Principles of Data Protection Act in the UK

In an attempt to safeguard the personal data of its citizens, the UK government came up with a set of rules regulating how organisations, businesses and the government itself collect, store and process that data. These rules were set out in the Data Protection Act of 1998. They were later updated in 2018 so as to incorporate the wider European standards and, at the same time, reflect the changes and developments that have taken place in the realm of personal data. You will agree that the data landscape has changed massively since 1998, especially given the data breaches and data mishandling that have occurred quite often, affecting millions of citizens. This is why the UK government, in collaboration with the other EU members, introduced the General Data Protection Regulation in 2018. In this guide, we will look at the Data Protection Act of 1998 and the GDPR of 2018, examining the principles of data protection under the two pieces of legislation and whether anything has changed. But first:

What is the data protection act?

The Data Protection Act UK, or DPA, is an Act of Parliament designed to protect all personal data of UK citizens held either on computers or in organised paper filing systems. Before this Act, the law in place had been enacted in 1984, and as you know, there were no digital media or internet then, so they were never mentioned in the regulations. The 1998 Act was enacted to replace the earlier Act. Under this regulation, there were 8 principles that organisations were to use when designing their data protection policies. In 2003, the 1998 Act was amended to implement the European Data Protection Directive 95/46/EC. Together, these acts regulated how personal data was to be collected, stored, and used by organisations across the UK, and data controllers and processors were obligated to follow these data protection principles.

Data Protection Act 2018 (GDPR)

The Data Protection Act 2018 is the Act of Parliament in the UK that replaced the Data Protection Act of 1998. After the GDPR came into force in Europe, the UK parliament had to update its data protection laws to bring them in line with the new regulation. Just like the GDPR, the UK's 2018 Act sets out rules that guide the processing of personal data. And since some parts of the GDPR were left for member states to adapt to their own citizens, the UK's Data Protection Act 2018 also covers those sections. Basically, the UK government set out a similar data processing framework, including processing by immigration services, processing by intelligence services, and the processing of data held in unstructured form by local authorities.

Now, looking at both the 1998 Act and the 2018 Act, you will notice that the main differences include the right of reassurance, the inclusion of all exemptions, the fact that data subjects were given the right to request the erasure of their personal data, the fact that the 2018 Act is in tandem with the GDPR, and most importantly, the fact that the rights of data subjects were massively increased under the new law.

What are the principles of the data protection act?

As we mentioned above, the Data Protection Act lists a total of 8 data protection principles, which all data processors and controllers are supposed to follow when handling personal data of EU citizens. Under the 2018 Act, it became crucial for all organisations to use these principles as the foundation upon which they build their data protection practices. These principles are as follows:

Lawfulness, fairness, and transparency – lawfulness simply means that the processing of personal data must be done lawfully, and you must identify specific grounds as the basis of the processing. There are six lawful bases for data processing, clearly set out under Article 6 of the DPA 2018, and they are as follows:

Consent – meaning that data processors and controllers must obtain clear consent from the data subjects before they process their personal data.

Contract – processing is done in fulfilment of a contract between the data subject and the data processor.

Legal obligation – other than a contractual obligation, the data processor may be required to process certain data in compliance with a legal requirement.

Vital interest – if the processing of personal data is required to save someone’s life, then the processor should do so, since this is considered a lawful basis.

Public interest – there are times when data processing is necessary to protect the interest of the general public. This is also considered to be a lawful basis, and whenever such a need arises, the processor should do so, whether or not the data subjects agree.

Legitimate interests – data processing is also lawful when there are legitimate interests involved, either for the processor or for a third party.

If an organisation processes data without any lawful basis, that is a clear breach of this principle, and it may attract a legal penalty.

As for fairness, the law essentially states that the processing of personal data must be fair as well as lawful. If the data processing, or any aspect of it, is deemed unfair, then it breaches this principle even where there is a lawful basis for doing it. What the law envisions is that, even with a lawful basis, processors should only process data in a manner that would be reasonably expected, and not take advantage of the lawful basis to process it in a manner that would have unjustified adverse effects on the data subjects. Note that fairness starts at the initial data collection phase, not just at processing. For instance, if an organisation lied to the data subjects when collecting the data, that would be unfair, and any processing after that is unlikely to be fair. So, to ensure fairness in your data processing, you need to ask yourself how the processing affects those concerned, either individually or as a group. Remember, processing may sometimes affect the data subject negatively without necessarily being unfair.

Transparency is closely linked to fairness. It states that when processing personal data, organisations must be clear, honest, and open with the data subjects, from start to finish. You might start with something as simple as explaining who you are and why you are collecting their personal data. This is the starting point for a transparent process, as it gives the subjects a choice on whether to commit or not. Transparency is especially crucial when there is no direct relationship between the data processor and the data subjects, since people might not know you are collecting their data, and that alone would be a breach of this principle.

Now, this principle was enacted under the Data Protection Act 1998 and was later updated under the Act of 2018.

