Jump to content

Data Protection Act 1998

From Wikipedia, the free encyclopedia

Data Protection Act 1998
Act of Parliament
Parliament of the United Kingdom
Long titleAn Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
Citation1998 c. 29
Introduced byJack Straw MP, Secretary of State for the Home Department (Commons)
Lord Williams of Mostyn, the Minister of State, Home Office (Lords)
Territorial extent 
  • England and Wales
  • Scotland
  • Northern Ireland
Dates
Royal assent16 July 1998
Other legislation
Repeals/revokes
  • Data Protection Act 1984
  • Access to Personal Files Act 1987
Repealed byData Protection Act 2018
Status: Repealed
Text of statute as originally enacted

The Data Protection Act 1998 (c. 29) (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of personal data.

The 1998 Act marked a significant change in how personal details were handled back in the UK. Before it, privacy laws mainly covered computer records where this law was applied to both digital and physical files.[1] It aimed to make sure that any group or company gathering data did it fairly, under ethical procedures and kept user information safe and confidential as technology rapidly advanced.

Under the 1998 DPA, individuals had legal rights to control information about themselves. Most of the Act did not apply to domestic or personal use,[2] such as keeping a private address book. Anyone holding personal data for other purposes was legally obliged to comply with this Act, subject to some exemptions. The Act established eight crucial data protection principles to ensure that information was processed lawfully, kept accurate stores securely and utilised ethically.[3]

The DPA of 1998 was eventually superseded by the Data Protection Act 2018 (DPA 2018) on 23 May 2018, which extended the EU General Data Protection Regulation (GDPR), that came into effect just two days later, on 25 May 2018. The newer Act and GDPR strengthened privacy security and placed greater responsibility on companies securing personal data.[4]

Background

[edit]
Data Protection Act 1984
Act of Parliament
Parliament of the United Kingdom
Long titleAn Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information.
Citation1984 c. 35
Dates
Royal assent12 July 1984
Repealed1 March 2000
Other legislation
Repealed byData Protection Act 1998
Status: Repealed
Text of statute as originally enacted

The 1998 Act replaced the Data Protection Act of 1984 and the Access to Personal Files Act 1987. This Act came from rising tensions in the 1990s about how easily personal data would be copied, altered and shared using new computer systems. By that time, names, addresses, and financial records were kept solely on digital files instead of physical copies triggering the chance of misuse and unauthorised access. EU to this responded with the Data Protection Directive in 1995, which required all EU counties to pass strong data privacy laws.[5]

Access to Personal Files Act 1987
Act of Parliament
Parliament of the United Kingdom
Long titleAn Act to provide access for individuals to information relating to themselves maintained by certain authorities and to allow individuals to obtain copies of, and require amendment of, such information.
Citation1987 c. 37
Dates
Royal assent15 May 1987
Repealed1 March 2000
Other legislation
Repealed byData Protection Act 1998
Status: Repealed
Text of statute as originally enacted

The Privacy and Electronic Communications (EC Directive) Regulations 2003 later changed how organisations could contact people electronically. It introduced "positive consent," meaning companies needed people to agree before sending marketing emails or texts. However, companies could still send messages about "similiar products or services" to existing customers unless they opted out.

The law also influenced other privacy acts, such as the Data Protection (Jersey) Law 2005, which was based on the UK's version.Around this time, the Information Commisioner's Office (ICO) was also created to enforce the Act and handle complaints about data misuse. The ICO later became the UK's main authority for data privacy and protection[6]

Contents

[edit]

Scope of protection

[edit]

Section 1 of the Data Protection Act of 1998 defined "personal data" as any information that could identify a living person. This included details such as name, address, phone number, or email. The Act applied to data stored electronically or in a "relevant filing system," which referred to organised paper records that could be easily searched for personal details.[7]

The law also covered some paper documents if they were structured in a way that allowed easy access to personal information, such as customer database kept in folders. This meant businesses couldn't avoid compliance by claiming their data wasn't digital. [8]

The Freedom of Information Act 2000 later worked alongsde the DPA by allowing people to access data held by public bodies, while the Durant v Financial Services Authority case clarified how the term "personal data" should be used and interpreted.[9] The Durant case ruled that not all mentions of a peron;s name count as personal data unless the information is truly about the person or it affects or exposes their privacy in any way. This helped narrow down the defintion and became one of the most cited cases in UK data protection history [10][11]

