The British Data Protection Act 1998 (DPA) is the central data protection law of the United Kingdom. It applies in England, Northern Ireland, Scotland and Wales.
In addition to the general Act, there are specific provisions for individual sectors. Many of the legal provisions are further explained in the codes of practice and guidance published by the Information Commissioner's Office (ICO), www.ico.org.uk. The ICO is the British data protection authority and is responsible for enforcing breaches of the Act.
Links to the British Data Protection Act:
Until the United Kingdom leaves the EU, the EU's data protection provisions continue to apply, including the Europe-wide General Data Protection Regulation (GDPR), which applies from 25 May 2018.
After Brexit, the UK will be free to enact its own data protection law.
As far as data protection is concerned, Brexit means that data exchanges with the UK will no longer be transfers within the EU. The UK will become a so-called "third country", and transfers of personal data to third countries are subject to stricter requirements (an adequacy decision or other appropriate safeguards).
Data Protection Act 1998 of 16 July 1998
In the UK, the Data Protection Act 1998 (DPA) is the primary legal basis for data protection. It transposes EU Directive 95/46/EC (the "Data Protection Directive") into national law.
The DPA applies only to the collection, processing and use of personal data, i.e. information relating to identifiable living individuals (natural persons). The protection of legal persons and other collective entities, such as groups of people, is not specifically regulated. However, as soon as information about a legal person also identifies one or more natural persons (for instance by naming them), that information falls under the provisions on individual data protection.
The Act applies to the processing of any kind of personal data, in the private and public sector alike. Beyond the DPA, data protection rules are found only in a few sector-specific laws (see below), such as the Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Structure of the UK Data Protection Act 1998
The UK DPA consists of a main text in 6 parts, followed by 16 schedules.
The 6 parts contain a total of 75 sections:
- Part I: Preliminary (sections 1-6)
- Part II: Rights of data subjects and others (sections 7-15)
- Part III: Notification by data controllers (sections 16-26)
- Part IV: Exemptions (sections 27-39)
- Part V: Enforcement (sections 40-50)
- Part VI: Miscellaneous and general provisions (sections 51-75)
These provisions are further elaborated in the schedules:
- Schedule 1: The 8 data protection principles
- Schedule 2: Conditions relevant for the first principle: processing of any personal data
- Schedule 3: Conditions relevant for the first principle: processing of sensitive personal data
- Schedule 4: Cases in which the 8th principle does not apply
- Schedule 5: The data protection authority (Information Commissioner's Office) and the Tribunal
- Schedule 6: Appeal proceedings
- Schedule 7: Miscellaneous exemptions
- Schedule 8: Transitional relief
- Schedule 9: Powers of entry and inspection
- Schedule 10: Further provisions on assistance by the Commissioner under section 53
- Schedule 11: Educational records
- Schedule 12: Accessible public records
- Schedule 13: Modifications of the Act having effect before 24 October 2007
- Schedule 14: Transitional provisions and savings
- Schedule 15: Minor and consequential amendments
- Schedule 16: Repeals and revocations
The UK does not have a written constitution and protects privacy primarily by means of case law. Consequently, the DPA is the primary statute governing the processing of personal data. The DPA balances the legitimate interests of organisations processing personal data against the interests of the data subject, specifically the right to privacy. The Act was brought into force to meet the requirements of EU Data Protection Directive 95/46/EC. Although the DPA implements that Directive, which explicitly refers to the right to privacy, the DPA itself does not use the word "privacy" in any provision. The DPA establishes how the personal data of living persons may lawfully be processed. Its primary objective is to protect individuals from the improper use or misuse of information about them.
Schedule 1 of the DPA contains eight principles, which are based on the EU Data Protection Directive. By complying with these principles, the data controllers responsible for processing personal data ensure good data protection.
- Principle 1: Fair and lawful processing (with at least one condition from Schedule 2 met, and from Schedule 3 for sensitive data)
- Principle 2: Data obtained only for specified, lawful purposes and not further processed in a way incompatible with those purposes
- Principle 3: Data adequate, relevant and not excessive for the purpose
- Principle 4: Accuracy and, where necessary, keeping data up to date
- Principle 5: No retention for longer than necessary for the purpose
- Principle 6: Processing in accordance with the rights of the data subject
- Principle 7: Security, i.e. appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Principle 8: No transfer outside the EEA unless an adequate level of protection is ensured
The most important sector-specific laws are described briefly below:
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
These regulations implement EU Directive 2002/58/EC, as amended by Directive 2009/136/EC, and contain rules on electronic marketing and on the use of cookies.
- The Regulation of Investigatory Powers Act 2000 (RIPA)
The Act governs telecommunications surveillance, in other words the interception of communications, the acquisition of communications data and other surveillance powers. Interception is lawful not only where the data subject has actually given consent, but already where the intercepting party has "reason to believe" that the data subject has consented.
- Data Retention and Investigatory Powers Act 2014 (DRIPA)
The Secretary of State can require telecommunications companies to retain communications data. In its judgment of 21 December 2016 in cases C-203/15 and C-698/1, the ECJ concluded that the Act is not compatible with EU law.
Both RIPA and DRIPA are being amended and replaced by new investigatory powers legislation (the Investigatory Powers Act 2016).
- Freedom of Information Act 2000
The Act governs the public's right of access to information held by public authorities.
Territorial application of the British Data Protection Act
The territorial scope is determined by Data Protection Directive 95/46/EC (Article 4). Section 5 of the UK DPA transposes these provisions into national law.
In accordance with section 5(1), the DPA applies when at least one of the following conditions is met:
- The data controller is established in the UK and the data are processed in the context of that establishment.
- The data controller is established neither in the UK nor in any other EU/EEA member state, but uses equipment located in the UK to process the data, other than merely for transit through the UK.
In accordance with section 5(2), a data controller established in a third country that uses equipment in the UK must nominate a representative established in the United Kingdom.
The following persons are deemed to be established in the UK in accordance with section 5(3):
- Individuals ordinarily resident in the UK.
- Bodies incorporated under UK law.
- Partnerships or other unincorporated associations formed under UK law.
- Any person not falling within the above categories who maintains an office, branch or agency in the UK through which they carry on an activity, or who maintains a regular practice there.