The Data Protection Act 1998
This article provides a detailed overview of the Data Protection Act 1998.
Scope and Definitions
The Data Protection Act 1998 (DPA) applies to the “processing” of “personal data”. Both terms are defined widely in the act, and almost any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) will be affected by the DPA.
It is important to be aware of data protection obligations because breaches of the DPA can result in criminal as well as civil liability, not to mention adverse publicity (an increasingly likely result of non-compliance).
The DPA places obligations on the data controller rather than the data processor. The data controller is defined as the person who determines the purposes for, and the manner in which, personal data is, or is to be, processed. For example, it is likely that most companies will be in control of the data relating to their employees and/or customers.
An entity may be a data controller even if the data is held by a third party (for example, where the work is outsourced to a third party) and it is also possible for there to be more than one data controller in respect of the same data (for example, companies in the same group which use the same data for different purposes).
A data processor does not determine the way in which the data is processed and instead simply processes the data on behalf of a data controller. An example would be where payroll administration is outsourced to a third party: that third party would usually be the data processor and the party doing the outsourcing would be the data controller.
Although the DPA does not impose obligations directly on the data processor, it does require the data controller to impose corresponding obligations on the data processor.
Any living individual whose personal data is processed will be a data subject for the purposes of the DPA. Typical data subjects would include individuals on contact lists or marketing databases, personnel, suppliers and customers.
The DPA applies only to personal data. This can either be electronic data (such as that stored on a computer) or paper records where there is a relevant filing system.
Examples of personal data include:
Dates of birth
Only data which can be used to identify living individuals will be classified as personal data. This includes data which directly identifies an individual (e.g. a name) and also data which on its own may not be classified as personal but which, when combined with additional information, can be used to identify an individual. This additional information includes information which is in, or is likely to come into, the possession of the data controller.
The DPA imposes obligations on those who process personal data. Under the act, processing is broadly defined and includes obtaining, recording, holding, using, disclosing or deleting data, which means that almost any activity involving personal data will fall within the scope of the DPA.
The DPA applies to data controllers that process data in an establishment in the UK. An establishment is widely defined, and includes:
UK registered companies.
Companies that have an office, branch or agency in the UK.
Companies that maintain a regular practice in the UK.
For example, an overseas company with a branch office in the UK will need to comply with the DPA if it processes personal data at, or in connection with, that branch.
Most organisations that process personal data must notify the Office of the Information Commissioner (ICO) before they process data. However, there are some exemptions including some not-for-profit organisations and processing personal information for personal, family or household affairs (including recreational purposes).
Data controllers who are exempt from notification must still comply with the other provisions of the DPA, and may choose to notify voluntarily.
More information about the notification process is available at https://www.ico.gov.uk
Data Protection Principles
To ensure that data is processed properly, the DPA imposes a range of obligations on data controllers. Schedule 1 to the DPA sets out the following eight key data protection principles:
- Data must be processed fairly and lawfully.
- Data must be obtained only for specified lawful purposes and not processed in a manner which is incompatible with those purposes.
- Data must be adequate, relevant and not excessive in relation to the purposes for which it is processed.
- Data must be accurate and, where necessary, kept up to date.
- Data must not be kept for longer than is necessary.
- Data must be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss, destruction or damage to personal data.
- Personal data must not be transferred outside the EEA unless the destination country ensures an adequate level of protection for the rights of the data subject.
First data protection principle – (fair and lawful processing)
Under the first principle, data will only be deemed to be processed fairly if at least one of the following conditions is satisfied:
The individual has consented to the processing.
The processing is necessary to perform a contract with the individual.
The processing is necessary to comply with a legal obligation of the data controller.
The processing is necessary to protect the vital interests of the individual.
The processing is necessary for the administration of justice.
The processing is necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
Fifth data protection principle – (deletion of data no longer required)
Data controllers are required to put procedures in place to delete data which is no longer required to fulfil the purposes for which it was originally collected (for example, where data is collected for a specific purpose, once that purpose has been completed, the data should be erased).
Seventh data protection principle – (security)
To prevent unauthorised or unlawful processing, accidental loss, destruction or damage to personal data, appropriate technical and organisational security measures must be taken. This is considered to be one of the most onerous duties placed on data controllers under the DPA and poses particular problems in respect of data held on mobile devices.
Following a number of high profile cases the ICO has recommended that all portable and mobile devices used to store and/or transmit personal information should be protected using approved encryption software, warning that enforcement action will be sought in cases where appropriate measures have not been taken and losses occur.
Sensitive Personal Data: Additional Rules
The DPA introduced a number of additional conditions that regulate the processing of sensitive personal data. Examples of sensitive data include:
Trade union membership.
Religious and other similar beliefs.
Sensitive personal data will only be processed fairly and lawfully if at least one of the following conditions is satisfied:
The individual has given their explicit consent to the processing.
The processing is necessary for the performance of the data controller’s obligations under employment law.
The processing is necessary to protect the vital interests of the data subject.
The processing is carried out by certain non-profit organisations.
The processing relates to information deliberately made public by the data subject.
The processing is necessary for the purpose of legal proceedings, obtaining legal advice, establishing or defending legal rights, for the administration of justice or the exercise of functions of a public nature.
The processing is carried out by a health professional and is necessary for medical purposes.
The data relates to racial or ethnic origin and is processed in the context of equal opportunity monitoring.
Rights of Individuals
Right of access
Upon making a request to the data controller, a data subject has the right to be informed whether any personal data about them is being processed by, or on behalf of, the data controller. Such a request must:
Be addressed in writing to the data controller.
Contain information to enable the data controller to satisfy himself as to the identity of the individual making the request.
Provide information to enable the data controller to locate the data sought.
A data controller must comply with a request promptly and, in any event, within 40 days from receipt of the request and may charge an administration fee of up to £10 for their response.
Right to object to processing – Direct marketing
Even where previous consent has been given, individuals have a continuing right to withdraw their consent to the processing of personal data for direct marketing purposes.
Processing by Third Parties
A data controller is required to ensure that personal data is protected under the DPA; this is true even where the data is being processed by a third party. Under the DPA the data controller must enter into a written contract with the data processor which requires the data processor to act only on instructions from the data controller and to comply with obligations equivalent to those contained in the seventh data protection principle. This will be of particular relevance where the data controller is outsourcing services which include data processing functions.
International Transfer of Data
Unless the destination country ensures an adequate level of protection for the rights of the data subject, personal data must not be transferred outside the EEA. The European Commission has considered the protection provided by a number of countries and the following countries are considered to provide adequate protection:
Isle of Man
Companies in the US which have signed up to the safe harbour scheme will also provide an adequate level of protection.
A company can send data to a country outside the EEA which has not been assessed as providing adequate protection only if it is satisfied in the particular circumstances that there is an adequate level of protection and it uses a contract to place the requirements of the DPA on the data processor, for example by using the European Commission’s approved model contractual clauses, which are available on the EC website.
To assist data controllers, there is now a British Standard on personal information management (BS 10012). There is also more information about data protection legislation available on the ICO website https://www.ico.gov.uk.
Reviewed in 2015