Data Protection Act 1998
| Act of Parliament | |
|
|
| Long title | An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. |
|---|---|
| Territorial extent | United Kingdom of Great Britain and Northern Ireland |
| Dates | |
| Royal assent | 16 July 1998 |
| Commencement | March 2000 |
| Other legislation | |
| Replaces | Data Protection Act 1984 |
|
Status: Current legislation
|
|
| Text of the Data Protection Act 1998 as in force today (including any amendments) within the United Kingdom, from legislation.gov.uk | |
The Data Protection Act 1998 (DPA) is a United Kingdom Act of Parliament which defines the law on the processing of data on identifiable living people and is the main piece of legislation that governs the data protection. Although the Act itself does not mention privacy, it was enacted to bring British law into line with the 1995 EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In practice it provides a way for individuals to control information about themselves. Most of the Act does not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions. The Act defines eight data protection principles, which apply in various contexts, to ensure that information is processed lawfully.
The 1998 Act replaced and consolidated earlier legislation such as the Data Protection Act 1984 and the Access to Personal Files Act 1987. At the same time it aimed to implement the European Data Protection Directive. In some aspects, notably electronic communication and marketing, it has been refined by subsequent legislation for legal reasons. The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to "positive consent" such as an opt in box. Exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be given permission on an opt out basis.
The Jersey data protection law was modelled on the UK law.
The Act's definition of "personal data" covers any data that can be used to identify a living individual. Anonymised or aggregated data is not regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or email address. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.
...
Wikipedia