An overview of the Data Protection Act 1998

Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection Act The EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. The Data Protection Act is how the UK implements the European Directive.

The aims of the Data Protection Act Anyone who processes personal information must comply with the eight principles It provides individuals with important rights, including the right to find out what personal information is held about them

The eight data protection principles Information must be: Fairly and lawfully processed Processed for specified purposes Adequate, relevant and not excessive Accurate and up-to-date Not kept for longer than is necessary Processed in line with individuals’ rights Secure Not transferred outside the European Economic Area without adequate protection

Individual rights Right of access – individuals have a right to know what information organisations hold about them on a computer or in certain filing systems. Individuals can submit a Subject Access Request to see or have a copy of this information. This could include their medical record, files kept by public bodies, or financial information held by credit reference agencies. Right to prevent direct marketing – individuals have the right to object to their personal information being used to target them with unwanted marketing.

The ICO and data protection The Data Protection Act makes the Information Commissioner responsible for: promoting good practice in handling personal data, and giving advice and guidance on data protection; keeping a register of organisations that are required to notify him about their information-processing activities; and helping to resolve disputes by deciding whether it is likely or unlikely that an organisation had complied with the Act when processing personal data.

Enforcement If an individual believes they have been the victim of a breach of the Data Protection Act they can complain to the ICO. The ICO will make a judgement as to whether it is ‘likely’ or ‘unlikely’ that the Data Protection Act has been breached.

ICO’s data protection powers Conduct assessments to check organisations are complying with the Act. Serve information notices requiring organisations to provide the ICO with specified information within a certain time period. Serve enforcement notices and 'stop now' orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.

ICO’s data protection powers (continued…) Prosecute those who commit criminal offences under the Act. Conduct audits to assess whether organisations processing of personal data follows good practice. Report to Parliament on data protection issues of concern.

New power to issue monetary penalties The ICO's new power to issue monetary penalties came into force on 6 April 2010, allowing the ICO to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act. The ICO has produced statutory guidance about how it proposes to exercise this new power, which has been approved by the Secretary of State for Justice.statutory guidance

Find out more Website: Telephone: Write: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow SK9 5AF

Subscribe to our e-newsletter at Follow us on Twitter at