate to the age and capacity of the individual and other circumstances of the case. E.g., if an organisation "intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this." And even when consent is given, it shouldn't be assumed to last forever. Although in most cases consent lasts for as long as the personal data needs to be processed, individuals may be able to withdraw their consent, depending on the nature of the consent and the circumstances in which the personal information is being collected and used.[12]

The Data Protection Act also specifies that sensitive personal data must be processed according to a stricter set of conditions, in particular any consent must be explicit.[12]


The Act is structured such that all processing of personal data is covered by the act, while providing a number of exceptions in Part IV.[1] Notable exceptions are:


The Act details a number of civil and criminal offences for which data controllers may be liable if a data controller has failed to gain appropriate consent from a data subject. However, 'consent' is not specifically defined in the Act and so is a common law matter.


The UK Data Protection Act is a large Act that has a reputation for complexity.[18] While the basic principles are honoured for protecting privacy, interpreting the act is not always simple. Many companies, organisations and individuals seem very unsure of the aims, content and principles of the Act. Some hide behind the Act and refuse to provide even very basic, publicly available material quoting the Act as a restriction.[19] The Act also impacts on the way in which organisations conduct business in terms of who can be contacted for marketing purposes, not only by telephone and direct mail but also electronically and has led to the development of permission based marketing strategies.


Definition of personal data

The definition of personal data is data relating to a living individual who can be identified

Sensitive personal data concern the subject's race, ethnicity, politics, religion, trade union status, health, sex life or criminal record.[20]

Subject access

Personal data may normally be held for under 40 working days and, as such, may be legitimately denied in subject access requests under the Act. This is a consequence of the time limit data controllers must meet in making their response. If the data has been deleted by the normal procedures of the business by the time the data controller responds to a request, that data cannot be supplied. For data such as closed-circuit television images, routinely overwritten, it may be impossible for a subject to exercise their data access rights.


Compliance with the Act is regulated and enforced by an independent authority, the Information Commissioner's Office, which maintains guidance relating to the Act.[21][22]

See also


  1. 1 2 Data Protection Act 1998, Part IV (Exemptions), Section 36, Office of Public Sector Information, accessed 6 September 2007
  2. Jersey: Data Protection In Jersey And Other Offshore Jurisdictions 23 July 2008 Article by Wendy Benjamin,,
  3. "Data Protection Act 1998, Basic interpretative provisions". Office of Public Sector Information. Retrieved 14 March 2014.
  4. "What is personal data? Information Commissioner updates guidance". Pinsent Masons. 30 August 2007. Retrieved 20 August 2012. In the case involving Michael Durant he sought information held on him by the Financial Services Authority. The Court of Appeal ruled that just because a document contained his name it was not necessarily defined as personal data. This changed the perception of how wide a definition of personal data could be.
  5. Your rights, ICO, accessed 6 September 2007
  6. "FAQs". Information Commissioner's Office. Retrieved 19 January 2014.
  7. "An organisation has inaccurate information about me. What can I do?". Information Commissioner's Office. Retrieved 20 August 2012.
  8. Data Protection Act 1998, Part II (Rights of data subjects and others), Section 10, Office of Public Sector Information, accessed 6 September 2007
  9. Data Protection Act 1998, Part II (Rights of data subjects and others), Section 11, Office of Public Sector Information, accessed 6 September 2007
  10. The rights of individuals (Principle 6),, accessed 14 April 2011
  11. Data Protection Act 1998 Schedule 2
  12. 1 2 "Conditions for Processing - Guide to Data Protection - ICO". Information Commissioner's Office. Retrieved 8 February 2013.
  13. 1 2 Data Protection Act 1998, Part III (Notification by Data Controllers), Section 21, Office of Public Sector Information)
  14. Data Protection Act 1998, Part III (Notification by Data Controllers), Section 25
  15. Data Protection Act 1998, Part VI (Miscellaneous and General), Section 55, Office of Public Sector Information, accessed 14 September 2007
  16. Data Protection Act 1998, Part VI (Miscellaneous and General), Section 56, Office of Public Sector Information, accessed 14 September 2007
  18. Bainbridge, D: "Introduction to Computer Law - Fifth Edition", page 430. Pearson Education Limited, 2005
  19. Data Protection myths and realities, Information Commissioner's Office, accessed 30 August 2008
  20. "Data Protection Act 1998". UK Statute Law Database. Retrieved 20 August 2012.
  21. "The Guide to Data Protection". Information Commissioner's Office. Retrieved 6 January 2015.
  22. Guidance - The Data Protection Act, Page of Assorted Guidance, Information Commissioner's Office, accessed 20 October 2007

External links

Wikiversity has learning materials about Data Protection Act 1998

UK legislation

This article is issued from Wikipedia - version of the 12/2/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.