The Data Protection Act (2018)
What is the Data Protection Act?
- The Data Protection Act (DPA) is a law that protects personal data from being misused
- Examples of personal data would include
  - Name
  - Address
  - Date of Birth
  - Race
  - Religion
- Most people who store personal data have to follow the Data Protection Principles, although there are a few exemptions:
  - Domestic purposes – if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the DPA
  - Law enforcement – the police investigating a crime are not subject to the DPA. E.g. someone suspected of a crime cannot request to see the evidence held about them
  - Intelligence services processing – personal data processed by the intelligence services (e.g. MI5) is not covered by the DPA
The data protection principles
| Principle | How does it affect a company? | Example |
|---|---|---|
| 1. Personal data must be fairly and lawfully processed | A company has to be clear about what personal data they wish to collect and what they want to use it for. | A school can request personal data to be able to call guardians in an emergency. |
| 2. Personal data must be collected for specified and lawful purposes | A company cannot use personal data for any purpose other than what they stated originally. They also cannot pass this data on without permission. | A company asks for a phone number to call regarding delivery but then uses it to market new products. |
| 3. Personal data must be adequate, relevant and not excessive | A company cannot request personal data that they do not need right away. | A bank cannot ask for their customer's previous trips when opening an account. |
| 4. Personal data must be kept accurate and up to date | If a company holds personal data that is wrong or out of date then you have a right to have it corrected or deleted. | If a bank has a customer's old address then they will not be able to send up-to-date statements. |
| 5. Personal data will not be kept for longer than is necessary | A company must delete personal data once they no longer have a need for it. | If a customer closes their account the company must delete their data. |
| 6. Personal data must be processed in line with people's rights | If requested, a company must provide a customer with all the personal data they hold on them. | A hospital has to give a patient's full records if requested by the patient. |