The Data Protection Act (DPA) is a United Kingdom Act of Parliament. It defines a legal basis for the handling in the UK of information relating to living people. It is the main piece of legislation that governs protection of personal data in the UK. Although the Act does not mention privacy, in practice it provides a way in which individuals can enforce the control of information about them. Most of the Act does not apply to domestic use^[1], for example keeping a personal address book. This is a list of Acts of the Scottish Parliament. ... This is a list of Acts passed by the Parliament of Northern Ireland. ... This is a list of Acts of the Northern Ireland Assembly passed by that body from its establishment in 2000 until its suspension in 2002 and from its re-establishment in 2007. ... This is a list of Measures of the National Assembly for Wales. ... The is a list of Orders in Council for Northern Ireland which are primary legislation for the province when the it is being directly ruled from London and also for those powers not devolved to the Northern Ireland Assembly. ... Statutory Instruments (SIs) are parts of United Kingdom law separate from Acts of Parliament which do not require full Parliamentary approval before becoming law. ... An Act of Parliament or Act is law enacted by the parliament (see legislation). ... We dont have an article called Data protection Start this article Search for Data protection in. ... Privacy has no definite boundaries and it has different meanings for different people. ...

Compliance with the Act is overseen by an independent government authority, the Office of the Information Commissioner. The Office of the Information Commissioner (OIC) in the United Kingdom, is an independent government authority and reports directly to Parliament. ...

The act defines eight principles of information-handling practice. These are listed below. The key requirements are:
- Data may only be used for the specific purposes for which it was collected.
- Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.
- Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
- Personal information may be kept for no longer than is necessary.
- Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
- Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner.
- Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training). Consent (as a term of jurisprudence) is a possible justification against civil or criminal liability. ...  EFTA countries (except Switzerland)  EU countries Together these form the EEA. The European Economic Area (EEA) came into being on January 1, 1994 following an agreement between the European Free Trade Association (EFTA) and the European Union (EU). ... It has been suggested that this article or section be merged with Information Commissioners Office. ...

The UK Data Protection Act is a large Act, and has a reputation for complexity.^{[citation needed]} Whilst the basic principles are honoured for protecting privacy, interpreting the act is not always simple. Many companies, organisations and individuals seem very unsure of the aims, content and principles of the DPA. Some hide behind the Act and refuse to provide even very basic, publicly available material quoting the Act as a restriction.^{[citation needed]}

History

The Data Protection Act 1984 was an implementation of the 1981 European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. It provided for a regulatory authority, the Data Protection Registrar, to oversee the implementation of and adherence to the Act. The 1984 Act was repealed by the Data Protection Act 1998. ^[2] Ireland The Office of the Information Commissioner was set up under the terms of the Freedom of Information Act, 1997, which came into effect in April 1998. ...

The Data Protection Act 1998 expanded on the 1984 Act, and was an implementation of European Union Directive 95/46/EC which, amongst other measures, expanded the remit of the Data Protection Registrar and renamed the position to the Data Protection Commissioner. The full title of this directive is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. ... Ireland The Office of the Information Commissioner was set up under the terms of the Freedom of Information Act, 1997, which came into effect in April 1998. ...

Paper-based health, education and social work records which were created before 24 October 1998 are subject to slightly different provisions in the Act which will apply until 23 October 2007.

Most recently, the Freedom of Information Act 2000 further expanded the role to include freedom of information; the job title of the DPR/DPC was changed once again, this time to Office of the Information Commissioner. Freedom of Information logo See Freedom of information in the United Kingdom for a general discussion of freedom of information legislation throughout the United Kingdom. ... The Office of the Information Commissioner (OIC) in the United Kingdom, is an independent government authority and reports directly to Parliament. ...

Following the practice of taking fingerprints of children without parental consent in school, it has been established that the latter was not necessary under the DPA. 3,500 schools in the UK have such fingerprint locks or databases in 2007 ^[3]. A macro shot of a palm and the base of several fingers; as seen here, debris can gather between the ridges. ...

Personal data

The Act covers any data which can be used to identify a living person. This including names, birthday and anniversary dates, addresses, telephone numbers, Fax numbers, e-mail addresses etc. It only applies to that data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.

Subject rights

The data protection act creates rights for those who have their data stored, and responsibilities for those who store or collect personal data.

The person who has their data processed has the right to^[4]

• View the data an organisation holds on them, for a small fee, known as 'subject access'^[5]
• Request that incorrect information is corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.^[6]
• Require that data is not used in a way which causes damage or distress.^[7]
• Require that their data is not used for direct marketing.^[8]

Compensation has several different meanings as indicated below. ... Wikibooks has more about this subject: Marketing Direct marketing is a discipline within marketing that involves contacting individual customers (business-to-business or consumer) directly and obtaining their responses and transactions for the purpose of developing and prolonging mutually profitable customer relationships. ...

