Data Protection Act 1998

The UK's Data Protection Act 1998 (DPA) regulates the processing of information relating to living individuals.

The Act aims to protect a person's privacy and respect their personal rights in an age when technology makes it easier for organisations to share their information.

The Data Protection Act 1998 confers a right on the individual to have access to their personal information. This means that organisations must (1) tell a person if their personal data is being processed; (2) provide a description of that data; (3) explain why it is being processed; and (4) state to whom the organisation might disclose the information.

The definition of 'processing' includes the obtaining, holding, use or disclosure of personal information. The UK regulator keeps a register of data controllers, which can be found on the Information Commissioner's website.

The Act transposes the European Union's Data Protection Directive into UK law. The Data Protection Act 1998 sets out the 8 Data Protection Principles with which organisations must comply. It is likely that the Act will be reviewed shortly pending a new European Data Protection Regulation.

Personal Data

The Data Protection Act 1998 applies to personal data held in all record formats: electronic, paper, audio, visual or digital. Processing under the terms of the DPA covers all conceivable manipulations of personal data including collection, use, storage, disclosure and amendment. Even possession of such data amounts to processing.

Personal data is any recorded information about a living individual who can be identified from that data and other information which is in the possession of the Data Controller, as defined in the judgement in Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Division).

A summary of this judgement is available on the Information Commissioner's website.

The 8 Data Protection Principles

The Data Protection Act 1998 is underpinned by eight Data Protection principles:

  • Personal data shall be processed fairly and lawfully and shall not be processed unless conditions are met.
  • Personal data shall be obtained and processed only for specified and lawful purposes and not further processed in a manner incompatible with the purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  • Personal data must be accurate and, where necessary, kept up to date.
  • Personal data must not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.

Rights of Individuals under the Data Protection Act 1998

Individuals have seven basic rights under the Data Protection Act 1998:

  • Access to personal data
  • Prevention of processing likely to cause damage or distress
  • Prevention of processing for direct marketing
  • Prevention of automated decision-taking
  • Rectification, blocking, erasure, destruction
  • Compensation
  • Request for assessment

Personal data should always be objective and accurate. An individual is entitled to serve a written notice upon a data controller which requires the controller to cease processing personal data, if it is causing or likely to cause unwarranted substantial damage or distress to them or to another. A person who suffers damage or distress as the result of any contravention of the Data Protection Act 1998 is entitled to claim compensation against individual members of staff and the organisation. An individual can apply to a court for an order requiring the data controller to rectify, block, erase or destroy data relating to them that is inaccurate or contains an expression of opinion based upon that inaccurate data.

EU Data Protection Directive

The Data Protection Act 1998 implements Directive 95/46/EC on the protection of individuals with regard to processing of personal data and the free movement of such data. It grants living individuals the rights to access their data, prevent their data being processed under certain circumstances, and opt out of having their data used for direct marketing.

The Data Protection Act 1998 sets out what may or may not be done with personal data (personal data is any information that relates to or identifies a living individual). The Act creates a number of criminal offences, proceedings for which can only be instituted by the Information Commissioner's Office or with the consent of the Director of Public Prosecutions (DPP). These are:

Section 55(1) DPA - unlawful obtaining etc. of personal data

It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. There are some exceptions to this - for example, where such obtaining or disclosure was necessary for crime prevention/detection. If a person has obtained personal information illegally it is an offence to offer or to sell personal information.

There are a number of notification offences; this is where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing. See section 21(1), processing without a register entry. When prosecuting DPA cases, as per the case of R v Julian Connor (Southwark Crown Court, 19 May 2003), prosecutors should remember to adduce evidence that the individuals named in each charge were alive at the time their data was obtained, and, as per R v Buckley, England, Wallace and Moore (Winchester Crown Court, September 2003), the prosecution has to prove that the information was data within the meaning of Section 2(1) of the Act.

There are no custodial sentences in respect of DPA offences and no powers of arrest; all offences are punishable only by a fine. Search warrants are available to the Information Commissioner by virtue of section 50 and the powers outlined at Schedule 9 of the Data Protection Act 1998. For reckless misuse or loss of personal data, the Information Commissioner's powers have increased to 500,000 GBP.

Code for keeping personal information online

In 2010, the Information Commissioner published his Code for keeping personal information online. The code covers the collection and use of personal data online, whether it is collected via a PC, games console, mobile device, media player or any other equipment that connects to the Internet. It covers obvious identifiers, such as names, email addresses or account numbers obtained, for example, through an electronic application form. It also covers less obvious identifiers, such as information indicating individuals' online activity generated through the use of cookies and other identifiable monitoring, such as the analysis of IP addresses. The code covers activities such as:

  • Collecting a person's details through an online application form;
  • Using cookies or IP addresses to target content at a particular individual;
  • Using personal data to market goods or to deliver public services; and
  • Using cloud computing facilities to process personal data.