What is the Data Protection Act 1998?
Despite GDPR coming into force businesses may still find themselves sanctioned under the 1998 act
The introduction of the EU's General Data Protection Regulation (GDPR) in May 2018 brought with it a major shake-up to data laws across Europe. Representing the world's widest-reaching set of regulations, in terms of the number of states involved, and one of its strictest, GDPR effects every single business operating within its scope.
The main goal of GDPR was to harmonise data transfers throughout member states, and despite Brexit and attempts to dissociate the UK from EU laws, GDPR will continue to exist in the UK in the form of the Data Protection Act 2018.
Often referred to as 'UK GDPR', the DPA 2018 was introduced as an updated replacement to the 1998 act of the same name, and translates the majority of the principles of GDPR to fit with existing UK law.
However, given that these laws are not retroactively applied to new cases, any incidents involving the misuse or theft of data that occurred before 23 May 2018 (the implementation date of DPA 2018) will be scrutinised under the 1998 law. As the new rules are in their infancy, it's likely that any new data breach reports shared to authorities will relate to incidents that took place prior to GDPR being implemented, in some cases years before.
It's therefore important that businesses understand the articles of the older law and what changes have been made since that act, particularly as the definitions of what constitutes data processing have evolved.
So what was the scope of the Data Protection Act 1998, and how much has changed in terms of compliance? Below we've provided a brief history of data laws in the UK and the ways in which they may still influence your decisions when it comes to handling a data breach.
Data Protection Act 1998: Definition
The Data Protection Act 1998 was the law governing the processing of personal data by all organisations, be they public or private, including charities.
All data breaches in the UK are investigated by the Information Commissioner's Office (ICO) and the same was true then, although the act provided guidelines for the type of penalty that could be applied if someone was found to have been in contravention of the rules.
Data Protection Act 1998: Summary
The Data Protection Act 1998 regulated the use and protection of personal data, and outlined the responsibilities a business had to protect that data. It superseded the Data Protection Act 1984 and Access to Personal Files Act 1987.
It was amended in 2003 to give individuals more control over digital marketing communications they receive, meaning they must opt-in to receive emails, SMS text messages etc from an organisation if they've never had contact with it before.
Data Protection Act 1998: What was personal data defined as?
According to data protection principles, and previous regulations, personal data is defined as information related to an individual that can be used either in isolation or in tandem with other data sources, to reveal that individual's identity. If there is such pre-existing data held by a data controller, then personal data also encompasses information that may come under this entity's possession.
This also included expressions of opinion about that person and any intention the data controller or another individual may have in regards to them.
The DPA 1998 also provided protection for sensitive personal data, which was defined as information relating to a person's racial or ethnic origin, political and religious or similar beliefs, membership of a trade union, physical and mental health, sex life, any criminal charges or allegations against them, and any proceedings against them (such as a court case or a prison sentence).
Data Protection Act 1998: What data formats were covered?
The DPA defined possession of data as that which resided in a machine or on paper in a readable, accessible way. Regarding paper forms of information, the ICO classified paper filing systems as individuals' records being held in a "systematic, structured way" that provided easy access to those individuals' information.
Data was also classified as "accessible records" covering health or education. While this information wasn't necessarily held in a structured, easily accessible way, it was important enough that the DPA stipulated it should still be protected.
Data controllers' "data processing" activities were also subject to the DPA's rules. Processing was a very broad term covering plenty of things, but was thought of as relating to every interaction had with personal data. As the ICO noted, almost any activity concerning data would constitute processing.
Data Protection Act 1998: What were the penalties for a data breach?
There were a number of penalties and processes available to the ICO when it came to taking action on data protection.
The most material impact was perhaps the possibility of a fine. As of April 2010, the ICO was able to issue penalties of up to 500,000 for offences taking place on or after that date, although the maximum fine was only ever imposed once (against Facebook during the 2018 Cambridge Analytica scandal).
It was also able to lay out processes an organisation should have undertaken in order to improve its data protection posture, and was able to conduct audits to ensure compliance (these could have been consensual or, if necessary, compulsory).
If a breach occurred, in addition to the possibility of a 500,000 fine, the ICO was able to prosecute anyone it believed had committed a criminal offence under the act.
Data Protection Act 2018
After 20 years, UK data protection regulations received an overhaul following Royal Assent on 23 May. The Data Protection Act 2018 updates the UK's data protection legislation to make it more relevant to the way technology is used today and harmonises laws with that of the EU's General Data Protection Regulation (GDPR).
The act mirrors GDPR in many aspects, including tougher sanctions for data breaches (up to 17 million or 4% of global turnover).
The new Data Protection Act 2018 modernises the UK's data protection framework to account for the value of people's personal data today, offering people stronger rights over what others can do with their data, and requiring companies to gain people's consent to use their information.
Generally, most provisions under the 1998 act have been strengthened, requiring far more from organisations when it comes to seeking consent and holding data for longer than necessary.
When it comes to processing data, companies are now required to make efforts to be transparent, which was not necessarily required under the 1998 act. It's also far more difficult to collect data under the 2018 act, as it needs to have an explicit purpose.
What specific data could be collected was also up for interpretation under the 1998 act, as organisations could use it provided it wasn't deemed "excessive" compared to its original purpose. Under the 2018 act, processing is limited to only that data considered relevant.
For more information on the new Data Protection Act 2018, and how it works alongside GDPR, head here.
Data Protection Act 1998 - important terms and further reading
Data subject: Data subject is a term used in both the GDPR and DPA. It refers to an individual who is the subject of personal data.
Data controller: As with data subject, data controller is used in the GDPR and DPA. It means a person who individually or with a group of other people decides how and why any personal data is or will be processed.