DATA PROTECTION IN THE UK – THE DATA PROTECTION ACT 1998

In the UK the framework piece of legislation is the Data Protection Act 1998, or ‘DPA’ for short. The DPA repealed and replaced its predecessor, the Data Protection Act 1984, in order to give effect to the requirements of the EC Data Protection Directive 1995. The DPA also gives effect to the requirements of the Council of Europe’s Data Protection Convention 1981. The DPA is supplemented and supported by many other pieces of legislation, which will be introduced at appropriate places.

The DPA describes itself as being an Act that makes ‘new provision for the regulation of the processing of information relating to individuals’. This statement is worth thinking about, for it has massive ramifications. Putting it simply, the processing of information relating to individuals is something that we all do. Every government body processes information relating to individuals, as does every public authority, every business and every person with a PC.

Processing personal data – information relating to data subjects

However, it is only the processing of information relating to identifiable living individuals that is regulated by the DPA. The DPA does not regulate the processing of information relating to unidentified or unidentifiable living individuals, or the processing of information relating to the deceased or the processing of information relating to companies, non-incorporated organizations (such as clubs and societies), public authorities, charities or similar bodies. Information relating to identifiable living individuals is known as ‘personal data’ and the people whose personal data are processed are known as ‘data subjects’.

Automated and manual processing by data controllers and data processors

The Act regulates both automated processing of personal data, that is, processing done by computers, and limited kinds of manual processing of personal data, but only where the processing is performed by ‘data controllers’ and ‘data processors’. The data controller, who is characterized by having the power to determine the purpose of the processing or the manner of the processing, carries most of the obligations under the DPA. A data processor processes personal data on behalf of a data controller, but is not an employee (for the purposes of the DPA employees of data controllers form part of the data controller). The data controller is ultimately responsible for ensuring that the data processor’s activities are compliant with the DPA.

The concept of processing

The concept of processing is extremely wide, covering every conceivable act that can be done on or towards personal data, from its initial collection right through to its final deletion or destruction. Acts of processing include organization, adaptation or alteration of data, retrieval, consultation or use of data, disclosure of data by transmission and dissemination and the alignment, combination, blocking, erasure or destruction of data.

Summary – the key things to remember

A person who is interested in data protection should remember the following things:

  • Data protection laws regulate the processing of personal data by data controllers and data processors. The DPA also concerns ‘third parties’ and ‘recipients’. A third party is anyone other than the data controller, the data subject or the data processor and can include legal persons, such as companies, as well as individuals. A recipient is any person to whom personal data are disclosed in the course of processing done by or on behalf of the data controller, apart from persons who receive personal data as a result of a particular inquiry made in exercise of legal powers, such as the Information Commissioner or the police.

  • The fairness, lawfulness and legitimacy of data processing are benchmarked against the ‘data protection principles’. There are eight data protection principles in the DPA.

  • The Information Commissioner is the UK’s supervisory authority, responsible for promoting the following of good practice by data controllers and for enforcing compliance with the DPA.

  • Personal data is information relating to living individuals and includes opinions about living individuals and indications of the data controller’s intentions towards living individuals.

  • Within Europe, the most important laws are the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Data Protection Convention and the Data Protection Directive.

  • Within Europe, the main law-making bodies are the Council of Europe, the EC, the Article 29 Working Party, the national governments, the national supervisory authorities and the courts.

  • The aims of data protection laws are twofold: they protect privacy and they support the free flow of personal data between data controllers and between countries.

  • The DPA replaced and repealed the Data Protection Act 1984 in order to give effect to the requirements of the Data Protection Directive 1995. The DPA also gives effect to the requirements of the Data Protection Convention 1981.
