What is the Data Protection Act 1998?
Despite GDPR coming into force, businesses may still find themselves sanctioned under the 1998 act
The European Union's General Data Protection Regulation (GDPR) was one of, if not the biggest shake-ups of data laws the world has ever seen. Since its introduction in May 2018, the way businesses across Europe collect, store and use data has come under greater scrutiny.
However, its introduction also came amid the UK's prolonged exit from the EU. This led to uncertainty over whether the UK would adopt the legislation, since its main purpose was to harmonise data transfers between member states. GDPR has, however, continued to apply in the UK in the form of the Data Protection Act 2018.
The DPA 2018 is often referred to as 'UK GDPR' but is actually an update to the Data Protection Act 1998. It translates the majority of the GDPR's principles so that they fit into existing UK law.
The 1998 law is still in use for cases of data misuse or theft that happened before 23 May 2018 (the implementation date of DPA 2018). And, given the new law is still relatively new, it's important that businesses understand how both work since they can still be found in breach of the older one.
It's also important to understand that data laws have had to evolve, which may have changed some articles of the Data Protection Act 1998. This article covers how much it has changed and its current scope in terms of compliance, along with a brief history of UK data laws and how they can still affect you and your business.
Data Protection Act 1998: Definition
The Data Protection Act 1998 was the law governing the processing of personal data by all organisations, be they public or private, including charities.
All data breaches in the UK are investigated by the Information Commissioner's Office (ICO), and the same was true under the 1998 act, which also set out the type of penalty that could be applied if someone was found to have contravened its rules.
Data Protection Act 1998: Summary
The Data Protection Act 1998 regulated the use and protection of personal data, and outlined the responsibilities a business had to protect that data. It superseded the Data Protection Act 1984 and Access to Personal Files Act 1987.
It was amended in 2003 to give individuals more control over the digital marketing communications they receive, meaning they must opt in to receive emails, SMS text messages and the like from an organisation they have never had contact with before.
Data Protection Act 1998: What was personal data defined as?
Under the act's data protection principles, and the regulations that preceded it, personal data was defined as information relating to an individual that can be used, either in isolation or in combination with other data sources, to reveal that individual's identity. Where a data controller already held such data, personal data also encompassed any further information about that individual that came into the controller's possession.
This also included expressions of opinion about that person and any intentions the data controller or another individual may have had in regard to them.
The DPA 1998 also provided protection for sensitive personal data, which was defined as information relating to a person's racial or ethnic origin, political and religious or similar beliefs, membership of a trade union, physical and mental health, sex life, any criminal charges or allegations against them, and any proceedings against them (such as a court case or a prison sentence).
Data Protection Act 1998: What data formats were covered?
The DPA defined possession of data as that which resided in a machine or on paper in a readable, accessible way. Regarding paper forms of information, the ICO classified paper filing systems as individuals' records being held in a "systematic, structured way" that provided easy access to those individuals' information.
Data was also classified as "accessible records" covering health or education. While this information wasn't necessarily held in a structured, easily accessible way, it was important enough that the DPA stipulated it should still be protected.
Data controllers' "data processing" activities were also subject to the DPA's rules. Processing was a very broad term covering every interaction with personal data, from collection and storage through to use, disclosure and deletion. As the ICO noted, almost any activity concerning data would constitute processing.
Data Protection Act 1998: What were the penalties for a data breach?
There were a number of penalties and processes available to the ICO when it came to taking action on data protection.
The most material impact was perhaps the possibility of a fine. As of April 2010, the ICO was able to issue penalties of up to £500,000 for offences taking place on or after that date, although the maximum fine was only ever imposed once (against Facebook during the 2018 Cambridge Analytica scandal).
It was also able to lay out the processes an organisation should undertake in order to improve its data protection posture, and could conduct audits to ensure compliance (these could be consensual or, if necessary, compulsory).
If a breach occurred, in addition to the possibility of a £500,000 fine, the ICO was able to prosecute anyone it believed had committed a criminal offence under the act.
Data Protection Act 2018
After 20 years, UK data protection regulations received an overhaul following Royal Assent on 23 May 2018. The Data Protection Act 2018 updates the UK's data protection legislation to make it more relevant to the way technology is used today and harmonises UK law with the EU's General Data Protection Regulation (GDPR).
The act mirrors GDPR in many aspects, including tougher sanctions for data breaches (up to £17 million or 4% of global turnover).
The new Data Protection Act 2018 modernises the UK's data protection framework to account for the value of people's personal data today, offering people stronger rights over what others can do with their data, and requiring companies to gain people's consent to use their information.
Generally, most provisions under the 1998 act have been strengthened, requiring far more from organisations when it comes to seeking consent and holding data for longer than necessary.
When it comes to processing data, companies are now required to make efforts to be transparent, which was not necessarily required under the 1998 act. It is also far more difficult to collect data under the 2018 act, as collection needs to have an explicit purpose.
What specific data could be collected was also open to interpretation under the 1998 act, as organisations could use data provided it wasn't deemed "excessive" relative to its original purpose. Under the 2018 act, processing is limited to only that data considered relevant to the stated purpose.
For more information on the new Data Protection Act 2018, and how it works alongside GDPR, head here.
Data Protection Act 1998 - important terms and further reading
Data subject: Data subject is a term used in both the GDPR and DPA. It refers to an individual who is the subject of personal data.
Data controller: As with data subject, data controller is used in both the GDPR and the DPA. It means a person who, alone or jointly with others, decides how and why any personal data is or will be processed.