The Data Protection Act
The DPA was passed in 1998 as a UK Act of Parliament, concentrating on how organisations use personal or customer information. The Data Protection Act 2018 is the legislation enforced by the Information Commissioner’s Office (ICO) in the UK to protect the processing of personal data stored on computers, digital media or paper filing systems. This blog post deals with the eight DPA principles and also covers why there are only seven now!
Here I cover the core privacy principles, providing you with a summary of the data protection legislation (Data Protection Act / GDPR). GDPR further defines the roles of data processor and data controller to make regulatory requirements on organisations easier to apply. You can read more on this topic: Data processor or data controller.
The DPA 2018 is the enhanced version of the DPA 1998 and defines how organisations, businesses and governments use personal data. Personal data is information relating to an identified or identifiable natural person, who is known as the data subject in GDPR language. The Data Protection Act 1998 mainly protected personal data stored on computers and digital media or in a paper filing system.
In 2018, the DPA 1998 was replaced by the Data Protection Act 2018, which updated the legislation for newer technologies and online activities.
Feel free to watch this video containing a condensed version of the article.
But first, let’s get the basics right.
Data Protection Act, 1998
The Data Protection Act 1998 enacted the provisions of the EU Data Protection Directive 1995 on protecting and processing personal data. It was designed to protect personal data stored on computer systems.
In a nutshell, the Data Protection Act can be summarised as the following core privacy principles:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Storage limitation.
- Integrity and confidentiality (security).
What are the 8 main principles of The Data Protection Act?
The eight data protection principles, also known as core privacy principles, of The Data Protection Act 1998 are outlined below:
Principle 1 – Fair and lawful
The first data protection principle directs the controller to process personal data lawfully and fairly. This means the controller must notify the data subject of how their data will be processed, why the information is being collected and to whom it will be disclosed (if required). Unauthorised or unlawful processing of data is a violation of this principle.
This principle gives individuals the right to have their data processed lawfully and fairly by the organisation.
Principle 2 – Purpose
The collected data can only be processed fairly and lawfully for the specified purposes. Any processing that is not justified or permitted under the data subject’s data protection rights cannot take place. The controller must inform the individual before obtaining and processing the data.
Principle 3 – Adequacy
Personal data processing must serve the legitimate purposes defined and accepted by the controller and the data subjects, and the data must remain adequate for those purposes. The controller must not collect excessive data and should hold only the concise, minimum and required information.
Principle 4 – Accuracy
Collected personal data must be stored and processed in accordance with the act and kept accurate and up to date. The controller must check the data’s accuracy and must not process inaccurate data.
Principle 5 – Retention
The fifth principle directs the controller not to keep data longer than required. Controllers may use the data only for as long as the requirement exists; they must not retain it for possible future use.
Principle 6 – Rights
The sixth principle grants rights to the individual. The controller must respect those rights and allow data subjects to access their data at any time.
Principle 7 – Security
The seventh principle makes the controller responsible for the data subject’s information. The act requires the controller to maintain the integrity, confidentiality and appropriate security of personal data during collection and processing.
Principle 8 – International transfers
The eighth and last principle forbids the controller from transferring personal data without the data subjects’ consent.
In addition, when sharing data outside the European Economic Area, the controller must ensure that the receiving company or other controller protects the personal data and upholds all the rights and principles defined by the DPA 1998.
Which principle is added to the GDPR that does not apply to the DPA?
International data transfer is not included as a critical principle in the DPA.
You might ask…
Did GDPR replace DPA?
Yes. GDPR is Europe’s new data protection law and replaced the Data Protection Directive of 1995.
How many principles are there in the Data Protection Act 2018?
Though many organisations may not have changed their practices, it is vital now, in 2021, that all understand and abide by these increasingly universal data protection principles.
The DPA 1998 has been updated by the 2018 legislation, which sets out seven principles designed as a foundation for organisations’ privacy policies. The revised version, the General Data Protection Regulation Act 2018, consists of seven principles compared to the eight of the DPA 1998.
7 data protection principles – The DPA 2018
Lawfulness, fairness and transparency
The revised first principle of the DPA 2018 mandates that organisations and controllers act with full transparency when approaching individuals for data collection, processing and protection.
They must state the purposes of data collection in clear and plain language, so that data subjects can give informed consent and exercise their individual rights regarding personal data collection.
