Data Protection in United Kingdom

Definition of Data Protection

In accordance with the work A Dictionary of Law, this is a description of Data Protection : Safeguards relating to personal data, i.e. personal information about individuals that is stored on a computer and on “relevant manual filing systems”. The principles of data protection, the responsibilities of data controllers (formerly data users under the Data Protection Act 1984), and the rights of data subjects are governed by the Data Protection Act 1998, which came into force on 1 March 2000.

The 1998 Act extends the operation of protection beyond computer storage, replaces the system of registration with one of notification, and demands that the level of description by data controllers under the new Act is more general than the detailed coding system required under the Data Protection Act 1984. Under the 1998 Act, the eight principles of data protection are:

(1) The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

(2) Personal data shall be held only for specified and lawful purposes and shall not be used or disclosed in any manner incompatible with those purposes.

(3) Personal data held for any purpose shall be relevant to that purpose and not excessive in relation to the purpose(s) for which it is used.

(4) Personal data shall be accurate and, where necessary, kept up to date.

(5) Personal data held for any purpose shall not be kept longer than necessary for that purpose.

(6) Personal data shall be processed in accordance with the rights of data subjects.

(7) Appropriate technical and organizational measures shall be taken against unauthorized and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

(8) Personal data shall not be transferred to a country or territory outside the European Community area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data controllers must now notify their processing of data (unless they are exempt) with the Information Commissioner via the telephone, by requesting, completing, and returning a notification form, or by obtaining such a form from the website (https://www.dpr.gov.uk/notify/1.html). Notification is renewable annually; a data controller who fails to notify his processing of data, or any changes that have been made since notification, commits a criminal offence.

The Information Commissioner can seek information (via an information notice) and ultimately take enforcement action (via an enforcement notice) against data controllers for noncompliance with their full obligations under the 1998 Act. Appeals against decisions of the Information Commissioner may be made to the Data Protection Tribunal, which comprises a chairperson and two deputies (who are legally qualified) and lay members (representing the interests of the data controllers and the data subjects). There are other strict liability criminal offences under the 1998 Act other than non-notification. They include (1) obtaining, disclosing (or bringing about the disclosure), or selling (or advertising for sale) personal data, without consent of the data controller; (2) obtaining unauthorized access to data; (3) asking another person to obtain access to data; and (4) failing to respond to an information and/or enforcement notice.

Data subjects have considerable rights conferred on them under the 1998 Act. They include: (1) the right to find out what information is held about them; (2) the right to seek a court order to rectify, block, erase, and destroy personal details if these are inaccurate, contain expressions of opinion, or are based on inaccurate data; (3) the right to prevent processing where such processing would cause substantial unwarranted damage or substantial distress to themselves or anyone else; (4) the right to prevent the processing of data for direct marketing; (5) the right to compensation from a data controller for damage or damage and distress caused by any breach of the 1998 Act; and (6) the right to prevent some decisions about data being made solely by automated means, where those decisions are likely to significantly affect them.

Resources

See Also

Further Reading

• Data Protection in the Encyclopedia of Britain
• Data Protection in the Osborn’s Concise Law Dictionary
• Data Protection in the Halsbury’s Laws of England
• Data Protection in the Stroud’s Judicial Dictionary of Words and Phrases
• Data Protection in the Jowitt’s Dictionary of English Law
• Data Protection in the New Oxford Companion to Law
• Data Protection in the Words and Phrases Legally Defined
• Data Protection in the Oxford Dictionary of Law