What is the Data Protection Act 1998?

Wiki User

It sounds like the question is asking about the "Data Protection Act 1998", a United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people. It replaced a couple of earlier laws: the Data Protection Act 1984 and the Access to Personal Files Act 1987. It also was an attempt by the UK to implement the European Data Protection Directive (officially Directive 95/46/EC) of the European Union.

The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or The person who has their data processed has the right to

  • View the data an organisation holds on them, for a small fee, known as 'subject access fee'
  • Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded
  • Require that data is not used in any way that may potentially cause damage or distress
  • Require that their data is not used for direct marketing
Holders of covered personal data are required to abide by the following principles:
  • Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
  1. The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
  2. Processing is necessary for the performance of, or commencing, a contract;
  3. Processing is required under a legal obligation (other than one stated in the contract);
  4. Processing is necessary to protect the vital interests of the data subject;
  5. Processing is necessary to carry out any public functions;
  6. Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject)
and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. Examples of conditions listed in Schedule 3 include:
  1. The data subject has given his explicit consent to the processing of the personal data.
  2. The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
  3. The processing is necessary-
     (a) in order to protect the vital interests of the data subject or another person, in a case where-
         (i) consent cannot be given by or on behalf of the data subject, or
         (ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or
     (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
(See attached link for more details on what is in Schedule 3)

  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • About the rights of individuals e.g.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Except under a few exceptions mentioned in the Act, the individual needs to consent to the collection of their personal information and its use in the purpose(s) in question. The person consenting must be old enough to grant consent and in sufficient command of their faculties to understand what they are consenting to. Although in most cases consent lasts for as long as the personal data needs to be processed, individuals may be able to withdraw their consent, depending on the nature of the consent and the circumstances in which the personal information is being collected and used.