The Data Protection Act (1998) was drafted to ensure the privacy of personal information stored electronically on computers nationwide. The Act aims to “promote high standards in the handling of personal information, and so to protect the individual’s right to privacy”.
Anyone holding data relating to living individuals in electronic format (and in some cases, on paper) must follow the Act’s 8 data protection principles:
The 8 Principles of Data Protection
Under the DPA, personal information must be:
• Fairly and lawfully processed
• Processed for specified purposes
• Adequate, relevant and not excessive
• Accurate, and where necessary, kept up to date
• Not kept for longer than is necessary
• Processed in line with the rights of the individual
• Kept secure
• Not transferred to countries outside the European Economic Area unless there is adequate protection for the information
The DPA also created the office of Information Commissioner, who maintains a register of data controllers together with details of the types of personal data each controller holds. This process is described as “notification”. The register of all data controllers and the information they store can be accessed online here.
Not only is compliance with the Data Protection Act a legal requirement, there are also a number of business reasons why you should comply – we discuss this further in our article on Data Protection Compliance.