What is the Data Protection Act (DPA)?

The Data Protection Act (DPA) passed in 1998 by the Parliament of the United Kingdom.  It’s basically an update to how the data of living people is to be legally handled and utilized in the United Kingdom. The act was a direct response to the growth of the Internet and is intended to prevent misuse of valuable personal information. The original DPA was passed in 1984, and the updated act sought to include elements from the European Data Protection Directive. It governs the obtaining, usage, disclosure, and holding of ‘personal data.’

The act is one of the most complex legislative texts in the UK, and it consists of six major Parts, which are followed by sixteen explanatory Schedules. The Schedules are detailed explanations of all the Parts and they are filled with diverse legal interpretations and contingency situations where the application of the act may seem confusing.

Defining personal data

The act was created to allow individuals to have a greater say of how their data is handled.  “Personal Data”  is defined in the Act as any data that can be used to identify a living person. The act covers information held on computers and information stored in relevant filing systems as accepted under UK law. There are however some notable exceptions to this act and they are provided in Part IV of the legislative text. This is detailed in Sections 28, 29, and 36 and the exceptions are national security, crime & taxation, and domestic purposes respectively.

Fundamental principles of the Data Protection Act

The data protection act lists eight fundamental principles. They state that personal data shall be:

1. processed lawfully and fairly
2. updated periodically to reflect current formation
3. retained only while it is justifiably required
4. acquired only when there is a clear lawful need
5. adequate, relevant, and not excessive
6. processed while keeping in mind the rights of the individuals involved
7. guarded against unjust and authorized usage and against accidental damage, destruction, or loss
8. shielded from transfer outside the EEA unless the country or location specifically guarantees the rights of the data subjects

When can data be ‘processed’?

The first principle states that data must be ‘processed fairly and lawfully.’ Schedule 2 of the act covers the six conditions, one of which has to be met, that define what ‘fairly processed’ means.

These six conditions are when;

• An individual has provided consent for the act of processing
• Processing is required for contractual purposes
• Processing is needed for some form of legal obligation
• The interests and rights of the subject need to be guarded
• Some vital public function has to be undertaken
• Processing is required to follow through the legitimate, legal interests of a third party or a data controller

Only when one of these six conditions are met can data be processed.

Certain aspects are more strongly protected

In order to shield the rights of minorities and more vulnerable sections of the society, the act provides tougher legal protections for certain types of sensitive personal data such as sexual health, criminal rap sheet, ethnicity, religion, general health, and political viewpoints. All of these protections come under the term ‘sensitive personal data’ as defined by the legislative text. As most of this information is private and could easily be used to target or discriminate against certain sections of the population, it must be protected accordingly. Schedules 2 and 3 specifically deal with these issues.