The Data Protection Act

The DPA was passed in 1988 as the UK Act of parliament. This concentrated on how organisations use personal or customer information. The Data Protection Act 2018 is the legislation enforced by the Information Commissioner’s Office (ICO), UK, to protect personal data processing and data stored on computers, digital media, or paper filing systems. This blog post deals with the DPA 8 principles and also covers why now there are only seven! This blog covers the core privacy principles providing you with the Data Protection legislation or Data Protection Act / GDPR summary. GDPR further defines data processor and data controller to make it easier for regulation requirements on organisations. You can read more on this topic: Data processor or data controller.

The DPA 2018 is the enhanced version of DPA 1998 and defines how organisations, businesses, and governments use personal data. Personal data relating to a piece of information about an identifiable or identified natural person known as data subject in GDPR language. The Data Protection Act 1998 was mainly composed to protect the personal data stored on computers and digital media or in a paper filing system.

In 2018, the DPA 1998 was replaced by the Data Protection Act 2018 to enhance the legislation by updated technologies and online activities.

Feel free to watch this video containing a condensed version of the article.

But first, let’s get the basics right.

Data Protection Act, 1998

The definition of Data protection act 1998 involves enacting the EU Data Protection Directive, 1995’s provisions on the protection and processing of personal data. It was designed to protect personal data stored on computer systems.

In a nutshell, the Data Protection Act summary can be defined as these following core privacy principles:

• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimisation.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality (security)
• Accountability.

What are the 8 main principles of The Data Protection Act?

The eight data protection principles, also known as core privacy principles, of The Data Protection Act 1998 are outlined below:

Principle 1 – Fair and lawful

The first data protection principle directs the controller to process the data protection lawfully and fairly. This means that the controller must notify the data subject on how their data will be processed in accordance, why the information is being collected and to whom it will be disclosed (if required). Unauthorised or unlawful processing of data is a violation of this principle.

This act principle gives individuals the right to allow the organisation to process data lawfully and fairly.

Principle 2 – Purpose

The collected data can only be processed fairly and lawfully for purposes. Any processing that is not justified or allowed by the subject’s general data protection cannot be held. The controller must inform the individual to obtain and process the data.

Principle 3 – Adequacy 

The personal data processing must meet the legitimate purposes defined and accepted by the controller and data subjects, and it remains used adequately. The controller must not collect excessive data and only contains concise, minimum, and required information. 

Principle 4 – Accuracy 

The collected personal data must be stored, processed in accordance and kept accurate and up-to-date. The controller must check the accuracy of data and do not process any inaccurate data.

Principle 5 – Retention

The fifth principle directs the controller not to keep data more than its requirement. The controllers are limited to use data as long as there are requirements. They must not save the data for future use.

Principle 6 – Rights

The sixth principle has granted the rights to the individual. The controller must follow the individuals’ liberty and allow the data subjects to access their data anytime.

Principle 7 – Security

The seventh principle makes the controller responsible for data protection subject’s information. The act conducts the controller to maintain data integrity, confidentiality and appropriate security on personal data collection and processing.

Principle 8 – International transfers 

The eighth and last principle forbids the controller from transferring personal data without data subjects’ consent.

In addition to it, while sharing the data outside the European economic area, the controller has to make sure the company or other controller must protect personal data and maintain all the rights and principles defined by the DPA 1998.

Which principle is added to the GDPR that is not applicable in the DPA?

The International transfers of data is not included as a key principle in the DPA.

You might ask…

Did GDPR replace DPA?

Yes, GDPR is Europe’s new data protection law that replaced the data protection directive from 1995.

How many principles are there in the Data Protection Act 2018?

Seven

Though many organisations may not have changed their practices, it is vital now, in 2021, that all understand and abide by these increasingly universal data protection principles.

The DPA 1998 has been updated to the 2018 legislation with seven principles designed as a foundation for organisations’ privacy policies. The revised version of the General Data Protection Regulation Act,2018 consists of seven principles compared to eight principles of The DPA, 1998.

7 data protection principles – The DPA 2018

Lawfulness, fairness and transparency

The revised first principle of DPA 2018 mandates the organisations and controllers to be working in 100% transparent manner while seeking the individuals for data collection, processing and protection.
They must deliver the data collection purposes in clear and plain language to address the data subjects’ consent and individual rights on personal data collection.

