What is the UK Data Protection Act, and how does it affect your business?
There’s a growing awareness that the apps and services we use every day can collect vast amounts of data. High profile incidents such as the Cambridge Analytica scandal have shed light on the perils of oversharing online, and the way companies have previously abused permissions to harvest data. While much of this data may be considered harmless, even seemingly benign information can have substantial commercial value – and more private information can be a threat to personal security.
The UK’s Data Protection Act is designed to protect against such abuses, and to govern how organisations collect, store, and use personal data. Having been shored up by the EU’s General Data Protection Regulation (GDPR), the Data Protection Act is now an important bulwark against abuses of personal data – and a must-read piece of legislation for almost every business.
What is personal data?
The tenets of data protection in the UK are enshrined in the Data Protection Act, which sets out rules for how your personal information can be used by organisations, businesses or the government.
The Act controls how your personal data can be collected and how it is used. This might constitute information collected with explicit consent (e.g. a submitted form) or information collected passively (e.g. information on how you use an app or website). What makes the data ‘personal’ is the ability to associate it with you, through factors such as name, age, gender, location, or other key identifiers.
The UK Information Commissioner’s Office defines personal data – or Personally Identifiable Information (PII) – as data which relates to a living individual who can be identified:
- from that data; or
- from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller; and includes any expression of opinion about the individual and any indication of the intentions of the data controller, or any other person, in respect of the individual.
What is sensitive and personal data?
The UK ICO defines sensitive personal data – or Sensitive Personal Information (SPI) – as personal data consisting of information as to:
- the racial or ethnic origin of the data subject;
- their political opinions;
- their religious beliefs or other beliefs of a similar nature;
- whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- their physical or mental health or condition;
- their sexual life;
- the commission or alleged commission by them of any offence; or
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings, or the sentence of any court in such proceedings.
What activities are regulated by the Data Protection Act?
The main activity regulated by the Data Protection Act is the “processing” of personal data. In relation to information or data, processing is defined as obtaining, recording or holding said information or data, or carrying out any operation or set of operations on it. This includes:
- organisation, adaptation or alteration of the information or data;
- retrieval, consultation or use of the information or data;
- disclosure of the information or data by transmission, dissemination or otherwise making available; or
- alignment, combination, blocking, erasure or destruction of the information or data.
The 7 principles
Central to the Data Protection Act are its ‘data protection principles’, the key considerations all organisations must take into account when storing and using personal information. These principles should be cross-referenced when justifying any decision to collect, store or use personal data – ensuring that data is only retained for the right reasons, and handled with the utmost care and security.
The 1998 Act, which enacted provisions from the EU Data Protection Directive of 1995, was based on eight key principles that organisations used to create their own data protection policies. These have since been modified and condensed to seven principles to bring the law in line with the EU’s GDPR, though their spirit remains the same. The seven current principles of the Act are:
1. Lawfulness, fairness and transparency
One of the founding principles of GDPR – and one of the biggest changes to the previous Data Protection Act – is the bolstering of users’ right to know when their data is being collected. As well as using data fairly and lawfully, as enshrined in the previous version of the law, organisations must now use ‘clear, plain language’ to describe precisely what data the subject is being asked to hand over.
2. Purpose limitation
The Data Protection Act stipulates that data can only be used for the purpose outlined to the subject when it was collected. Expanded upon by GDPR, this greatly limits organisations’ ability to repurpose data. For example, companies are no longer allowed to use emails collected from clients to send them marketing materials unless the clients agreed at the time to receive marketing materials.
3. Data minimisation
As well as being limited to a specific purpose, data collected by organisations must be minimised – in other words, kept to only the data that is required to fulfil the outlined purpose. This means defining exactly what data you require before asking for it, and not collecting data that isn’t needed for the purpose you’ve outlined (e.g. recording people’s names if this isn’t relevant information).
4. Accuracy
This principle has barely changed since the Act was first introduced: data held by organisations must accurately reflect what was provided by the user. If it is found to be inaccurate, it should be either corrected or destroyed, so that inaccurate data is not used later on.
5. Storage limitation
The storage limitation principle dictates that organisations may not keep data for an indefinite period, or any longer than is necessary to fulfil its intended purpose. While there are public interest defences for retaining data (e.g. archives or scientific research), these must be both well justified and thoroughly documented.
6. Integrity and confidentiality
Known as the ‘security principle’ under the previous Data Protection Act, this principle now states that information must be kept both secure and intact, such that it cannot be accessed or used by anyone other than the organisation permitted by the user. This should be achieved using physical and technological safeguards where required, e.g. storage in a secure data centre.
7. Accountability
A new principle inherited from GDPR, accountability holds organisations responsible for both achieving and demonstrating compliance with the other six principles. This requires organisations not just to comply with the law, but to keep records demonstrating that compliance, and to have measures in place to ensure that those records are kept and maintained correctly.
Data protection officers, risk managers and those involved in processing and distributing data should become familiar with these principles in order to ensure that their organisation is compliant. Having a good working knowledge of GDPR will help you and your staff stay up to date with the requirements of the Data Protection Act, and of parallel European laws.
Sota has helped numerous clients to become fully compliant with GDPR and the UK Data Protection Act, as well as providing ongoing knowledge and support on data protection. To learn more about our services and how we can help protect your data, get in touch with us today.