The Data Protection Act 1998 (DPA) gave effect in UK law to the EC Directive on Data Protection. It replaced the Data Protection Act 1984 and came into force on 1 March 2001. For full details, see www.ico.gov.uk.
The DPA is concerned with personal data, that is, any data relating to an individual who can be identified.
Some elements are categorised as sensitive, for example information concerning:
The DPA sets out eight data protection principles that must be met. These determine that personal data must be:
For further details, see www.ico.gov.uk.
Anyone has the right to access his or her own personal data. This includes stored and backup data, as well as regular live stores.
Individuals also have the right to require that processing stop if it is likely to cause damage or distress, and the right to prevent their data being used for direct marketing.
If the DPA is breached and harm is caused, individuals have the right to claim compensation, and to have inaccurate personal data rectified, blocked, erased or destroyed.
The DPA places a legal obligation on Data Controllers. Who the Data Controller is depends on the nature of your organisation. For example, in the case of a limited company, the company itself is the Data Controller, whereas for sole traders and partnerships accountability rests with the owners of the business. Most Data Controllers will need to notify the Information Commissioner of their processing of personal data. See our section on Practical Data Protection for further details.
The DPA is based on eight enforceable rules for the handling of personal information. The seventh principle requires those handling personal information to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal information, and against the accidental loss or destruction of, or damage to, the information.
The Act goes on to stipulate that security measures must ensure a level of security appropriate to the harm that might result from a breach of security and to the nature of the data to be protected; in other words, a risk analysis approach is required. It also stipulates that reasonable steps must be taken to ensure the reliability of employees who have access to personal information.
Furthermore, where those responsible for the personal information use a subcontractor to process it on their behalf, the subcontractor must guarantee sufficient security measures, and reasonable steps must be taken to ensure compliance with those measures. There must also be a written contract in place between the party responsible for the processing and the subcontractor.
The Information Commissioner has produced a guide to data protection auditing, including a section on compliance with the seventh principle. This is available at www.ico.gov.uk. The Commissioner's site also carries comprehensive advice on all aspects of data protection compliance.
BERR has produced a publication entitled Information Security: BS 7799 and The Data Protection Act which explains how the BS 7799 (now ISO 27002) code of practice can help you meet the information security requirements of the 1998 Data Protection Act. This, together with a full range of information security publications, is available to order or download.
The DPA operates alongside a number of other pieces of legislation, most notably: