Data Protection Compliance

In the UK, the collection and use of personal data is primarily governed by the Data Protection Act 1998 (DPA), which came into force on 1 March 2000.

The DPA implemented the EC Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (95/46/EEC) (the Directive), and replaced the UK's Data Protection Act 1984 in its entirety.

If you process data then the DPA will apply to you.

The DPA applies to the "processing" of "personal data", both of which are very widely defined.

It means that practically any business operating in the UK which holds information about individuals, whether employees, customers or anyone else, is affected by the DPA.

A breach of the data protection laws can result in criminal as well as civil liability, not to mention adverse publicity, which is increasingly the likely result of non-compliance. No organisation can afford to ignore its data protection obligations.

Survey after survey shows that a large proportion of UK companies still operate in breach of data protection laws!

Stay Legal's team of commercial and e-commerce law specialists can help you ensure your business practices comply with the Data Protection Act of 1998. This page provides a brief outline of the Act and its implications. Please note, information found on this page cannot be considered legal advice in any way whatsoever. The only way we can truly advise and protect your business is through a direct relationship between yourself and Lawdit Stay Legal®.

Overview

For the most part, the provisions of the DPA are common sense based on common courtesy. The DPA is based on eight principles, which state that:

  1. All data must be processed fairly and lawfully,
  2. All data must be obtained and used only for its specified purpose,
  3. Data collected must be adequate, relevant and not in excess of what is necessary to conduct business,
  4. All data retained must be accurate and kept up to date,
  5. Data must not be stored longer than is necessary to conduct business,
  6. All data must be processed in accordance with an individual’s rights,
  7. All data must be kept secure, and,
  8. Data collected may only be transferred to other countries that have similar or adequate data protection policies.

The Act makes special provisions for what it labels "sensitive personal data", which is defined in the Act as:

  1. the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religious beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union,
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Compliance with the Data Protection Act of 1998 can be complicated, especially for smaller businesses with less formal record-keeping processes.
