Data Protection in the UK

Data Protection in the UK
(Photo Credits: -12°C)

Data protection law is the law that protects personal information about living individuals in the UK from being processed in anyway by commercial entities. This is governed by the Data Protection Act 1998 in the UK. Members of the EU have country-specific legislation implemented through the Directive 95/46/EC (the Data Protection Directive).

Though technically about data, the data protection law in effect is a privacy legislation that is meant to ensure that private information about people is not misused when collected by companies. 

The provisions of the DPA 1996 apply when personal information relating to an identifiable individual is processed by a data controller.

Personal data is defined by the act as “data which relate to a living individual”. This can be ANY data which relates to a person such as name and address, health conditions,  religious beliefs, or any form of recorded information whether textual, visual, etc.  The exact meaning of “relate” is not explained in the act, but it was discussed in the case of Duran v Financial Services Authority [2003] EWCA Civ 1746, where the court held that it “is information that affects [the person’s] privacy, whether in his personal or family life, business or professional capacity'” and that it the person must be “the focus rather than some other person” with home the information is concerned.

The personal information must be related to an “identifiable” person who can be identified (a) from the data or (b) from those data and other information which is in possession of, or is likely to come into the possession of, the data controller. Unlike the EU Directive, the UK act doesn’t cover the incidents where the processed personal data is used along with information held by a 3rd party is combined to identify the person.

 The personal data will only be regulated when it is ‘processed’ by  data controller. This is a very wide term that means obtaining, recording, or holding information or carrying out any operation or set of operations on the information or data, including organisation, retrieval, disclosure, or alignment. The definition used in the act is wide to include every imaginable action you may perform in relationship to data. 

The law imposes obligations on all “data controllers” – these are natural or legal persons who determine the purpose and means for prosesing the personal data. The law also imposes some additional obligations on a “data processor” – which is the natural or legal persons who processes the data on behalf of the data controller.

Rights for Individuals

If an individual’s personal data has been processed by a data collector, then he has the following rights:

  1. Right to access the personal information stored about him to have inaccurate data rectified.
  2. Right to to request an assessement of processing.
  3. Right to prevent processing of data if it causes substantial unwarranted damage or distress.
  4. Right to object to direct marketing.

It is possible to claim compensation for the breach of some of the rights mentioned above.

The Data Protection Principles

The act requires all data controllers to abide by eight data protection principles:

  1. Data must be fairly and lawfully processed and in accordance with one of the conditions in Schedule 2 of the act.
  2. It must be processed for limited purposes and not used for any purposes other than these.
  3. It must be adequate and relevant for the purpose and not excessive.
  4. It must be accurate and up to date.
  5. It must not be kept for longer than is necessary.
  6. It must be processed in line with the rights of data subjects.
  7. It must be processed using appropriate secure measures.
  8. It must not transferred outside the EEA without adequate protection.

The Information Commissioner’s Office is the body responsible for superivsing the adequate compliance by data controllers with the DPA.

Leave a Reply

Your email address will not be published. Required fields are marked *