Data protection principles

[edit]

Schedule 1 of the Act listed eight protection principles. These principles required that data must be handled fairly, lawfully, and securely, and that it should not be used in ways that conflict with its original purpose. [12]

  1. Personal data shall be processed fairly and lawfully.
  2. It shall be obtained only for valid and lawful purposes.
  3. It shall be adequate, relevant, and not excessive.
  4. It shall be accurate and kept up to date.
  5. Information should not be kept for a prolonged period of time unnecessarily.
  6. It shall be processed in accordance with the rights of a person.
  7. It shall be protected against unauthorised access, loss, or damage.
  8. It shall not be transferred outside the European Economic Area without adequate protection.

These principles were the foundation of the UK's privacy law and still influence current rules under the Data Protection Act of 2018 and GDPR. They made it clear that collecting and gathering personal data also came with the legal responsibility of protecting it. Many of these ideas were later simplified into six core principles under the GDPR, but their original structure in the 1998 Act helped set clear expectations for fairness and accountability. [13]

Conditions relevant to the first principle

The first data protection principle stated that personal data should only be processed fairly and lawfully. To meet this standard, atleast one of the several legal conditions had to apply, as listed in Schedule 2 of the Act.

These conditions explained when it was acceptable for an organisation to collect or use someone's information. They could, only if the conditions below were satisfied:

  1. The person (known as the data subject) has consented ("given their permission") to the processing.
  2. Processing is necessary for starting or continuing a contract.
  3. The organisation was required by law to process the data.
  4. The processing was necessary to protect the person's vital interests (such as in a medical emergency).
  5. It was required for official public duties.
  6. It was necessary for the legitimate interests of the organisation or another party, as long as it did not unfairly harm the individual's rights. [14]

These six bases made it clear that not every use of data required direct consent. For example, a hospital could process patient records for treatment without written permissions, or a bank could store account data to fulfill its contract. The idea of "legitimate interest" was especially important, as it gave flexibility to organisations while still protecting individuals from unfair data handling.[15]

Consent

The Act required that individuals give consent before their personal data could be processed, unless another lawful basis applied. Consent was defined as a "freely given, specific, and informed indication" of agreement.[16] Unlike modern privacy laws, the 1998 Act did not always require written consent. People could agree verbally or through actions that showed they accepted the use of their information, as long as it was clear they understood what they were agreeing to.

However consent had to be appropirate to the person's age and capacity. If an organisation planned to use someone's data even after their relationship ended, such as for future marketing, this needed to be stated clearly when the consent was obtained.

The Act also created a higher standard for sensitive personal data, which included topics like race, religion, health, and criminal history. In those cases, consent had to be explicit, often requiring written proof or clear affirmative action. Later updates, such as the Privacy and Electronic Communications Regulations (2003), built on this by making opt-in consent mandatory for most digital marketing. This change helped shape how modern companies handle emails, online cookies and subscriptions. [17]

Exceptions

[edit]

The Act was structured such that all processing of personal data was covered by the act while providing a number of exceptions in Part IV.[2] Notable exceptions were:

  • Section 28 – National security. Any processing for the purpose of safeguarding national security is exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data).
  • Section 29 – Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.
  • Section 36 – Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).

Police and court powers

[edit]

The Act gave specific powers to police forces and courts when handling or requesting personal data.

  • Under Section 29 , consent of the data subject was not required if information was processed to prevent or detect crime, to prosecute offenders, or to meet tax-collection duties.[18]
    • This meant police could obtain data such as phone records or financial details if it was relevant to an investigation, Courts could also order disclosure of records when necessary for legal processings.
  • Under Section 35, allowed data to be shared if required by law or by a court order. This ensured that legal processes were not blocked by data-protection claims.[19]
    • Even with these powers, public bodies were expected to protect confidentiality. Any data shared under these sections still had to be stored securely and used only for the stated purpose. The ICO later published guidance to help law-enforcement agencies apply these rules fairly.

Offences

[edit]

The Act created several civil and criminal offences for misuse of data These applied mainly to organisations or individuals who handled information irresponsibly.

