The Data Protection Act, ratified by the United Kingdom Parliament in 1998, protects individuals' rights to privacy regarding their personal data. It allows individuals to limit the use of personal information about themselves, including, in some cases, the manner of collection, storage, processing, and distribution. In compliance with the European Directive of 1995, the Data Protection Act sets forth eight key principles for the care and use of personal data collected and compiled by companies, researchers, and government agencies. The Data Protection Act compels all data controllers not only to register with the Information Commissioner, but also to abide by the data protection principles in the act.
In accordance with the Data Protection Act, data controllers must disclose to the Information Commissioner their use of personal data, including what types of information they collect and for what purpose they gather that information. Additionally, the data must be collected and processed fairly and lawfully, taking care to ensure that record handling is consistent with the purpose stated to the Information Commissioner. The Data Protection Act also requires that the information be as accurate and up to date as possible. Firms must implement appropriate security measures to prevent unauthorized or prohibited use of personal data, as well as accidental loss or damage to the information.
The Data Protection Act also defines the rights of the individuals who are the subjects of the information in question. For a subject access fee, a data subject has the right to view the data, request the amendment of any inaccuracies, and control the dispersal of his information to third parties. He may also obtain a description of the purposes for which a data controller is holding his material. Data controllers must comply with subject access requests within 40 days.
If a data controller fails to act in accordance with the Data Protection Act, there are a number of criminal and civil penalties under Sections 21, 55, and 56. Notable exemptions to the Act include family data collections, such as personal address books or telephone listings; tax collection efforts; and criminal investigations. Furthermore, data processing completed for the purpose of national security is exempt.
In order for a data controller to handle fairly compiled information pursuant to the Data Protection Act, he must hold only information that meets one of six conditions. Processing is acceptable if the data subject has given his consent. It is also authorized when such processing fulfills a legal obligation, contract, or essential public function. Finally, data processing that protects or pursues the vital or legitimate interests of the subject himself or a third party is also permissible.