The Data Protection Act (DAP) came into force on 1 March 2000 and replaced the Data Protection Act 1984. It gives individuals (‘data subjects’) a general right of access to ‘personal data’ (ie personal information) about themselves held by ‘data controllers’ within the United Kingdom. It also lays down principles for the way personal data must be managed.

Data Protection principles

The Data Protection Act 1998 establishes the following 8 principles in relation to the processing (ie management) of personal data

1. Personal data should be processed fairly and lawfully.
2. Data should only be obtained for specified purposes and should not be further processed in a manner incompatible with these purposes.
3. Personal data should be adequate relevant and not excessive in relation to the purposes for which they were collected.
4. Personal data should be accurate and where necessary kept up to date.
5. Personal data should not be kept longer than is needed for its intended purpose.
6. Personal data should be processed in accordance with the rights of the individual which the information concerns.
7. Appropriate measures should be taken against unauthorised or unlawful processing or destruction of personal data.
8. Personal data should not be transferred outside the European Economic Area (the EU states plus Liechtenstein, Iceland and Norway).