  • Section 21(1) made it an offence to process personal data without registration.[20]
  • Section 21(2) penalised failure to follow notification requirements[20]
  • Section 55 made it illegal to obtain or disclose personal data without authority which covered hackers, impersonators, and employees who accessed files without consent or validation[21]
  • Section 56 made it a criminal offence to require an individual to make a subject access request relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services.[22] This rule came into force on 10 March 2015.[23]

Complexity

[edit]

The UK Data Protection Act was a large Act that had a reputation for complexity.[24] While the basic principles were honored for protecting privacy, interpreting the act was not always simple. Many companies, organisations, and individuals seemed very unsure of the aims, content, and principles of the Act. Some refused to provide even very basic, publicly available material, quoting the Act as a restriction.[25] The Act also impacted the way in which organisations conducted business in terms of who should have been contacted for marketing purposes, not only by telephone and direct mail, but also electronically. This has led to the development of permission-based marketing strategies.[26]

Definition of personal data

[edit]

The definition of personal data was data relating to a living individual who can be identified

  • from that data; or
  • from that data plus other information that was in the possession, or likely to come into the possession, of the data controller.

Sensitive personal data concerned the subject's race, ethnicity, politics, religion, trade union status, health, sexual history, or criminal record.[27]

Subject access requests

[edit]

The Information Commissioner's Office website stated regarding subject access requests:[28] "You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request.'"

Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organisations could have charged a specified fee for responding to a SAR of up to £10 for most requests. Following GDPR: "A copy of your personal data should be provided free. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is 'manifestly unfounded or excessive'. If so, it may ask for a reasonable fee for administrative costs associated with the request."[28]

Information Commissioner

[edit]
Main article: Information Commissioner's Office

Compliance with the Act was regulated and enforced by an independent authority, the Information Commissioner's Office, which maintained guidance relating to the Act.[29][30]

EU’s Article 29 Working Party

[edit]

In January 2017, the Information Commissioner's Office invited public comments on the EU's Article 29 Working Party's proposed changes to data protection law and the anticipated introduction of extensions to the interpretation of the Act, the Guide to the General Data Protection Regulation.[31]

See also

[edit]
  • Data Protection Act, 2012 (Ghana)
  • Computer Misuse Act 1990
  • Data privacy
  • Data Protection Directive (EU)
  • Freedom of Information Act 2000
  • Gaskin v United Kingdom
  • List of UK government data losses
  • Privacy and Electronic Communications (EC Directive) Regulations 2003
  • General Data Protection Regulation – a 2016 EU regulation on data protection
  • Smith v Lloyds TSB Bank plc
  • Durant v Financial Services Authority [2003] EWCA Civ 1746
  • Data Protection Act 2018. UK Public General Acts. Vol. 2018 c. 12. 23 May 2018. From Data Protection Bill 2017-19 HL Bill [104]. Retrieved 26 April 2024.