Purpose limitation

This principle specifies that personal data must be used for the specific purpose the data subjects have given consent. The controller cannot use the data for processing outside the mentioned purpose.
Unlike GDPR, DPA 2018 only gives leniency to store data beyond the defined data processing purpose in some cases, such as some historical, scientific, statistical or archiving purposes.

Data minimisation

The DPA 2018 conditions collect the necessary, relevant and not excessive amount of personal data for processing. The controller must not collect the data more than they need. Article 5 (1) (c) of GDPR defines data minimistration as “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed “.

Accuracy

The controllers must verify that the data they process and collect is accurate and not misleading, incomplete or incorrect.
At any stance, the information is found inaccurate; it is the controller’s responsibility to consider steps, i.e., erase or correct the data as soon as possible.

Storage limitation

The act makes it necessary for controllers not to keep personal data more than its requirement. They must notify the data subjects on how long they will hold the data.
If any of the requirements are completed before its retention time, the controller should destroy or erase the data in such a situation. Controllers can only keep personal data for a long time if they need it for statistics, scientific, historical, and research purposes.

Integrity and confidentiality (Security)

The sixth DPA 2018 principle, also known as the security principle, ordered the organisations and controllers to have security controls and measures to protect the confidentiality or integrity of stored and processed personal data so no one can alter or steal the data subjects information. Read more about the CIA triad (confidentiality, integrity and availability) here.

Regarding data protection, the controller must implement controls to prevent

• Unauthorised access to personal data
• Unauthorised processing of personal data
• Unlawful processing of personal data
• Accidental destruction, damage or loss to personal data

Accountability

This principle is relatively new in contrast with DPA 1998. With this newly added principle in DPA 2018, every organisation that stores or processes personal data must comply with regulatory obligations.
To meet the legislation, controllers and businesses must design the data protection principles for secure usage of UK citizen’s personal data.

An individual has the right to demand or access copy of their collected personal data and other information. This request is known as simple SAR or Data Subject Access Request. We have covered this topic in detail here Article 15 – the right of acess.

What are the eight pieces of sensitive personal data as classified by GDPR?

Under the GDPR rights, data is classified into two categories, i.e., personal data and sensitive personal data. Personal data is some of the information that helps identify the person related to some degree of accuracy.
In contrast to GDPR breach, sensitive personal information is information that, if disclosed or misused, can result in data theft or identity fraud. Both of the data needs to be protected at any cost. However, sensitive personal information needs an extra layer of security controls such as encrypted, password-protected, etc., to keep it secure.
Any organisation that uses or stores personal data (be it personal or sensitive personal) must comply with the law’s compliances and rules.

Biometric data
This sensitive data includes individuals’ physical characteristics such as fingerprints, DNA, hand geometry, facial patterns, retina and ear shape recognition, palm recognition, iris scanning, etc.

Health data
This is linked to an individual’s health condition and medical history, including health diagnosis information, disability data, medical insurance, fitness data, etc. See why data protection of sensitive health data is important in health and social care

Genetic data
This sensitive data is associated with inherited characteristics through the analysis of DNA and RNA and chromosomal information.

Individual data
In the scope of GDPR, individual personal data includes sexual orientation, political views, cultural background, religion, race and ethnicity, etc.

Financial data
Involves individuals’ financial information such as credit card details, security codes, banking details, income statements, digital cards pins, retained earnings, cash flow, etc.

Classified data
It includes any personal information classified explicitly for non-public disclosure or identifiable information.

Business-related data
Any information related to the business intellectual property, trade secret, employees PII, financial accounts, etc., are described as sensitive data in the GDPR.

Web data
Any information that reveals any individuals’ online identification. It includes data such as location, IP address, cookies, RFID tags, etc.

Following the DPA is a technical and organisational requirement as per compliance. To abide by the law, you must follow the fundamental principles and notify the ICO about your activities because you will have to face legal challenges in minor glitches or security incidents.

Like GDPR data breach reporting, the Data Protection Act requires the controller to notify the ICO within 72 hours if the personal data gets breached or accessed in any cyber attack.
Under the DPA 2018 compliance, the ICO can fine the controller up to 17m GBP or 4% of global turnover consistent with GDPR.

Another good source on this topic Data protection act 2018 – BBC bite-size article. 

Conclusion

If you doubt whether your business requires to meet the legislation, you must seek advice from ICO or any independent professional.
As a security services provider, Cyphere helps businesses with GDPR penetration testing and other security compliance services. This helps organisations identify the needs of data protection measurements and facilities incorporating data privacy and security models according to business demands.

Get in touch today to discuss your security & privacy concerns.