The Data Protection Act

From the 1950s onwards companies started using computers as a way of storing information about people who used their goods and services. Because this data was stored electronically there was the worry that it could be easily passed between companies or inappropriately used by anyone who had access to the system. The 1998 Data Protection Act was passed to protect those who have information stored about them.

This Act distinguishes between the following groups of people:

The data subject – an individual whose personal information is stored by an organisation. This will almost certainly include everyone who is reading this.

The data controller – the person or organisation who holds information about the data subject.

The Information Commissioner – who holds the legal power to enforce the 1998 Data Protection Act.

This Act outlines a number of rules which data controllers have to follow if they are to be given legal permission to hold information, either electronically or on paper, about other living people.

The 8 principles of the Data Protection Act

Once a company has registered with the Information Commissioner, they are required by law to follow these 8 rules:

1.) Personal data must be collected ethically and used legally.

2.) The data can only be used for the purposes they stated when registering with the Information Commissioner.

3.) Data cannot be sold or passed on to anyone other than what was agreed with the Information Commissioner.

4.) No more data than is required should be stored on file.

5.) The data should be kept up to date.

6.) The data may not be kept for longer than it is needed.

7.) The information must be kept secure.

8.) The information may not be shared with any organisation outside of the European Economic Area, unless that organisation is in a country with suitable data protection laws.

Some organisations are exempt from these rules. Complete exemptions include:

  • Information held about you for national security purposes.
  • Personal data held about you by friends, relatives or acquaintances for domestic purposes, e.g. addresses, telephone numbers, birthdays etc.


Partial exemptions include:

  • Information held by researchers or journalists if it is deemed to be in the public interest.
  • Information held by the data controller for historical, research or statistical purposes.
  • Information held by the taxman or police if they are using it to prevent tax fraud or criminal activity.
  • Schools, which don’t have to disclose personal information to pupils in their care.
  • References written by former employees.