Data Protection Act 1998

See Data Protection Bill 2017 for proposed legislation

The Data Protection Act 1998 (DPA98) is the law that governs the processing of personal information held on living, identifiable individuals (non-reversible aggregate and anonymised data is not subject). It is the UK implementation of the European Union's Data Protection Directive. It is widely felt to be both weak and defective compared to the original Directive.

Data Handling

Any organisation processing personal information must comply with eight principles of good information handling. The eight principles state that the data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive (also referred to as minimisation of data);
  • accurate and up to date;
  • not kept longer than necessary;
  • processed in accordance with the individual's rights;
  • secure;
  • not transferred to countries outside the European Economic area, unless there is adequate protection.

All organisations handling personal data subject to the act must register with the Information Commissioner's Office, the organisation with the legal remit for enforcing the Act. They have a number of penalties at their disposal to help ensure compliance, though they are not without criticism.

Individual Rights

The Act gives individuals a level of control over data on them held by organisations. Amongst these there is the right to see all the data held on them - typically for a "subject access fee" of ten pounds or so - within 40 days[1]. Data that is normally held for less than 40 days may be rejected in subject access requests.

Individuals also have the right to correct factually incorrect information held on them (not opinion), and require both that their data is not used in a way that has potential to cause harm or distress and that their data not be used for direct marketing.

The act stipulates that any requested use of personal information by an organisation must be opt-in; the individual must actively agree to it, it is not enough for it to be merely "opt-out".


Improper Implementation

The Data Protection Act has been criticised as improperly implemented and weak in its aims when compared to the EU's Data Protection Directive (Directive 95/46/EC). There are multiple ways in which it has been found to be defective, and these include:

Constituional Basis

The constitutional basis of of DPA98 is said to be weaker than the equivalent legislation implemented in other EU member states to comply with Directive 95/46/EC[2].

Problems surrounding the Information Commissioner's Office

There is a lack of stringency on the part of the ICO's enforcement of the legislation; it can be said to have a "negotiable" approach to enforcement, in which it would rather seek a settlement than a rigid application of the law. Arguably, this approach does not engender respect for the legal rights that DPA98 seeks to protect, and thus weakens the law's efficacy.

There are also suspicions of a lack of appropriate independence on the part of the ICO; it lacks autonomous powers of access to data, and instead must seek a search warrant from a judge. However, the counterargument to this is that far from making the ICO in thrall to the whims of the judiciary, it rather ensures a level of necessary oversight. However the fact that it is subject to a Framework Document concerning its operations, which is concluded between it and the sponsoring Ministry of Justice, casts doubts over whether it has a level of autonomy necessary to operate properly.

Another criticism that has been levelled against the ICO is that it does not "go out of its way" to investigate" unless there has been a "complaint of a series of complaints". This holds less water as a criticism per se; it simply means that in its implementation it is a reactive rather than an investigative body, and this alone is not necessarily detrimental to the enforcement of DPA98. However, what is true is that this fact in combination with lax enforcement of those cases that are investigated result in a deficient approach to data protection.

Individual Rights

Individuals are limited in their rights in that they do not have recourse to a tribunal for cases affecting them whereas organisations subject to rulings do; for individuals, their only possibility is recourse to judicial action through the courts.

Alleged Dangers

There have also been allegations that the lack of data sharing as prohibited by the Act can have dangerous implications; in 2003 a review of the Data Protection Act was ordered[3] after an interpretation of the law meant British Gas did not inform social services after cutting off gas to a couple in their 80s out of fear of being in breach of the Act; the couple subsequently died.

Dampening Effect Upon Open Expression

Some individuals have alleged that data protection laws have resulted in a dampening on honesty and true expression, in particular with regards to references for applications; with any individual enshrined with the legal right to access all data on them, referees are now unwilling to give honest assessments in case the reference in question is later accessed by the subject[4]. The response to this is that rather than having any chilling effect on free speech, all it means is that individuals have to be prepared to be accountable for what they say.

Changes to the legislation

In May 2006 the Information Commissioner published a report, What Price Privacy?, calling for prison sentences of up to two years for the illegal buying and selling of personal information. A public consultation was subsequently held, seeking responses to the proposed changes.

Further Reading and external links

Related articles