Data protection principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
   1. at least one of the conditions in Schedule 2 is met, and
   2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Conditions relevant to the first principle

• Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data.
  1. The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
  2. Processing is necessary for 'the performance of a contract (any processing not directly required to complete a contract would not be "fair");
  3. Processing is required under a legal obligation (other than one stated in the contract);
  4. Processing is necessary to protect the vital interests of the data subject's rights;
  5. Processing is necessary to carry out any public functions;
  6. Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).

Exemptions

The Act is structured such that all processing of personal data is covered by the act, while providing a number of exemptions in Part IV.^[1] Notable exemptions are:

• Section 28 - National security. Any processing for the purpose of safeguarding national security are exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data).
• Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.
• Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).

Offences

• Section 55 - Unlawful obtaining of personal data. This Section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data.^[9]

• Section 56 - This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes or recruitment, continued employment, or the provision of services.^[10] As of 2007 this section has not yet been enabled.^[11] According to the government, this section will not be enabled until the Criminal Records Bureau is providing a Basic Disclosure service.^[12] The provision of a Basic Disclosure service is dependent on s.112 of the Police Act 1997 being enacted, which provides for "Criminal Conviction Certificate".^[11]

A police caution is an alternative to prosecution available to be administered by the police in the United Kingdom. ... The Criminal Records Bureau (CRB) is an executive agency of the Home Office in the United Kingdom, which conducts criminal record checks on potential employees on behalf of organisations and recruiters throughout England and Wales. ...

References

1. ^ ^{a b} Data Protection Act 1998, Part IV (Exemptions), Section 36, Office of Public Sector Information, accessed September 6, 2007
2. ^ Data Protection Act 1998, Schedule 16, Part I (Repeals), Office of Public Sector Information, accessed September 8, 2007
3. ^ Child fingerprint plan considered, BBC, March 4, 2007
4. ^ Your rights,, ICO, accessed September 6, 2007
5. ^ As of 2006, the maximum fee is £10 per item, FAQs, ICO
6. ^ Correcting information, ICO
7. ^ Data Protection Act 1998, Part III (Notification by Data Controllers), Section 10, Office of Public Sector Information, accessed September 6, 2007
8. ^ Data Protection Act 1998, Part III (Notification by Data Controllers), Section 11, Office of Public Sector Information, accessed September 6, 2007
9. ^ Data Protection Act 1998, Part VI (Miscellaneous and General), Section 55, Office of Public Sector Information, accessed September 14, 2007
10. ^ Data Protection Act 1998, Part VI (Miscellaneous and General), Section 56, Office of Public Sector Information, accessed September 14, 2007
11. ^ ^{a b} British Employment Law website (emplaw.co.uk), Criminal law aspects / vetting of job applicants / position under Police Act 1997
12. ^ Hansard, 28 Jun 2005 : Column 1451W

The Office of Public Sector Information (OPSI) is the new body incorporating Her Majestys Stationery Office (usually abbreviated as HMSO). ... is the 249th day of the year (250th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... The Office of Public Sector Information (OPSI) is the new body incorporating Her Majestys Stationery Office (usually abbreviated as HMSO). ... is the 251st day of the year (252nd in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... For other uses, see BBC (disambiguation). ... is the 249th day of the year (250th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... The Office of Public Sector Information (OPSI) is the new body incorporating Her Majestys Stationery Office (usually abbreviated as HMSO). ... is the 249th day of the year (250th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... The Office of Public Sector Information (OPSI) is the new body incorporating Her Majestys Stationery Office (usually abbreviated as HMSO). ... is the 249th day of the year (250th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... The Office of Public Sector Information (OPSI) is the new body incorporating Her Majestys Stationery Office (usually abbreviated as HMSO). ... is the 257th day of the year (258th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... The Office of Public Sector Information (OPSI) is the new body incorporating Her Majestys Stationery Office (usually abbreviated as HMSO). ... is the 257th day of the year (258th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ...

See also

• Data privacy
• Freedom of Information Act 2000
• Computer Misuse Act 1990
• Privacy and Electronic Communications (EC Directive) Regulations 2003

Data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of privacy in the collection and sharing of data. ... Freedom of Information logo See Freedom of information in the United Kingdom for a general discussion of freedom of information legislation throughout the United Kingdom. ... The Computer Misuse Act 1990 is an Act of the UK Parliament. ... The Privacy and Electronic Communications (EC Directive) Regulations 2003 is a law in the United Kingdom which make it unlawful to transmit an automated recorded message for direct marketing purposes via a telephone, without prior consent of the subscriber. ...

External links

• The Information Commissioner
• Data Protection Act 1998 (full text from OPSI)
• Council of Europe - ETS no. 108 - Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) - basis for Data Protection Act 1984
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data - basis for Data Protection Act 1998
• The Department for Constitutional Affairs
• The Data Protection Act Explained
• Data Protection Act 1984 (full text), broken link on September 6, 2007
• The Employment Practice Code (an explanation of employees rights from the Data Protection Act) (full text)