Data Protection Act

Home > Science and Technology > Computers and Electrical Engineering > Computers and Computing

Data Protection Act (1998) In the UK the principles of data protection, the responsibilities of data controllers, and the rights of data subjects are now governed by the Data Protection Act (1998), which came into force on 1 March 2000. As compared to the Data Protection Act (1984), the 1998 Act extends the operation of protection beyond computer storage, replaces the system of registration with one of notification, and demands that the level of description by data controllers under the new Act is more general than the detailed coding system previously required. Under the 1998 Act, the eight principles of data protection are:(1) The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully. (2) Personal data shall be held only for specified and lawful purposes and shall not be used or disclosed in any manner incompatible with those purposes. (3) Personal data held for any purpose shall be relevant to that purpose and not excessive in relation to the purpose(s) for which it is used. (4) Personal data shall be accurate and, where necessary, kept up to date. (5) Personal data held for any purpose shall not be kept longer than necessary for that purpose. (6) Personal data shall be processed in accordance with the rights of data subjects. (7) Appropriate technical and organizational measure shall be taken against unauthorized and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (8) Personal data shall not be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.Data controllers must now notify their processing of data (unless they are exempt) with the Information Commissioner via the telephone, by requesting, completing, and returning a notification form, or by obtaining such a form from the website http://www.dpr.gov.uk/notify/1.html. Notification is renewable annually; a data controller who fails to notify his or her processing of data, or any changes that have been made since notification, commits a criminal offence.

The Information Commissioner can seek information from and ultimately take enforcement action against data controllers for noncompliance with their full obligations under the 1998 Act. Appeals against decisions of the Commissioner may be made to the Data Protection Tribunal. Apart from nonnotification, strict liability criminal offences under the 1998 Act include: • obtaining, disclosing (or bringing about the disclosure), or selling (or advertising for sale) personal data, without consent of the data controller; • obtaining unauthorized access to data; • asking another person to obtain access to data; • failing to respond to an information and/or enforcement notice.Data subjects have considerable rights conferred on them under the 1998 Act. They include:• the right to find out what information is held about them; • the right to seek a court order to rectify, block, erase, and destroy personal details if these are inaccurate, contain expressions of opinion, or are based on inaccurate data; • the right to prevent processing where such processing would cause substantial unwarranted damage or substantial distress to themselves or anyone else; • the right to prevent the processing of data for direct marketing; • the right to compensation from a data controller for damage or damage and distress caused by any breach of the 1998 Act.

Data Protection Acts Two acts (1984 and 1998) enacted in the UK concerning data protection legislation.