2.1 The Data Protection Act 1998 (DPA)
The original Data Protection Act (DPA) became law in 1984. Organisations were legally obliged to act responsibly with respect to personal information, which relates to data on any living individual, held in computer databases.
It was replaced by the Data Protection Act 1998, which was implemented in two stages in 2000 and 2003. This change was needed to reflect the changes in technology that had taken place since the original DPA. The 1998 Act is currently in force and will be for the foreseeable future.
The Information Commissioner’s Office is an independent supervisory authority appointed by the government to oversee and enforce compliance with the Act in all dealings with personal information and to ensure access is freely available to recorded information held by public authorities. The Office reports directly to the UK Parliament. Note that the Scottish Information Commissioner’s Office promotes and enforces freedom of information in Scotland.
The DPA enforces strict rules on the storage and processing of electronic data that can uniquely identify a living person. It is designed to stop data being obtained or stored unnecessarily, to prevent it from being exchanged without good reason, to ensure it is held under secure conditions and to give individuals redress if they feel their personal data has been misused.
So, all organisations that store information on living individuals must comply with the Data Protection Act. The Information Commissioner maintains a public register of these organisations called the Data Protection Register.
Before you look at the Act in more depth, let’s define what is meant by ‘information’ and ‘data’, and how they differ:
- data is a representation of information so that it can be conveyed, manipulated or stored
- information is the meaning that we give to data in particular contexts.
So data cannot really be considered as information until it is given meaning and is interpreted by us. Opinion polls, where members of the public are asked their opinion on particular subjects, are good examples of where data is collected, stored and manipulated to show the resulting information as statistics. They may demonstrate how we might vote in the next parliamentary election, or whether one brand of food is preferred to another.
In terms of the DPA, data controllers are people who are employed by any organisation that stores, manipulates and retrieves personal information held on computers.
The DPA is based around eight fundamental principles of good information handling. Data controllers are legally required to act in accordance with these rules, the details of which are explained in the Principles of the DPA (PDF). The case study below describes an example of the Data Protection Act being used.
Case study: The British Pregnancy Advisory Service
The British Pregnancy Advisory Service is a charity offering confidential advice to pregnant women, including information about abortion and sterilisation.
In early 2012, a hacker defaced the charity’s site, claiming to have obtained records of nearly 10,000 people who had contacted BPAS and threatening to post their details online. Police were able to determine the IP address of the attacker’s computer and James Jeffery was arrested the next day in the West Midlands. No confidential data was released, although copies of the BPAS data were found on Jeffery’s computer.
BPAS had initially acquired the names through a ‘call back’ form where people could leave details so they could be contacted later, but had chosen to not continue with the ‘call back’ because of security concerns. However, unbeknownst to BPAS, the data was retained on the site and inadequately secured from attacks.
BPAS was fined £200,000 for the breach, although at the time of writing it was contesting the fine. In April 2012, James Jeffery was sentenced to 32 months in prison under the Computer Misuse Act.
Inadvertent breaches of the Data Protection Act may be prosecuted even though no harm was intended.
Case study: Hertfordshire County Council
In June 2010, Hertfordshire County Council breached the DPA on two occasions when its childcare department accidentally sent faxes to incorrect numbers.
On the first occasion, documents intended for lawyers were sent to members of the public, and on the second occasion, information including personal information about two children in council care, criminal convictions of two people and domestic violence records was sent to a legal practice unconnected to their case.
The council correctly alerted the Information Commissioner to the two breaches, but was fined £100,000 because of the seriousness of its mistake, which could have had serious consequences for the safety of children in the council’s care.
Next, you’ll learn about The Regulation of Investigatory Powers Act.