The United Kingdom (UK) Data Protection Act (DPA) sets out rules for how your personal information can be used by organisations, businesses or the government.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
The DPA 2018, which came into effect on 25 May 2018, updates and replaces the Data Protection Act 1998. Post-Brexit, the Act was further amended in January 2021 by regulations made under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.
The Data Protection Act 1998 was a UK Act of Parliament designed to protect personal data stored on computers or in organised paper filing systems. It replaced the 1984 Data Protection Act, which had barely mentioned digital media and computers.
The 1998 Act, which enacted provisions from the EU Data Protection Directive 1995, was based on eight principles that organisations used to design their own data protection policies. The eight principles related to the protection, processing, and movement of data, and mostly did not apply to domestic use. The eight guiding principles of the Act were as follows:
The Data Protection (Amendment) Act, 2003 implemented the European Data Protection Directive 95/46/EC. Together with the Data Protection Act 1998, these Acts regulated how employers collect, store and use the personal data they hold about their employees (past, prospective, and current). The Acts required anyone responsible for holding or using data to follow the ‘data protection principles’: they must make sure that the information they collect is used fairly and lawfully, for limited and specifically stated purposes, in a way that is adequate and relevant, is accurate, is handled according to people’s data protection rights, and is kept safe and secure.
The Data Protection Act 2018 is a United Kingdom Act of Parliament that replaced the Data Protection Act 1998. The 2018 Act updated data protection law in the UK and is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR). The Act sets out rules for the processing of personal data, implements the parts of GDPR that “are to be determined by member state law”, and sets out its own, similar framework for the processing of personal data that is not subject to GDPR, such as processing by the intelligence services, processing for immigration purposes, and the processing of personal data held in unstructured form by public authorities.
The main differences between the 2018 Act and the 1998 Act are the right to reassure, the inclusion of exemptions from the Data Protection Act, the fact that the Act works in tandem with GDPR, and a revision that allows law makers to erase data if an individual chooses, which is based on the individual’s right to privacy.
Data protection law in the UK is based on the 1998 Data Protection Act. However, with continued changes in technology, 20 years on that law looks outdated and no longer relevant to the data protection concerns we face today. In May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act and will impose many new responsibilities and sanctions on organisations. Despite all the noise around GDPR, the eight principles of data protection laid out in the 1998 Data Protection Act will remain relevant, with changes to some of the key principles. Below is an overview of the eight principles of data protection, with guidance on the changes and what they could mean for your business.
Editor’s note: the eight principles of data protection have now been amended to become the six principles of GDPR.
Your organisation must have legitimate grounds for collecting the data, and the collection must not have a negative effect on the person or be used in a way they wouldn’t expect. Organisations are required to be fully transparent about how they wish to use the data, and to ensure the data is only used in ways customers would expect. Detailing precisely what a consumer’s information is being used for allows them to make an informed decision as to whether to share certain pieces of personal information.
Under GDPR, conducting criminal record checks on employees must be justified by law. For example, a school is far more likely to be permitted to carry out such checks on their teachers than a restaurant hiring kitchen staff.
Organisations must be open about their reasons for obtaining personal data and what they plan to use it for. They should only use the personal data for the purpose they originally said it would be used for. This means that a company should not use the data to market other companies to its customers unless the individual has agreed to it. For example, if a local toy store starts selling children’s bikes, it is probably fine for them to market the bikes to existing customers. However, unless customers have agreed, the toy store cannot use their details to promote other companies. The store also shouldn’t pass customers’ details on to third parties unless those customers have already consented.
Genetic and biometric information is now considered sensitive data, meaning that organisations may only request such information if it is required for a relevant purpose. A health clinic, for example, would legitimately require such information in order to provide the best possible care for its patients.
The data you hold on your customers should be adequate for the purpose for which you are holding the information. You should avoid holding more information than necessary about your customers. Best practice is to work out the information you need in order to achieve your goals and collect no more, a practice known as “minimisation”. An example of this would be when an individual unsubscribes from a service. In this case, the company should only keep hold of the minimum information needed in order to hold records on former customers.
Privacy notices or “how we use your information” guides now need to be clearer than before. This means that mere consent is not enough; the individual must be informed of exactly what their data is being used for. Further, organisations must inform the person of their right to withdraw consent at any time.
Reasonable steps must be taken to keep the information up to date and to change it if it is inaccurate. When a customer updates the information a company holds on them, the organisation must stop contacting the individual using the previously provided details. Moreover, organisations should not simply wait for individuals to contact them to update their information; rather, they should be proactive in ensuring they hold the correct information on an individual.
For example, a company that sells books to individuals online doesn’t need to regularly check they have the correct information about them. However, if a company awards a pay increase to a staff member, their details and salary should be checked and updated where necessary.
Organisations must regularly review the length of time they retain data on individuals. Holding on to data only for the amount of time required will make it easier to manage your data and to provide personal information to customers who request it. Data that is out of date or no longer necessary must be properly destroyed or deleted. For example, a customer contacts a music store to tell them they no longer wish to receive any marketing information and to remove their details from its records. The company should retain just enough information on the individual to ensure they can be kept off its marketing lists.
People have the right to access their personal data, stop it from being used if it is causing distress, prevent it from being used for direct marketing, have inaccurate data changed, and claim compensation for damaging data breaches. In certain cases, customers have the right to request that specific data be deleted or destroyed. Customers should only request information relevant to themselves. The organisation has a responsibility to establish whether the information requested by customers is relevant to the person requesting it.
Customers can also request to see the information held on them by submitting a subject access request. This is a request typically sent by email, fax or post. While organisations can issue an online form for individuals to request they stop holding information on them, they shouldn’t require this as the only way to do so.
A new “right to be forgotten” in the GDPR means that someone can request that online content is removed from an organisation’s database. The Data Portability Act means that a person can request that all their personal data be transferred to another system for free. For example, they may wish to have all their photos transferred from one social network to another.
Proper physical and technical security measures must be used to keep personal information safe and secure and not exposed to undue security risks. It is advisable to provide training for staff in your organisation on data protection and cyber security. Further, your information security measures should be appropriate to the nature of your business and the data you hold on your customers. For example, a bank should have a higher level of information security than a local book store, because the potential repercussions of a data breach at a bank stand to be much greater than for the book store.
Companies that process over 5,000 personal records per year and employ over 250 employees are now required to appoint a Data Protection Officer, or DPO. The DPO is responsible for everything related to keeping personal data secure and cannot be easily replaced. Appointing someone to this position makes it easier to keep personal data safe and secure, with customer and employee rights being respected in accordance with GDPR.
Data should not be transferred to other countries that do not have the same level of data protection. For example, with the US, the EU has a ‘Privacy Shield’ that American companies can sign up for to enable data to be legally sent across the Atlantic. Data sent within the EEA and a few other specified countries is allowed.
Organisations must receive explicit consent from their customers for their personal information to be transferred outside of the EEA. GDPR can still hold a company liable even after data has been transferred to another country. These changes mean that companies must consider the impact GDPR could have on their international data transfers.
Data protection officers, risk managers and those involved in processing and distributing data should become familiar with these principles in order to ensure their organisation is compliant. Short online data protection courses are available and can be customised to suit any industry and job role. You can demo our modular course, GDPR: Privacy at Work, here. Further, familiarity with the GDPR guide will help you and your staff stay up to date with the requirements of the Data Protection Act.