The UK’s Data Protection Act (DPA) controls how organizations must use information they collect. The original Act was introduced in 1998 and was renewed in 2018 to take account of changes in digital technology. This guide to the DPA will help you to understand what it is, how it works, and why we need it.
What does the DPA do?
Information is powerful, and in modern times organizations hold an awful lot of it. These organizations range from healthcare providers to internet companies, from schools to employers, and there are very few businesses that do not need to consider their obligations under the DPA. The DPA is used to control how businesses use and store this data.
What rules does the DPA set down?
If you collect data of any kind on your customers, then you are a “data controller”. This includes addresses, phone numbers, personal information such as date of birth and marital status, and so on. If you are a data controller, then data you collect must be:
- Lawfully and fairly processed
- Relevant and not excessive
- Processed for specific reasons
- Accurate and up to date
- Not kept for longer than necessary
- Processed according to the individual’s rights
- Not transferred to other countries without adequate protection
This means that organizations aren’t allowed to simply accrue as much data as they want. They can only collect data that they need and can only keep it for as long as they need it.
Doesn’t the GDPR cover this?
The GDPR covers many of these aspects, and the 2018 version of the DPA actually aligns very closely with the GDPR in many ways. However, the DPA also covers national security and law enforcement data, which isn’t covered under the GDPR. Once the UK leaves the EU, however, the GDPR will no longer be a UK law. Of course, any businesses that collect data from or send it to the EU must comply with GDPR, which means it’s likely to remain a feature of UK business after Brexit.
Complying with the DPA
The DPA is regulated and enforced by the Information Commissioner’s Office (ICO). As of this year, the ICO is able to issue fines of up to £17 million or 4% of turnover, whichever is the larger. Complying with the DPA is therefore very important for businesses to consider. If you aren’t sure where you stand, you should contact a specialist advisor to conduct an assessment of your working practices.