Data Protection Act: A Historical Overview

The Data Protection Act 2018 is a UK law that controls how personal information is used by organisations, businesses, or the government. It received royal assent on 23 May 2018 and came into effect on 25 May 2018, replacing the Data Protection Act 1998. The act provides individuals with greater control over their personal data and ensures that UK data protection laws are fit for the digital age. It also aligns with the European Union's General Data Protection Regulation (GDPR), providing for certain permitted derogations, additions, and UK-specific provisions.

The Data Protection Act 2018

• Used fairly, lawfully, and transparently
• Used for specified and explicit purposes
• Adequate, relevant, and limited to what is necessary
• Accurate and up to date
• Kept for no longer than necessary
• Handled securely, with protection against unlawful or unauthorised processing, access, loss, destruction, or damage

The act also provides stronger legal protection for sensitive information, such as trade union membership, biometrics (when used for identification), and sex life or orientation. Separate safeguards are in place for personal data related to criminal convictions and offences.

Under the Data Protection Act 2018, individuals have the right to know what information is stored about them by the government and other organisations. They can request to:

• Be informed about how their data is being used
• Access their personal data
• Have incorrect data updated
• Restrict or stop the processing of their data
• Have data portability, allowing them to reuse their data for different services
• Object to how their data is processed in certain circumstances

Additionally, individuals have rights regarding the use of their personal data for automated decision-making processes and profiling. The act introduces new offences, including knowingly or recklessly obtaining, disclosing, or retaining personal data without the consent of the data controller.

• Provisions about the processing of personal data
• Supplementing the GDPR and applying a similar regime to certain types of processing outside the scope of the GDPR
• Provisions about the processing of personal data by competent authorities for law enforcement purposes, implementing the Law Enforcement Directive
• Provisions about the processing of personal data by intelligence services
• Provisions about the Information Commissioner
• Enforcement of the data protection legislation
• Supplementary provisions, including the application of the Act to the Crown and Parliament

The Data Protection Act 1998

• Personal data shall be processed fairly and lawfully.
• Personal data shall be obtained only for specified and lawful purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary.
• Personal data shall be processed in accordance with the rights of data subjects (individuals).
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data.
• Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

The Data Protection Act and Digital Information Bill

The Data Protection Act is a UK act of Parliament designed to protect personal data stored on computers or in organised paper filing systems. The Data Protection Act 1998 was superseded by the Data Protection Act 2018, which received royal assent on 23 May 2018 and came into effect on 25 May 2018. The Act controls how personal information is used by organisations, businesses, or the government, and it grants individuals rights over their data.

The Data Protection Act 2018 was to be significantly amended by the Data Protection and Digital Information Bill. This bill was first introduced during the 2022-23 parliamentary session but did not complete before Parliament was dissolved on 24 May 2024 and is no longer being progressed. The Data Protection and Digital Information Bill aimed to make provisions for the regulation of processing information relating to identified or identifiable living individuals. It also sought to address services consisting of using information to ascertain and verify facts about individuals, access to customer and business data, privacy and electronic communications, and the provision of electronic signatures and trust services.

The Data Protection and Digital Information Bill also intended to address the disclosure of information to improve public service delivery, the implementation of agreements on sharing information for law enforcement purposes, and the keeping and maintenance of registers of births and deaths. Additionally, the bill included provisions for information standards for health and social care, the establishment of the Information Commission, and oversight of biometric data.

The Data Protection Act 2018 is a revision of the 1998 Act, which includes the importance of organisations being more responsible with information and improving confidentiality. The 2018 Act also works in tandem with the EU's General Data Protection Regulation (GDPR), which the 1998 Act did not. The key additions in the 2018 Act include the right to erasure, clearer inclusions of exemptions, and regulation in line with the GDPR.

The Data Protection Act updates

The Data Protection Act 2018 controls how personal information is used by organisations, businesses, or the government. It is the UK's implementation of the General Data Protection Regulation (GDPR) and came into effect on 25 May 2018. The Act has seven parts and applies the data protection standards set out in the GDPR.

Updates to the Data Protection Act

The Data Protection Act 2018 replaced the Data Protection Act 1998, which was an act of Parliament in the United Kingdom designed to protect personal data stored on computers or in organised paper filing systems. The 1998 Act provided individuals with legal rights to control information about themselves and imposed obligations on those holding personal data for other purposes.

The Data Protection Act 2018 introduced several key additions, including:

• The right to erasure
• Clearer inclusions of exemptions to the Act
• Regulation in tandem with the GDPR
• New offences, including obtaining or disclosing personal data without the consent of the data controller
• A new public interest test applicable to the research processing of personal health data

The Data Protection Act, 2018 was to be significantly amended by the Data Protection and Digital Information Bill, but this was abandoned due to the 2024 United Kingdom general election.

The Data Protection Act in the UK

The Data Protection Act 2018 is a United Kingdom act of Parliament which updates data protection laws in the UK. It received royal assent on 23 May 2018 and came into effect on 25 May 2018, the same day that the EU's General Data Protection Regulation (GDPR) came into force. The Data Protection Act 2018 is the UK's implementation of the GDPR, and it replaces the previous Data Protection Act 1998.

The Data Protection Act 2018 controls how personal information is used by organisations, businesses, or the government. It gives individuals the right to find out what information is stored about them and to have incorrect data updated. The Act also introduces new offences, including knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller.

The Act has seven parts:

• This Act makes provision about the processing of personal data.
• Most processing of personal data is subject to GDPR.
• Part 2 supplements the GDPR and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply.
• Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
• Part 4 makes provision about the processing of personal data by the intelligence services.
• Part 5 makes provision about the Information Commissioner.
• Part 6 makes provision about the enforcement of the data protection legislation.
• Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

The Data Protection Act 2018 outlines several data protection principles that must be followed by anyone responsible for using personal data. These principles include:

• Data must be used fairly, lawfully, and transparently.
• Data must be used for specified, explicit purposes.
• Data must be adequate, relevant, and limited to only what is necessary.
• Data must be accurate and, where necessary, kept up to date.
• Data must not be kept for longer than is necessary.
• Data must be handled securely to ensure appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.

The Act also provides stronger legal protection for more sensitive information, such as trade union membership, biometrics (when used for identification), and sex life or orientation. There are also separate safeguards for personal data relating to criminal convictions and offences.

Frequently asked questions