The Data Protection Act 1998

The Data Protection Act 1998 gives you the right to access information held about you by organisations. The Act governs how organisations can use the personal information that they hold - including how they acquire, store, share or dispose of it.

The Act is administered and enforced by the Information Commissioner - an independent authority who is appointed by the Queen and reports directly to Parliament.

The 1998 Act applies in England, Wales, Scotland and Northern Ireland. It applies to:

  • Computerised personal data 
  • Personal data held in structured manual files

held by all data controllers. In addition, the Freedom of Information Act 2000 extended the Data Protection Act 1998 to apply to all recorded personal data held by data controllers who are also public authorities for the purposes of the 2000 Act. It applies to anything at all done to personal data ("processing"), including collection, use, disclosure, destruction and merely holding personal data.

The Act gives individuals rights to:

  •  gain access to their data; 
  •  seek compensation; 
  •  prevent their data being processed in certain circumstances; 
  •  "opt-out" of having their data used for direct marketing; 
  •  "opt-out" of fully automated decision-making about them.

Organisations processing personal data ("controllers") must comply with the data protection principles. These require data to be:

  •  fairly and lawfully processed; 
  •  processed for limited purposes; 
  •  adequate, relevant and not excessive; 
  •  accurate; 
  •  not kept longer than necessary; 
  •  processed in accordance with individuals' rights; 
  •  kept secure; 
  •  not transferred to non-EEA (European Economic Area) countries without adequate protection.

As part of complying with the principles, controllers must:

  • meet one of six conditions in order to process personal data; 
  • meet one of a number of further conditions in order to process sensitive data*; 
  • inform individuals when their data is collected.

*Sensitive data is data about a person's ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and criminal history.

Additional Information on the Data Protection Act 1998 from the Information Commissioner. Information sourced from the Department for Constitutional Affairs website.