6.2 Data protection law in the UK
Case study 5 quotes the principles of the EU’s General Data Protection Regulation (GDPR), which are included in the UK’s data protection law of 2018.
Case study 5: The UK Data Protection Act 2018
This Act replaces earlier data protection legislation to make UK law align with the requirements of the EU’s General Data Protection Regulation (GDPR). The essence of this Act is encapsulated in a set of principles that are derived from Article 5(1) of the GDPR, quoted below.
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’)
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Additionally, as specified in Article 5(2) of the GDPR, there is a seventh principle that requires data controllers to be responsible for, and be able to demonstrate compliance with, the first six principles.
These principles are set out in the Act, together with guidance for interpreting key terms such as what is meant by ‘personal data’ and ‘sensitive processing’. For example, while any data that is linked to an individual in an identifiable way is considered ‘personal data’, information that may reveal details of an individual that have the potential to affect their fundamental rights or freedoms (e.g., religion, political affiliation, trade union membership) is considered ‘sensitive’ and needs to be processed more carefully. For more details on what is considered ‘personal’, see the UK Information Commissioner’s guidance on
Starting from these principles, GDPR also establishes a number of rights for individuals in relation to the collection and processing of their data:
- The right to be informed: this relates to the transparency principle and means that individuals need to be told about how their personal data is collected and processed. There is an expectation that this information will be provided in a clear, concise and accessible format.
- The right of access: which means people can make a request to find out what personal data is being held by an organisation. This is also called a ‘Subject Access Request’. Organisations must provide this information in less than a month and should in most cases do this free of charge.
- The right to rectification: individuals can ask for any errors in information held about them to be corrected on request and organisations are expected to respond promptly, within one calendar month.
- The right to erasure: sometimes called ‘the right to be forgotten’, this allows individuals to request that data about them should be deleted by an organisation. However, this is not an absolute right and organisations are not required to comply with requests where there is a legitimate requirement to collect or process data, for example where the data is part of the evidence in a legal claim.
- The right to restrict processing: this allows individuals to ask organisations to limit the ways in which their personal data is used.
- The right to data portability: aims to enable individuals to access their data for their own use, or to move it to a different IT system. There need to be measures in place so that appropriate confidentiality, integrity and availability requirements are satisfied when data is moved under this right.
- The right to object: allows individuals to ask organisations to stop processing their data. This gives people the absolute right to stop their data being used for direct marketing, and some more limited grounds for objecting to other uses of their data, such as for research purposes.
- Rights in relation to automated decision making and profiling: relate to how organisations might use data processing algorithms to make automatic decisions in relation to an individual, for example where a computer system decides whether to grant someone a loan.
GDPR protects EU citizens from abuses of data privacy by companies based in their own country as well as those based in member states. Additionally, any company wishing to process personal data of EU citizens, no matter where they are based in the world, will be obligated to obey GDPR. Under GDPR, each country will have its own Statutory Authority (SA) to oversee data protection, which in the UK will be the Information Commissioner’s Office (ICO). GDPR increases the responsibility of companies to ensure personal data is protected at all times. GDPR requires all organisations employing more than 250 people to have at least one Data Protection Officer (DPO) responsible for developing that organisation’s data protection policies and ensuring that it is compliant with GDPR. This represents a major change from the 1998 Data Protection Act which did not require organisations to employ DPOs.
With the principles of GDPR included in the UK’s 2018 Data Protection Act, they will continue to be important requirements for systems that collect and process UK citizens’ data. It is also important to note that the Act is not limited to enacting the provisions of the GDPR and that it includes aspects of data collection and processing which fall under UK national jurisdiction – such as those relating to immigration and law enforcement.
Data collected and processed by computer systems should be accurate and appropriate, kept secure, and only used for the purposes for which they were gathered.