References

[edit]
  1. ^ "New data protection laws - new rights of access to information under the Data Protection Act 1998". cms-lawnow.com. Retrieved 26 October 2025.
  2. ^ a b Data Protection Act 1998, Part IV (Exemptions), Section 36 Archived 24 August 2007 at the Wayback Machine, Office of Public Sector Information, accessed 6 September 2007
  3. ^ "Wayback Machine" (PDF). www.dataprotection.ie. Archived from the original (PDF) on 4 April 2025. Retrieved 26 October 2025.
  4. ^ Ford, Michael (March 1999). "Recent legislation. The Data Protection Act 1998". Industrial Law Journal. 28: 57–60. doi:10.1093/ilj/28.1.57.
  5. ^ Bignami, Francesca (1 June 2007). "Privacy and Law Enforcement in the European Union: The Data Retention Directive". Chicago Journal of International Law. 8 (1). ISSN 1529-0816.
  6. ^ Jersey: Data Protection In Jersey And Other Offshore Jurisdictions Archived 27 October 2012 at the Wayback Machine 23 July 2008 Article by Wendy Benjamin, mondaq.com,
  7. ^ "Data Protection Act 1998, Basic interpretative provisions". Office of Public Sector Information. Archived from the original on 1 March 2014. Retrieved 14 March 2014.
  8. ^ "FOI guidance (Ministry of Defence)". GOV.UK. Retrieved 26 October 2025.
  9. ^ "What is personal data? Information Commissioner updates guidance". Pinsent Masons. 30 August 2007. Archived from the original on 20 October 2011. Retrieved 20 August 2012. In the case involving Michael Durant he sought information held on him by the Financial Services Authority. The Court of Appeal ruled that just because a document contained his name it was not necessarily defined as personal data. This changed the perception of how wide a definition of personal data could be.
  10. ^ "Durant v Financial Services Authority". 5RB Barristers. Retrieved 26 October 2025.
  11. ^ "A very brief history of the GDPR". iHasco. Retrieved 26 October 2025.
  12. ^ VinciWorks (21 February 2017). "The 8 Principles of the Data Protection Act 1998 and how GDPR will affect them". VinciWorks. Retrieved 26 October 2025.
  13. ^ Maxwell, F., Six Principles of GDPR, Quality Compliance Systems Ltd., published 3 February 2020, accessed 3 January 2024
  14. ^ OPSI.gov.uk Archived 16 April 2009 at the Wayback Machine Data Protection Act 1998 Schedule 2
  15. ^ "What is the 'legitimate interests' basis?". ico.org.uk. 9 September 2025. Archived from the original on 16 September 2025. Retrieved 27 October 2025.
  16. ^ "Art. 4 GDPR – Definitions". General Data Protection Regulation (GDPR). Retrieved 27 October 2025.
  17. ^ "Conditions for Processing – Guide to Data Protection – ICO". Information Commissioner's Office. Archived from the original on 6 January 2015. Retrieved 8 February 2013.
  18. ^ Data Protection Act 1998, Part IV (Exceptions – Crime and taxation), Section 29 Archived 1 June 2017 at the Wayback Machine
  19. ^ Data Protection Act 1998, Part IV (Exemptions – Disclosures required by law or made in connection with legal proceedings etc.), Section 35 Archived 23 May 2017 at the Wayback Machine
  20. ^ a b Data Protection Act 1998, Part III (Notification by Data Controllers), Section 21 Archived 7 December 2009 at the Wayback Machine, Office of Public Sector Information)
  21. ^ Data Protection Act 1998, Part VI (Miscellaneous and General), Section 55 Archived 24 August 2007 at the Wayback Machine, Office of Public Sector Information, accessed 14 September 2007
  22. ^ Data Protection Act 1998, Part VI (Miscellaneous and General), Section 56 Archived 24 August 2007 at the Wayback Machine, Office of Public Sector Information, accessed 14 September 2007
  23. ^ "Forced data subject access requests are now a criminal offence". Lewis Silkin. Archived from the original on 19 March 2015. Retrieved 10 March 2015.
  24. ^ Bainbridge, D: "Introduction to Computer Law – Fifth Edition", p. 430. Pearson Education Limited, 2005
  25. ^ Data Protection myths and realities, Information Commissioner's Office, accessed 30 August 2008
  26. ^ Iversen, Amy; Liddell, Kathleen; Fear, Nicola; Hotopf, Matthew; Wessely, Simon (19 January 2006). "Consent, confidentiality, and the Data Protection Act". BMJ. 332 (7534): 165–169. doi:10.1136/bmj.332.7534.165. ISSN 0959-8138. PMC 1336771. PMID 16424496.
  27. ^ "Data Protection Act 1998". UK Statute Law Database. Archived from the original on 20 August 2012. Retrieved 20 August 2012.
  28. ^ a b "Your right of access". Information Commissioner's Office. Archived from the original on 26 May 2018. Retrieved 25 May 2018.
  29. ^ "The Guide to Data Protection". Information Commissioner's Office. Retrieved 6 January 2015.
  30. ^ Guidance – The Data Protection Act, Page of Assorted Guidance[permanent dead link], Information Commissioner's Office, accessed 20 October 2007
  31. ^ "Guide to the General Data Protection Regulation (GDPR)". ico.org.uk. 22 December 2017. Archived from the original on 7 January 2018. Retrieved 6 January 2018.
[edit]
Wikiversity has learning resources about Data Protection Act 1998

UK legislation

[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=Data_Protection_Act_1998&oldid=1319069358"