Data Protection Act

From TRCCompSci - AQA Computer Science

The Data Protection Act

The Data Protection Act is in place to protect people's data that is stored on servers and on companies' computers.

The Data Protection Act states that:

  • If you collect data, you must not use it for a different reason.
  • You must not share data with external sources.
  • People have the right to see data about themselves.
  • You must not keep data for longer than you need to and it must be up-to-date.
  • You must not send data outside the European Economic Area (EEA) to an area with lower protection.
  • People who store data must be registered with the Information Commissioner’s Office (ICO).
  • If you store data, the data must be protected and safe.
  • If companies have information about you that is wrong, it is your right to ask them to change it.


Not all situations are covered by the Data Protection Act. The following are exempt:

  • Processing of personal data for personal, family or household affairs (including recreational purposes).
  • Safeguard national security
  • Prevention or detection of crime
  • Collection of tax or duty
  • Journalism for historical and statistical purposes

Your right to view/request

  • You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information.
  • Data requests are fulfilled by an appointed data controller at an organisation.
  • Organisations may charge a fee of up to £10 (£2 if it is a request to a credit reference agency for information about your financial standing only).
  • There are special rules that apply to fees for paper based health records (the maximum fee is currently £50) and education records (a sliding scale from £1 to £50 depending on the number of pages provided).
  • However, it is important to remember that not all personal information is covered and there are ‘exemptions’ within the Act which may allow an organisation to refuse to comply with your subject access request in certain circumstances.

GDPR (General Data Protection Regulation)

As of 2018, the Data Protection Act has changed. Alongside the laws already existing from the 1998 Act, a few additional points have been amended, such as:

  • Penalties have become stricter. Companies can be fined up to €20,000,000 or 4% of annual turnover (whichever is greater) if data is not kept up to date and secure.
  • Terms and conditions of a service or company must not be full of legalese (language of the law), and must be in plain standard English that everyone can understand.
  • Breach notifications - if a breach were to happen, the company must notify the user, so they are aware that their personal data is possibly at risk in the hands of a criminal.