||» Home|

» Search |  » Contact |  » Help |  » Site map

| People's rights | Human rights | Freedom of information | Data protection | FAQs | Contact details | Legislation | European Union & International | The Information Commissioner | Publications | Useful links | Data sharing | Elections | Transsexual people | Your rights - DCA

Legislation: about the Data Protection Act

This section provides an introduction to the data protection act and includes what the act does, who enforces it, and guidelines for both individuals and organisations. You can also read the actual text of the Data Protection Act 1998 and relevant legislation

• What the act covers
• Who ensures the act is enforced
• Your rights as an individual
• What organisations need to do
• Responding to requests for personal data - subject access requests

---

What the act covers

The 1998 Act applies in England, Wales, Scotland and Northern Ireland. It applies to:

• computerised personal data;
• personal data held in structured manual files

held by all data controllers. In addition, the Freedom of Information Act 2000 extended the Data Protection Act 1998 to apply to all recorded personal data (including that in unstructured manual files) held by data controllers who are also public authorities for the purposes of the 2000 Act.

It applies to anything at all done to personal data ("processing"), including collection, use, disclosure, destruction and merely holding personal data.

• Back to top

---

Who ensures the act is enforced

The supervisory authority is the Information Commissioner, who:

• enforces the Act's requirements;
• promotes compliance and good practice;
• manages the notification scheme.

• Back to top

---

Your rights as an individual

The Act gives individuals rights to:

• gain access to their data;
• seek compensation;
• prevent their data being processed in certain circumstances;
• "opt-out" of having their data used for direct marketing;
• "opt-out" of fully automated decision-making about them.

• Back to top

---

What organisations need to do

Organisations processing personal data ("controllers") must comply with the data protection principles. These require data to be:

• fairly and lawfully processed;
• processed for limited purposes;
• adequate, relevant and not excessive;
• accurate;
• not kept longer than necessary;
• processed in accordance with individuals' rights;
• kept secure;
• not transferred to non-EEA (European Economic Area) countries without adequate protection.

As part of complying with the principles, controllers must:

• meet one of six conditions in order to process personal data;
• meet one of a number of further conditions in order to process sensitive data*;
• inform individuals when their data is collected.

Sensitive data is data about a person's ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and criminal history.

Controllers must tell the Commissioner about their processing (unless a notification exemption applies). Notification exemptions cover:

• manual records;
• core business activities;
• charities' membership records.

Exemption from notification does not usually grant exemption from the data protection principles.

• Back to top

---

Responding to requests for personal data - subject access requests

People can ask to see any personal information that is held about them by organisations. These requests are called "subject access requests". We have published guidance on how to respond to and handle subject access requests under section 7 of the Data Protection Act.

© Crown Copyright