Purpose limitation
This principle specifies that personal data must be used only for the specific purpose to which the data subjects have given consent. The controller cannot process the data for any purpose outside the one stated.
Unlike GDPR, the DPA 2018 gives leniency to storing data beyond the defined processing purpose only in some cases, such as for historical, scientific, statistical or archiving purposes.
Data minimisation
The DPA 2018 requires that the personal data collected for processing is necessary, relevant and not excessive. The controller must not collect more data than they need. Article 5(1)(c) of GDPR defines data minimisation as “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
Accuracy
Controllers must verify that the data they collect and process is accurate and not misleading, incomplete or incorrect.
If at any point the information is found to be inaccurate, the controller must take steps to erase or correct the data as soon as possible.
Storage limitation
The act requires controllers not to keep personal data for longer than it is needed. They must notify data subjects of how long they will hold the data.
If the requirements are met before the retention period ends, the controller should destroy or erase the data. Controllers can keep personal data for longer only if it is needed for statistical, scientific, historical or research purposes.
Integrity and confidentiality (Security)
The sixth DPA 2018 principle, also known as the security principle, orders organisations and controllers to have security controls and measures in place to protect the confidentiality and integrity of stored and processed personal data, so that no one can alter or steal data subjects’ information. Read more about the CIA triad (confidentiality, integrity and availability) here.
Regarding data protection, the controller must implement controls to prevent:
- Unauthorised access to personal data
- Unauthorised processing of personal data
- Unlawful processing of personal data
- Accidental destruction, damage or loss of personal data
This principle is relatively new compared with the DPA 1998. With this newly added principle in the DPA 2018, every organisation that stores or processes personal data must comply with the regulatory obligations.
To meet the legislation, controllers and businesses must build the data protection principles into how they use UK citizens’ personal data.
Individuals can request or access copies of the personal data collected about them and other related information. This request is known as a Subject Access Request (SAR) or Data Subject Access Request. We have covered this topic in detail in Article 15 – the Right of Access.
What are the eight pieces of sensitive personal data as classified by GDPR?
Under GDPR, data is classified into two categories: personal data and sensitive personal data. Personal data is information that helps identify a person with some degree of accuracy.
Sensitive personal information is information that, if disclosed or misused, can result in data theft or identity fraud. Both types of data need to be protected, but sensitive personal information needs an extra layer of security controls, such as encryption and password protection, to keep it secure.
Any organisation that uses or stores personal data (personal or sensitive personal) must comply with the law’s rules and requirements.
- Individuals’ physical characteristics, such as fingerprints, DNA, hand geometry, facial patterns, retina and ear shape recognition, palm recognition, iris scanning, etc.
- Data linked to an individual’s health condition and medical history, including diagnosis information, disability data, medical insurance, fitness data, etc. See why data protection of sensitive health data is essential in health and social care.
- Data associated with inherited characteristics obtained through the analysis of DNA, RNA and chromosomal information.
- In the scope of GDPR, individual personal data such as sexual orientation, political views, cultural background, religion, race and ethnicity, etc.
- Individuals’ financial information, such as credit card details, security codes, banking details, income statements, digital card PINs, retained earnings, cash flow, etc.
- Any personal information explicitly classified for non-public disclosure, or other identifiable information.
- Any information related to business intellectual property, trade secrets, employees’ PII, financial accounts, etc., which is sensitive data under GDPR.
- Any information that reveals an individual’s online identity, including location, IP address, cookies, RFID tags, etc.
Following the DPA is a technical and organisational requirement for compliance. To abide by the law, you must follow the fundamental principles and notify the ICO about your activities, because you will face legal challenges over even minor glitches or security incidents.
Like GDPR breach reporting, the Data Protection Act requires the controller to notify the ICO within 72 hours if personal data is breached or accessed in a cyber attack.
Under DPA 2018 compliance, the ICO can fine the controller up to 17m GBP or 4% of global turnover, consistent with GDPR.
Another good source is the Data protection act 2018 – BBC bite-size article.
If you are unsure whether your business needs to meet the legislation, seek advice from the ICO or an independent professional.
As a security services provider, Cyphere helps businesses with GDPR penetration testing and other security compliance services. This allows organisations to identify the need for data protection measures and helps them incorporate data privacy and security models according to business demands.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.