The Data Protection Act 1998 governs how your personal data is used by organisations, businesses and the government. Personal data is data which relates to a living individual who can be identified from the contents of the data. If the data provides particular information about an individual or is focussed on them, then it can be viewed as personal data and will be protected by the Data Protection Act.

What does the Data Protection Act 1998 do?

The Data Protection Act seeks to ensure the safe and secure processing of data in order to protect individuals’ personal data. This personal data needs to be protected due to the fact that it can be sensitive in nature. Information pertaining to ethnic background, political opinions, religious beliefs, health, sexual health or criminal records are examples of sensitive personal data and could be used in a discriminatory way if not processed correctly.

I’ve heard about Data Controllers and Data Processors – what are they?

This can be a confusing subject as sometimes organisations are both, but typically:

  • A data controller determines the purposes for which, and the manner in which, any personal data is, or is to be, processed.
  • A data processor processes the data on behalf of the data controller and acts on the instructions of the data controller.

Another helpful term is a data subject. This is a living individual about whom a data controller holds personal data.

My organisation handles personal data, what should I do?

Where an organisation processes personal information about individuals, it will normally need to be registered with the Information Commissioner’s Office (ICO for short).  This is called “notification” and it tells the ICO (for example) what personal and sensitive data will be processed, the groups of people whose data will be processed, and who that data may be shared with.  

In addition, organisations need to ensure that the following eight principles are followed in order to ensure that personal and sensitive data is sufficiently protected:

  • Principle 1 – Says that all data should be processed fairly and lawfully. In order to ensure fairness the data controller should be clear, open and transparent with the data subject when it comes to how and why their data is being collected.
  • Principle 2 – States that personal data must only be used for the purpose for which it was intended. This helps to reinforce the first principle, as data controllers and data processors must be clear and transparent with the data subject about the handling of their data.
  • Principle 3 – Makes sure that the data collected is adequate for the purpose that has been specified clearly and transparently under the previous two principles. This ensures that data collected is relevant for the specified purpose and is not excessive in nature.
  • Principle 4 – Focuses on the accuracy of data. Personal data must be accurate and up to date, and the more personal or sensitive the data, the more steps need to be taken to ensure that it is accurate.
  • Principle 5 – Looks at the retention of data. If the data collected or processed for a specified purpose is no longer needed, it should either be archived or securely deleted. Retention schedules help to ensure that records are not deleted prematurely or retained for too long.
  • Principle 6 – The rights of the data subject are set out here, and help to protect the data subject from being at the mercy of the data controller. Subject to satisfying certain conditions, the data subject has the right to access a copy of the personal data that a data controller holds about them. In addition, the data subject has the right to, amongst other things, have inaccurate personal data rectified, blocked, erased or destroyed, and to claim compensation for damage caused by a breach of the Data Protection Act.
  • Principle 7 – States that the level of security should match the sensitivity of the data. It is vital that data controllers have put in place the correct physical and technical security, reinforced by robust policies and procedures and supported by dependable, well-trained staff who are able to respond to any breach of security quickly and precisely.
  • Principle 8 – Is concerned with the transfer of data outside the European Economic Area (EEA). This principle states that personal data should not be transferred outside the EEA unless the destination country or territory provides an adequate level of protection for the rights and freedoms of data subjects.

This is a lot to take in. What if the organisation does nothing?

Data protection is simply the practice of ensuring that data is held and processed safely and securely. Once you understand and abide by the above eight principles, it becomes second nature to you and your staff. Failure to comply with the above may mean that your organisation is reported to the ICO, which has the ability to impose financial penalties of up to £500,000 for significant non-compliance with the Act. Not only are organisations liable, but potentially so are senior managers. The ICO also publicly names on its website organisations that have failed to comply with the Act, together with the action taken against the organisation or the individuals concerned. So you are not only looking at a potentially huge fine, but also reputational damage. Therefore it is important to ensure that your greatest assets, your staff, are adequately trained to reduce the risk of being reported to the ICO and the possible penalties.

In addition to this, the new General Data Protection Regulation will be coming into force over the next two years and is set to overhaul the Data Protection Act 1998. Not only will there be fundamental changes to data protection, but Parliament is also considering giving the ICO the ability to fine organisations 100 million euros, or 5% of their annual worldwide turnover, whichever is the greater.

We provide a variety of competitively priced training for staff, from those who deal with a small amount of data to senior managers who handle a vast amount. See our Data Protection Training Academy for more information.

We can also give your organisation an audit in order to show you where your strengths and weaknesses lie, and the steps your organisation can take to become even more compliant with both the current Act and the General Data Protection Regulation. By working towards compliance with both, there is less risk of action from the ICO.

For more information, please contact a member of the Data Protection and People Services team on 01926 880814 or email

About the authors

Paula Tighe Partner

Paula is a qualified data protection professional and leads the trusted advisor information governance service.

Rebecca Harmer Solicitor

Rebecca works within the people services team as a data protection adviser and employment lawyer, giving clients the link between keeping workers’ data secure and employment law implications when a data breach occurs. This gives clients continuity of advice as you deal with one solicitor, rather than two or more.