Chapter 1: Introduction and EU Regulations – Data Protection Compliance in the UK, Second Edition


The Data Protection Act 1998[1] (DPA) came into force on 1 March 2000. It applies throughout England, Wales, Scotland and Northern Ireland. It is based on the EU Data Protection Directive of 1995[2] (DPD). Special rules cover the use of telecommunications data and the use of e-mail, telephone and fax for direct marketing. These are based on the EU Privacy and Electronic Communications Directive of 2002.[3] In the UK, this was implemented by the Privacy and Electronic Communications Regulations 2003[4] (PECR).

The DPA, like other legislation, has to be interpreted in the light of the Human Rights Act 1998.[5] This is particularly important for the DPA because the Human Rights Act includes a specific right relating to private life. This is Article 8, which reads:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The courts in recent years have used this provision to develop the law in the UK, so that it gives some protection for people’s private lives even outside the scope of the DPA. This can be seen in the cases in which the court has decided that the publication of photographs of celebrity figures, such as Naomi Campbell, taken in private situations without their agreement has been a breach of confidentiality.

The Freedom of Information Act 2000[6] (FOIA) made some changes to the DPA for public authorities. As a result, people who seek access to information about themselves from public authorities will obtain more information than they would from a private sector body. This is dealt with under the subject access provisions in Chapter 4.

The DPA will apply to an organisation if it is established in the UK and is responsible for personal data. If an organisation processes personal data in the UK but does not have an establishment in the UK then it will have to nominate a representative in the UK. The only organisations that will not be covered by the DPA are those that do not process any personal data or those that only use systems in the UK for the purposes of data transit through the UK.

Throughout the EU and the non-EU states (Iceland, Norway and Liechtenstein) in the European Economic Area (EEA), there are comparable rules on data protection, so information can flow freely among those countries. When information is to be sent outside that area, special rules will apply.

This pocket guide provides initial guidance to those who need to understand the Data Protection Act in the UK.

The information is intended to be for guidance only and is not authoritative. If an organisation has a specific legal query, it should seek specialist advice.

In this guide, we have also looked at the rules which cover monitoring telecommunications, for example the use of the internet by employees. These are covered by regulations made under the Regulation of Investigatory Powers Act 2000[7] but are so relevant to privacy concerns that it is considered appropriate to cover them.