Data Protection Act 1998 (DPA) (chapter 29) (U.K.)
The Act gives individuals important rights, including the right to know what information is held about them and the right to have inaccurate information corrected. It protects the interests of individuals by obliging organizations to manage the personal information they hold appropriately.
The Act sets out rules for how organizations must treat personal information, whether it is stored on paper or in electronic records. These rules are mandatory for all organizations that retain or process personal data, in the public, private and voluntary sectors alike.
Data protection principles
The Act contains eight Data Protection Principles, stating that all personal data must be:
- Processed fairly and lawfully
- Obtained and used only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate, and where necessary, kept up-to-date
- Kept for no longer than necessary
- Processed in accordance with the individual's rights
- Kept secure
- Transferred only to countries that offer adequate protection.
The Act states that anyone who processes personal information must comply with these eight principles. The Act also allows people to find out what personal information is held about them by making a subject access request. This covers information held electronically or in some paper records, and includes credit reference details. Fair processing requires that data subjects are informed of the identity of the data controller and the purposes of the data processing.
Health data is sensitive personal data under the Act and may only be processed if the data subject's explicit consent is obtained or if the processing is necessary for one of several defined conditions. One such condition is processing for medical purposes undertaken by a health professional or by a person who owes an equivalent duty of confidence.
- "Health data" section: Data Protection and Medical Research, at 2.