2.1 The Data Protection Act 1998 (DPA)
This section is part of the amber and green pathways.
The original Data Protection Act (DPA) became law in 1984. Organisations were legally obliged to act responsibly with respect to personal information, which relates to data on any living individual, held in computer databases.
It was replaced by the Data Protection Act 1998, which was implemented in two stages, in 2000 and 2003. This change was needed to reflect the changes in technology since the original DPA. The 1998 Act is currently in force and will be for the foreseeable future. The most recent amendment was in 2018 and the Act is now referred to as the DPA 2018. Yet again, the changes made have been to keep up with changing digital technology. The DPA 2018 increases the responsibility on companies to ensure personal data is protected at all times. The DPA 2018 not only forces companies to report breaches, but they must inform the supervisory authority (SA) within 72 hours of the incident being discovered (the actual breach might have taken place long before but gone undiscovered).
The Information Commissioner’s Office is an independent supervisory authority appointed by the government to oversee and enforce compliance with the Act in all dealings with personal information and to ensure access is freely available to recorded information held by public authorities. The Office reports directly to the UK Parliament. Note that the Scottish Information Commissioner’s Office promotes and enforces freedom of information in Scotland.
The DPA enforces strict rules on the storage and processing of electronic data that can uniquely identify a living person. It is designed to stop data being obtained or stored unnecessarily, to prevent it from being exchanged without good reason, to ensure it is held under secure conditions and to give individuals redress if they feel their personal data has been misused.
So, all organisations that store information on living individuals must comply with the Data Protection Act. The Information Commissioner maintains a public register of these organisations called the Data Protection Register.
Before you look at the Act in more depth, let’s define what is meant by ‘information’ and ‘data’ and how they differ.
- data is a representation of information so that it can be conveyed, manipulated or stored
- information is the meaning that we give to data in particular contexts.
So data cannot really be considered to be information until it is given meaning and interpreted. Opinion polls, where members of the public are asked their opinion on particular subjects, are good examples of where data is collected, stored and manipulated to show the resulting information as statistics. They may demonstrate how we might vote in the next parliamentary election, or whether one brand of food is preferred to another.
In terms of the DPA, data controllers are people who are employed by any organisation that stores, manipulates and retrieves personal information held on computers. Inadvertent breaches of the Data Protection Act may be prosecuted, even though no harm was intended.
The DPA is based around eight fundamental principles of good information handling. Data controllers are legally required to act in accordance with these rules, the details of which are explained in the Principles of the DPA. The case studies below describe examples of the Data Protection Act in action.
Case study: Bounty UK
Bounty (UK) Ltd. is a company involved with the NHS maternity environment. It was fined £400,000 for illegally sharing the personal information of over 14 million people. The company collected personal information during interactions with its customers. The information was shared with third parties for direct marketing. About 34.4 million records were shared with credit reference and marketing agencies. This was not disclosed to the end users.
These activities were between June 2017 and April 2018. Therefore, the applicable act was the DPA 1998 with amendments and not the GDPR. Had it been the GDPR, the fines would have been much higher.
The ICO mentioned that this case involved the highest number of individuals whose information was brokered.
Case study: British Airways
In July 2019, British Airways was fined £183 million over a data breach that compromised 500,000 customers.
The incident was brought to the ICO in September 2018. The incident involved the traffic to the BA website being diverted to a fraudulent site, beginning in June 2018. The attackers harvested customer information, including login, payment card, and travel booking details, as well as name and address information.
The customers affected included those from the EU. The breach was a violation of the GDPR.
One area of change in the DPA 2018 concerns the case where personal identifiers, such as a person’s name, address or social security number, are replaced with a new tag to protect that person’s privacy; a process known as pseudonymisation.
Pseudonymisation is widely used where personal data is exchanged between organisations. An example might be a hospital patient receiving novel treatment. Their patient record containing their genuine name and address is used by their doctors, but a pseudonymised record with a random name might be shared with medical researchers.
As part of its implementation of GDPR, the DPA 2018 places new responsibilities on organisations using pseudonymisation to ensure that it is not possible for attackers to easily deanonymise personal data.
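The hospital scenario above, worked through as an added example that is not part of the original course text: direct identifiers are replaced by a keyed tag, the shared dataset keeps only the research fields, and the re-identification table (plus the key) stays with the hospital. The patient records, field names and the choice of HMAC-SHA256 are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample patient records; names and addresses are invented.
PATIENT_RECORDS = [
    {"name": "Alice Example", "address": "1 High Street", "treatment": "drug X", "outcome": "improved"},
    {"name": "Bob Sample", "address": "2 Low Road", "treatment": "drug X", "outcome": "no change"},
    {"name": "Alice Example", "address": "1 High Street", "treatment": "drug X", "outcome": "stable"},
]

DIRECT_IDENTIFIERS = ("name", "address")  # fields that must not leave the hospital


def pseudonym_for(record, key):
    """Derive a stable tag from the direct identifiers with a keyed HMAC.

    An unkeyed hash of a name could be matched against guessed names, so the
    tag depends on a secret key; without it, tags cannot be linked back to
    people. The same key yields the same tag for the same person, so repeat
    visits remain linkable for the researchers.
    """
    ident = "|".join(record[f] for f in DIRECT_IDENTIFIERS).encode("utf-8")
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:20]


def pseudonymise(record, key):
    """Return a copy of the record with identifiers replaced by the tag."""
    shared = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    shared["pseudonym"] = pseudonym_for(record, key)
    return shared


def build_research_dataset(records, key):
    """Split records into the dataset to share and the re-identification table.

    The table (tag -> identifiers) and the key are the additional information
    that allows re-identification; both stay with the data controller.
    """
    shared = [pseudonymise(r, key) for r in records]
    lookup = {pseudonym_for(r, key): {f: r[f] for f in DIRECT_IDENTIFIERS} for r in records}
    return shared, lookup


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once; stored apart from the shared data
    shared_rows, reid_table = build_research_dataset(PATIENT_RECORDS, key)
    for row in shared_rows:
        print(row)
```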
Next, you’ll learn about the Investigatory Powers Act.