Data Protection Act

The Data Protection Act (DPA) in the United Kingdom is designed to protect the privacy and integrity of data held on individuals by businesses and other organisations. It ensures that individuals associated with an organisation (customers and employees) have access to their data and can correct it if necessary. It is enforced by the Information Commissioner’s Office (ICO), which has responsibility for overseeing the Freedom of Information Act and the regulation of interception of communications under the Regulation of Investigatory Powers Act 2000 (RIPA).

If you store personal information on clients, employees or other individuals, you must comply with the requirements of the act. We suggest that you review your policies, practices and procedures associated with this kind of data, and regularly review the necessity to hold / appropriateness of holding such data, and how it is protected. You may also need to review the terms and conditions that apply to your website.


The DPA consists of eight principles which represent guidelines for best practice in handling personal data:

1. Personal data must be processed fairly and lawfully

Tell people for which purposes the data is being collected, and if applicable, that the data may be sent outside of the EEA (European Economic Area). The most common bases for processing personal data are to enter into a contract (for example contract of sale) or if you have the individual’s consent. Recorded telephone messages are useful tools for enabling these types of message, and can be optional (for example, press 1 to hear the DP message). Notices should be prominent where CCTV is used as these images are covered by the Act and would be in scope for data subject access requests if the images are not overwritten within 40 days.

2. Notify the Information Commissioner (via the online process) that you are processing personal data and for which purposes (there is a notification charge).

Personal data shall only be used in accordance with the purposes for which it was collected

Ensure data collected for one purpose is not then used for a different purpose. This can be covered off by including all likely purposes in the DP fair processing message. The purposes for collecting the data must be reasonable (and obviously, lawful).

3. Personal data must be adequate, relevant and not excessive

Do not collect data just in case it might be useful.

4. Personal data must be accurate and where necessary kept up to date

Allow individuals the ability to update their data or to have it updated. This includes marketing communications.  It is common practice nowadays for organisations to provide an opt-in approach to marketing (‘tick here if you wish to be contacted for marketing purposes’), and to enable the updating of personal data online.

5. Personal data must be kept for no longer than is necessary

Develop a retention policy for personal data and ensure it is enforced.

6. Personal data must be processed in accordance with the rights of data subjects

Ensure any requests from individuals for a copy of their data are responded to promptly and the data is provided within 40 days. Establish whether or not you require a fee (maximum £10) to be paid – and how it should be paid. Provide opt-in tick boxes for marketing communications and ensure this is accurately captured in systems. Many complaints rightly arise from people receiving marketing emails or calls when they have not requested them.

7. Appropriate technical and organisational measures must be established to protect the data

To protect systems from hackers, set up firewalls at your network perimeter, store the data itself securely with only specific authorised individuals having access. Consider data encryption. Develop an organisational policy for handling personal data (and other sensitive or confidential data) and set up a staff training programme accordingly.  Consider additional protection when emailing personal data over the internet, as email is inherently insecure.

8. Personal data must not be transferred outside the EEA unless adequate provisions are in place for its protection

If a requirement exists to send or transfer data outside the EEA, consider the following:

  • Does the receiving state have an adequate privacy legislation equivalent to that of the EU?
  • Is it necessary to send the data as part of the fulfilment of a contract?
  • Has the data subject consented? (Does the fair processing notice include a statement to the effect that it may be transferred outside the EEA?)
  • Is the data being processed outside of the EEA by another office of the same firm which is established within the EEA? (such as a branch of a UK firm in the US which needs to view orders).
  • Is there a contract in place between the data controller and the receiving organisation providing for adequate protection of personal data? (such as if a UK organisation uses a third party in India for managing its HR records).

Notable exemptions:

  • If personal data is processed for the prevention and detection of crime, a fair processing notice does not have to be provided. Disclosure of personal data to law enforcement agencies is generally acceptable as long as a formal procedure is established to ensure the request is ‘reasonable’ and the response satisfactory and not excessive.
  • Journalistic exemption. There are certain exemptions relating to the processing of personal data in the media (photographs in newspapers, TV images etc).
  • Legal proceedings.
  • Vital interests of the data subject.

These principles have to be applied by all organisations regardless of whether they are registered. However, in certain circumstances you may be required to register with the Information Commissioner. Registration costs £35 for organisations turning over up to £25.9m, and £500 for companies exceed this turnover and with more than 249 employees. Beware of bogus ‘agencies’ who offer registration in exchange for a higher fee than this.


  • Personal data – information relating to a living individual.
  • Data subject – the person about whom the data relates.
  • Data subject access request – the right of an individual to request a copy of their data under a formal process and payment of a fee.
  • Data controller – an organisation or body which uses personal data.
  • Processing of personal data – storage, transfer, viewing, access, analysis of personal data.
  • Notification – a formal process of notifying the Information Commissioner’s Office by an organisation of the use of personal data.
  • Sensitive personal data – data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal record.


  • Digital or electronic data (including CCTV images).
  • Data in manual filing systems (paper-based systems), if it is considered to be a structured filing system.

A relevant filing system is defined as “a manual file that is well indexed with marked tabs so a particular document within the file is very easy to find”.

Legal constraints on employee monitoring

The Data Protection Act also covers employee monitoring. Besides perceived ethical constraints, there are legal constraints which require that employee monitoring must be:

  • Proportionate to the objective. For example, preventing online timewasting probably does not require that every employee be kept under permanent video surveillance.
  • Carefully considered. For example, it needs to tally with employee policies and be planned and implemented with care.
  • Clearly communicated to staff before it begins. This is typically done using employment policies.

The Regulation of Investigatory Powers Act covers the interception of communications on private networks, such as monitoring internet and email. Covert surveillance is very rarely legal. The act underlines the importance of prior communication. We recommend that you seek advice from a lawyer if considering any of these measures.

Consequences of non-compliance

The Information Commissioner has legal powers to take action against organisations that breach the principles of the Data Protection Act. Individuals who believe their personal data has been misused can initially complain to the organisation but may also take legal proceedings and complain to the Information Commissioner, who will then instigate an investigation and decide whether the organisation has taken sufficient measures to protect personal data.

Actions that can be taken by the Information Commissioner include the following:

  • Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period.
  • Issue undertakings committing an organisation to a particular course of action in order to improve its compliance.
  • Serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
  • Conduct consensual assessments (audits) to check organisations are complying;
  • Serve assessment notices to conduct compulsory audits to assess whether organisations processing of personal data follows good practice (data protection only).
  • Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, or serious breaches of the Privacy and Electronic Communications Regulations occurring on or after 26 May 2011.
  • Prosecute those who commit criminal offences under the Act.
  • Report to Parliament on data protection issues of concern.

Further information – Information Commissioner’s website, including advice and guidance on Data Protection, Privacy and Electronic Communication and Freedom of Information*

(*applies to public authorities)



See Also...

In partnership with

Jargon Buster

A Glossary of terms used in this article:


The process of converting data into cipher text (a type of code) to prevent it from being understood by an unauthorised party.

Information Commissioner

The UK Information Commissioner’s Office (ICO) is the independent public body set up to uphold information rights in the public interest, responsible for upholding the Data Protection Act 1998 and the Freedom of Information Act 2000.