Purpose limitation – in very simple terms, this principle stipulates that when an organisation collects data for a specific, clearly communicated, and understood purpose, that data should not be used for any other purpose. However, it’s not a total ban! As per the law, this principle may not apply when the grounds for processing are public interest, historical research, or statistical or scientific purposes. But in general, the law still limits the extent to which data processors may “multi-purpose” the data in their possession. What this principle aims to achieve is to ensure that data controllers and processors – which includes organisations, businesses, and the government – are open and clear about the reasons they are obtaining personal data, and that what they do with it is within the reasonable expectations of everyone concerned. This way, data subjects can decide from the outset whether or not they are comfortable sharing their personal information with you.

So, what happens when an organisation, after collecting data, decides to use it for a purpose other than the one it stated when collecting it? Well, the UK GDPR doesn’t necessarily ban the use of personal data for other purposes! What it does is impose restrictions. The law anticipated the scenario where the previously stated purpose changes and a new purpose arises, and it authorises the organisation to proceed with processing, but only when:

  • The new purpose is compatible with the initial purpose – here we are talking of archiving purposes in the public interest, statistical purposes, or historical or scientific purposes.
  • The data subject gives clear consent to these specific purposes.
  • There is a clear legal provision that allows or requires you to process.

You might be wondering, ‘how will I decide whether the new purpose is really compatible or incompatible with the original purpose?’ If so, ask yourself the following questions first:

  • Is there any link between the new purpose and the old purpose?
  • What was the context within which you collected the original data, particularly your relationship with the data subjects and what they would reasonably expect?
  • What is the nature of the data – is it sensitive?
  • What consequences will processing the data have on the data subjects?
  • And lastly, are there appropriate safeguards to protect the data?

The answers to these questions will help you determine whether your new purpose is compatible or not. Remember, if the new purpose is not compatible, you will have to seek specific consent from the data subjects before you do anything else.

Data minimisation – essentially, this principle is all about ensuring that the amount or extent of the data collected and/or processed is relevant, adequate, and most importantly, limited to its intended use. It aims to stop data controllers and processors from hoarding too much data without a clear rationale. The manner in which you determine whether the data is adequate, limited, and relevant isn’t clearly defined under the UK GDPR. It will depend on your specific purpose for the personal data, which differs from one case to another. So, to know whether the data you have collected is the right amount, you first need to know exactly why you need it. For instance, if you are collecting data for criminal investigations, you must ensure you collect the right amount of information to complete the case – nothing less, nothing more. Also, regularly review the data in your possession to ensure that it is still adequate and relevant for your intended purposes, and if you find data that you don’t need, erase it right away.

Accuracy – the aim of this principle has always been to make data controllers and processors keep the data in their possession up to date, checking whether there are mistakes that need to be corrected or removed, and ensuring that the data is clear and accurate. Even though the Data Protection Act doesn’t really define what ‘accurate’ means, it does say that ‘inaccurate’ means ‘misleading or incorrect compared to the truth, or matter of fact’. In most cases, telling whether personal data is accurate is quite obvious. But to know this, you have to know the data you hold – what it is, plus what it should show – which means that from the initial data collection phase, you have to ensure you record the data accurately. This way, if something changes, you will be able to pinpoint it during a review. So, updating the data is a crucial step in ensuring that the data being processed is accurate at all times. It is important to note, however, that not all data needs to be updated. Information such as employee or customer records can be updated, but information held for statistical, scientific, or historical purposes shouldn’t be, otherwise it defeats the whole purpose. If the data in question is sensitive, you should wait until the individual asks you to update it. Also, organisations can periodically ask individuals to update their own details, if need be. Ultimately, the data should be kept up to date, and therefore accurate.

Storage limitation – this principle restricts data controllers from keeping data for indefinite periods, especially after it has served its intended purpose. However, data held for scientific, historical, research, or public interest purposes is exempt under this principle.

Why is storage limitation important?

When you anonymise or erase personal data once it has served its intended use and you no longer need it, you drastically reduce the risk of it becoming irrelevant, inaccurate, excessive, or out of date. Besides complying with the data minimisation and accuracy principles, you also reduce the chances of using that data in error, to the detriment of everyone concerned. Secondly, when you hold data for too long, it becomes unnecessary, and as a result you no longer have a lawful basis for retention, which means you can suffer legal consequences.

Thirdly, there is always a significant cost associated with storing and securing data in an organisation, so when you store excess data that you don’t need, you only end up paying more, which is definitely something you want to avoid.

Fourth, erasing data that you no longer need from your systems will enable you to access other crucial data faster upon request by individuals.

So, unless there is clear justification to keep specific data longer, you should regularly review the data in your storage and make sure that you delete or destroy data that is no longer needed or is out of date.

