This sets out rules for collecting, storing and processing personal data.
Personal data relates to living, identifiable individuals.
The Act first became law in 1984 and was updated in 1988
The rules that data controllers (people who store and process personal data) must follow;
The rights of data subjects (the individuals that the data is about);
The exemptions that exist to the Act
Rules that data controllers must follow
- Eight principles of ‘good information handling’ – data must be:
- processed fairly and lawfully;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate not kept longer than necessary;
- processed in accordance with the data subject’s rights;
- kept secure;
- not transferred to countries without adequate protection
Rights of data subjects
Data subjects can normally see all of the data held about them, with some exceptions, for example if it would affect:
- The way crime is detected or prevented
- Catching or prosecuting offenders
- Assessing or collecting taxes or duty
- The right to see certain health and social work details may also be limited
- The data subject is required to write a letter asking for a copy of the data held about them.
- Data controllers should reply within 40 days, provided proof of identity and the fee have been provided.
Exemptions to the Act
- Exemptions are possible for:
- Maintenance of a public register;
- Some not-for-profit organizations;
- Processing personal data for personal, family or household affairs (including recreational purposes):
- If you only process personal data for
- staff administration;
- advertising, marketing and public relations
- accounts and records;
- Individuals who are processing personal data for personal, family or household affairs are exempt from notification and most of the other provisions of the Data Protection Act 1998.
The Data Protection Commissioner
An independent officer appointed by the queen. Reports directly to Parliament.
Maintaining a register of the names and addresses of all data controllers;
Considering complaints from data subjects about data controllers who have not followed the principles of information handling and prosecuting or serving notices on offenders.