Data Protection Act 1998

The Data Protection Act 1998 (c 29) was a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. It enacted the EU Data Protection Directive 1995's provisions on the protection, processing and movement of data. The Data Protection Act 1998 (c 29) was a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. It enacted the EU Data Protection Directive 1995's provisions on the protection, processing and movement of data. Under the DPA 1998, individuals had legal rights to control information about themselves. Most of the Act did not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes was legally obliged to comply with this Act, subject to some exemptions. The Act defined eight data protection principles to ensure that information was processed lawfully. It was superseded by the Data Protection Act 2018 (DPA 2018) on 23 May 2018. The DPA 2018 supplements the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The GDPR regulates the collection, storage, and use of personal data significantly more strictly. The 1998 Act replaced the Data Protection Act 1984 and the Access to Personal Files Act 1987, and implemented the EU Data Protection Directive 1995. The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to 'positive consent' such as an opt-in box. Exemptions remain for the marketing of 'similar products and services' to existing customers and enquirers, which can still be given permission on an opt out basis. The Jersey data protection law was modelled on the UK law. Section 1 defines 'personal data' as any data that can be used to identify a living individual. Anonymised or aggregated data is less regulated by the Act, providing the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means including their name and address, telephone number or email address. The Act applies only to data which is held, or intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'. In some cases paper records may be classified as a 'relevant filing system', such as an address book or a salesperson's diary used to support commercial activities. The Freedom of Information Act 2000 modified the act for public bodies and authorities, and the Durant case modified the interpretation of the act by providing case law and precedent.