Integrity and confidentiality – this principle aims to keep personal data safe using appropriate security measures, on both the physical and the technological fronts. The principle is stated under Article 5(1)(f) of the UK GDPR, which says that personal data must be:

   ‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’

Basically, any personal data that an organisation holds must be protected at all times from being compromised, either accidentally or deliberately. So, as an organisation, you have to implement proper security measures, not just to protect the data in storage, but also the data being processed. Some of the best measures include:

  • Installing alarms, CCTV, and security lighting, and fitting quality locks.
  • Controlling everyone going in and out of the premises.
  • Having a proper paper and electronic waste disposal system to ensure that data due for destruction doesn’t fall into the wrong hands.
  • Securing all IT devices that could be used to access the data, such as tablets, phones, and laptops, with strong passwords and always keeping them in a secure location.

You should also ensure that your network and information systems are secure, that there is appropriate access control over the data in those systems, and that all your websites and online services are secure.

Whichever measures you choose to take, they:

  • Must ensure that personal data can only be accessed, disclosed, altered, or deleted by those authorised to do so, and that these people only do so within the scope given to them by the organisation’s management.
  • Must ensure that the data remains complete and accurate, especially during processing.
  • Must ensure that the data remains usable and accessible, meaning that even if the data is accidentally lost, destroyed, or altered, it can be readily recovered, thereby preventing any distress to the individuals concerned.

Accountability – this principle, as stipulated in the Data Protection Act 2018, requires data controllers and processors to take responsibility for any personal data they handle or process, and most importantly, for their compliance with all the other principles.

Why is taking responsibility important?

For starters, taking responsibility and demonstrating the steps you have taken to protect individuals’ rights will not only result in better GDPR compliance, but will also provide a competitive edge for your organisation. Essentially, you are showing the public that you respect individuals’ privacy, which in turn helps you develop and sustain their trust. Secondly, if the unexpected happens, being accountable means being able to show that you considered the risks and put safeguards in place to mitigate the damage, which can only help your reputation.

Now, you might be wondering how you can ensure that you are fully accountable as a data controller. Well, it depends! Larger organisations will take a different approach from smaller ones. Let’s elaborate further:

A larger organisation may decide to put in place a privacy management framework, which can help create a culture of commitment to data safety. Such a framework can include things like:

  • Assessment and evaluation procedures
  • An appropriate reporting structure
  • Robust program controls

A smaller organisation:

  • Could ensure a good level of understanding of data protection among all its staff.
  • Could also implement comprehensive policies and procedures for dealing with personal data.
  • Must also maintain a record of everything it does, including the reasons for doing it.

International data transfers – the GDPR restricts the transfer of personal data, whatever the size of the transfer, to countries outside the EU. The reason is that organisations in those countries are simply not under the same jurisdiction, especially when it comes to data protection. After Brexit, the EU Commission had to deliberate on whether data transfers between the UK and other EU member states would be affected in any way, and it determined that they shouldn’t be. It found the country to have ‘adequate’ laws protecting its citizens’ data, so that no additional safeguards were necessary when transferring data. However, if the data being transferred relates to immigration control or to areas where the immigration exemption applies, then EU organisations sending the data to the UK must put particular safeguards in place.

When it comes to data transfers from the UK to other countries, there are restrictions in place as well, which broadly mirror the EU GDPR. However, since the UK became independent after Brexit, the GDPR framework, especially as regards data transfers, is always subject to government review. Also, data transfer from the UK to the EEA, or to any country covered by an EU adequacy decision, is subject to specific safeguards that the UK government will continue to set out. This also applies to other international organisations from the rest of the world, where the government has to be convinced that the legal framework in those countries provides adequate protection for people’s rights over their personal data.

Individual rights in relation to GDPR principles

All these principles are largely derived from the following individual rights, which were strongly emphasised in the Data Protection Act 2018:

Right to be informed – organisations handling personal data are now obligated under the new law to always provide clear information to data subjects about the data being collected: why is it being collected? How will it be used? Will it be shared, and if so, with whom? And lastly, for how long will it be kept? All these questions must be answered!

The right of access – upon request, individuals are entitled to access their personal data, especially when it is being processed. Individuals may also want access to the data in order to update it. In either case, the data controller is required by law to grant access.

The right to rectification – this right corresponds to the accuracy principle: individuals have the right to request rectification whenever they notice something incomplete or inaccurate in their personal data.

The right to erasure – this right allows individuals to request the deletion or removal of data when there is no longer a reason to hold it. This right can also extend to search engine companies, where the individual may request the removal of specific results, or simply a limit on their discoverability, if the data is no longer useful.

The right to restrict processing – under the DPA 2018, individuals can now restrict or block the processing of personal data for a number of reasons, which could include inaccurate data, unlawful processing, or simply a pending objection to the processing.

Organisations are required by law to inform data subjects about all these rights from the outset. Failure to do so could result in heavy legal fines for non-compliance.

Final thought

To ensure GDPR compliance, which is of critical importance to organisations in the UK and the wider EU region, one must be familiar with the GDPR principles. This will not only boost your business and reputation, but will also prove to people that you care about their rights over their personal data, so they will be able to trust you even more.
