Background
The 1998 Act replaced the Data Protection Act of 1984 and the Access to Personal Files Act of 1987. Additionally, the 1998 Act implemented the EU Data Protection Directive 1995. The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to "positive consent" such as an opt-in box. Exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be permitted on an opt-out basis. The Jersey data protection law was modelled on the United Kingdom's law.Contents
Scope of protection
Section 1 of DPA 1998 defined "personal data" as any data that could have been used to identify a living individual. Anonymised or aggregated data was less regulated by the Act, provided the anonymisation or aggregation had not been done reversibly. Individuals could have been identified by various means including name and address, telephone number, or email address. The Act applied only to data which was held, or was intended to be held, on computers ("equipment operating automatically in response to instructions given for that purpose"), or held in a "relevant filing system". In some cases, paper records could have been classified as a relevant filing system, such as an address book or a salesperson's diary used to support commercial activities. TheData protection principles
Schedule 1 listed eight "data protection principles": # Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: ## at least one of the conditions in Schedule 2 is met, and ## in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. # Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. # Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. # Personal data shall be accurate and, where necessary, kept up to date. # Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. # About the rights of individuals e.g. personal data shall be processed in accordance with the rights of data subjects (individuals). # Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. # Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. ;Conditions relevant to the first principle Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions had to be applicable to that data (Schedule 2). # The data subject (the person whose data is stored) has consented ("given their permission") to the processing; # Processing is necessary for the performance of, or commencing, a contract; # Processing is required under a legal obligation (other than one stated in the contract); # Processing is necessary to protect the vital interests of the data subject; # Processing is necessary to carry out any public functions; # Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject). ;Consent Except under the exceptions mentioned below, the individual had to consent to the collection of their personal information and its use in the purpose(s) in question. The European Data Protection Directive defined consent as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed", meaning the individual could have ''signified'' agreement other than in writing. However, non-communication should not have been interpreted as consent. Additionally, consent should have been appropriate to the age and capacity of the individual and other circumstances of the case. If an organisation "intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this." When consent was given, it was not assumed to last forever, though in most cases, consent lasted for as long as the personal data needed to be processed, and individuals may have been able to withdraw their consent, depending on the nature of the consent and the circumstances in which the personal information was collected and used. The Data Protection Act also specified that sensitive personal data must have been processed according to a stricter set of conditions, in particular, any consent must have been explicit.Exceptions
The Act was structured such that all processing of personal data was covered by the act while providing a number of exceptions in Part IV. Notable exceptions were: * Section 28 – National security. Any processing for the purpose of safeguarding national security is exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data). * Section 29 – Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle. * Section 36 – Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).Police and court powers
The Act granted or acknowledged various police and court powers. * Section 29 – Consent of the data subject was not required when processing personal data to prevent or detect crime, apprehend or prosecute offenders, the assessment and collection of taxes and duties and discharge a statutory function. * Section 35 – Disclosures required by law or made in connection with legal proceedings. This included obeying court orders and other laws, and were part of legal proceedings.Offences
The Act detailed a number of civil and criminal offences for which data controllers may have been liable if a data controller failed to gain appropriate consent from a data subject. However, consent was not specifically defined in the Act and so was a common law matter. * Section 21(1) made it an offence to process personal information without registration.''Data Protection Act 1998''Complexity
The UK Data Protection Act was a large Act that had a reputation for complexity. While the basic principles were honored for protecting privacy, interpreting the act was not always simple. Many companies, organisations, and individuals seemed very unsure of the aims, content, and principles of the Act. Some refused to provide even very basic, publicly available material, quoting the Act as a restriction. The Act also impacted the way in which organisations conducted business in terms of who should have been contacted for marketing purposes, not only by telephone and direct mail, but also electronically. This has led to the development of permission-based marketing strategies.Definition of personal data
The definition of personal data was data relating to a living individual who can be identified * from that data; or * from that data plus other information that was in the possession, or likely to come into the possession, of the data controller. Sensitive personal data concerned the subject's race, ethnicity, politics, religion, trade union status, health, sexual history, or criminal record.Subject Access Requests
The Information Commissioner's Office website stated regarding Subject Access Requests: "You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request.'" Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organisations could have charged a specified fee for responding to a SAR of up to £10 for most requests. Following GDPR: "A copy of your personal data should be provided free. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is 'manifestly unfounded or excessive'. If so, it may ask for a reasonable fee for administrative costs associated with the request."Information Commissioner
Compliance with the Act was regulated and enforced by an independent authority, the Information Commissioner's Office, which maintained guidance relating to the Act.EU’s Article 29 Working Party
In January 2017, the Information Commissioner's Office invited public comments on the EU's Article 29 Working Party's proposed changes to data protection law and the anticipated introduction of extensions to the interpretation of the Act, the Guide to the General Data Protection Regulation.See also
* Data Protection Act, 2012 (Ghana) *References
External links
UK legislation
* {{UK legislation Data laws of the United Kingdom Data protection Information privacy United Kingdom Acts of Parliament 1998