Data Protection Act 1998

The extracted details have been replaced by the 2018 Act. For details, see the 1998 Act itself. It is generally accepted that the Data Protection Act 1998 was very badly worded and in some aspects is probably not compliant with the Directive. Many aspects are open to interpretation. The leading case of Durant v Financial Services Authority, for example, defined personal data as relating to the person and not to a complaint made by a person.

The Data Protection Act gives individuals the right to know what information is held about them and, where the data are inaccurate, to have them rectified or destroyed. It provides a framework to ensure that personal information is handled properly.

The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with the eight principles and secondly, provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

Should an individual or organisation feel they're being denied access to personal information they're entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office for help. Complaints are usually dealt with informally, but if this isn't possible, enforcement action can be taken.

All personal data are included unless there is an exemption to be found in the Act. Bear in mind that personal data must be readily accessible. If the information is filed (on a computer on in paper form) in a way that it could be found by a temporary secretary, then it is considered to be accessible but if it would require specialist knowledge or hunting through lots of files, then it is not considered to be accessible. This is informally known as the ‘temporary secretary test’.

The Act runs to 86 pages and is Crown Copyright. To view the complete Act, use the following link:  

Data Protection Act 2018

The new Act is a response to advances in technology, the way business uses technology and data and the consequential privacy risks for consumers and employees.

GDPR represents the biggest shake up in the data protection arena in 20 years, introducing stringent compliance requirements and tough penalties in the event of a breach of data protection principles.

The ICO's enforcement powers include powers to ban or suspend data processing, potentially at great cost and inconvenience, and the power to issue graduated fines for infringement up to EUR 20 million or 4% of global turnover, whichever is the higher. Under current laws fines are capped at £500,000.

Individual's rights will also be bolstered by reform, with individuals being able to bring civil claims, either alone or as part of a class action, in the event of a data breach. Under current laws individuals cannot bring standalone claims for distress or hurt feelings and so claims are rare - this has now changed.

The biggest challenge for businesses will be updating their approach to data protection compliance to take account of the more stringent regime and to avoid enforcement action, fines and reputational damage. Legal reform and GDPR should also be seen as an opportunity for businesses to secure a competitive edge by demonstrating intelligent data handling and protection to match future consumer expectations.

Businesses (large and small) cannot afford to ignore data protection reform or delay taking steps to ensure compliance.

In practice, however, the ICO prefers to advise firms that go wrong rather than issue fines.

To view the 2018 Act, use the following link: