Corporate Governance

The Data Protection Act 1998

‌The Legislation

DPA_legislationThe Data Protection Act 1998 (the DPA) came into effect on 1st March 2000. The EC Directive on which this legislation is based was designed to protect the rights and freedoms of individuals, in particular their right to privacy with respect to the processing of personal data. The main effect of the 1998 Act was to ensure manual records are given the same protection as computer records.  In May 2018, the General Data Protection Regulations [link] will supersede the Data Protection Act 1998.

For the full text of the Data Protection Act  1998, go to the website of the Office of Public Sector Information

Definitions used in the DPA

Personal Data

Personal data is any information that can identify a living person either by itself e.g. a person's name, or with other information e.g. an address plus a name.

Sensitive Personal Data

The DPA defines some personal data as sensitive personal data. Sensitive personal data must be processed more carefully with respect to the purposes for which it is collected and who will have access to that information, than other data collected.

Sensitive personal data is defined in the legislation as data referring to:

  1. the racial or ethnic origin of the data subject,
  2. his/her political opinions,
  3. his/her religious beliefs or beliefs of a similar nature,
  4. membership of a trade union,
  5. his/her physical or mental health or condition,
  6. his/her sexual life,
  7. the commission or alleged commission by him/her of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.


'Processing' is the inclusive term given to the collection, use, storage and ultimate destruction of any personal data.

Data Subject

A data subject is the individual to whom the information relates.

Data Controller

The data controller is the organisation that processes the personal data.

Data Processor

A data processor is a third party that processes personal data on behalf of the data controller, but responsibility for that processing remains with the data controller.

Subject Access Request

Anyone can make a request to find out what information is held about them.  This is known as a Subject Access Request.

Notification as a Data Controller

The DPA imposes several requirements on any organisation that processes personal data. The first is that the data controller must notify the Information Commissioner of:

  1. The personal data it is processing,
  2. From whom the information will be collected from,
  3. To whom it may be disclosed to, and
  4. The purposes for which the information is processed.

To view the University's notification as a data controller, click on the following link to the Public Register of Data Controllers on the Information Commissioner's website.

The Data Protection Principles

Anyone processing personal data must take into account the 8 data protection principles when processing personal data to ensure the data is handled properly.

The 8 principles are that:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall only be processed for the purposes for which it was collected and not for any other purpose(s).
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data shall not be kept for longer than is necessary.
  6. Personal data shall be processed in accordance with the rights of data subjects under the DPA.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred outside of the European Economic Area unless an adequate level of protection for the data can be ensured.

The Rights of the Data Subject

A data subject - that is the individual to whom the information relates - has several rights in relation to the processing of their personal data, as outlined in the Sixth Principle. The following is a general explanation of the rights, but further information on how to pursue these rights are detailed in the DPA.

Firstly, there is the right of access to personal data, where the individual is entitled:

  1. To be told if a data controller is processing any information about that individual,
  2. If that is the case, to be given a description of that information, why it is being kept and to whom it may be disclosed,
  3. To have that information given to them as well as details about how that information was received, and
  4. Where the processing is carried out automatically for the purpose of evaluating matters relevant to that person, to have the logic involved in the decision taking explained.

Secondly, there is the right to prevent processing likely to cause damage or distress. An individual can ask a data controller to cease or not begin processing any personal data if that processing could cause unwarranted substantial distress to the individual or someone connected to the individual.

Thirdly, there is the right to prevent processing for purposes of direct marketing whilst the fourth right is in relation to automated decision-taking. The individual can ask the data controller to ensure that no decision that could significantly affect the individual is based solely on processing by automatic means.

Finally, there are the rights to compensation for failure to comply with the previously mentioned rights, and the rights to amend personal data. An individual who suffers damage as a result of failure by the data controller to comply with the DPA is entitled to compensation, and in cases where a court decides that personal data is inaccurate, the court can order the data controller to block, rectify, erase or destroy any personal data that is inaccurate, including any expression of opinion.