The Data Protection Act 1998 was an act of Parliament designed to protect personal data stored on computers or in organised paper filing systems. It enacted the provisions of the 1995 EU Data Protection Directive on the protection, processing and movement of personal data.
The 8 principles of the Act guided its purpose and the data protection policies of organisations.
The Data Protection Act 1998 replaced the Data Protection Act 1984, which barely covered digital media and computers. The DPA 1998 was enforceable until 25th May 2018, when it was superseded by the Data Protection Act 2018.
At its core, the DPA 1998 has eight principles which were used by organisations to design their own data protection policies. Complying with these was essential for organisations to meet their obligations.
Data Protection Act 1998 principles
The 8 guiding principles of the Act are as follows:
- Principle 1 – Fair and Lawful
- Principle 2 – Purposes
- Principle 3 – Adequacy
- Principle 4 – Accuracy
- Principle 5 – Retention
- Principle 6 – Rights
- Principle 7 – Security
- Principle 8 – International transfers
We will take a closer look at what they mean below.
Principle 1 – Fair and Lawful
Personal data should be controlled and processed fairly and lawfully in relation to individuals. The Act includes a Fair Processing Notice requirement, under which the controller must notify the data subject of the following information:
- The identity of the data controller
- The purposes for which the personal data are intended to be processed
- To whom the personal data may be disclosed
The first data protection principle gave individuals the right for their personal data to be processed fairly and lawfully by any organisation.
Principle 2 – Purposes
Personal data should only be obtained if it will be used for a lawful purpose. It should not be processed for any means incompatible with the purpose.
The second data protection principle placed a specific obligation on the controller to only use personal data for a lawful and justifiable purpose.
Principle 3 – Adequacy
Personal data should be adequate for the purpose it will be used for, and it must not be excessive in relation to that purpose.
The third data protection principle placed an obligation on the controller to only collect the minimum amount of information required.
Principle 4 – Accuracy
Personal data should be accurate and up to date. If personal data becomes inaccurate, it can no longer be used for the purpose.
The fourth data protection principle demanded the controller only collect, store and keep accurate information on the individual.
Principle 5 – Retention
Personal data should not be kept for longer than it is needed. Personal data cannot be stored indefinitely on the chance that it may one day serve a purpose.
The fifth data protection principle placed a limit on the amount of time the controller can keep personal information on the individual.
Principle 6 – Rights
Personal data should be processed in accordance with the rights of individuals. The following rights are mentioned in the legislation:
- Access to personal data
- Preventing processing likely to cause damage or distress
- Preventing direct marketing
- Automated decision making
- Correcting inaccurate personal data
- Compensation
The sixth data protection principle gave individuals the right to choose how their personal data would be used. People now had a say in how organisations who held data about them used that data in their activities.
Principle 7 – Security
Personal data should be protected using reasonable and practical means to maintain its integrity and to safeguard people’s rights and freedoms. The Act specifically states that controllers must adopt measures to prevent the following:
- Unauthorised processing of personal data
- Unlawful processing of personal data
- Accidental destruction, damage or loss to personal data
The seventh data protection principle placed a legal obligation on the controller to secure data against unauthorised or unlawful processing and against accidental loss or destruction.
Principle 8 – International transfers
Personal data should not be transferred outside the EU unless the destination country can ensure adequate protection for the data, so that the rights and freedoms of data subjects are maintained.
The eighth data protection principle required the controller to inform the individual of its intent to transfer their data overseas, and to ensure that the destination country could adequately protect the data under its own laws.
Comparing these guiding principles with the DPA 2018’s
Now that the Data Protection Act 1998 has been replaced by the Data Protection Act 2018, a comparison can be made between the two Acts.
The new principles are as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
There are seven principles now, with ‘international transfers’ and ‘security’ covered separately in the legislation. A new accountability principle features here, making it the legal obligation of the organisation to comply with the other principles and to be able to prove that compliance through documented policies that must be produced on demand. This is one of the biggest differences between the two Acts.
As you can see, the principles are markedly similar to those of the Data Protection Act 1998, although the legislation behind them is very different and individuals’ rights around the processing of their data have been enhanced. Perhaps the biggest difference is that the Information Commissioner’s Office (ICO) now has the power to fine both the controller and the processor. Under the DPA 1998, it only had powers to pursue the controller for infringement.
So there we have it: a summary of the 8 guiding principles of the now defunct Data Protection Act 1998. Many of the Act’s nuances live on in the Data Protection Act 2018, but any data protection policy based on the DPA 1998 will need updating to be compliant with the GDPR. Organisations that don’t do this now risk the effects of non-compliance, whether that be loss of business through being unable to produce appropriate policies, or action from the ICO.